Mirco MEGAS
2014-Oct-20  22:24 UTC
[Samba] Allow Samba4/AD group "MYDOM\Domain Admins" to login through SSH on linux hosts
Mirco MEGAS
2014-Oct-20  23:08 UTC
[Samba] Fwd: Allow Samba4/AD group "MYDOM\Domain Admins" to login through SSH on linux
Hi,
For several Linux servers on our network we want to allow the AD domain
group called "MYDOM\Domain Admins" to log in through SSH with their AD
credentials. Our DC1 and DC2 are running on Debian 64-bit using Samba
4.1.12/Sernet.
I'm kinda confused about what exactly I need for that. Do I need to set up
PAM authentication as explained in this tutorial?
(https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server#Setting_up_PAM_authentication)
I tried that. I didn't create the symlink as shown in the tutorial (ln -s
/usr/local/samba/lib/security/pam_winbind.so /lib64/security/), because I
realized that I have a file called
"root@membersrv1:/lib/x86_64-linux-gnu/security/pam_winbind.so" which I
think comes from the Sernet Samba 4.1.12 package (please correct me if I'm
wrong).
Then I tried to modify "/etc/pam.d/sshd" according to the tutorial;
this is how my "/etc/pam.d/sshd" looked afterwards:
============================================================================
# PAM configuration for the Secure Shell service
# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth       required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth       required     pam_env.so envfile=/etc/default/locale
auth        sufficient    pam_winbind.so use_first_pass
# Standard Un*x authentication.
@include common-auth
# Disallow non-root logins when /etc/nologin exists.
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account    required     pam_nologin.so
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so
# Standard Un*x authorization.
@include common-account
# Standard Un*x session setup and teardown.
@include common-session
# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session    optional     pam_motd.so  motd=/run/motd.dynamic noupdate
session    optional     pam_motd.so # [1]
# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]
# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so
# Set up SELinux capabilities (need modified pam)
# session  required     pam_selinux.so multiple
# Standard Un*x password updating.
@include common-password
password    sufficient    pam_winbind.so use_authtok
============================================================================
As you can see, I have just inserted those three lines. Then I did
"service sernet-samba-winbindd restart && service ssh restart"
on that member server, and I also modified "/etc/ssh/sshd_config" and
uncommented the line "PasswordAuthentication yes" to be sure I am not
missing anything. Then I restarted the ssh daemon, too. Unfortunately I
cannot log in through SSH onto that member server, although I provide the
correct credentials for the user. I tried the following combinations as
login:
username=testuser1, password=test1test1
username=MYDOM\testuser1, password=test1test1
username=MYDOM\\testuser1,password=test1test1
I am sure that the password is correct.
My guess is that the file I modified is not the correct one, or maybe I
used the wrong order for the lines, because my /etc/pam.d/sshd looks quite
different from the one provided in the wiki. Next I modified
"/etc/pam.d/sshd" again to revert the changes. I commented out the
three lines so they are not active any more, because I think that was the
wrong way for my Debian Wheezy 64-bit GNU/Linux distribution. Instead, some
other files drew my attention ...
I edited "/etc/pam.d/common-account" and added at the end of the file
the desired line like this:
[...]
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
Then I edited "/etc/pam.d/common-auth" and added at the end the
corresponding line like this:
[...]
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
auth    sufficient                      pam_winbind.so use_first_pass
Then I edited "/etc/pam.d/common-password" and added at the end the
corresponding line like this:
[...]
password        sufficient                      pam_winbind.so use_authtok
I restarted the "sernet-samba-winbindd" and "ssh" daemons, but I
still cannot log in through SSH with the "testuser1" credentials. The file
"/var/log/auth.log" shows the following errors while I try to log in
through SSH as testuser1:
Oct 21 01:04:59 membersrv1 sshd[2915]: pam_winbind(sshd:auth): getting password (0x00000010)
Oct 21 01:04:59 membersrv1 sshd[2915]: pam_winbind(sshd:auth): Could not retrieve user's password
Oct 21 01:04:59 membersrv1 sshd[2915]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.123  user=testuser1
Oct 21 01:05:01 membersrv1 sshd[2915]: Failed password for testuser1 from 192.168.0.123 port 18337 ssh2
Oct 21 01:05:12 membersrv1 sshd[2915]: Connection closed by 192.168.0.123 [preauth]
I want to add that I can "su - testuser1" correctly on that member
server; the user "testuser1" has a valid login shell and the "su
- testuser1" login worked fine.
Also, "testuser1" is correctly shown by winbind on that member server,
see the output below:
==========================================================================
# getent passwd testuser1
testuser1:*:10003:10000:Test User 1:/home/MYDOM/testuser1:/bin/bash
# id testuser1
uid=10003(testuser1) gid=10000(domain users) groups=10000(domain users),70002(BUILTIN\users)
# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
# kinit testuser1@MYDOM.EXAMPLE.COM
Password for testuser1@MYDOM.EXAMPLE.COM:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: testuser1@MYDOM.EXAMPLE.COM
Valid starting       Expires              Service principal
21.10.2014 00:18:58  21.10.2014 10:18:58  krbtgt/MYDOM.EXAMPLE.COM@MYDOM.EXAMPLE.COM
        renew until 22.10.2014 00:18:56
==========================================================================
So I am sure that the password supplied for testuser1 was correct, because
"kinit" did succeed, as you can see. Now I am stuck here and I am quite
unsure whether that's even the correct way.
I also found this tutorial
(https://wiki.samba.org/index.php/Authenticating_other_services_against_AD#Secure_passwordless_SSH)
which explains a completely different way. What exactly do I need?
PAM_WINBIND authentication or Kerberos, or maybe even both? Someone else
also told me that I should use sssd for that, but I don't think I want to
build a completely new configuration for my member server, because my member
server was configured with the ad backend according to the tutorial
(https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server). Any
help is appreciated.
Thanks a lot in advance.
Mirco
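As an added example (not from the poster or the Samba project), here is a small checker for the ordering problem visible in the first /etc/pam.d/sshd above: a module carrying `use_first_pass` reuses a password that an earlier module in the same auth stack already collected and never prompts itself, so when it sits before any prompting module it fails, which is what the "Could not retrieve user's password" log line reports. The sample stack below is constructed, with the Debian common-auth include expanded inline; the set of modules treated as "prompting" is an assumption of this check.

```python
import re

# Constructed sample: auth section of the poster's first /etc/pam.d/sshd,
# with the Debian common-auth include expanded the way pam-auth-update writes it.
SAMPLE_SSHD_AUTH = """
auth required   pam_env.so
auth required   pam_env.so envfile=/etc/default/locale
auth sufficient pam_winbind.so use_first_pass
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite  pam_deny.so
auth required   pam_permit.so
"""

# Same stack with try_first_pass, which prompts itself when nothing was collected.
FIXED_SSHD_AUTH = SAMPLE_SSHD_AUTH.replace("pam_winbind.so use_first_pass",
                                           "pam_winbind.so try_first_pass")

# Modules assumed to prompt for a password themselves (assumption for this check).
PROMPTING_MODULES = {"pam_unix.so", "pam_winbind.so", "pam_krb5.so", "pam_ldap.so"}

def parse_pam(text):
    """Parse PAM stack lines into (type, control, module, args) tuples.
    Comments are stripped; the bracketed control syntax '[success=1 ...]' is handled."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = re.match(r"(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m:
            entries.append((m.group(1), m.group(2), m.group(3), m.group(4).split()))
    return entries

def check_first_pass(text):
    """Return findings for auth modules that use use_first_pass before any module
    in the stack could have collected a password (the poster's failure mode)."""
    findings = []
    collected = False  # has an earlier auth module prompted and stored a password?
    for ptype, _ctrl, module, args in parse_pam(text):
        if ptype != "auth":
            continue
        if "use_first_pass" in args and not collected:
            findings.append(f"{module} has use_first_pass but no earlier auth module "
                            "prompts; expect 'Could not retrieve user's password'")
        if module in PROMPTING_MODULES and "use_first_pass" not in args:
            collected = True
    return findings

if __name__ == "__main__":
    for f in check_first_pass(SAMPLE_SSHD_AUTH):
        print("finding:", f)
```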