Mark Foley
2018-Dec-02 18:46 UTC
[Samba] Cannot log into Samba4 AD/DC with ssh as domain user
On Sun, 2 Dec 2018 08:52:19 Rowland Penny wrote:
>
> On Sat, 1 Dec 2018 20:38:58 -0500
> Nico Kadel-Garcia <nkadel at gmail.com> wrote:
>
> > On Sat, Dec 1, 2018 at 4:17 PM Rowland Penny via samba
> > <samba at lists.samba.org> wrote:
> > >
> > > On Sat, 01 Dec 2018 15:23:36 -0500
> > > Mark Foley <mfoley at ohprs.org> wrote:
> > >
> > > > On Sat, 1 Dec 2018 12:09:18 Rowland Penny wrote:
> > > > >
> > > > > On Sat, 01 Dec 2018 06:26:42 -0500
> > > > > Mark Foley via samba <samba at lists.samba.org> wrote:
> > > > >
> > > > > > From either a Linux or Mac domain member, I have tried logging
> > > > > > into the Samba4 AD server as a domain user:
> > > > > >
> > > > > > labmac:~ mark$ ssh mark at mail pwd
> > > > > > mark at mail's password:
> > > > > > Permission denied, please try again.
> > > > > >
> > > > > > where 'mail' is the AD/DC.
> > > > > >
> > > > > > It also fails if I am on the AD/DC and try the same ssh.
> > > > > >
> > > > > > I've tried setting either the GSSAPIAuthentication or
> > > > > > KerberosAuthentication in /etc/ssh/sshd_config, but those
> > > > > > don't help. I get:
> > > > > >
> > > > > > Dec 1 06:09:19 mail sshd[8645]: rexec line 89: Unsupported option GSSAPIAuthentication
> > > > > > Dec 1 06:09:19 mail sshd[8645]: reprocess
> > > > > >
> > > > > > Dec 1 06:16:54 mail sshd[21898]: rexec line 83: Unsupported option KerberosAuthentication
> > > > > > Dec 1 06:16:54 mail sshd[21898]:
> >
> > Stop here. If you have root privileges, add a *local* account on the
> > relevant system, and log in using the Kerberos credentials. If those
> > don't work, you have other issues.
>
> Just how is that going to work when the KDC is a Samba AD DC and a
> local account is just that, a local account that is unknown to
> kerberos ?

I was wondering the same.

> > Also, just because a host is an AD server does not mean that it is
> > configured to allow AD based logins. What is the OS of the AD server
> > you are trying to log into?
>
> Did you miss the part where the OP said he could login as an AD user ?
>
> My gut feeling is that he is suffering from an old problem, he is using
> Slackware without PAM.

I'm thinking the same. The domain member Slackware systems do have PAM installed. The AD/DC does not. There is no problem logging onto the domain members.

> > Email clients on the domain members use kerberos/GSSAPI to
> > authenticate with the Dovecot mail server on the AD/DC. Perhaps this
> > is a clue?
>
> Doesn't Dovecot use ldap to authenticate (via kerberos) ?

The dovecot wiki lists various authentication methods, one of which is "GSSAPI: Kerberos v5 support." ldap is not mentioned, but is perhaps at some underlying level.

I think I'll try two things:

1. Rebuild sshd with KerberosAuthentication and KerberosAuthentication.
2. Install PAM

#1 seems like the quickest test. #2 I worry about. Although that works fine on the domain members, PAM affects a number of different programs and might be a bit more difficult to undo. Supposedly, Slackware will include PAM in the next release. I'll report back on the results.
Mark Foley
2018-Dec-03 11:44 UTC
[Samba] Cannot log into Samba4 AD/DC with ssh as domain user
Got it working! I did download the openssh source from https://www.openssh.com/

I added the --with-kerberos5 option to the configure script and otherwise used the options that Slackware uses to build the package:

export CFLAGS="-O2 -fPIC"
export ARCH=`uname -m`
./configure \
  --prefix=/usr \
  --mandir=/usr/man \
  --sysconfdir=/etc/ssh \
  --without-pam \
  --with-kerberos5 \
  --with-md5-passwords \
  --with-tcp-wrappers \
  --with-default-path=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin \
  --with-privsep-path=/var/empty \
  --with-privsep-user=sshd \
  --build=$ARCH-slackware-linux
make
make install

That worked. I was able to ssh from a Linux domain member to the AD/DC as a domain user and was plopped into the home directory as specified by 'getent passwd'.

--Mark

-----Original Message-----
Date: Sun, 02 Dec 2018 13:46:51 -0500
Organization: Ohio Highway Patrol Retirement System
To: samba at lists.samba.org
Subject: Re: [Samba] Cannot log into Samba4 AD/DC with ssh as domain user
I'm having a very annoying problem I can't figure out. I've been running Samba4 as our office AD/DC for several years. This is a recent problem.

Whenever I Remote Desktop into a particular Windows workstation (192.168.0.4) I get the following message in /var/log/samba/log.samba:

Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[mark at HPRS] at [Thu, 17 Jan 2019 18:43:26.477871 EST] with [arcfour-hmac-md5] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:192.168.0.4:54315] mapped to [HPRS]\[mark]. local host [NULL]

This message repeats in groups of 3 every 5 minutes for as long as I am logged into this computer. It does not matter if I am remoting in from another Windows host on the LAN (as domain user 'mark') or if I am logging in from a remote, non-domain computer. I am not logging into the target computer as my domain id 'mark'. When logging in from a LAN workstation, I am logged into the original workstation as domain user 'mark', but when logging in from a remote computer I am not user 'mark' on any remote. I am remote desktopping into the target computer as the AD Domain Administrator. So, I don't know where it's getting the "user [(null)]\[mark at HPRS]" bit from.

After some period of time (or some number of "wrong password" messages), my account gets locked out. The next time I try logging in from Remote Desktop, or if I try ntlm_auth, I get the following message:

auth_check_password_recv: sam authentication for user [HPRS\mark] FAILED with error NT_STATUS_ACCOUNT_LOCKED_OUT, authoritative=1
[2019/01/17 00:24:22.733958, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable)

At this point I have to go into ADUC and disable and re-enable the user account in order to be able to log back in.

Does anyone have any idea what is going on and how to fix this?

THX --Mark
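The practical question in the post above is which host is replaying a stale password for 'mark' often enough to trip the domain's lockout threshold. The log.samba "Auth:" line already carries everything needed to answer that: the mapped account, the status and the remote host. The following script is an added example, not part of this thread or of Samba itself; it parses that line format, groups NT_STATUS_WRONG_PASSWORD events by (account, source address) and reports any pair whose failures inside a sliding window reach the lockout threshold. The sample log lines are constructed to mimic the "groups of 3 every 5 minutes" pattern described in the post, and the window and threshold values are assumptions; the real ones come from `samba-tool domain passwordsettings show` on the DC.

```python
"""Attribute lockout-inducing NT_STATUS_WRONG_PASSWORD bursts in Samba's
log.samba 'Auth:' lines to the source address that generates them.

Added example, not code from the samba mailing list thread or from Samba.
The line format follows the message quoted in the thread; SAMPLE_LINES are
constructed, and the default window/threshold are assumptions to be replaced
with the domain's values (samba-tool domain passwordsettings show).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One regex for the human-readable 'Auth:' line written by auth_log.c.
# The log separates domain and user with a literal backslash: [(null)]\[mark@HPRS]
AUTH_RE = re.compile(
    r"Auth: \[(?P<method>[^\]]+)\] "
    r"user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\] "
    r"at \[(?P<when>[^\]]+)\] "
    r"with \[(?P<enc>[^\]]*)\] "
    r"status \[(?P<status>[^\]]+)\] "
    r"workstation \[(?P<workstation>[^\]]*)\] "
    r"remote host \[(?P<remote>[^\]]*)\] "
    r"mapped to \[(?P<mapped_domain>[^\]]*)\]\\\[(?P<mapped_user>[^\]]*)\]"
)


def parse_auth_line(line):
    """Return a dict of fields for a Samba 'Auth:' line, or None for other lines."""
    m = AUTH_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # Drop the trailing zone name ("EST"): strptime's %Z only accepts a few names.
    stamp = rec["when"].rsplit(" ", 1)[0]
    rec["when"] = datetime.strptime(stamp, "%a, %d %b %Y %H:%M:%S.%f")
    # "ipv4:192.168.0.4:54315" -> "192.168.0.4": the ephemeral port is noise here.
    _, addr_port = rec["remote"].split(":", 1)
    rec["source"] = addr_port.rsplit(":", 1)[0]
    return rec


def failed_logon_bursts(lines, window=timedelta(minutes=30), threshold=5):
    """Map (DOMAIN\\user, source address) -> the largest number of
    NT_STATUS_WRONG_PASSWORD events that fall inside any `window`,
    keeping only pairs that reach `threshold` (i.e. would cause a lockout)."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_auth_line(line)
        if rec and rec["status"] == "NT_STATUS_WRONG_PASSWORD":
            key = (f'{rec["mapped_domain"]}\\{rec["mapped_user"]}', rec["source"])
            failures[key].append(rec["when"])

    bursts = {}
    for key, times in failures.items():
        times.sort()
        best, j = 0, 0
        for i, t in enumerate(times):        # sliding window over sorted timestamps
            while t - times[j] > window:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            bursts[key] = best
    return bursts


def _auth_line(when, user, status, source, port):
    """Build a constructed log line in the format quoted in the thread."""
    return (
        "Auth: [Kerberos KDC,ENC-TS Pre-authentication] "
        f"user [(null)]\\[{user}@HPRS] at [{when:%a, %d %b %Y %H:%M:%S.%f} EST] "
        f"with [arcfour-hmac-md5] status [{status}] workstation [(null)] "
        f"remote host [ipv4:{source}:{port}] mapped to [HPRS]\\[{user}]. local host [NULL]"
    )


# Constructed sample: 3 failures every 5 minutes from the workstation in the post,
# one unrelated success and one isolated failure for another account, plus a
# non-'Auth:' line that the parser must ignore.
_BASE = datetime(2019, 1, 17, 18, 43, 26, 477871)
SAMPLE_LINES = [
    _auth_line(_BASE + timedelta(minutes=5 * g, seconds=k),
               "mark", "NT_STATUS_WRONG_PASSWORD", "192.168.0.4", 54315 + 3 * g + k)
    for g in range(3) for k in range(3)
] + [
    "[2019/01/17 18:43:26.477800, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable)",
    _auth_line(_BASE + timedelta(minutes=1), "alice", "NT_STATUS_OK", "192.168.0.50", 50001),
    _auth_line(_BASE + timedelta(minutes=2), "alice", "NT_STATUS_WRONG_PASSWORD", "192.168.0.50", 50002),
]


if __name__ == "__main__":
    for (account, source), count in failed_logon_bursts(SAMPLE_LINES).items():
        print(f"{account} from {source}: {count} wrong-password attempts in window")
```

Run against the real file with `failed_logon_bursts(open("/var/log/samba/log.samba"))` and set `threshold` to the domain's lockout threshold; the reported source is the workstation whose cached or saved credential needs to be cleared, which is the fix that avoids the disable/re-enable cycle in ADUC.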