On 21/06/2019 15:39, Edouard Guigné via samba wrote:
> Hello,
>
> I am facing 2 issues now.
> The first one is the more critical for me...
>
> 1. When I switch from sssd to winbind with:
> # authconfig --enablekrb5 --enablewinbind --enablewinbindauth --enablemkhomedir --update
>
> My sftp access did not work. Does it change the way to pass the login?
> I used to connect in sftp with userlogin / userpassword
>
> /var/log/secure:
>
> Jun 21 11:08:31 [localhost] sshd[17379]: Invalid user sftpuser from x.x.x.x port 50187
> Jun 21 11:08:31 [localhost] sshd[17379]: input_userauth_request: invalid user sftpuser [preauth]
> Jun 21 11:08:31 [localhost] sshd[17379]: pam_unix(sshd:auth): check pass; user unknown
> Jun 21 11:08:31 [localhost] sshd[17379]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=myhost.mydomain.fr
> Jun 21 11:08:32 [localhost] sshd[17379]: Failed password for invalid user sftpusert from x.x.x.x port 50187 ssh2
>
> Do I need now to pass MYDOMAIN\userlogin / userpassword or something
> like that?
> How can I check the correct syntax?
> I would like to use userlogin / userpassword for sftp access.
>

Do you only have one domain and no trusted domains?

If so add this line to smb.conf and restart Samba:

winbind use default domain = yes

This will change 'MYDOMAIN\userlogin' to just 'userlogin'

There is one gotcha though, it does not work on a Samba AD DC.

Rowland

Yes, I have only one domain.

Even after adding "winbind use default domain = yes" to smb.conf, I cannot ssh:

Jun 21 12:43:59 [localhost] sshd[5938]: pam_sss(sshd:auth): Request to sssd failed. Connection refused
Jun 21 12:43:59 [localhost] sshd[5938]: pam_krb5[5938]: TGT verified using key for 'host/mysambserver at MYDOMAIN.LOCAL'
Jun 21 12:43:59 [localhost] sshd[5938]: pam_krb5[5938]: authentication succeeds for 'usertest' (usertest at MYDOMAIN.LOCAL)
Jun 21 12:43:59 [localhost] sshd[5938]: pam_sss(sshd:account): Request to sssd failed. Connection refused
Jun 21 12:43:59 [localhost] sshd[5938]: pam_winbind(sshd:account): user 'usertest' granted access
Jun 21 12:43:59 [localhost] sshd[5938]: Failed password for usertest from x.x.x.x port 44090 ssh2
Jun 21 12:43:59 [localhost] sshd[5938]: fatal: Access denied for user usertest by PAM account configuration [preauth]

The system seems to look first for sssd (pam_sss) and then for pam_winbind, even if I perform before:
# authconfig --enablekrb5 --enablewinbind --enablewinbindauth --enablemkhomedir --update

Edouard

On 21/06/2019 at 12:21, Rowland Penny via samba wrote:
> On 21/06/2019 15:39, Edouard Guigné via samba wrote:
>> Hello,
>>
>> I am facing 2 issues now.
>> The first one is the more critical for me...
>>
>> 1. When I switch from sssd to winbind with:
>> # authconfig --enablekrb5 --enablewinbind --enablewinbindauth --enablemkhomedir --update
>>
>> My sftp access did not work. Does it change the way to pass the login?
>> I used to connect in sftp with userlogin / userpassword
>>
>> /var/log/secure:
>>
>> Jun 21 11:08:31 [localhost] sshd[17379]: Invalid user sftpuser from x.x.x.x port 50187
>> Jun 21 11:08:31 [localhost] sshd[17379]: input_userauth_request: invalid user sftpuser [preauth]
>> Jun 21 11:08:31 [localhost] sshd[17379]: pam_unix(sshd:auth): check pass; user unknown
>> Jun 21 11:08:31 [localhost] sshd[17379]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=myhost.mydomain.fr
>> Jun 21 11:08:32 [localhost] sshd[17379]: Failed password for invalid user sftpusert from x.x.x.x port 50187 ssh2
>>
>> Do I need now to pass MYDOMAIN\userlogin / userpassword or something
>> like that?
>> How can I check the correct syntax?
>> I would like to use userlogin / userpassword for sftp access.
>>
> Do you only have one domain and no trusted domains?
>
> If so add this line to smb.conf and restart Samba:
>
> winbind use default domain = yes
>
> This will change 'MYDOMAIN\userlogin' to just 'userlogin'
>
> There is one gotcha though, it does not work on a Samba AD DC.
>
> Rowland

On 21/06/2019 16:49, Edouard Guigné via samba wrote:
> Yes, I have only one domain.
>
> Even after adding "winbind use default domain = yes" to smb.conf, I
> cannot ssh:
>
> Jun 21 12:43:59 [localhost] sshd[5938]: pam_sss(sshd:auth): Request to sssd failed. Connection refused
> Jun 21 12:43:59 [localhost] sshd[5938]: pam_krb5[5938]: TGT verified using key for 'host/mysambserver at MYDOMAIN.LOCAL'
> Jun 21 12:43:59 [localhost] sshd[5938]: pam_krb5[5938]: authentication succeeds for 'usertest' (usertest at MYDOMAIN.LOCAL)
> Jun 21 12:43:59 [localhost] sshd[5938]: pam_sss(sshd:account): Request to sssd failed. Connection refused
> Jun 21 12:43:59 [localhost] sshd[5938]: pam_winbind(sshd:account): user 'usertest' granted access
> Jun 21 12:43:59 [localhost] sshd[5938]: Failed password for usertest from x.x.x.x port 44090 ssh2
> Jun 21 12:43:59 [localhost] sshd[5938]: fatal: Access denied for user usertest by PAM account configuration [preauth]
>
> The system seems to look first for sssd (pam_sss) and then for
> pam_winbind, even if I perform before:
> # authconfig --enablekrb5 --enablewinbind --enablewinbindauth --enablemkhomedir --update

I am not a PAM expert, especially on CentOS, but reading the authconfig man page turns up '--disablesssd' & '--disablesssdauth', so try them.

Rowland
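
Added example, not part of the thread and not Samba or CentOS code: a Python triage of /var/log/secure lines like those posted above. It groups PAM module messages by sshd PID and phase, then lists the modules that logged a failure in the phase sshd names in its "Access denied ... by PAM account configuration" line. The sample log, host name, address and realm are constructed, and the failure keywords are a heuristic assumption.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the /var/log/secure excerpt in the thread.
SAMPLE = """\
Jun 21 12:43:59 host sshd[5938]: pam_sss(sshd:auth): Request to sssd failed. Connection refused
Jun 21 12:43:59 host sshd[5938]: pam_krb5[5938]: authentication succeeds for 'usertest' (usertest@EXAMPLE.LOCAL)
Jun 21 12:43:59 host sshd[5938]: pam_sss(sshd:account): Request to sssd failed. Connection refused
Jun 21 12:43:59 host sshd[5938]: pam_winbind(sshd:account): user 'usertest' granted access
Jun 21 12:43:59 host sshd[5938]: Failed password for usertest from 192.0.2.10 port 44090 ssh2
Jun 21 12:43:59 host sshd[5938]: fatal: Access denied for user usertest by PAM account configuration [preauth]
"""

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Only messages in the "module(service:phase): text" form carry a phase.
PAM = re.compile(r"^(?P<mod>pam_\w+)\((?P<svc>\w+):(?P<phase>\w+)\): (?P<text>.*)$")
DENIED = re.compile(r"Access denied for user (?P<user>\S+) by PAM (?P<phase>\w+) configuration")
FAIL_WORDS = ("failed", "failure", "refused", "unknown")  # heuristic, an assumption

def triage(log_text):
    """Per sshd PID: PAM module results by phase, plus the phase sshd says denied access."""
    sessions = defaultdict(lambda: {"modules": [], "denied_phase": None, "user": None})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        s = sessions[m["pid"]]
        pam = PAM.match(m["msg"])
        if pam:
            ok = not any(w in pam["text"].lower() for w in FAIL_WORDS)
            s["modules"].append((pam["phase"], pam["mod"], ok))
            continue
        d = DENIED.search(m["msg"])
        if d:
            s["denied_phase"], s["user"] = d["phase"], d["user"]
    return dict(sessions)

def suspects(session):
    """Modules that logged a failure in the phase sshd reported as the denial point."""
    return sorted({mod for phase, mod, ok in session["modules"]
                   if phase == session["denied_phase"] and not ok})

if __name__ == "__main__":
    for pid, s in triage(SAMPLE).items():
        print(pid, s["user"], s["denied_phase"], suspects(s))
```

A module listed here is only a candidate: whether its failure is fatal depends on the control flags in the PAM stack that authconfig wrote.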