Robert Kudyba
2017-May-09 15:34 UTC
[Samba] ssh not connecting to Active Directory in Fedora 25 workstation, wbinfo -u works; child_read_request: read_data failed: NT_STATUS_CONNECTION_RESET
> On May 9, 2017, at 11:15 AM, Rowland Penny via samba <samba at lists.samba.org> wrote: > > On Tue, 9 May 2017 11:00:09 -0400 > Robert Kudyba via samba <samba at lists.samba.org> wrote: > >> Running Feora 25 workstation we're able to register the computer in >> AD but I can't get SSH to authenticate properly. wbinfo -u brings >> back all the users. Just getting "Permission denied, please try >> again." Below are key settings in related conf files. >> >> rpm -q samba >> samba-4.5.8-1.fc25.x86_64 >> >> winbindd -V >> Version 4.5.8 >> >> /etc/nsswitch.conf: >> passwd: files winbind >> shadow: files >> group: files winbind >> hosts: files dns >> >> /etc/samba/smb.conf: >> [global] >> workgroup = DSDEV >> realm = DSDEV.LOCAL >> security = ads >> idmap.config *:backend = tdb >> idmap.config *:range = 100000-199999 >> idmap.config DSDEV: backend = rid >> idmap.config DSDEV: range = 1000000-4999999 >> winbind enum users = yes >> winbind enum groups = yes >> winbind separator = + >> template homedir = /home/%D/%U >> template shell = /bin/bash >> # winbind use default domain = true >> winbind offline logon = true >> passdb backend = tdbsam >> printing = cups >> printcap name = cups >> load printers = yes >> cups options = raw >> # ldap ssl ads = yes >> # ldap ssl = start tls >> client use spnego = yes >> client ntlmv2 auth = yes >> encrypt passwords = yes >> winbind use default domain = yes >> restrict anonymous = 2 >> log level = 3 >> >> /etc/krb5.conf: >> includedir /etc/krb5.conf.d/ >> includedir /var/lib/sss/pubconf/krb5.include.d/ >> [logging] >> default = FILE:/var/log/krb5libs.log >> kdc = FILE:/var/log/krb5kdc.log >> admin_server = FILE:/var/log/kadmind.log >> [libdefaults] >> default_realm = DSDEV.LOCAL >> dns_lookup_realm = true >> dns_lookup_kdc = true >> rdns = false >> ticket_lifetime = 24h >> renew_lifetime = 7d >> forwardable = true >> udp_preference_limit = 0 >> default_ccache_name = KEYRING:persistent:%{uid} >> [domain_realm] >> .dsdev = DSDEV.LOCAL >> dsdev = DSDEV.LOCAL >> dsdev.local = DSDEV.LOCAL >> .dsdev.local = DSDEV.LOCAL >> >> /etc/ssh/ssd_config: >> ChallengeResponseAuthentication no >> KerberosAuthentication yes >> KerberosTicketCleanup yes >> KerberosGetAFSToken yes >> GSSAPIAuthentication yes >> GSSAPICleanupCredentials yes >> >> /etc/resolv.conf: >> search dsdev.local ourdomain >> nameserver y.y.y.y. >> nameserver x.x.x.x >> >> /etc/pam.d/password-auth-ac: >> auth required pam_env.so >> auth [default=1 success=ok] pam_localuser.so >> auth [success=done ignore=ignore default=die] pam_unix.so >> nullok try_first_pass auth requisite pam_succeed_if.so uid >>> = 1000 quiet_success auth sufficient pam_sss.so >>> forward_pass >> auth sufficient pam_winbind.so cached_login use_first_pass >> auth required pam_deny.so >> >> account required pam_unix.so broken_shadow >> account sufficient pam_localuser.so >> account sufficient pam_succeed_if.so uid < 1000 quiet >> account [default=bad success=ok user_unknown=ignore] pam_sss.so >> account [default=bad success=ok user_unknown=ignore] >> pam_winbind.so cached_login account required >> pam_permit.so >> >> Some logs from log.wb-DSDEV: >> [2017/05/09 10:05:36.038999, >> 3] ../source3/winbindd/winbindd_ads.c:412(query_user_list) ads >> query_user_list gave 43369 entries [2017/05/09 10:06:09.770858, >> 3] ../source3/winbindd/winbindd_dual.c:60(child_read_request) >> child_read_request: read_data failed: NT_STATUS_CONNECTION_RESET >> [2017/05/09 10:09:40.556738, >> 3] ../source3/winbindd/winbindd_ads.c:1495(sequence_number) ads: >> fetch sequence_number for DSDEV [2017/05/09 10:09:40.557560, >> 3] ../source3/libsmb/namequery.c:3117(get_dc_list) get_dc_list: >> preferred server list: ", *" [2017/05/09 10:09:40.560753, >> 3] ../source3/libads/ldap.c:618(ads_connect) Successfully contacted >> LDAP server 172.17.132.28 >> >> I've scanned the previous thread here: >> https://urldefense.proofpoint.com/v2/url?u=https-3A__groups.google.com_forum_-23-21topic_linux.samba_XhVnPg-2DHMF8&d=DwIDaQ&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=Tz146SNyvSi-v8QAv_C3FbF_1FQ7vdd24GxAd5tsCO8&s=5eQTJ36k4Edls1CIhRVQYWgSIaKvPDl1bhYI5ERnmM0&e= >> >> And I didn't compile I'm using the packages via DNF so no need for >> the sym links. I have log level set to 3 but I didn’t want to >> overwhelm my post any more. > > is sssd installed ? > > If so, try removing it,sssd has its own version of a winbind lib and > this can conflict with win bind.OK I stopped it and disabled it.> You also only need this in /etc/krb5/conf for Samba: > > [libdefaults] > default_realm = DSDEV.LOCAL > dns_lookup_realm = false > dns_lookup_kdc = trueOK I had dns_lookup_kdc = true just changed dns_lookup_realm = false. Restarted smb and winbind.> The first two lines in yours have been known to confuse Samba.Do you mean the include lines? Should I comment them out? Still getting: debug2: we sent a password packet, wait for reply debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password Permission denied, please try again. May 9 11:32:30 our sshd[32423]: input_userauth_request: invalid user myuser [preauth] May 9 11:32:40 our sshd[32423]: Failed password for invalid user myuser from x.x.x.x port 63258 ssh2
Rowland Penny
2017-May-09 15:48 UTC
[Samba] ssh not connecting to Active Directory in Fedora 25 workstation, wbinfo -u works; child_read_request: read_data failed: NT_STATUS_CONNECTION_RESET
On Tue, 9 May 2017 11:34:27 -0400 Robert Kudyba <rkudyba at fordham.edu> wrote:> > You also only need this in /etc/krb5/conf for Samba: > > > > [libdefaults] > > default_realm = DSDEV.LOCAL > > dns_lookup_realm = false > > dns_lookup_kdc = true > > OK I had dns_lookup_kdc = true just changed dns_lookup_realm = false. > Restarted smb and winbind. > > > > The first two lines in yours have been known to confuse Samba. > > Do you mean the include lines? Should I comment them out?Er no, when I said you only need what I posted, I meant that your /etc/krb.conf should only contain the 4 lines I posted.> > Still getting: > debug2: we sent a password packet, wait for reply > debug1: Authentications that can continue: > publickey,gssapi-keyex,gssapi-with-mic,password Permission denied, > please try again. > > May 9 11:32:30 our sshd[32423]: input_userauth_request: invalid user > myuser [preauth] May 9 11:32:40 our sshd[32423]: Failed password for > invalid user myuser from x.x.x.x port 63258 ssh2 >If you run 'getent passwd myuser' on the machine you are trying to connect to, do you get any output ? Rowland
Robert Kudyba
2017-May-09 15:55 UTC
[Samba] ssh not connecting to Active Directory in Fedora 25 workstation, wbinfo -u works; child_read_request: read_data failed: NT_STATUS_CONNECTION_RESET
> On May 9, 2017, at 11:48 AM, Rowland Penny via samba <samba at lists.samba.org> wrote: > > On Tue, 9 May 2017 11:34:27 -0400 > Robert Kudyba <rkudyba at fordham.edu> wrote: > > >>> You also only need this in /etc/krb5/conf for Samba: >>> >>> [libdefaults] >>> default_realm = DSDEV.LOCAL >>> dns_lookup_realm = false >>> dns_lookup_kdc = true >> >> OK I had dns_lookup_kdc = true just changed dns_lookup_realm = false. >> Restarted smb and winbind. >> >> >>> The first two lines in yours have been known to confuse Samba. >> >> Do you mean the include lines? Should I comment them out? > > Er no, when I said you only need what I posted, I meant that > your /etc/krb.conf should only contain the 4 lines I posted.OK I wasn’t sure if you were referencing the "Connections to a Samba Domain Member Fail After Adding a includedir Statement to the /etc/krb5.conf File” at https://wiki.samba.org/index.php/Troubleshooting_Samba_Domain_Members <https://wiki.samba.org/index.php/Troubleshooting_Samba_Domain_Members>> If you run 'getent passwd myuser' on the machine you are trying to > connect to, do you get any output ?None, blank line. Are there any other services to restart other than smb, winbind and sshd?
Possibly Parallel Threads
- ssh not connecting to Active Directory in Fedora 25 workstation, wbinfo -u works; child_read_request: read_data failed: NT_STATUS_CONNECTION_RESET
- ssh not connecting to Active Directory in Fedora 25 workstation, wbinfo -u works; child_read_request: read_data failed: NT_STATUS_CONNECTION_RESET
- ssh not connecting to Active Directory in Fedora 25 workstation, wbinfo -u works; child_read_request: read_data failed: NT_STATUS_CONNECTION_RESET
- ssh not connecting to Active Directory in Fedora 25 workstation, wbinfo -u works; child_read_request: read_data failed: NT_STATUS_CONNECTION_RESET
- configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed