Hi LPH & David,

I'm also interested in using Kerberos authentication and tried your hints. I'm using Ubuntu 14.04.3 Server on this machine.

On 04.11.2015 08:52, L.P.H. van Belle wrote:
> Ok, do the following.
>
> Remove all your modifications from pam so it's back to original.
>
> apt-get install krb5-ssh
> restart ssh, try again.

@LPH: krb5-ssh doesn't exist in Ubuntu:

# apt-get install krb5-ssh
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package krb5-ssh

But maybe you mean libpam-krb5?

> Still not working?
>
> Now try correct pam.
> Type : pam-auth-update
> Select kerberos winbind and unix ( and keep other defaults as is )

I didn't find "kerberos" in the selection list. But with "libpam-krb5" installed it is shown.

@David: Did you enable Kerberos authentication in /etc/ssh/sshd_config? I see these to select:

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

What should I enable from these?

> Type id username
> You see a correct shell and correct and existing homedir?

$ LANG=POSIX id oliver
uid=1000(oliver) gid=1000(oliver) groups=1000(oliver),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare),114(scanner),124(saned),129(kvm),131(lxd)

Where should I see shell and homedir here?

Tfh!
Oliver
I did not enable Kerberos auth in the sshd_config file. I didn't think I needed to if my PAM stack was set to use winbind.

On Wed, Nov 4, 2015 at 1:34 AM, Oliver Rath <rath at mglug.de> wrote:
> [...]
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

-- 
David Bear
mobile: (602) 903-6476
Thanks for the pointers Oliver --

Rowland, I did review the smb.conf file -- found the typos you alluded to, and here is the current version

#======================= Global Settings ======================
[global]
   netbios name = HAT
   security = ADS
   realm = HA.EDU
   workgroup = HA
   server string = HATServer
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   idmap config *:backend = tdb
   idmap config *:range = 5000-9999
   idmap config HA:backend = rid
   idmap config HA:range = 10000-100000
   template shell = /bin/bash
   winbind nss info = template
   winbind allow trusted domains = no
   winbind trusted domains only = no
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes
   winbind refresh tickets = yes
   template homedir = /home/%U
   template shell = /bin/bash
   encrypt passwords = yes
--------------------------

This configuration did not allow me yet to ssh in to the system. However, I re-ran pam-auth-update and made sure the winbind section was selected.

This was the action that allowed me to ssh in to the box -- the one remaining problem is that the user's home dir is not automatically created as I assumed it would be with the line

template homedir = /home/%U

in smb.conf.

I think that Ubuntu must put other things in the PAM stack (which I left in) that broke with the lines I added.

Now on the homedir creation -- is there a script that needs to be in place?

My AD is a pure Windows AD domain -- so as far as rfc2307 attributes, I'm not sure if they have been enabled in the AD to make things work, which is why I used the rid method for the idmap config.

On Wed, Nov 4, 2015 at 1:34 AM, Oliver Rath <rath at mglug.de> wrote:
> [...]

-- 
David Bear
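A quick lint for the [global] section David posted, as an added example that is not from the thread or from Samba itself. It flags two things that are easy to miss when reading a config by eye: a parameter assigned more than once (Samba silently keeps the last one, so the earlier line misleads the next editor) and idmap ranges that overlap, which would let two different SIDs be mapped to the same uid or gid. It assumes the config is passed in as a file path; the sample written by the demo at the bottom is a constructed copy of the posted parameters, and the "[homes]" handling (only [global] is checked) is a choice made here.

```shell
#!/bin/sh
# Added example (not from the thread): lint an smb.conf [global] section
# for duplicate parameters and overlapping idmap ranges.

# smb_duplicate_keys FILE
# Prints each [global] parameter that is assigned more than once.
# Samba compares parameter names case-insensitively and ignores
# whitespace, so "Template Shell" and "template shell" are the same key.
smb_duplicate_keys() {
    awk -F= '
        /^[[:space:]]*[#;]/ { next }                       # comments
        /^[[:space:]]*\[/   { sect = tolower($0); gsub(/\[|\]|[[:space:]]/, "", sect); next }
        sect == "global" && NF >= 2 {
            k = tolower($1); gsub(/[[:space:]]+/, "", k)   # normalised key
            name = tolower($1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", name)
            if (++seen[k] == 2) print name                 # report once
        }' "$1"
}

# smb_idmap_overlaps FILE
# For every "idmap config DOMAIN:range = LO-HI" line, prints
# "inverted DOMAIN" when LO > HI and "D1 D2" for each pair of domains
# whose ranges intersect. The "*" default domain is included, since a
# default range that overlaps a domain range is the classic mistake.
smb_idmap_overlaps() {
    awk -F= '
        /^[[:space:]]*[#;]/ { next }
        tolower($1) ~ /^[[:space:]]*idmap[[:space:]]+config[[:space:]]+[^:]+:[[:space:]]*range[[:space:]]*$/ {
            split($1, p, ":"); dom = p[1]; sub(/^.*[[:space:]]/, "", dom)
            split($2, r, "-"); lo = r[1] + 0; hi = r[2] + 0
            if (lo > hi) print "inverted " dom
            n++; d[n] = dom; L[n] = lo; H[n] = hi
        }
        END {
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (L[i] <= H[j] && L[j] <= H[i]) print d[i] " " d[j]
        }' "$1"
}

# --- demo on a constructed copy of the posted config (not a live file) ---
scratch=$(mktemp)
cat > "$scratch" <<'EOF'
[global]
   netbios name = HAT
   security = ADS
   realm = HA.EDU
   workgroup = HA
   idmap config *:backend = tdb
   idmap config *:range = 5000-9999
   idmap config HA:backend = rid
   idmap config HA:range = 10000-100000
   template shell = /bin/bash
   winbind nss info = template
   winbind use default domain = yes
   template homedir = /home/%U
   template shell = /bin/bash
EOF
echo "duplicate parameters:";     smb_duplicate_keys "$scratch"
echo "overlapping idmap ranges:"; smb_idmap_overlaps "$scratch"
rm -f "$scratch"
```

On the posted config this reports "template shell" and no range overlap; run it against /etc/samba/smb.conf before testparm, since testparm shows the effective value and does not tell you which of two assignments lost.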
homedir is created by pam on CentOS 6/7, edit /etc/pam.d/password-auth and add this:

session required pam_mkhomedir.so skel=/etc/skel umask=0022

On Wed, Nov 4, 2015 at 9:33 PM, David Bear <dwbear75 at gmail.com> wrote:
> [...]
Hai David,

( you have : template shell = /bin/bash twice in your config.. ) ;-)

You have : idmap config HA:backend = rid in your config, so no need for giving UID/GID to users. That's what RID is doing for you.

In Debian ( and probably Ubuntu also ) pam_mkhomedir is in the libpam-modules package, so it should be there already.

As Guilherme also said, add

session required pam_mkhomedir.so skel=/etc/skel umask=0022

to your pam config, this will create your home directory for you.

BUT one thing to remember.. You CAN'T share these folders between servers. If you want that, then you need to setup with config HA:backend = ad

When above is done. Just enable this option and restart your ssh, and test.

# GSSAPI options
GSSAPIAuthentication yes

Oh, and if you're using Debian/Ubuntu, use pam-auth-update. And put the mkhomedir line outside the managed lines of pam-auth-update. ( or create a profile file for it )

You're almost there,

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of David Bear
> Sent: Thursday 5 November 2015 0:34
> To: Oliver Rath
> CC: samba
> Subject: Re: [Samba] ssh authentication with AD
>
> [...]
On 04/11/15 23:33, David Bear wrote:
> [...]
>
> Now on the homedir creation -- is there script that needs to be in place?

OK, known problem, on Debian I would run this on the server that will hold the user's homedir i.e. the user's workstation or the machine the user connects to via ssh:

echo "session required pam_mkhomedir.so skel=/etc/skel/ umask=0022" >> /etc/pam.d/common-account

Rowland

> [...]
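Louis's two suggestions (a pam-auth-update profile for pam_mkhomedir rather than a hand-edited line, and GSSAPIAuthentication yes in sshd_config) and Rowland's append to /etc/pam.d/common-account both come down to the same two files. The example below is added here and is not from the thread, from Samba or from the Debian packaging: it generates the profile in the pam-configs format pam-auth-update reads, and checks what value sshd will actually use for a keyword, because sshd takes the first uncommented occurrence and ignores later ones. Assumed, not from the posts: the profile name "mkhomedir" and the /usr/share/pam-configs/ directory (both are arguments so the functions can be tried against a scratch directory without root); pam_mkhomedir is placed under Session: because it is a session module.

```shell
#!/bin/sh
# Added example (not from the thread): pam-auth-update profile for
# pam_mkhomedir, plus a check of the value sshd will really apply.

# write_mkhomedir_profile DIR
# Writes DIR/mkhomedir in pam-configs format and prints its path.
# pam-auth-update rewrites the block between its markers in
# /etc/pam.d/common-*, so a profile survives re-runs where a line
# hand-edited inside that block would be lost. On a real host DIR is
# /usr/share/pam-configs (assumed path).
write_mkhomedir_profile() {
    dir=$1
    mkdir -p "$dir"
    {
        echo 'Name: Create home directory on first login'
        echo 'Default: yes'
        echo 'Priority: 900'
        echo 'Session-Type: Additional'
        echo 'Session:'
        # session module: runs after auth succeeded, before the shell starts
        printf '\trequired\t\t\tpam_mkhomedir.so skel=/etc/skel umask=0022\n'
    } > "$dir/mkhomedir"
    echo "$dir/mkhomedir"
}

# sshd_effective_value FILE KEYWORD
# sshd_config: the first non-comment occurrence of a keyword wins, so a
# commented "#GSSAPIAuthentication no" does nothing, while an uncommented
# "GSSAPIAuthentication no" above your "yes" silently disables it.
# Settings inside Match blocks are conditional, so scanning stops there.
# Prints the effective value, or the built-in default when absent.
sshd_effective_value() {
    file=$1
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    val=$(awk -v k="$key" '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*Match[[:space:]]/ { exit }
        tolower($1) == k { print tolower($2); exit }
    ' "$file")
    if [ -n "$val" ]; then
        echo "$val"
    else
        case "$key" in
            gssapiauthentication|kerberosauthentication) echo no ;;
            *) echo unknown ;;
        esac
    fi
}

# --- demo against scratch files (constructed, not a real host) ---
demo_dir=$(mktemp -d)
write_mkhomedir_profile "$demo_dir/pam-configs" >/dev/null
printf '%s\n' '# GSSAPI options' '#GSSAPIAuthentication no' \
    'GSSAPIAuthentication yes' 'KerberosAuthentication no' > "$demo_dir/sshd_config"
echo "GSSAPIAuthentication     -> $(sshd_effective_value "$demo_dir/sshd_config" GSSAPIAuthentication)"
echo "KerberosAuthentication   -> $(sshd_effective_value "$demo_dir/sshd_config" KerberosAuthentication)"
rm -rf "$demo_dir"
```

After writing the profile, run pam-auth-update and confirm the pam_mkhomedir line shows up in /etc/pam.d/common-session; then check the live file with sshd_effective_value /etc/ssh/sshd_config GSSAPIAuthentication before restarting sshd, so a stray earlier "no" does not cost you another round of debugging.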
Greetings, David Bear!

> I did not enable kerberos auth in the sshd_config file..
> I didn't think I needed to if my pam stack was set to use winbind

If your PAM stack is set correctly to use winbind, and your AD is correctly populated with UNIX binds, you should be able to at least authenticate with SSH.
As has been suggested, getent passwd <username> should list your user. If it does not, you didn't set winbind correctly, or you didn't join the system to the domain.

-- 
With best regards,
Andrey Repin
Friday, November 6, 2015 03:09:45

Sorry for my terrible English...
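Andrey's getent check and Oliver's question ("where should I see shell and homedir here?") are answered by the same passwd(5) line: id prints only uid, gid and groups, while getent passwd shows all seven fields, including the home directory and shell that sshd will use. The function below is an added example, not from the thread or from Samba, that takes such a line and says whether a login would work. Assumed, not from the posts: the uid range passed in is the winbind idmap range from smb.conf (10000-100000 in David's config), so a uid outside it means the entry was resolved from /etc/passwd rather than winbind, which is what Oliver's uid=1000 shows; the sample entries in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): validate a getent passwd entry
# for a domain user before trying ssh.

# check_passwd_entry "ENTRY" MIN MAX
# ENTRY is one passwd(5) line: name:pw:uid:gid:gecos:home:shell.
# MIN-MAX is the winbind idmap range (assumed to be taken from smb.conf).
# Prints exactly one verdict token:
#   bad-format     not seven colon-separated fields, or uid not numeric
#   local-account  uid outside MIN-MAX: came from /etc/passwd, not winbind
#   no-shell       shell missing or not executable: ssh disconnects at once
#   no-home        home directory absent: login lands in / unless
#                  pam_mkhomedir creates it
#   ok
check_passwd_entry() {
    entry=$1; min=$2; max=$3
    nf=$(printf '%s\n' "$entry" | awk -F: '{print NF}')   # empty gecos still counts
    [ "$nf" -eq 7 ] || { echo bad-format; return 0; }
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    case "$uid" in
        ''|*[!0-9]*) echo bad-format; return 0 ;;
    esac
    if [ "$uid" -lt "$min" ] || [ "$uid" -gt "$max" ]; then
        echo local-account; return 0
    fi
    [ -x "$shell" ] || { echo no-shell; return 0; }
    [ -d "$home" ] || { echo no-home; return 0; }
    echo ok
}

# check_user USER MIN MAX
# Resolves USER through the real NSS stack (files, then winbind) and
# checks the result; prints not-resolved when getent finds nothing,
# which usually means winbind is not in nsswitch.conf or the box is
# not joined. Example on a live host: check_user dbear 10000 100000
check_user() {
    entry=$(getent passwd "$1") || { echo not-resolved; return 0; }
    check_passwd_entry "$entry" "$2" "$3"
}

# --- constructed entries, checked without touching the real NSS stack ---
scratch=$(mktemp -d)
for e in \
    "oliver:x:1000:1000:Oliver:/home/oliver:/bin/bash" \
    "dbear:*:10205:10001:David Bear:$scratch:/bin/sh" \
    "newuser:*:10300:10001::$scratch/missing:/bin/sh" \
    "svc:*:10400:10001::$scratch:$scratch/noshell"
do
    printf '%-10s %s\n' "${e%%:*}" "$(check_passwd_entry "$e" 10000 100000)"
done
rm -rf "$scratch"
```

The first entry is Oliver's own uid=1000 account and comes back local-account: winbind never allocates from outside its configured range, so `id oliver` succeeding proves nothing about the domain join. Pair check_user with wbinfo -u on the real machine; a user that wbinfo lists but getent does not is an nsswitch.conf problem, not a winbind one.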