Mark Foley
2018-Dec-01 11:26 UTC
[Samba] Cannot log into Samba4 AD/DC with ssh as domain user
From either a Linux or Mac domain member, I have tried logging into the Samba4 AD server as a domain user:

labmac:~ mark$ ssh mark@mail pwd
mark@mail's password:
Permission denied, please try again.

where 'mail' is the AD/DC.

It also fails if I am on the AD/DC and try the same ssh.

I've tried setting either the GSSAPIAuthentication or KerberosAuthentication in /etc/ssh/sshd_config, but those don't help. I get:

Dec 1 06:09:19 mail sshd[8645]: rexec line 89: Unsupported option GSSAPIAuthentication
Dec 1 06:09:19 mail sshd[8645]: reprocess config line 89: Unsupported option GSSAPIAuthentication
Dec 1 06:09:22 mail sshd[8645]: Failed password for mark from 192.168.0.61 port 55802 ssh2
Dec 1 06:09:24 mail sshd[8645]: Connection closed by 192.168.0.61 port 55802 [preauth]

Dec 1 06:16:54 mail sshd[21898]: rexec line 83: Unsupported option KerberosAuthentication
Dec 1 06:16:54 mail sshd[21898]: reprocess config line 83: Unsupported option KerberosAuthentication
Dec 1 06:16:57 mail sshd[21898]: Failed password for mark from 192.168.0.61 port 55809 ssh2
Dec 1 06:17:00 mail sshd[21898]: Connection closed by 192.168.0.61 port 55809 [preauth]

The AD/DC host is Slackware and does not have PAM.

Note that I can log in from the AD to the Linux domain member as a domain user.

Is there a way to get domain users to ssh into the AD? They do have home directories on this server?

THX --Mark
Rowland Penny
2018-Dec-01 12:09 UTC
[Samba] Cannot log into Samba4 AD/DC with ssh as domain user
On Sat, 01 Dec 2018 06:26:42 -0500 Mark Foley via samba <samba@lists.samba.org> wrote:

> From either a Linux or Mac domain member, I have tried logging into
> the Samba4 AD server as a domain user:
>
> labmac:~ mark$ ssh mark@mail pwd
> mark@mail's password:
> Permission denied, please try again.
>
> where 'mail' is the AD/DC.
>
> It also fails if I am on the AD/DC and try the same ssh.
>
> I've tried setting either the GSSAPIAuthentication or
> KerberosAuthentication in /etc/ssh/sshd_config, but those don't help.
> I get:
>
> Dec 1 06:09:19 mail sshd[8645]: rexec line 89: Unsupported option GSSAPIAuthentication
> Dec 1 06:09:19 mail sshd[8645]: reprocess config line 89: Unsupported option GSSAPIAuthentication
> Dec 1 06:09:22 mail sshd[8645]: Failed password for mark from 192.168.0.61 port 55802 ssh2
> Dec 1 06:09:24 mail sshd[8645]: Connection closed by 192.168.0.61 port 55802 [preauth]
>
> Dec 1 06:16:54 mail sshd[21898]: rexec line 83: Unsupported option KerberosAuthentication
> Dec 1 06:16:54 mail sshd[21898]: reprocess config line 83: Unsupported option KerberosAuthentication
> Dec 1 06:16:57 mail sshd[21898]: Failed password for mark from 192.168.0.61 port 55809 ssh2
> Dec 1 06:17:00 mail sshd[21898]: Connection closed by 192.168.0.61 port 55809 [preauth]
>
> The AD/DC host is Slackware and does not have PAM.
>
> Note that I can log in from the AD to the Linux domain member as a
> domain user.
>
> Is there a way to get domain users to ssh into the AD? They do
> have home directories on this server?
>
> THX --Mark

Have you set up the libnss-winbind links ?
Or to put it another way, does 'getent passwd mark' produce output when run on the DC ?

Rowland
Rowland Penny
2018-Dec-01 21:15 UTC
[Samba] Cannot log into Samba4 AD/DC with ssh as domain user
On Sat, 01 Dec 2018 15:23:36 -0500 Mark Foley <mfoley@ohprs.org> wrote:

> On Sat, 1 Dec 2018 12:09:18 Rowland Penny wrote:
> >
> > On Sat, 01 Dec 2018 06:26:42 -0500
> > Mark Foley via samba <samba@lists.samba.org> wrote:
> >
> > > From either a Linux or Mac domain member, I have tried logging
> > > into the Samba4 AD server as a domain user:
> > >
> > > labmac:~ mark$ ssh mark@mail pwd
> > > mark@mail's password:
> > > Permission denied, please try again.
> > >
> > > where 'mail' is the AD/DC.
> > >
> > > It also fails if I am on the AD/DC and try the same ssh.
> > >
> > > I've tried setting either the GSSAPIAuthentication or
> > > KerberosAuthentication in /etc/ssh/sshd_config, but those don't
> > > help. I get:
> > >
> > > Dec 1 06:09:19 mail sshd[8645]: rexec line 89: Unsupported option GSSAPIAuthentication
> > > Dec 1 06:09:19 mail sshd[8645]: reprocess config line 89: Unsupported option GSSAPIAuthentication
> > > Dec 1 06:09:22 mail sshd[8645]: Failed password for mark from 192.168.0.61 port 55802 ssh2
> > > Dec 1 06:09:24 mail sshd[8645]: Connection closed by 192.168.0.61 port 55802 [preauth]
> > >
> > > Dec 1 06:16:54 mail sshd[21898]: rexec line 83: Unsupported option KerberosAuthentication
> > > Dec 1 06:16:54 mail sshd[21898]: reprocess config line 83: Unsupported option KerberosAuthentication
> > > Dec 1 06:16:57 mail sshd[21898]: Failed password for mark from 192.168.0.61 port 55809 ssh2
> > > Dec 1 06:17:00 mail sshd[21898]: Connection closed by 192.168.0.61 port 55809 [preauth]
> > >
> > > The AD/DC host is Slackware and does not have PAM.
> > >
> > > Note that I can log in from the AD to the Linux domain member as a
> > > domain user.
> > >
> > > Is there a way to get domain users to ssh into the AD? They do
> > > have home directories on this server?
> > >
> > > THX --Mark
> > >
> >
> > Have you set up the libnss-winbind links ?
> > Or to put it another way, does 'getent passwd mark' produce output
> > when run on the DC ?
> >
> > Rowland
>
> Yes, getent passwd on the DC gives:
>
> $ getent passwd mark
> mark:x:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash
>
> My /etc/nsswitch.conf on the DC has:
>
> passwd: compat winbind
> shadow: compat winbind
> group: compat winbind

Don't think this has a bearing on the situation, but, on Debian, adding winbind to the shadow line gives problems.

> hosts: files dns
> networks: files
>
> services: files
> protocols: files
> rpc: files
> ethers: files
> netmasks: files
> netgroup: files
> bootparams: files
>
> automount: files
> aliases: files
>
> I suppose when authenticating login from domain members, Windows,
> Linux or Mac, the login mechanism is somehow communicating with the
> samba daemon, but ssh must not be using the same authentication
> mechanism?

Looks like it, it works on Devuan.

> Also, on the DC as a different normal (non-root) user, I cannot 'su -
> mark'. I get "su: Authentication failure". So, it's not just ssh
> having an issue.

Very strange

> Email clients on the domain members use kerberos/GSSAPI to
> authenticate with the Dovecot mail server on the AD/DC. Perhaps this
> is a clue?

Doesn't Dovecot use ldap to authenticate (via kerberos) ?

> Do I need to recompile sshd so that GSSAPIAuthentication or
> KerberosAuthentication are not unsupported? Maybe I also have to
> specify -K (Enables GSSAPI-based authentication) on the client-side
> ssh?
>
> Or, should this just work as is?

Not knowing how openssh is compiled on Slackware, I don't know if you need to recompile it, all I can say is, it works for me.

Rowland
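Offline checks for the three things this exchange turns on (winbind on the passwd/group lines of nsswitch.conf, a usable getent entry for the user, and what sshd's "Unsupported option" log lines mean), as an added example in POSIX sh that is not code from anyone in the thread. The function names are my own and the sample data is constructed from the values quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. Checks, on constructed input, what a
# domain user needs before sshd on a Samba AD DC can log them in:
#  1. nsswitch.conf routes passwd/group lookups through winbind
#  2. getent passwd resolves the user to a real home directory and shell
#  3. an sshd "Unsupported option" line means that option was compiled out
#     and ignored, so setting it in sshd_config changes nothing

# nss_has_winbind <db> <nsswitch-text>: exit 0 if the <db> line lists winbind
nss_has_winbind() {
    printf '%s\n' "$2" | awk -v db="$1" '
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "winbind") ok = 1 }
        END { exit !ok }'
}

# passwd_entry_usable <getent-line>: exit 0 if the home dir is absolute and
# the shell is not a nologin/false shell
passwd_entry_usable() {
    printf '%s\n' "$1" | awk -F: '
        NF == 7 && $6 ~ /^\// && $7 !~ /(nologin|false)$/ { ok = 1 }
        END { exit !ok }'
}

# unsupported_options <sshd-log-text>: prints each rejected option name once
unsupported_options() {
    printf '%s\n' "$1" | sed -n 's/.*Unsupported option \([A-Za-z]*\).*/\1/p' | sort -u
}

# Constructed sample data, modelled on the values Mark posted.
SAMPLE_NSS='passwd: compat winbind
shadow: compat winbind
group: compat winbind
hosts: files dns'
SAMPLE_GETENT='mark:x:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash'
SAMPLE_LOG='Dec 1 06:09:19 mail sshd[8645]: rexec line 89: Unsupported option GSSAPIAuthentication
Dec 1 06:09:22 mail sshd[8645]: Failed password for mark from 192.168.0.61 port 55802 ssh2
Dec 1 06:16:54 mail sshd[21898]: rexec line 83: Unsupported option KerberosAuthentication'

# On a live DC feed real output instead, e.g.
#   nss_has_winbind passwd "$(cat /etc/nsswitch.conf)"
#   passwd_entry_usable "$(getent passwd mark)"
#   unsupported_options "$(grep 'Unsupported option' /var/log/messages)"
report() {
    nss_has_winbind passwd "$SAMPLE_NSS" && echo "nsswitch: passwd goes through winbind"
    nss_has_winbind group "$SAMPLE_NSS" && echo "nsswitch: group goes through winbind"
    passwd_entry_usable "$SAMPLE_GETENT" && echo "getent: home directory and shell usable"
    for opt in $(unsupported_options "$SAMPLE_LOG"); do
        echo "sshd ignored $opt: this sshd build has no support for it"
    done
}
report
```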
Nico Kadel-Garcia
2018-Dec-02 01:38 UTC
[Samba] Cannot log into Samba4 AD/DC with ssh as domain user
On Sat, Dec 1, 2018 at 4:17 PM Rowland Penny via samba <samba@lists.samba.org> wrote:
>
> On Sat, 01 Dec 2018 15:23:36 -0500
> Mark Foley <mfoley@ohprs.org> wrote:
>
> > On Sat, 1 Dec 2018 12:09:18 Rowland Penny wrote:
> > >
> > > On Sat, 01 Dec 2018 06:26:42 -0500
> > > Mark Foley via samba <samba@lists.samba.org> wrote:
> > >
> > > > From either a Linux or Mac domain member, I have tried logging
> > > > into the Samba4 AD server as a domain user:
> > > >
> > > > labmac:~ mark$ ssh mark@mail pwd
> > > > mark@mail's password:
> > > > Permission denied, please try again.
> > > >
> > > > where 'mail' is the AD/DC.
> > > >
> > > > It also fails if I am on the AD/DC and try the same ssh.
> > > >
> > > > I've tried setting either the GSSAPIAuthentication or
> > > > KerberosAuthentication in /etc/ssh/sshd_config, but those don't
> > > > help. I get:

Stop here. If you have root privileges, add a *local* account on the relevant system, and log in using the Kerberos credentials. If those don't work, you have other issues. Also, just because a host is an AD server does not mean that it is configured to allow AD based logins.

What is the OS of the AD server you are trying to log into?

> > > > Dec 1 06:09:19 mail sshd[8645]: rexec line 89: Unsupported option GSSAPIAuthentication
> > > > Dec 1 06:09:19 mail sshd[8645]: reprocess config line 89: Unsupported option GSSAPIAuthentication
> > > > Dec 1 06:09:22 mail sshd[8645]: Failed password for mark from 192.168.0.61 port 55802 ssh2
> > > > Dec 1 06:09:24 mail sshd[8645]: Connection closed by 192.168.0.61 port 55802 [preauth]
> > > >
> > > > Dec 1 06:16:54 mail sshd[21898]: rexec line 83: Unsupported option KerberosAuthentication
> > > > Dec 1 06:16:54 mail sshd[21898]: reprocess config line 83: Unsupported option KerberosAuthentication
> > > > Dec 1 06:16:57 mail sshd[21898]: Failed password for mark from 192.168.0.61 port 55809 ssh2
> > > > Dec 1 06:17:00 mail sshd[21898]: Connection closed by 192.168.0.61 port 55809 [preauth]
> > > >
> > > > The AD/DC host is Slackware and does not have PAM.
> > > >
> > > > Note that I can log in from the AD to the Linux domain member as a
> > > > domain user.
> > > >
> > > > Is there a way to get domain users to ssh into the AD? They do
> > > > have home directories on this server?
> > > >
> > > > THX --Mark
> > > >
> > >
> > > Have you set up the libnss-winbind links ?
> > > Or to put it another way, does 'getent passwd mark' produce output
> > > when run on the DC ?
> > >
> > > Rowland
> >
> > Yes, getent passwd on the DC gives:
> >
> > $ getent passwd mark
> > mark:x:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash
> >
> > My /etc/nsswitch.conf on the DC has:
> >
> > passwd: compat winbind
> > shadow: compat winbind
> > group: compat winbind
>
> Don't think this has a bearing on the situation, but, on Debian,
> adding winbind to the shadow line gives problems.
>
> > hosts: files dns
> > networks: files
> >
> > services: files
> > protocols: files
> > rpc: files
> > ethers: files
> > netmasks: files
> > netgroup: files
> > bootparams: files
> >
> > automount: files
> > aliases: files
> >
> > I suppose when authenticating login from domain members, Windows,
> > Linux or Mac, the login mechanism is somehow communicating with the
> > samba daemon, but ssh must not be using the same authentication
> > mechanism?
>
> Looks like it, it works on Devuan.
>
> > Also, on the DC as a different normal (non-root) user, I cannot 'su -
> > mark'. I get "su: Authentication failure". So, it's not just ssh
> > having an issue.
>
> Very strange
>
> > Email clients on the domain members use kerberos/GSSAPI to
> > authenticate with the Dovecot mail server on the AD/DC. Perhaps this
> > is a clue?
>
> Doesn't Dovecot use ldap to authenticate (via kerberos) ?
>
> > Do I need to recompile sshd so that GSSAPIAuthentication or
> > KerberosAuthentication are not unsupported? Maybe I also have to
> > specify -K (Enables GSSAPI-based authentication) on the client-side
> > ssh?
> >
> > Or, should this just work as is?
>
> Not knowing how openssh is compiled on Slackware, I don't know if you
> need to recompile it, all I can say is, it works for me.
>
> Rowland