samba - May 2017 - ssh not connecting to Active Directory in Fedora 25 workstation, wbinfo -u works; child_read_request: read_data failed: NT_STATUS_CONNECTION_RESET

> On May 9, 2017, at 11:15 AM, Rowland Penny via samba <samba at
lists.samba.org> wrote:
> 
> On Tue, 9 May 2017 11:00:09 -0400
> Robert Kudyba via samba <samba at lists.samba.org> wrote:
> 
>> Running Feora 25 workstation we're able to register the computer in
>> AD but I can't get SSH to authenticate properly.  wbinfo -u brings
>> back all the users. Just getting "Permission denied, please try
>> again." Below are key settings in related conf files.
>> 
>> rpm -q samba
>> samba-4.5.8-1.fc25.x86_64
>> 
>> winbindd -V
>> Version 4.5.8
>> 
>> /etc/nsswitch.conf:
>> passwd:     files winbind
>> shadow:     files
>> group:      files winbind
>> hosts:      files dns
>> 
>> /etc/samba/smb.conf:
>> [global]
>> 	workgroup = DSDEV
>> 	realm = DSDEV.LOCAL
>> 	security = ads
>> 	idmap.config *:backend	= tdb
>> 	idmap.config *:range	= 100000-199999
>> 	idmap.config DSDEV: backend	= rid
>> 	idmap.config DSDEV: range	= 1000000-4999999
>> 	winbind enum users = yes
>> 	winbind enum groups = yes
>> 	winbind separator = +
>> 	template homedir = /home/%D/%U
>> 	template shell = /bin/bash
>> #	winbind use default domain = true
>> 	winbind offline logon = true
>> 	passdb backend = tdbsam
>> 	printing = cups
>> 	printcap name = cups
>> 	load printers = yes
>> 	cups options = raw
>> #	ldap ssl ads = yes
>> #	ldap ssl = start tls
>>        client use spnego = yes
>>        client ntlmv2 auth = yes
>>        encrypt passwords = yes
>>        winbind use default domain = yes
>>        restrict anonymous = 2
>> 	log level = 3
>> 
>> /etc/krb5.conf:
>> includedir /etc/krb5.conf.d/
>> includedir /var/lib/sss/pubconf/krb5.include.d/
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>> [libdefaults]
>> default_realm = DSDEV.LOCAL
>> dns_lookup_realm = true
>> dns_lookup_kdc = true
>> rdns = false
>> ticket_lifetime = 24h
>> renew_lifetime = 7d
>> forwardable = true
>> udp_preference_limit = 0
>> default_ccache_name = KEYRING:persistent:%{uid}
>> [domain_realm]
>> .dsdev = DSDEV.LOCAL
>> dsdev = DSDEV.LOCAL
>> dsdev.local = DSDEV.LOCAL
>> .dsdev.local = DSDEV.LOCAL
>> 
>> /etc/ssh/ssd_config:
>> ChallengeResponseAuthentication no
>> KerberosAuthentication yes
>> KerberosTicketCleanup yes
>> KerberosGetAFSToken yes
>> GSSAPIAuthentication yes
>> GSSAPICleanupCredentials yes
>> 
>> /etc/resolv.conf:
>> search dsdev.local ourdomain
>> nameserver y.y.y.y.
>> nameserver x.x.x.x
>> 
>> /etc/pam.d/password-auth-ac:
>> auth        required	  pam_env.so
>> auth        [default=1 success=ok] pam_localuser.so
>> auth        [success=done ignore=ignore default=die] pam_unix.so
>> nullok try_first_pass auth        requisite     pam_succeed_if.so uid
>>> = 1000 quiet_success auth        sufficient    pam_sss.so
>>> forward_pass
>> auth        sufficient    pam_winbind.so cached_login use_first_pass
>> auth        required	  pam_deny.so
>> 
>> account     required	  pam_unix.so broken_shadow
>> account     sufficient    pam_localuser.so
>> account     sufficient    pam_succeed_if.so uid < 1000 quiet
>> account     [default=bad success=ok user_unknown=ignore] pam_sss.so
>> account     [default=bad success=ok user_unknown=ignore]
>> pam_winbind.so cached_login account     required
>> pam_permit.so
>> 
>> Some logs from log.wb-DSDEV:
>> [2017/05/09 10:05:36.038999,
>> 3] ../source3/winbindd/winbindd_ads.c:412(query_user_list) ads
>> query_user_list gave 43369 entries [2017/05/09 10:06:09.770858,
>> 3] ../source3/winbindd/winbindd_dual.c:60(child_read_request)
>> child_read_request: read_data failed: NT_STATUS_CONNECTION_RESET
>> [2017/05/09 10:09:40.556738,
>> 3] ../source3/winbindd/winbindd_ads.c:1495(sequence_number) ads:
>> fetch sequence_number for DSDEV [2017/05/09 10:09:40.557560,
>> 3] ../source3/libsmb/namequery.c:3117(get_dc_list) get_dc_list:
>> preferred server list: ", *" [2017/05/09 10:09:40.560753,
>> 3] ../source3/libads/ldap.c:618(ads_connect) Successfully contacted
>> LDAP server 172.17.132.28
>> 
>> I've scanned the previous thread here:
>>
https://urldefense.proofpoint.com/v2/url?u=https-3A__groups.google.com_forum_-23-21topic_linux.samba_XhVnPg-2DHMF8&d=DwIDaQ&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=Tz146SNyvSi-v8QAv_C3FbF_1FQ7vdd24GxAd5tsCO8&s=5eQTJ36k4Edls1CIhRVQYWgSIaKvPDl1bhYI5ERnmM0&e=
>> 
>> And I didn't compile I'm using the packages via DNF so no need
for
>> the sym links. I have log level set to 3 but I didn’t want to
>> overwhelm my post any more.
> 
> is sssd installed ?
> 
> If so, try removing it,sssd has its own version of a winbind lib and
> this can conflict with win bind.
OK I stopped it and disabled it.

> You also only need this in /etc/krb5/conf for Samba:
> 
> [libdefaults]
> default_realm = DSDEV.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = true
OK I had dns_lookup_kdc = true just changed dns_lookup_realm = false. Restarted
smb and winbind.

> The first two lines in yours have been known to confuse Samba.
Do you mean the include lines? Should I comment them out?

Still getting:
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
Permission denied, please try again.

May  9 11:32:30 our sshd[32423]: input_userauth_request: invalid user myuser
[preauth]
May  9 11:32:40 our sshd[32423]: Failed password for invalid user myuser from
x.x.x.x port 63258 ssh2

On Tue, 9 May 2017 11:34:27 -0400
Robert Kudyba <rkudyba at fordham.edu> wrote:

> > You also only need this in /etc/krb5/conf for Samba:
> > 
> > [libdefaults]
> > default_realm = DSDEV.LOCAL
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
> 
> OK I had dns_lookup_kdc = true just changed dns_lookup_realm = false.
> Restarted smb and winbind.
> 
> 
> > The first two lines in yours have been known to confuse Samba.
> 
> Do you mean the include lines? Should I comment them out?
Er no, when I said you only need what I posted, I meant that
your /etc/krb.conf should only contain the 4 lines I posted.
> 
> Still getting:
> debug2: we sent a password packet, wait for reply
> debug1: Authentications that can continue:
> publickey,gssapi-keyex,gssapi-with-mic,password Permission denied,
> please try again.
> 
> May  9 11:32:30 our sshd[32423]: input_userauth_request: invalid user
> myuser [preauth] May  9 11:32:40 our sshd[32423]: Failed password for
> invalid user myuser from x.x.x.x port 63258 ssh2
> 
If you run 'getent passwd myuser' on the machine you are trying to
connect to, do you get any output ?

Rowland

> On May 9, 2017, at 11:48 AM, Rowland Penny via samba <samba at
lists.samba.org> wrote:
> 
> On Tue, 9 May 2017 11:34:27 -0400
> Robert Kudyba <rkudyba at fordham.edu> wrote:
> 
> 
>>> You also only need this in /etc/krb5/conf for Samba:
>>> 
>>> [libdefaults]
>>> default_realm = DSDEV.LOCAL
>>> dns_lookup_realm = false
>>> dns_lookup_kdc = true
>> 
>> OK I had dns_lookup_kdc = true just changed dns_lookup_realm = false.
>> Restarted smb and winbind.
>> 
>> 
>>> The first two lines in yours have been known to confuse Samba.
>> 
>> Do you mean the include lines? Should I comment them out?
> 
> Er no, when I said you only need what I posted, I meant that
> your /etc/krb.conf should only contain the 4 lines I posted.
OK I wasn’t sure if you were referencing the "Connections to a Samba Domain
Member Fail After Adding a includedir Statement to the /etc/krb5.conf File” at
https://wiki.samba.org/index.php/Troubleshooting_Samba_Domain_Members
<https://wiki.samba.org/index.php/Troubleshooting_Samba_Domain_Members>
> If you run 'getent passwd myuser' on the machine you are trying to
> connect to, do you get any output ?
None, blank line. Are there any other services to restart other than smb,
winbind and sshd?