Nico Kadel-Garcia
2018-Dec-02 01:38 UTC
[Samba] Cannot log into Samba4 AD/DC with ssh as domain user
On Sat, Dec 1, 2018 at 4:17 PM Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> On Sat, 01 Dec 2018 15:23:36 -0500
> Mark Foley <mfoley at ohprs.org> wrote:
>
> > On Sat, 1 Dec 2018 12:09:18 Rowland Penny wrote:
> >
> > > On Sat, 01 Dec 2018 06:26:42 -0500
> > > Mark Foley via samba <samba at lists.samba.org> wrote:
> > >
> > > > From either a Linux or Mac domain member, I have tried logging
> > > > into the Samba4 AD server as a domain user:
> > > >
> > > > labmac:~ mark$ ssh mark at mail pwd
> > > > mark at mail's password:
> > > > Permission denied, please try again.
> > > >
> > > > where 'mail' is the AD/DC.
> > > >
> > > > It also fails if I am on the AD/DC and try the same ssh.
> > > >
> > > > I've tried setting either the GSSAPIAuthentication or
> > > > KerberosAuthentication in /etc/ssh/sshd_config, but those don't
> > > > help. I get:

Stop here. If you have root privileges, add a *local* account on the
relevant system, and log in using the Kerberos credentials. If those
don't work, you have other issues.

Also, just because a host is an AD server does not mean that it is
configured to allow AD based logins. What is the OS of the AD server
you are trying to log into?

> > > > Dec 1 06:09:19 mail sshd[8645]: rexec line 89: Unsupported option GSSAPIAuthentication
> > > > Dec 1 06:09:19 mail sshd[8645]: reprocess config line 89: Unsupported option GSSAPIAuthentication
> > > > Dec 1 06:09:22 mail sshd[8645]: Failed password for mark from 192.168.0.61 port 55802 ssh2
> > > > Dec 1 06:09:24 mail sshd[8645]: Connection closed by 192.168.0.61 port 55802 [preauth]
> > > >
> > > > Dec 1 06:16:54 mail sshd[21898]: rexec line 83: Unsupported option KerberosAuthentication
> > > > Dec 1 06:16:54 mail sshd[21898]: reprocess config line 83: Unsupported option KerberosAuthentication
> > > > Dec 1 06:16:57 mail sshd[21898]: Failed password for mark from 192.168.0.61 port 55809 ssh2
> > > > Dec 1 06:17:00 mail sshd[21898]: Connection closed by 192.168.0.61 port 55809 [preauth]
> > > >
> > > > The AD/DC host is Slackware and does not have PAM.
> > > >
> > > > Note that I can log in from the AD to the Linux domain member as a
> > > > domain user.
> > > >
> > > > Is there a way to get domain users to ssh into the AD? They do
> > > > have home directories on this server?
> > > >
> > > > THX --Mark
> > > >
> > >
> > > Have you set up the libnss-winbind links ?
> > > Or to put it another way, does 'getent passwd mark' produce output
> > > when run on the DC ?
> > >
> > > Rowland
> >
> > Yes, getent passwd on the DC gives:
> >
> > $ getent passwd mark
> > mark:x:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash
> >
> > My /etc/nsswitch.conf on the DC has:
> >
> > passwd: compat winbind
> > shadow: compat winbind
> > group: compat winbind
>
> Don't think this has a bearing on the situation, but, on Debian,
> adding winbind to the shadow line gives problems.
>
> >
> > hosts: files dns
> > networks: files
> >
> > services: files
> > protocols: files
> > rpc: files
> > ethers: files
> > netmasks: files
> > netgroup: files
> > bootparams: files
> >
> > automount: files
> > aliases: files
> >
> > I suppose when authenticating login from domain members, Windows,
> > Linux or Mac, the login mechanism is somehow communicating with the
> > samba daemon, but ssh must not be using the same authentication
> > mechanism?
>
> Looks like it, it works on Devuan.
>
> >
> > Also, on the DC as a different normal (non-root) user, I cannot 'su -
> > mark'. I get "su: Authentication failure". So, it's not just ssh
> > having an issue.
>
> Very strange
>
> >
> > Email clients on the domain members use kerberos/GSSAPI to
> > authenticate with the Dovecot mail server on the AD/DC. Perhaps this
> > is a clue?
>
> Doesn't Dovecot use ldap to authenticate (via kerberos) ?
>
> >
> > Do I need to recompile sshd so that GSSAPIAuthentication or
> > KerberosAuthentication are not unsupported? Maybe I also have to
> > specify -K (Enables GSSAPI-based authentication) on the client-side
> > ssh?
> >
> > Or, should this just work as is?
>
> Not knowing how openssh is compiled on Slackware, I don't know if you
> need to recompile it, all I can say is, it works for me.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2018-Dec-02 08:52 UTC
[Samba] Cannot log into Samba4 AD/DC with ssh as domain user
On Sat, 1 Dec 2018 20:38:58 -0500
Nico Kadel-Garcia <nkadel at gmail.com> wrote:

> On Sat, Dec 1, 2018 at 4:17 PM Rowland Penny via samba
> <samba at lists.samba.org> wrote:
> >
> > On Sat, 01 Dec 2018 15:23:36 -0500
> > Mark Foley <mfoley at ohprs.org> wrote:
> >
> > > On Sat, 1 Dec 2018 12:09:18 Rowland Penny wrote:
> > >
> > > > On Sat, 01 Dec 2018 06:26:42 -0500
> > > > Mark Foley via samba <samba at lists.samba.org> wrote:
> > > >
> > > > > From either a Linux or Mac domain member, I have tried logging
> > > > > into the Samba4 AD server as a domain user:
> > > > >
> > > > > labmac:~ mark$ ssh mark at mail pwd
> > > > > mark at mail's password:
> > > > > Permission denied, please try again.
> > > > >
> > > > > where 'mail' is the AD/DC.
> > > > >
> > > > > It also fails if I am on the AD/DC and try the same ssh.
> > > > >
> > > > > I've tried setting either the GSSAPIAuthentication or
> > > > > KerberosAuthentication in /etc/ssh/sshd_config, but those
> > > > > don't help. I get:
>
> Stop here. If you have root privileges, add a *local* account on the
> relevant system, and log in using the Kerberos credentials. If those
> don't work, you have other issues.

Just how is that going to work when the KDC is a Samba AD DC and a
local account is just that, a local account that is unknown to
kerberos ?

>
> Also, just because a host is an AD server does not mean that it is
> configured to allow AD based logins. What is the OS of the AD server
> you are trying to log into?

Did you miss the part where the OP said he could login as an AD user ?

My gut feeling is that he is suffering from an old problem, he is using
Slackware without PAM.

Rowland
Mark Foley
2018-Dec-02 18:46 UTC
[Samba] Cannot log into Samba4 AD/DC with ssh as domain user
On Sun, 2 Dec 2018 08:52:19 Rowland Penny wrote:
>
> On Sat, 1 Dec 2018 20:38:58 -0500
> Nico Kadel-Garcia <nkadel at gmail.com> wrote:
>
> > On Sat, Dec 1, 2018 at 4:17 PM Rowland Penny via samba
> > <samba at lists.samba.org> wrote:
> > >
> > > On Sat, 01 Dec 2018 15:23:36 -0500
> > > Mark Foley <mfoley at ohprs.org> wrote:
> > >
> > > > On Sat, 1 Dec 2018 12:09:18 Rowland Penny wrote:
> > > >
> > > > > On Sat, 01 Dec 2018 06:26:42 -0500
> > > > > Mark Foley via samba <samba at lists.samba.org> wrote:
> > > > >
> > > > > > From either a Linux or Mac domain member, I have tried logging
> > > > > > into the Samba4 AD server as a domain user:
> > > > > >
> > > > > > labmac:~ mark$ ssh mark at mail pwd
> > > > > > mark at mail's password:
> > > > > > Permission denied, please try again.
> > > > > >
> > > > > > where 'mail' is the AD/DC.
> > > > > >
> > > > > > It also fails if I am on the AD/DC and try the same ssh.
> > > > > >
> > > > > > I've tried setting either the GSSAPIAuthentication or
> > > > > > KerberosAuthentication in /etc/ssh/sshd_config, but those
> > > > > > don't help. I get:
> > > > > >
> > > > > > Dec 1 06:09:19 mail sshd[8645]: rexec line 89: Unsupported option GSSAPIAuthentication
> > > > > > Dec 1 06:09:19 mail sshd[8645]: reprocess
> > > > > >
> > > > > > Dec 1 06:16:54 mail sshd[21898]: rexec line 83: Unsupported option KerberosAuthentication
> > > > > > Dec 1 06:16:54 mail sshd[21898]:
> >
> > Stop here. If you have root privileges, add a *local* account on the
> > relevant system, and log in using the Kerberos credentials. If those
> > don't work, you have other issues.
>
> Just how is that going to work when the KDC is a Samba AD DC and a
> local account is just that, a local account that is unknown to
> kerberos ?

I was wondering the same.

> > Also, just because a host is an AD server does not mean that it is
> > configured to allow AD based logins. What is the OS of the AD server
> > you are trying to log into?
>
> Did you miss the part where the OP said he could login as an AD user ?
>
> My gut feeling is that he is suffering from an old problem, he is using
> Slackware without PAM.

I'm thinking the same. The domain member Slackware systems do have PAM
installed. The AD/DC does not. There is no problem logging onto the
domain members.

> > Email clients on the domain members use kerberos/GSSAPI to
> > authenticate with the Dovecot mail server on the AD/DC. Perhaps this
> > is a clue?
>
> Doesn't Dovecot use ldap to authenticate (via kerberos) ?

The dovecot wiki lists various authentication methods, one of which is
"GSSAPI: Kerberos v5 support." ldap is not mentioned, but is perhaps at
some underlying level.

I think I'll try two things:

1. Rebuild sshd with KerberosAuthentication and KerberosAuthentication.
2. Install PAM

#1 seems like the quickest test. #2 I worry about. Although that works
fine on the domain members, PAM affects a number of different programs
and might be a bit more difficult to undo. Supposedly, Slackware will
include PAM in the next release.

I'll report back on the results.
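As an added example (not code from the thread or from the Samba project), a POSIX shell diagnostic that runs the checks this thread walks through on a DC: which sshd_config options the running sshd rejected as unsupported, how many password failures a user has accumulated, whether nsswitch.conf lists winbind for passwd and group, and whether the sshd binary is linked against PAM. The sample log and nsswitch.conf are constructed from the lines quoted above; the sshd path /usr/sbin/sshd is an assumption.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. Sample log and nsswitch.conf below are
# constructed from the quoted lines; the default sshd path is an assumption.

# Options the running sshd rejected at startup, from auth-log lines of the form
# "sshd[PID]: rexec line N: Unsupported option NAME". A rejected GSSAPI/Kerberos
# option means this sshd was built without Kerberos, so sshd_config cannot enable it.
# Usage: sshd_unsupported_options LOGFILE  -> one "line N: NAME" per option
sshd_unsupported_options() {
    sed -n 's/.*sshd\[[0-9]*\]: rexec line \([0-9]*\): Unsupported option \([A-Za-z]*\).*/line \1: \2/p' "$1" | sort -u
}

# Password failures for USER: non-zero while NSS resolves the user but nothing
# on the DC can verify the password.  Usage: failed_password_count LOGFILE USER
failed_password_count() {
    grep -c "sshd\[[0-9]*\]: Failed password for $2 from" "$1" || true
}

# Succeeds only if both passwd and group lookups include winbind, which is what
# makes 'getent passwd mark' work on the DC.  Usage: nsswitch_uses_winbind FILE
nsswitch_uses_winbind() {
    for db in passwd group; do
        grep -Eq "^[[:space:]]*$db:([[:space:]]+[a-z_]+)*[[:space:]]+winbind([[:space:]]|\$)" "$1" || return 1
    done
}

# Whether an sshd binary is linked against PAM. Without PAM there is no
# pam_winbind for sshd to hand the password check to (the Slackware problem
# Rowland points at).  Usage: sshd_has_pam [SSHD_PATH]  -> "pam" or "no-pam"
sshd_has_pam() {
    bin="${1:-/usr/sbin/sshd}"
    if [ -x "$bin" ] && ldd "$bin" 2>/dev/null | grep -q 'libpam\.so'; then
        echo pam
    else
        echo no-pam
    fi
}

SAMPLE_LOG=$(mktemp); SAMPLE_NSS=$(mktemp)   # constructed inputs
cat >"$SAMPLE_LOG" <<'EOF'
Dec 1 06:09:19 mail sshd[8645]: rexec line 89: Unsupported option GSSAPIAuthentication
Dec 1 06:09:22 mail sshd[8645]: Failed password for mark from 192.168.0.61 port 55802 ssh2
Dec 1 06:16:54 mail sshd[21898]: rexec line 83: Unsupported option KerberosAuthentication
Dec 1 06:16:57 mail sshd[21898]: Failed password for mark from 192.168.0.61 port 55809 ssh2
EOF
printf 'passwd: compat winbind\nshadow: compat winbind\ngroup: compat winbind\n' >"$SAMPLE_NSS"
sshd_unsupported_options "$SAMPLE_LOG"
echo "password failures for mark: $(failed_password_count "$SAMPLE_LOG" mark)"
nsswitch_uses_winbind "$SAMPLE_NSS" && echo "nsswitch: winbind present" || echo "nsswitch: winbind missing"
echo "sshd build: $(sshd_has_pam)"
```

On a real DC, point the first two functions at the system auth log and the third at /etc/nsswitch.conf; a "no-pam" result together with rejected Kerberos options means neither config edit in the thread can help until sshd is rebuilt.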