Robert Kudyba
2017-May-09 15:00 UTC
[Samba] ssh not connecting to Active Directory in Fedora 25 workstation, wbinfo -u works; child_read_request: read_data failed: NT_STATUS_CONNECTION_RESET
Running Fedora 25 workstation we're able to register the computer in AD but I can't get SSH to authenticate properly. wbinfo -u brings back all the users. Just getting "Permission denied, please try again." Below are key settings in related conf files.

rpm -q samba
samba-4.5.8-1.fc25.x86_64

winbindd -V
Version 4.5.8

/etc/nsswitch.conf:
passwd: files winbind
shadow: files
group: files winbind
hosts: files dns

/etc/samba/smb.conf:
[global]
workgroup = DSDEV
realm = DSDEV.LOCAL
security = ads
idmap.config *:backend = tdb
idmap.config *:range = 100000-199999
idmap.config DSDEV: backend = rid
idmap.config DSDEV: range = 1000000-4999999
winbind enum users = yes
winbind enum groups = yes
winbind separator = +
template homedir = /home/%D/%U
template shell = /bin/bash
# winbind use default domain = true
winbind offline logon = true
passdb backend = tdbsam
printing = cups
printcap name = cups
load printers = yes
cups options = raw
# ldap ssl ads = yes
# ldap ssl = start tls
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
winbind use default domain = yes
restrict anonymous = 2
log level = 3

/etc/krb5.conf:
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DSDEV.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[domain_realm]
.dsdev = DSDEV.LOCAL
dsdev = DSDEV.LOCAL
dsdev.local = DSDEV.LOCAL
.dsdev.local = DSDEV.LOCAL

/etc/ssh/sshd_config:
ChallengeResponseAuthentication no
KerberosAuthentication yes
KerberosTicketCleanup yes
KerberosGetAFSToken yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

/etc/resolv.conf:
search dsdev.local ourdomain
nameserver y.y.y.y
nameserver x.x.x.x

/etc/pam.d/password-auth-ac:
auth required pam_env.so
auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth sufficient pam_winbind.so cached_login use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
account required pam_permit.so

Some logs from log.wb-DSDEV:
[2017/05/09 10:05:36.038999, 3] ../source3/winbindd/winbindd_ads.c:412(query_user_list)
  ads query_user_list gave 43369 entries
[2017/05/09 10:06:09.770858, 3] ../source3/winbindd/winbindd_dual.c:60(child_read_request)
  child_read_request: read_data failed: NT_STATUS_CONNECTION_RESET
[2017/05/09 10:09:40.556738, 3] ../source3/winbindd/winbindd_ads.c:1495(sequence_number)
  ads: fetch sequence_number for DSDEV
[2017/05/09 10:09:40.557560, 3] ../source3/libsmb/namequery.c:3117(get_dc_list)
  get_dc_list: preferred server list: ", *"
[2017/05/09 10:09:40.560753, 3] ../source3/libads/ldap.c:618(ads_connect)
  Successfully contacted LDAP server 172.17.132.28

I've scanned the previous thread here:
https://groups.google.com/forum/#!topic/linux.samba/XhVnPg-HMF8

And I didn't compile, I'm using the packages via DNF so no need for the sym links. I have log level set to 3 but I didn't want to overwhelm my post any more.
Rowland Penny
2017-May-09 15:15 UTC
[Samba] ssh not connecting to Active Directory in Fedora 25 workstation, wbinfo -u works; child_read_request: read_data failed: NT_STATUS_CONNECTION_RESET
On Tue, 9 May 2017 11:00:09 -0400
Robert Kudyba via samba <samba at lists.samba.org> wrote:

> Running Fedora 25 workstation we're able to register the computer in
> AD but I can't get SSH to authenticate properly. wbinfo -u brings
> back all the users. Just getting "Permission denied, please try
> again." Below are key settings in related conf files.
>
> [...]
>
> And I didn't compile, I'm using the packages via DNF so no need for
> the sym links. I have log level set to 3 but I didn't want to
> overwhelm my post any more.

Is sssd installed?
If so, try removing it; sssd has its own version of a winbind lib and this can conflict with winbind.

You also only need this in /etc/krb5.conf for Samba:

[libdefaults]
default_realm = DSDEV.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true

The first two lines in yours have been known to confuse Samba.

Rowland
Robert Kudyba
2017-May-09 15:34 UTC
[Samba] ssh not connecting to Active Directory in Fedora 25 workstation, wbinfo -u works; child_read_request: read_data failed: NT_STATUS_CONNECTION_RESET
> On May 9, 2017, at 11:15 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> On Tue, 9 May 2017 11:00:09 -0400
> Robert Kudyba via samba <samba at lists.samba.org> wrote:
>
>> Running Fedora 25 workstation we're able to register the computer in
>> AD but I can't get SSH to authenticate properly. wbinfo -u brings
>> back all the users. Just getting "Permission denied, please try
>> again." Below are key settings in related conf files.
>>
>> [...]
>>
>> I've scanned the previous thread here:
>> https://groups.google.com/forum/#!topic/linux.samba/XhVnPg-HMF8
>>
>> And I didn't compile, I'm using the packages via DNF so no need for
>> the sym links. I have log level set to 3 but I didn't want to
>> overwhelm my post any more.
>
> Is sssd installed?
>
> If so, try removing it; sssd has its own version of a winbind lib and
> this can conflict with winbind.

OK, I stopped it and disabled it.

> You also only need this in /etc/krb5.conf for Samba:
>
> [libdefaults]
> default_realm = DSDEV.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = true

OK, I had dns_lookup_kdc = true; I just changed dns_lookup_realm = false. Restarted smb and winbind.

> The first two lines in yours have been known to confuse Samba.

Do you mean the include lines? Should I comment them out?

Still getting:

debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
Permission denied, please try again.

May 9 11:32:30 our sshd[32423]: input_userauth_request: invalid user myuser [preauth]
May 9 11:32:40 our sshd[32423]: Failed password for invalid user myuser from x.x.x.x port 63258 ssh2
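An added example, not from the thread or from the Samba project: a small set of offline checks covering Rowland's two suggestions (sssd still wired in via pam_sss.so, the krb5.conf [libdefaults] and includedir lines) plus the nsswitch order, and a classifier for the sshd lines Robert posted last. The function names and the sample files are assumptions constructed from the values quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): offline checks for the points raised
# above, meant to run against copies of the real files.

# nsswitch.conf must send both passwd and group lookups through winbind;
# sshd logs "invalid user" when getpwnam() fails, i.e. before PAM is consulted.
nss_uses_winbind() {                               # $1 = nsswitch.conf path
    awk '$1=="passwd:" && /winbind/ {p=1}
         $1=="group:"  && /winbind/ {g=1}
         END {exit !(p && g)}' "$1"
}

# pam_sss.so still in the stack means sssd is still wired in, which is the
# winbind conflict Rowland describes.
pam_uses_sss() {                                   # $1 = PAM file path
    grep -Eq '^[[:space:]]*(auth|account)[[:space:]].*pam_sss\.so' "$1"
}

# [libdefaults] should carry dns_lookup_realm = false and dns_lookup_kdc = true;
# includedir lines are the ones said to confuse Samba, so they count as a miss.
krb5_libdefaults_ok() {                            # $1 = krb5.conf path
    awk 'BEGIN {s=0; inc=0}
         /^[ \t]*\[/ { s = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
         /^[ \t]*includedir[ \t]/ { inc++ }
         s { l=$0; gsub(/[ \t]/, "", l); n=split(l, kv, "=")
             if (n==2 && kv[1]=="dns_lookup_realm") r=kv[2]
             if (n==2 && kv[1]=="dns_lookup_kdc")   k=kv[2] }
         END { exit !(r=="false" && k=="true" && inc==0) }' "$1"
}

# Classify one sshd log line: "invalid user" means the name never resolved
# through NSS (or sshd's own user checks rejected it); "bad-auth" means the
# user resolved and only the password/PAM stage failed.
sshd_failure_kind() {                              # $1 = one sshd log line
    case "$1" in
        *"invalid user"*)        echo unknown-user ;;
        *"Failed password for"*) echo bad-auth ;;
        *)                       echo other ;;
    esac
}

# Constructed samples using the values posted in the thread.
tmp=$(mktemp -d)
printf 'passwd: files winbind\nshadow: files\ngroup: files winbind\n' > "$tmp/nsswitch.conf"
printf 'includedir /etc/krb5.conf.d/\n[libdefaults]\ndefault_realm = DSDEV.LOCAL\ndns_lookup_realm = true\ndns_lookup_kdc = true\n' > "$tmp/krb5.conf"
nss_uses_winbind "$tmp/nsswitch.conf" && echo "nsswitch.conf: winbind in passwd and group"
krb5_libdefaults_ok "$tmp/krb5.conf" || echo "krb5.conf: includedir and dns_lookup_realm = true as posted"
sshd_failure_kind 'May 9 11:32:30 our sshd[32423]: input_userauth_request: invalid user myuser [preauth]'
rm -rf "$tmp"
```

Run it against copies of the live files; an "unknown-user" result for the sshd line means the name lookup, not the PAM password stage, is where to look first.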