This seems to be a common thread on the list, but I'm pulling my hair out and have to ask..

I've been following a couple of guides and using AD to authenticate users on my linux system. These include the ubuntu guide --
https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto
- https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
- https://wiki.samba.org/index.php/Libnss_winbind_links

and others...

I'm using ubuntu 14 with the samba 4.1X packages installed.

Our AD is a Windows AD.

I have succeeded in getting wbinfo -u to return domain users, wbinfo -g to return domain groups, getent passwd to return domain users in passwd form, getent group returns domain groups..

I have made certain that libnss-winbind, libpam-cracklib and libpam-winbind are installed. They all seem to be:

  ii  libpam-cap:amd64       1:2.24-0ubuntu2                amd64  PAM module for implementing capabilities
  ii  libpam-cracklib:amd64  1.1.8-1ubuntu2                 amd64  PAM module to enable cracklib support
  ii  libpam-modules:amd64   1.1.8-1ubuntu2                 amd64  Pluggable Authentication Modules for PAM
  ii  libpam-modules-bin     1.1.8-1ubuntu2                 amd64  Pluggable Authentication Modules for PAM - helper binaries
  ii  libpam-runtime         1.1.8-1ubuntu2                 all    Runtime support for the PAM library
  rc  libpam-smbpass:amd64   2:4.1.6+dfsg-1ubuntu2.14.04.5  amd64  pluggable authentication module for Samba
  ii  libpam-systemd:amd64   204-5ubuntu20.15               amd64  system and service manager - PAM module
  ii  libpam-winbind:amd64   2:4.1.6+dfsg-1ubuntu2.14.04.9  amd64  Windows domain authentication integration plugin
  ii  libpam0g:amd64         1.1.8-1ubuntu2                 amd64  Pluggable Authentication Modules library

Trouble is I still cannot ssh in to this box and authenticate with AD creds.

Here's the error in the auth.log:

  Nov  3 15:49:18 hat sshd[14389]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.1.10.229  user=ttt
  Nov  3 15:49:18 hat sshd[14389]: pam_succeed_if(sshd:auth): incomplete condition detected
  Nov  3 15:49:19 hat sshd[14389]: Failed password for ttt from 10.1.10.229 port 59317 ssh2
  Nov  3 15:49:46 hat sshd[14389]: pam_succeed_if(sshd:auth): incomplete condition detected
  Nov  3 15:49:48 hat sshd[14389]: Failed password for ttt from 10.1.10.229 port 59317 ssh2
  Nov  3 15:49:50 hat sshd[14389]: Failed password for ttt from 10.1.10.229 port 59317 ssh2
  Nov  3 15:49:50 hat sshd[14389]: Connection closed by 10.1.10.229 [preauth]
  Nov  3 15:49:50 hat sshd[14389]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.1.10.229  user=ttt

Here's my smb.conf:

  [global]
     netbios name = HAT
     security = ADS
     workgroup = HA
     server string = %h server (Samba, Ubuntu)
     dedicated keytab file = /etc/krb5.keytab
     log file = /var/log/samba/log.%m
     max log size = 1000
     syslog = 0
     panic action = /usr/share/samba/panic-action %d
     # idmap uid = 10000-20000
     # idmap gid = 10000-20000
     idmap config *:backent = rid
     idmap config *:range = 5000-100000
     template shell = /bin/bash
     winbind allow trusted domains = no
     winbind trusted domains only = no
     winbind enum users = yes
     winbind enum groups = yes
     winbind use default domain = yes
     winbind refresh tickets = yes
     template homedir = /home/%U
     template shell = /bin/bash
     # client use spnego = yes
     encrypt passwords = yes

I have successfully created (I think) the keytab file, joined the machine to the AD -- and I can successfully kinit and authenticate as any AD user.

The bummer is that I cannot successfully login via ssh using a domain credential.

I think the final bit of the machine is the pam files -- since this is ubuntu, I just modify the common- files, so here they are:

common-account

  # /etc/pam.d/common-account - authorization settings common to all services
  #
  account     required      pam_unix.so broken_shadow
  account     sufficient    pam_localuser.so
  account     sufficient    pam_succeed_if.so uid < 1000 quiet
  account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
  account     required      pam_permit.so
  # and here are more per-package modules (the "Additional" block)

common-auth

  # /etc/pam.d/common-auth - authentication settings common to all services
  #
  auth        required      pam_env.so
  auth        sufficient    pam_unix.so nullok try_first_pass
  auth        requisite     pam_succeed_if.so uid >=1000 quiet_success
  auth        sufficient    pam_winbind.so user_first_pass
  auth        required      pam_deny.so

common-password

  # /etc/pam.d/common-password - password-related modules common to all services
  #
  password    requisite     pam_cracklib.so try_first_pass retry=3 type
  password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
  password    sufficient    pam_winbind.so use_authtok
  password    required      pam_deny.so

common-session

  # /etc/pam.d/common-session - session-related modules common to all services
  #
  session     optional      pam_keyinit.so revoke
  session     required      pam_limits.so
  session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
  session     required      pam_unix.so
  session     optional      pam_systemd.so
  # end of pam-auth-update config

ssh fails --
If I try to su - ADuser I get a message
Error in service module..

I'm thinking the error must be in pam -- but need some advice.

--
David Bear
mobile: (602) 903-6476
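The `pam_succeed_if(sshd:auth): incomplete condition detected` line in the auth.log above is logged by pam_succeed_if itself when its arguments do not form whole conditions: the module picks up its option words (`quiet`, `quiet_success`, `use_uid`, `debug`, `audit`, `quiet_fail`) wherever they appear and reads every other word in groups of three as field, operator, value. In the posted common-auth, `uid >=1000` is two words, not three, so the condition is incomplete, the module returns an error instead of a yes/no, and because the line is `requisite` the auth stack ends right there: pam_winbind.so is never consulted, which is why the log shows only pam_unix and pam_succeed_if before "Failed password". The Python below is an added illustration, not code from the thread or from Linux-PAM; it models that argument handling and the required/requisite/sufficient control flow, and runs it over the posted common-auth and over the same stack with `uid >= 1000`. The uid 10000 (a domain user inside the posted rid range) and the assumption that pam_unix fails and pam_winbind succeeds for that user are constructed for the demo.

```python
"""Model of pam_succeed_if argument handling and classic PAM auth-stack flow.
Added illustration for the thread; not code from the post or from Linux-PAM.
All inputs are constructed: the posted common-auth, a copy with "uid >= 1000",
and assumed results for pam_unix and pam_winbind."""

# Option words pam_succeed_if accepts anywhere in its argument list.
SUCCEED_IF_FLAGS = {"debug", "use_uid", "quiet", "quiet_fail", "quiet_success", "audit"}
# Operators modelled here (the module has more: eq/ne/lt/..., =~, ingroup, ...).
NUMERIC_OPS = {"=", "!=", "<", ">", "<=", ">="}
LIST_OPS = {"in", "notin"}

# Constructed copy of the common-auth stack from the post, and the same stack
# with the operator and the value of the pam_succeed_if condition separated.
POSTED_COMMON_AUTH = """\
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >=1000 quiet_success
auth sufficient pam_winbind.so user_first_pass
auth required pam_deny.so
"""
FIXED_COMMON_AUTH = POSTED_COMMON_AUTH.replace("uid >=1000", "uid >= 1000")


def split_pam_line(line):
    """(type, control, module, args) for one pam.d line, None for comments or
    blanks.  Only the simple control keywords are modelled; a [bracketed]
    control is rejected rather than mis-simulated."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    ptype, control, module, *args = line.split()
    if control.startswith("["):
        raise ValueError("bracketed control values are not modelled: " + line)
    return ptype, control, module, args


def parse_succeed_if(args):
    """Read pam_succeed_if arguments as the module does: option words are
    consumed wherever they occur, every other word fills a (field, op, value)
    triple.  Returns (conditions, flags, error); error is None if well formed."""
    conditions, flags, pending = [], set(), []
    for word in args:
        if word in SUCCEED_IF_FLAGS:
            flags.add(word)
            continue
        pending.append(word)
        if len(pending) == 3:
            field, op, value = pending
            pending = []
            if op not in NUMERIC_OPS | LIST_OPS:
                return conditions, flags, f"unrecognised operator {op!r}"
            conditions.append((field, op, value))
    if pending:  # leftover words: the case behind the syslog line in the post
        return conditions, flags, "incomplete condition detected"
    return conditions, flags, None


def evaluate(conditions, facts):
    """True when every condition holds for facts like {"uid": 10000,
    "service": "sshd"}: numeric ops compare as integers, in/notin test
    membership in a colon-separated list."""
    for field, op, value in conditions:
        actual = facts[field]
        if op in LIST_OPS:
            if (str(actual) in value.split(":")) != (op == "in"):
                return False
        else:
            a, b = int(actual), int(value)
            if not {"=": a == b, "!=": a != b, "<": a < b, ">": a > b,
                    "<=": a <= b, ">=": a >= b}[op]:
                return False
    return True


def simulate_auth(pam_text, facts, module_results):
    """Walk an auth stack with the required/requisite/sufficient/optional rules.
    pam_succeed_if is computed from its arguments; pam_permit/pam_deny are
    fixed; pam_env counts as success (it returns PAM_IGNORE for auth, which
    does not change the outcome); anything else returns module_results[name],
    default failure.  Returns (granted, modules_consulted, errors)."""
    consulted, errors, required_failed = [], [], False
    for entry in map(split_pam_line, pam_text.splitlines()):
        if entry is None:
            continue
        ptype, control, module, args = entry
        consulted.append(module)
        if module == "pam_succeed_if.so":
            conditions, _flags, error = parse_succeed_if(args)
            if error:
                errors.append(f"pam_succeed_if({ptype}): {error}")
                ok = False  # PAM_SERVICE_ERR is not a success either
            else:
                ok = evaluate(conditions, facts)
        elif module in ("pam_permit.so", "pam_env.so"):
            ok = True
        elif module == "pam_deny.so":
            ok = False
        else:
            ok = module_results.get(module, False)
        if control == "requisite" and not ok:
            return False, consulted, errors  # stack ends here, nothing later runs
        if control == "required" and not ok:
            required_failed = True  # keep walking, but the final answer is no
        if control == "sufficient" and ok and not required_failed:
            return True, consulted, errors
    return not required_failed, consulted, errors


if __name__ == "__main__":
    assumed = {"pam_unix.so": False, "pam_winbind.so": True}  # domain user
    for name, text in (("posted", POSTED_COMMON_AUTH), ("fixed", FIXED_COMMON_AUTH)):
        print(name, simulate_auth(text, {"uid": 10000}, assumed))
```

With the posted stack the simulation stops at pam_succeed_if with the same "incomplete condition detected" text and never reaches pam_winbind; with `uid >= 1000` the domain user passes the guard and pam_winbind decides. On Ubuntu the cleaner route is the one suggested further down the thread: let pam-auth-update generate the common-* files instead of hand-editing them.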
Ok, do the following.

Remove all your modifications from pam so it's back to original.

apt-get install krb5-ssh
restart ssh, try again.

Still not working?

Now try correct pam.
Type : pam-auth-update
Select kerberos winbind and unix ( and keep other defaults as is )

Type id username
You see a correct shell and correct and existing homedir?
If not, you missed the setting in windows, or set them in your smb.conf

Now try again to login.

Greets,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of David Bear
> Sent: Wednesday 4 November 2015 0:18
> To: samba
> Subject: [Samba] ssh authentication with AD
Hi LPH & David,

I'm also interested in using kerberos authentication and tried your hints. I'm using Ubuntu 14.04.3 Server on this machine.

On 04.11.2015 08:52, L.P.H. van Belle wrote:
> Ok, do the following.
>
> Remove all your modifications from pam so it's back to original.
>
> apt-get install krb5-ssh
> restart ssh, try again.

@LPH: krb5-ssh doesn't exist in Ubuntu:

  # apt-get install krb5-ssh
  Reading package lists... Done
  Building dependency tree
  Reading state information... Done
  E: Unable to locate package krb5-ssh

But maybe you mean libpam-krb5?

> Still not working?
>
> Now try correct pam.
> Type : pam-auth-update
> Select kerberos winbind and unix ( and keep other defaults as is )

I didn't find "kerberos" in the selection-list. But with "libpam-krb5" installed it is shown.

@David: Did you enable Kerberos authentication in /etc/ssh/sshd_config? I see to select:

  # Kerberos options
  #KerberosAuthentication no
  #KerberosGetAFSToken no
  #KerberosOrLocalPasswd yes
  #KerberosTicketCleanup yes

What should I enable from these?

> Type id username
> You see a correct shell and correct and existing homedir?

  $ LANG=POSIX id oliver
  uid=1000(oliver) gid=1000(oliver) groups=1000(oliver),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare),114(scanner),124(saned),129(kvm),131(lxd)

Where should I see shell and homedir here?

Tfh!
Oliver
Hai,

Ok, good to know that (debian) krb5-ssh is libpam-krb5 in ubuntu.

The debian package also sets
GSSAPIAuthentication no
to
GSSAPIAuthentication yes

So here are all my kerberos settings from sshd_config. (it should work with only GSSAPIAuthentication)

  # GSSAPI options
  GSSAPIAuthentication yes
  GSSAPICleanupCredentials yes
  # If your version supports this
  GSSAPIKeyExchange yes
  # If your version supports this
  GSSAPIStoreCredentialsOnRekey yes

Sorry, id username is not the right one.
Try getent passwd username

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Oliver Rath
> Sent: Wednesday 4 November 2015 9:35
> To: samba at lists.samba.org
> Subject: Re: [Samba] ssh authentication with AD
On 03/11/15 23:17, David Bear wrote:
> This seems to be common thread on the list, but I'm pulling my hair out and
> have to ask..
>
> Here's my smb.conf
> [global]
>    netbios name = HAT
>    security = ADS
>    workgroup = HA
>    server string = %h server (Samba, Ubuntu)
>    dedicated keytab file =/etc/krb5.keytab
>    log file = /var/log/samba/log.%m
>    max log size = 1000
>    syslog = 0
>    panic action = /usr/share/samba/panic-action %d
>    # idmap uid = 10000-20000
>    # idmap gid = 10000-20000
>    idmap config *:backent = rid
>    idmap config *:range = 5000-100000
>    template shell = /bin/bash
>    winbind allow trusted domains = no
>    winbind trusted domains only = no
>    winbind enum users = yes
>    winbind enum groups = yes
>    winbind use default domain = yes
>    winbind refresh tickets = yes
>    template homedir = /home/%U
>    template shell = /bin/bash
>    # client use spnego = yes
>    encrypt passwords = yes

Evidently you haven't read the guides correctly, your smb.conf is up the spout!

Read this:
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

Follow the links and set up your smb.conf correctly. I will give you some hints: you have no realm line, you have spelling mistakes, because of this you have nowhere to store the builtin users & groups, you have nowhere to store your domain users & groups, you do not create the keytab - the join does it for you, I could go on.

Rowland
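The hints in the reply above map onto checks a script can run against the file before winbind is restarted: `realm` has to be present when `security = ADS`; `idmap config *:backent` is a misspelling of `backend`, which leaves the default domain `*` (the one that holds BUILTIN and other non-domain SIDs) without a backend; and there is no `idmap config HA:...` block at all, so the domain's own users and groups have neither a backend nor a range. The Samba wiki page linked above also requires the `*` range and the domain range not to overlap. The Python below is an added example, not code from the thread or from Samba: a small smb.conf parser plus a lint for exactly those points, run over the posted [global] section (reduced to the relevant lines) and over a corrected version modelled on the wiki's rid example. The realm HA.EXAMPLE.COM, the `kerberos method` line and the ranges 3000-7999 / 10000-999999 in the corrected file are assumptions; the thread never states the real realm or the local uid layout.

```python
"""Lint for the smb.conf points raised in the reply above.  Added example;
not code from the thread or from Samba.  Both inputs are constructed."""

import difflib
import re

# Some documented "idmap config DOM:option" names; anything else is reported.
KNOWN_IDMAP_OPTIONS = {"backend", "range", "base_rid", "schema_mode",
                       "unix_nss_info", "unix_primary_group", "read only", "rangesize"}
IDMAP_KEY = re.compile(r"^idmap config ([^:]+):(.+)$")

# The lines of the posted [global] section that matter here (logging and
# enumeration settings left out).
POSTED_SMB_CONF = """\
[global]
   netbios name = HAT
   security = ADS
   workgroup = HA
   dedicated keytab file = /etc/krb5.keytab
   idmap config *:backent = rid
   idmap config *:range = 5000-100000
   template shell = /bin/bash
   template homedir = /home/%U
   template shell = /bin/bash
"""

# Corrected version, modelled on the wiki's rid example.  HA.EXAMPLE.COM and
# both ranges are placeholders: the thread never gives the real realm.
FIXED_SMB_CONF = """\
[global]
   netbios name = HAT
   security = ADS
   workgroup = HA
   realm = HA.EXAMPLE.COM
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config HA : backend = rid
   idmap config HA : range = 10000-999999
   template shell = /bin/bash
   template homedir = /home/%U
"""


def parse_smb_conf(text):
    """{section: {key: [values...]}}.  Samba treats keys case- and
    whitespace-insensitively, so keys are lower-cased, blanks collapsed and
    spaces around ':' dropped; values stay a list so repeats can be reported."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            key = re.sub(r"\s*:\s*", ":", " ".join(key.lower().split()))
            sections[current].setdefault(key, []).append(value.strip())
    return sections


def parse_range(value):
    """'LOW-HIGH' -> (LOW, HIGH), or None when malformed or LOW >= HIGH."""
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value.strip())
    if not m or int(m.group(1)) >= int(m.group(2)):
        return None
    return int(m.group(1)), int(m.group(2))


def lint_domain_member(conf):
    """Findings for an AD member's [global]: repeated keys, missing realm,
    misspelled idmap options, missing backend/range for '*' and for the
    workgroup, and overlapping idmap ranges."""
    findings, g = [], conf.get("global", {})
    last = lambda key: g.get(key, [None])[-1]  # Samba keeps the last definition
    for key, values in g.items():
        if len(values) > 1:
            findings.append(f"'{key}' is set {len(values)} times")
    if (last("security") or "").lower() == "ads" and not last("realm"):
        findings.append("realm is not set; security = ADS needs the Kerberos realm")
    idmap = {}  # domain -> {option: value}
    for key, values in g.items():
        m = IDMAP_KEY.match(key)
        if not m:
            continue
        domain, option = m.group(1).upper(), m.group(2)
        if option not in KNOWN_IDMAP_OPTIONS:
            close = difflib.get_close_matches(option, sorted(KNOWN_IDMAP_OPTIONS), n=1)
            hint = f" (did you mean '{close[0]}'?)" if close else ""
            findings.append(f"unknown idmap option '{option}' for domain '{domain}'{hint}")
            continue
        idmap.setdefault(domain, {})[option] = values[-1]
    workgroup = (last("workgroup") or "").upper()
    for domain in ["*"] + ([workgroup] if workgroup else []):
        what = ("the default domain '*' (BUILTIN and other non-domain SIDs)"
                if domain == "*" else f"domain '{domain}'")
        opts = idmap.get(domain, {})
        for option in ("backend", "range"):
            if option not in opts:
                findings.append(f"no idmap {option} for {what}")
        if "range" in opts and parse_range(opts["range"]) is None:
            findings.append(f"idmap range '{opts['range']}' for {what} is not LOW-HIGH")
    ranges = {d: parse_range(o["range"]) for d, o in idmap.items()
              if "range" in o and parse_range(o["range"])}
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"idmap ranges of '{a}' and '{b}' overlap")
    return findings
```

Running `lint_domain_member(parse_smb_conf(POSTED_SMB_CONF))` reports the missing realm, the `backent` typo with `backend` as the suggestion, the resulting missing backend for `*`, the missing backend and range for HA, and the doubled `template shell`; the corrected file yields no findings, and shrinking the HA range so it touches the `*` range brings back one overlap finding. `testparm` will catch an unknown parameter name but not a misspelled idmap option, because `idmap config` keys are free-form to it.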