On 10/06/16 12:47, Kaplan, Andrew H. wrote:
> Hello --
>
> I started a thread on the list that you suggested in your e-mail, and thank-you for the reference.
>
> Also, I checked the auth.log file on the server, and the following entries were present:
>
> I checked the auth.log file, and the following entries were present:
>
> Jun 10 07:10:50 <samba server> sshd[7419]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<fqdn> user=<username>@<domainname>
> Jun 10 07:10:51 <samba server> sshd[7419]: pam_winbind(sshd:auth): getting password (0x00000388)
> Jun 10 07:10:51 <samba server> sshd[7419]: pam_winbind(sshd:auth): pam_get_item returned a password
> Jun 10 07:10:51 <samba server> sshd[7419]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<fqdn> user=username>@<domainname>
> Jun 10 07:10:51 <samba server> sshd[7419]: pam_sss(sshd:auth): received for user username>@<domainname> 17 (Failure setting user credentials)
> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: could not open secret file /etc/ldap.secret (No such file or directory)
> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: ldap_simple_bind Can't contact LDAP server
> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: reconnecting to LDAP server...
> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: ldap_simple_bind Can't contact LDAP server
> Jun 10 07:10:53 <samba server> sshd[7419]: Failed password for invalid user username>@<domainname>from <ip address> port 49847 ssh2
As Sumit has said, this should be on the sssd mailing list.
From your log fragment, it looks like you have the winbind and ldap PAM packages installed, you do not need them.
Rowland
Kaplan, Andrew H.
2016-Jun-10 12:46 UTC
[Samba] Problem with Active Directory authentication
Hello --
The winbind packages that are installed on the server are the following:
Package                                             Description
libnss-winbind  4.3.9+dfsg-0ubuntu0.14.04.3  amd64  Samba nameservice integration plugins
libpam-winbind  4.3.9+dfsg-0ubuntu0.14.04.3  amd64  Windows domain authentication integration plugin
libwbclient0    4.3.9+dfsg-0ubuntu0.14.04.3  amd64  Samba winbind client library
winbind         4.3.9+dfsg-0ubuntu0.14.04.3  amd64  service to resolve user and group information from Windows NT servers
Similarly, the ldap PAM packages are as follows:
Package                                           Description
ldap-auth-client  0.5.3                    all    meta-package for LDAP authentication
ldap-auth-config  0.5.3                    all    Config package for LDAP authentication
ldap-utils        2.4.31-1+nmu2ubuntu8.2   amd64  OpenLDAP utilities
libldap-2.4-2     2.4.31-1+nmu2ubuntu8.2   amd64  OpenLDAP libraries
libldb1           1.1.24-0ubuntu0.14.04.1  amd64  LDAP-like embedded database - shared library
libnss-ldap       264-2.2ubuntu4.14.04.1   amd64  NSS module for using LDAP as a naming service
libpam-ldap       184-8.5ubuntu3           amd64  Pluggable Authentication Module for LDAP
sssd-ldap         1.11.5-1ubuntu3          amd64  System Security Services Daemon -- LDAP back end
Finally, the sssd packages are the following:
Package                                   Description
libsss-idmap0     1.11.5-1ubuntu3  amd64  ID mapping library for SSSD
sssd              1.11.5-1ubuntu3  amd64  System Security Services Daemon -- metapackage
sssd-ad           1.11.5-1ubuntu3  amd64  System Security Services Daemon -- Active Directory back end
sssd-ad-common    1.11.5-1ubuntu3  amd64  System Security Services Daemon -- PAC responder
sssd-common       1.11.5-1ubuntu3  amd64  System Security Services Daemon -- common files
sssd-ipa          1.11.5-1ubuntu3  amd64  System Security Services Daemon -- IPA back end
sssd-krb5         1.11.5-1ubuntu3  amd64  System Security Services Daemon -- Kerberos back end
sssd-krb5-common  1.11.5-1ubuntu3  amd64  System Security Services Daemon -- Kerberos helpers
sssd-ldap         1.11.5-1ubuntu3  amd64  System Security Services Daemon -- LDAP back end
sssd-proxy        1.11.5-1ubuntu3  amd64  System Security Services Daemon -- proxy back end
sssd-tools        1.11.5-1ubuntu3  amd64  System Security Services Daemon -- tools
Will removing all packages for the first two groups solve this problem?
From: samba [samba-bounces at lists.samba.org] on behalf of Rowland penny [rpenny at samba.org]
Sent: Friday, June 10, 2016 8:29 AM
To: samba at lists.samba.org
Subject: Re: [Samba] Problem with Active Directory authentication
On 10/06/16 12:47, Kaplan, Andrew H. wrote:
> Hello --
>
> I started a thread on the list that you suggested in your e-mail, and thank-you for the reference.
>
> Also, I checked the auth.log file on the server, and the following entries were present:
>
> I checked the auth.log file, and the following entries were present:
>
> Jun 10 07:10:50 <samba server> sshd[7419]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<fqdn> user=<username>@<domainname>
> Jun 10 07:10:51 <samba server> sshd[7419]: pam_winbind(sshd:auth): getting password (0x00000388)
> Jun 10 07:10:51 <samba server> sshd[7419]: pam_winbind(sshd:auth): pam_get_item returned a password
> Jun 10 07:10:51 <samba server> sshd[7419]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<fqdn> user=username>@<domainname>
> Jun 10 07:10:51 <samba server> sshd[7419]: pam_sss(sshd:auth): received for user username>@<domainname> 17 (Failure setting user credentials)
> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: could not open secret file /etc/ldap.secret (No such file or directory)
> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: ldap_simple_bind Can't contact LDAP server
> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: reconnecting to LDAP server...
> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: ldap_simple_bind Can't contact LDAP server
> Jun 10 07:10:53 <samba server> sshd[7419]: Failed password for invalid user username>@<domainname>from <ip address> port 49847 ssh2
>
>
> ________________________________________
> From: Sumit Bose [sbose at redhat.com]
> Sent: Friday, June 10, 2016 4:44 AM
> To: Kaplan, Andrew H.
> Cc: samba-technical at lists.samba.org; samba at lists.samba.org
> Subject: Re: Problem with Active Directory authentication
>
> On Wed, Jun 08, 2016 at 07:46:00PM +0000, Kaplan, Andrew H. wrote:
>> Hello --
>>
>> We are running the 14.04.3 LTS 64-bit release as a virtual machine on a VMware appliance. The goal of the installation is to create a Samba server that utilizes Active Directory authentication. To that end I utilized the following procedure:
>>
>> http://www.kiloroot.com/add-ubuntu-1...n-credentials/<http://www.kiloroot.com/add-ubuntu-14-04-server-or-desktop-to-microsoft-active-directory-domain-login-to-unity-with-domain-credentials/>
>>
>> Afterwards, I referenced the following documentation to confirm that all configuration files had the appropriate entries:
>>
>> https://help.ubuntu.com/lts/serverguide/sssd-ad.html
> The sssd-users list
> https://lists.fedorahosted.org/archives/list/sssd-users at lists.fedorahosted.org/
> might be more appropriate for your question.
>
> As a general comment, the PAM configuration is important here. Please
> check the system logs which PAM module was consulted during the login
> attempt and which cause the rejection.
>
> HTH
>
> bye,
> Sumit
>
>> The problem is the following: I am unable to log into the server from the console or via SSH using my Active Directory user account. The syntax that I use when doing an SSH connection is the following:
>>
>> ssh -v -l <username>@<domainname> <fully qualified domain name>
>>
>> The output that was generated is the following:
>>
>> OpenSSH_6.0p1 Debian-4, OpenSSL 1.0.1e 11 Feb 2013
>> debug1: Reading configuration data /etc/ssh/ssh_config
>> debug1: /etc/ssh/ssh_config line 19: Applying options for *
>> debug1: Connecting to <fully qualified domain name> [<ip address>] port 22.
>> debug1: Connection established.
>> debug1: identity file /home/knoppix/.ssh/id_rsa type -1
>> debug1: identity file /home/knoppix/.ssh/id_rsa-cert type -1
>> debug1: identity file /home/knoppix/.ssh/id_dsa type -1
>> debug1: identity file /home/knoppix/.ssh/id_dsa-cert type -1
>> debug1: identity file /home/knoppix/.ssh/id_ecdsa type -1
>> debug1: identity file /home/knoppix/.ssh/id_ecdsa-cert type -1
>> debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.7
>> debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.7 pat OpenSSH*
>> debug1: Enabling compatibility mode for protocol 2.0
>> debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4
>> debug1: SSH2_MSG_KEXINIT sent
>> debug1: SSH2_MSG_KEXINIT received
>> debug1: kex: server->client aes128-ctr hmac-md5 none
>> debug1: kex: client->server aes128-ctr hmac-md5 none
>> debug1: sending SSH2_MSG_KEX_ECDH_INIT
>> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
>> debug1: Server host key: ECDSA ec:09:c1:bc:d0:11:f3:8c:45:3f:dd:3a:96:ba:2a:17
>> debug1: Host '<fully qualified domain name>' is known and matches the ECDSA host key.
>> debug1: Found key in /home/knoppix/.ssh/known_hosts:29
>> debug1: ssh_ecdsa_verify: signature correct
>> debug1: SSH2_MSG_NEWKEYS sent
>> debug1: expecting SSH2_MSG_NEWKEYS
>> debug1: SSH2_MSG_NEWKEYS received
>> debug1: Roaming not allowed by server
>> debug1: SSH2_MSG_SERVICE_REQUEST sent
>> debug1: SSH2_MSG_SERVICE_ACCEPT received
>> debug1: Authentications that can continue: publickey,password
>> debug1: Next authentication method: publickey
>> debug1: Trying private key: /home/knoppix/.ssh/id_rsa
>> debug1: Trying private key: /home/knoppix/.ssh/id_dsa
>> debug1: Trying private key: /home/knoppix/.ssh/id_ecdsa
>> debug1: Next authentication method: password
>> <username>@<domainname>@<fully qualified domain name>'s password:
>> Connection closed by <ip address>
>>
>> Does anyone have thoughts on this?
>>
>> Thanks.
As Sumit has said, this should be on the sssd mailing list.
From your log fragment, it looks like you have the winbind and ldap PAM
packages installed, you do not need them.
Rowland
On 10/06/16 13:46, Kaplan, Andrew H. wrote:
> Hello --
>
> The winbind packages that are installed on the server are the following:
>
> Package                                             Description
> libnss-winbind  4.3.9+dfsg-0ubuntu0.14.04.3  amd64  Samba nameservice integration plugins
> libpam-winbind  4.3.9+dfsg-0ubuntu0.14.04.3  amd64  Windows domain authentication integration plugin
> libwbclient0    4.3.9+dfsg-0ubuntu0.14.04.3  amd64  Samba winbind client library
> winbind         4.3.9+dfsg-0ubuntu0.14.04.3  amd64  service to resolve user and group information from Windows NT servers
>
> Similarly, the ldap PAM packages are as follows:
>
> Package                                           Description
> ldap-auth-client  0.5.3                    all    meta-package for LDAP authentication
> ldap-auth-config  0.5.3                    all    Config package for LDAP authentication
> ldap-utils        2.4.31-1+nmu2ubuntu8.2   amd64  OpenLDAP utilities
> libldap-2.4-2     2.4.31-1+nmu2ubuntu8.2   amd64  OpenLDAP libraries
> libldb1           1.1.24-0ubuntu0.14.04.1  amd64  LDAP-like embedded database - shared library
> libnss-ldap       264-2.2ubuntu4.14.04.1   amd64  NSS module for using LDAP as a naming service
> libpam-ldap       184-8.5ubuntu3           amd64  Pluggable Authentication Module for LDAP
> sssd-ldap         1.11.5-1ubuntu3          amd64  System Security Services Daemon -- LDAP back end
>
> Finally, the sssd packages are the following:
>
> Package                                   Description
> libsss-idmap0     1.11.5-1ubuntu3  amd64  ID mapping library for SSSD
> sssd              1.11.5-1ubuntu3  amd64  System Security Services Daemon -- metapackage
> sssd-ad           1.11.5-1ubuntu3  amd64  System Security Services Daemon -- Active Directory back end
> sssd-ad-common    1.11.5-1ubuntu3  amd64  System Security Services Daemon -- PAC responder
> sssd-common       1.11.5-1ubuntu3  amd64  System Security Services Daemon -- common files
> sssd-ipa          1.11.5-1ubuntu3  amd64  System Security Services Daemon -- IPA back end
> sssd-krb5         1.11.5-1ubuntu3  amd64  System Security Services Daemon -- Kerberos back end
> sssd-krb5-common  1.11.5-1ubuntu3  amd64  System Security Services Daemon -- Kerberos helpers
> sssd-ldap         1.11.5-1ubuntu3  amd64  System Security Services Daemon -- LDAP back end
> sssd-proxy        1.11.5-1ubuntu3  amd64  System Security Services Daemon -- proxy back end
> sssd-tools        1.11.5-1ubuntu3  amd64  System Security Services Daemon -- tools
>
> Will removing all packages for the first two groups solve this problem?
I am not entirely sure, what I can say is that you are using three different methods of authentication, winbindd, ldap and sssd, surely you don't need all three?
If you decide to use sssd, then ask on their mailing list what sssd packages you need and what you should remove.
If you decide to use LDAP, then this probably entails using nslcd, find their mailing list and ask them.
If you decide to use winbindd (the Samba recommended way), then this is the place to ask and I would suggest you have a look here:
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
Rowland
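
Added example, not written by any participant in the thread and not Samba or SSSD code: the check Sumit asks for (which PAM modules were consulted and which ones rejected the login) and Rowland's observation about three competing authentication methods can both be read mechanically from auth.log. The Python below groups log lines by sshd process and summarises each module; the sample log is constructed from the fragment quoted above with placeholder host, user and address, and the failure-wording pattern is a heuristic assumption.

```python
import re

# Constructed sample modelled on the auth.log fragment quoted in the thread;
# host name, user and addresses are placeholders.
SAMPLE_LOG = """\
Jun 10 07:10:50 fs01 sshd[7419]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=client.example.test  user=jdoe@example.test
Jun 10 07:10:51 fs01 sshd[7419]: pam_winbind(sshd:auth): getting password (0x00000388)
Jun 10 07:10:51 fs01 sshd[7419]: pam_winbind(sshd:auth): pam_get_item returned a password
Jun 10 07:10:51 fs01 sshd[7419]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=client.example.test user=jdoe@example.test
Jun 10 07:10:51 fs01 sshd[7419]: pam_sss(sshd:auth): received for user jdoe@example.test: 17 (Failure setting user credentials)
Jun 10 07:10:51 fs01 sshd[7419]: pam_ldap: could not open secret file /etc/ldap.secret (No such file or directory)
Jun 10 07:10:51 fs01 sshd[7419]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jun 10 07:10:51 fs01 sshd[7419]: pam_ldap: reconnecting to LDAP server...
Jun 10 07:10:51 fs01 sshd[7419]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jun 10 07:10:53 fs01 sshd[7419]: Failed password for invalid user jdoe@example.test from 192.0.2.10 port 49847 ssh2
"""

LINE = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\s(\S+?)\[(\d+)\]:\s(.*)$")
PAM = re.compile(r"^(pam_\w+)(?:\([^)]*\))?: (.*)$")
VERDICT = re.compile(r"^(Accepted|Failed) (\S+) for (invalid user )?(\S+)")
# Heuristic (assumption): wording the modules in this log use when they fail.
FAILURE = re.compile(r"failure|could not|can't contact|denied", re.I)
# PAM modules that each authenticate against a different identity backend.
BACKENDS = ("pam_winbind", "pam_sss", "pam_ldap")


def parse_sessions(text):
    """Return {(program, pid): summary} for every login attempt in the log."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        program, pid, msg = m.group(1), int(m.group(2)), m.group(3)
        s = sessions.setdefault((program, pid), {
            "modules": [], "failed": {}, "result": None, "invalid_user": False})
        pam = PAM.match(msg)
        if pam:
            module, detail = pam.groups()
            if module not in s["modules"]:
                s["modules"].append(module)      # keep consultation order
            if FAILURE.search(detail):
                s["failed"].setdefault(module, []).append(detail)
            continue
        v = VERDICT.match(msg)
        if v:
            s["result"] = v.group(1)
            # sshd writes "invalid user" when it did not accept the account
            # name itself (unknown to NSS or not allowed by sshd_config).
            s["invalid_user"] = bool(v.group(3))
    return sessions


def competing_backends(session):
    """Directory-backed PAM modules that were all consulted for one login."""
    return [m for m in session["modules"] if m in BACKENDS]


def report(text):
    """Human-readable summary: one block per sshd process."""
    lines = []
    for (program, pid), s in parse_sessions(text).items():
        lines.append(f"{program}[{pid}]: result={s['result']} "
                     f"invalid_user={s['invalid_user']}")
        for module in s["modules"]:
            errs = s["failed"].get(module)
            status = "FAILED: " + errs[-1] if errs else "no failure logged"
            lines.append(f"  {module:12} {status}")
        stack = competing_backends(s)
        if len(stack) > 1:
            lines.append("  more than one directory backend in the stack: "
                         + ", ".join(stack))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the sample, pam_unix, pam_sss and pam_ldap all log failures, pam_winbind logs none, and the final sshd line carries "invalid user", which points at account lookup rather than only at the password check.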