Hai,

Let's start here. Handy for us to know: OS? Samba version? AD or member setup?

And I suggest, set this in the ssh server:

    # GSSAPI options
    GSSAPIAuthentication yes

Restart the ssh server and try to SSO login. If it's an AD server this should work.
Yes, you don't get home dir etc, end up in / after login, but let's check if this works.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Harpoon via samba
> Sent: Tuesday, 15 January 2019 9:45
> To: samba at lists.samba.org
> Subject: [Samba] SSH SSO without keytab file
>
> Hi all,
>
> I've setup a Samba AD server. I joined two Linux test hosts, a
> Windows test host and an SSH server to the domain. Here are
> my requirements:
>
> 1. I plan to use Samba accounts to authenticate the users for SSH.
> 2. Users shouldn't have to re-enter their passwords to connect to SSH.
>
> The link at [1] gives some hints on setting up SSO and SSH.
> But that guide requires creation (and re-creation upon
> password change) of keytab files.
>
> Is there a way to get SSO without using keytab files? My
> rather theoretical knowledge of Kerberos says that the user
> should get a TGT when logging in for a new session (using
> LightDM). Can't the same TGT be used by the ssh client to request
> a ticket from the Kerberos Authentication Server for the SSH server?
>
> This approach will save me from management and routine
> re-creation of keytab files.
>
> Kind regards,
> Harp
>
> [1] https://wiki.samba.org/index.php/OpenSSH_Single_sign-on#SSH_client_setup
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
I was caught up in another issue so couldn't reply earlier.

> OS?

Debian stretch on all nodes.

> Samba version?

Version 4.5.12-Debian

> AD or member setup?

I followed Samba wiki instructions to setup DC and members. AD running Samba. Members running smbd, nmbd and winbind. `getent passwd` and `wbinfo -u` work fine; listing all members. I can also `su SAMDOM\\administrator` to get authenticated as `administrator`.

> And I suggest, set this in the ssh server.
>
> GSSAPI options
> ==============
> GSSAPIAuthentication yes

Already have. For the time being, I setup SSH server on the DC itself. Eventually, SSH server will be on a separate machine.

I have tried two options (after `kinit administrator`):

a) Using `UsePAM yes` in sshd_config:
------------------------

I ran `ssh administrator@dc1.domain.com -vv`

SSH client logs:

debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug1: Next authentication method: password

Then I enter the password, and I'm granted the shell.

SSH server logs:

Jan 18 11:05:12 DC1 sshd[16690]: pam_winbind(sshd:auth): getting password (0x00000388)
Jan 18 11:05:12 DC1 sshd[16690]: pam_winbind(sshd:auth): pam_get_item returned a password
Jan 18 11:05:12 DC1 sshd[16690]: pam_winbind(sshd:auth): user 'administrator' granted access
Jan 18 11:05:12 DC1 sshd[16690]: Accepted password for administrator from 10.0.5.101 port 33796 ssh2
Jan 18 11:05:12 DC1 sshd[16690]: pam_unix(sshd:session): session opened for user SAMDOM\administrator by (uid=0)

b) Using `UsePAM no`:
-------------------

I ran `ssh administrator@dc1.domain.com -vv`

SSH client logs:

debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug1: Next authentication method: password

Then I enter the password, and receive this error:

Permission denied, please try again.

SSH server logs:

Jan 18 11:09:15 DC1 sshd[16722]: error: Could not get shadow information for SAMDOM\\administrator
Jan 18 11:09:15 DC1 sshd[16722]: Failed password for administrator from 10.0.5.101 port 33800 ssh2

---------------------------------------------------------

It seems I'm unable to use the TGT for SSH authentication. I read somewhere that using `UsePAM yes` **always** requires a password. But setting `UsePAM no` says permission denied.

Regards,
Harp
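The two runs above contain the decisive lines. The following added diagnostic (written for this thread, not code from the thread, OpenSSH or Samba) parses an `ssh -vv` transcript together with the matching sshd log lines and reports which method won and where the GSSAPI attempt stopped; the sample inputs are constructed from the lines quoted in this message plus one constructed success line, and the finding codes are its own.

```python
"""Added diagnostic: which SSH auth method actually won, and why not GSSAPI?"""
import re

# Sample input constructed from the lines quoted in this message (the client
# transcript is identical for both runs; the server logs differ by UsePAM).
CLIENT_VV = """\
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
"""
SERVER_PAM_YES = """\
Jan 18 11:05:12 DC1 sshd[16690]: pam_winbind(sshd:auth): user 'administrator' granted access
Jan 18 11:05:12 DC1 sshd[16690]: Accepted password for administrator from 10.0.5.101 port 33796 ssh2
"""
SERVER_PAM_NO = """\
Jan 18 11:09:15 DC1 sshd[16722]: error: Could not get shadow information for SAMDOM\\\\administrator
Jan 18 11:09:15 DC1 sshd[16722]: Failed password for administrator from 10.0.5.101 port 33800 ssh2
"""
# Constructed (not from the thread): the line sshd logs when GSSAPI SSO succeeds.
SERVER_SSO_OK = "Jan 18 11:20:00 DC1 sshd[16800]: Accepted gssapi-with-mic for harp from 10.0.5.101 port 33900 ssh2\n"

NEXT_METHOD = re.compile(r"Next authentication method: (\S+)")
AUTH_RESULT = re.compile(r"sshd\[\d+\]: (Accepted|Failed) (\S+) for (\S+) from (\S+) port (\d+)")
NO_SHADOW = re.compile(r"Could not get shadow information for (\S+)")


def methods_tried(client_vv):
    """Authentication methods the ssh client moved on to, in order."""
    return [m.group(1) for m in NEXT_METHOD.finditer(client_vv)]


def server_events(sshd_log):
    """Pull the decisive sshd lines out of a log: final verdict and shadow error."""
    ev = {"accepted": None, "failed": [], "no_shadow": None}
    for line in sshd_log.splitlines():
        m = AUTH_RESULT.search(line)
        if m and m.group(1) == "Accepted":
            ev["accepted"] = (m.group(2), m.group(3))
        elif m:
            ev["failed"].append((m.group(2), m.group(3)))
        m = NO_SHADOW.search(line)
        if m:
            ev["no_shadow"] = m.group(1)
    return ev


def diagnose(client_vv, sshd_log):
    """Return finding codes for one login attempt (own codes, not OpenSSH's)."""
    tried, ev = methods_tried(client_vv), server_events(sshd_log)
    if ev["accepted"] and ev["accepted"][0] == "gssapi-with-mic":
        return ["SSO_OK"]
    findings = []
    if "gssapi-with-mic" in tried and tried[-1] == "password":
        # Each "we sent a gssapi-with-mic packet" is the client proposing one
        # GSSAPI mechanism OID; a bare "Authentications that can continue" in
        # reply means sshd refused the mechanism before any Kerberos token was
        # exchanged. OpenSSH does that when it cannot acquire credentials for
        # its own host/<fqdn>@REALM principal, i.e. the server side has no
        # usable keytab entry, whatever TGT the client holds.
        findings.append("GSSAPI_MECH_REFUSED_FELL_BACK_TO_PASSWORD")
    if ev["no_shadow"]:
        # With UsePAM no, sshd checks the password against /etc/shadow itself;
        # a winbind-only account has no shadow entry, so the password fails.
        findings.append("UsePAM_no_SHADOW_LOOKUP_FAILED")
    if ev["accepted"] and ev["accepted"][0] == "password":
        findings.append("PASSWORD_ACCEPTED_NO_SSO")
    return findings
```

Run `diagnose()` on a real transcript and `journalctl -u ssh` output to see at which stage a login stopped being SSO.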
Hai,

I did see that you are using Administrator, and that's the problem.
Administrator is mapped to root (most of the time); if you assigned Administrator UID = 0 then you have a problem, because only root = uid 0.

Never ever give Administrator a UID/GID; create a new one and assign that one a UID/GID.

So try again with a normal user that does have a UID/GID.

If that does not work, please share these, because this should work fine.
/etc/samba/smb.conf
/etc/krb5.conf
/etc/ssh/sshd_config

Greetz,

Louis

> -----Original message-----
> From: Harpoon [mailto:harp00n at protonmail.com]
> Sent: Friday, 18 January 2019 7:15
> To: L.P.H. van Belle
> CC: samba at lists.samba.org
> Subject: Re: [Samba] SSH SSO without keytab file
>
> I was caught up in another issue so couldn't reply earlier.

No problem at all, so are we ;-)
Thanks for the prompt reply!

> I did see that you are using Administrator, and that's the problem.
> Administrator is mapped to root (most of the time),
> if you assigned Administrator UID = 0 then you have a problem, because only root = uid 0.
>
> Never ever give Administrator a UID/GID

I am using tdb backend. It mapped administrator account to 12000:10000.

> So try again with a normal user, that does have a UID/GID.

I tried testing with normal users too whose UID/GID was mapped by tdb in ~10000 range. It produced the same problem.

> If that does not work, please share these, because this should work fine.
> /etc/samba/smb.conf
> /etc/krb5.conf
> /etc/ssh/sshd_config

Please find these conf files here:

-----------------------------
DC's /etc/samba/smb.conf
-----------------------------
[global]
        netbios name = DC1
        realm = SAMDOM.EXAMPLE.COM
        workgroup = SAMDOM
        dns forwarder = 10.0.5.200
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        winbind enum users = yes
        winbind enum groups = yes
        template shell = /bin/bash

[netlogon]
        path = /var/lib/samba/sysvol/samdom.example.com/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

--------------------------------
Client's /etc/samba/smb.conf
--------------------------------
[global]
        netbios name = client1
        realm = SAMDOM.EXAMPLE.COM
        workgroup = SAMDOM
        security = ADS
        kerberos method = secrets and keytab
        winbind trusted domains only = no
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        winbind nss info = rfc2307

        idmap config * : backend = tdb
        idmap config * : range = 10000-200000

-------------------------------
/etc/ssh/sshd_config (Running on DC)
-------------------------------
PubkeyAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication no
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
KerberosAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UseDNS yes
PermitRootLogin yes
UsePAM no

-------------------------------
/etc/ssh/ssh_config (Client SSH config)
-------------------------------
Host *
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

--------------------------------------
/etc/krb5.conf (Same on DC and clients)
--------------------------------------
[libdefaults]
        default_realm = SAMDOM.EXAMPLE.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true

Thanks for your help!
Hai,

> -----Original message-----
> From: Harpoon [mailto:harp00n at protonmail.com]
> Sent: Friday, 18 January 2019 9:24
> To: L.P.H. van Belle
> CC: samba at lists.samba.org
> Subject: Re: [Samba] SSH SSO without keytab file
>
> Thanks for the prompt reply!

You're welcome.

> > I did see that you are using Administrator, and that's the problem.
> > Administrator is mapped to root (most of the time),
> > if you assigned Administrator UID = 0 then you have a problem, because only root = uid 0.
> >
> > Never ever give Administrator a UID/GID
>
> I am using tdb backend. It mapped administrator account to 12000:10000.

No no no.. as said, never ever assign administrator a UID/GID. Now your administrator != root anymore and you can't manage the server correctly anymore as user Administrator.

You can't use the TDB backend for a domain member only, you MUST choose to set AD or RID backend.
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Configuring_Samba
See: Choose backend for id mapping in winbindd

> > So try again with a normal user, that does have a UID/GID.
>
> I tried testing with normal users too whose UID/GID was
> mapped by tdb in ~10000 range. It produced the same problem.
>
> > If that does not work, please share these, because this should work fine.
> > /etc/samba/smb.conf
> > /etc/krb5.conf
> > /etc/ssh/sshd_config
>
> Please find these conf files here:
>
> -----------------------------
> DC's /etc/samba/smb.conf
> -----------------------------
> [global]
>         netbios name = DC1
>         realm = SAMDOM.EXAMPLE.COM
>         workgroup = SAMDOM
>         dns forwarder = 10.0.5.200
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = yes
>         winbind enum users = yes
>         winbind enum groups = yes
>         template shell = /bin/bash
>
> [netlogon]
>         path = /var/lib/samba/sysvol/samdom.example.com/scripts
>         read only = No
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No

Looks good, except, you don't need:
winbind enum users = yes
winbind enum groups = yes
For testing fine, but when done testing set these 2 to no. These only slow down your server.

> --------------------------------
> Client's /etc/samba/smb.conf
> --------------------------------
> [global]
>         netbios name = client1
>         realm = SAMDOM.EXAMPLE.COM
>         workgroup = SAMDOM
>         security = ADS
>         kerberos method = secrets and keytab
>         winbind trusted domains only = no
>         winbind enum users = yes
>         winbind enum groups = yes
>         winbind use default domain = yes
>         winbind nss info = rfc2307
>
>         idmap config * : backend = tdb
>         idmap config * : range = 10000-200000

This config is incomplete. (And the same for the winbind enum: set these to no.)

My suggested change:

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
# Renew the kerberos tickets
winbind refresh tickets = yes
# Enable offline logins
winbind offline logon = yes
# With default domain set to yes, wbinfo -u shows username only, not SAMBADOM\username.
winbind use default domain = yes

idmap config * : backend = tdb
idmap config * : range = 3000-7999
# https://wiki.samba.org/index.php/Idmap_config_ad
# (based on "winbind nss info = rfc2307" in your config)
idmap config SAMDOM : backend = ad
idmap config SAMDOM : range = 10000-200000

# Optional, use these, but since you set AD backend you can set this from cli.
# Template settings for login shell and home directory
# template shell = /bin/bash
# template homedir = /home/%U
# mk_homedir might be needed, this depends on your needs/setup.

> -------------------------------
> /etc/ssh/sshd_config (Running on DC)
> -------------------------------
> PubkeyAuthentication no
> PasswordAuthentication yes
> ChallengeResponseAuthentication no
> X11Forwarding yes
> PrintMotd no
> AcceptEnv LANG LC_*
> Subsystem sftp /usr/lib/openssh/sftp-server
> KerberosAuthentication yes
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
> UseDNS yes
> PermitRootLogin yes
> UsePAM no

Looks fine.

> -------------------------------
> /etc/ssh/ssh_config (Client SSH config)
> -------------------------------
> Host *
>     SendEnv LANG LC_*
>     HashKnownHosts yes
>     GSSAPIAuthentication yes
>     GSSAPIDelegateCredentials yes

Looks fine.

> --------------------------------------
> /etc/krb5.conf (Same on DC and clients)
> --------------------------------------
> [libdefaults]
>         default_realm = SAMDOM.EXAMPLE.COM
>         dns_lookup_realm = false
>         dns_lookup_kdc = true

Looks fine.

> Thanks for your help!

Greetz,

Louis
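As an added check (not from the thread and not a Samba tool), the linter below applies the three smb.conf points made in this reply, the winbind enum settings, a tdb-only idmap on a domain member, and non-overlapping idmap ranges, to the member's original [global] and to the suggested replacement. The two configs are embedded as constructed samples taken from the mails, and the finding codes are the linter's own.

```python
"""Added linter for a Samba domain member's [global] idmap/winbind settings."""
import re

# Constructed from the thread: the member's original [global] ...
MEMBER_ORIGINAL = """
[global]
    workgroup = SAMDOM
    security = ADS
    kerberos method = secrets and keytab
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    winbind nss info = rfc2307
    idmap config * : backend = tdb
    idmap config * : range = 10000-200000
"""
# ... and the suggested replacement lines from this reply, in a [global] block.
MEMBER_SUGGESTED = """
[global]
    workgroup = SAMDOM
    security = ADS
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    winbind refresh tickets = yes
    winbind offline logon = yes
    winbind use default domain = yes
    winbind nss info = rfc2307
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : range = 10000-200000
"""


def parse_global(text):
    """Return the [global] section as a dict of normalised key -> value."""
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # smb.conf keys are case-insensitive and whitespace-insensitive.
        key = re.sub(r"\s+", " ", key.strip().lower())
        key = re.sub(r"\s*:\s*", " : ", key)
        params[key] = value.strip()
    return params


def idmap_domains(params):
    """Map idmap domain ('*' or a workgroup) -> {'backend': ..., 'range': (lo, hi)}."""
    doms = {}
    for key, value in params.items():
        m = re.fullmatch(r"idmap config (\S+) : (backend|range)", key)
        if not m:
            continue
        entry = doms.setdefault(m.group(1).upper(), {})
        if m.group(2) == "range":
            lo, hi = value.replace(" ", "").split("-")
            entry["range"] = (int(lo), int(hi))
        else:
            entry["backend"] = value.lower()
    return doms


def lint_member(text):
    """Finding codes for a domain member's [global], following this reply's advice."""
    params = parse_global(text)
    doms = idmap_domains(params)
    findings = []
    for key in ("winbind enum users", "winbind enum groups"):
        if params.get(key, "no").lower() == "yes":
            findings.append("ENUM_ON:" + key)          # slows winbind, testing only
    workgroup = params.get("workgroup", "").upper()
    if "*" not in doms or "range" not in doms["*"]:
        findings.append("DEFAULT_IDMAP_MISSING")        # the '*' domain needs tdb + range
    if workgroup not in doms or doms[workgroup].get("backend") not in ("ad", "rid"):
        findings.append("DOMAIN_IDMAP_BACKEND_MISSING:" + workgroup)
    ranges = sorted((v["range"], d) for d, v in doms.items() if "range" in v)
    for (r1, d1), (r2, d2) in zip(ranges, ranges[1:]):
        if r2[0] <= r1[1]:                              # ranges must not overlap
            findings.append(f"RANGE_OVERLAP:{d1}/{d2}")
    return findings
```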