Patrick Goetz
2022-Mar-22 16:24 UTC
[Samba] authentication issue moving from Samba 4.11.x to 4.13.14
On 3/21/22 21:52, Gaiseric Vandal via samba wrote:
>
> On 3/21/2022 3:19 PM, Rowland Penny via samba wrote:
>> On Mon, 2022-03-21 at 15:08 -0400, Gaiseric Vandal via samba wrote:
>>> On 3/21/22 13:38, Rowland Penny via samba wrote:
>>>> On Mon, 2022-03-21 at 13:17 -0400, Gaiseric Vandal via samba wrote:
>>>>> LDAP is used for user and group lookups at the Unix/Linux level. This
>>>>> includes nfs and ssh. The authentication itself is typically
>>>>> kerberos. Presumably if nsswitch.conf pointed to winbind but not ldap
>>>>> then everything would continue to work.
>>>> Got to ask this, why are you using ldap for Unix user & group lookups ?
>>>> I presume that the ldap lookups are searching for RFC2307 attributes,
>>>> if so, ldap is a bit redundant, your 'ad' backend will use the same IDs
>>>>
>>>> While there are numerous superfluous lines in your smb.conf, it is
>>>> basically sound.
>>>>
>>>> Rowland
>>>>
>>>>
>>> A lot of the engineering/scientific software we use runs on Linux. A
>>> lot of the software development we do is also on Linux, so the focus of
>>> services on Solaris machines was to support Linux clients first, and
>>> Windows clients 2nd. I am fairly confident that if I configure
>>> /etc/nsswitch.conf to use winbind (not ldap) network users and groups
>>> that ssh login would still work.
>> I am absolutely positive it will work, it is how I run Samba on Linux.
>>
>>> but I don't know about NFS (which is
>>> dependent on kerberos security.)
>> This should also work, I do not use NFS, but kerberos works well on
>> Linux, not sure about Solaris. If this was Debian, I would advise
>> installing the libnss-winbind, libpam-winbind and libpam-krb5 packages,
>> does Solaris have similar packages ?
>>
>> Rowland
>>
>>
> With /etc/nsswitch.conf set to use
>
>     passwd: files winbind
>     group:  files winbind
>
> Ssh logins fail, and the log shows the following
>
>     Mar 21 20:41:00 server1 sshd[28725]: [ID 800047 auth.error]
>     error: PAM: Authentication failed for myname from 192.x.x.x
>
>     Mar 21 20:41:06 server1 sshd[28725]: [ID 720393 auth.error]
>     PAM-KRB5 (setcred): pam_setcred failed for myname (Failure
>     setting user credentials).
>
>     Mar 21 20:43:43 server1 sshd[29042]: [ID 800047 auth.error]
>     error: PAM: User account has expired for myname from 192.x.x.x
>
>     Mar 21 20:43:51 server1 sshd[29046]: [ID 800047 auth.error]
>     error: PAM: User account has expired for myname from 192.x.x.x
>

For ssh to authenticate against AD, you will need to have /etc/pam.d/sssd configured to use pam_winbind.so. On Ubuntu/Debian systems this is squirreled away in /etc/pam.d/common-auth so you don't see it. I haven't used Solaris in modern times, but since Sun invented PAM, I'm guessing Solaris is also configured to use PAM.

> You will notice that solaris 11 does not have a separate shadow entry in
> /etc/nsswitch.conf (the shadow functionality is handled by the password
> entry.)
>
>
> With LDAP, I get
>
>     # getent shadow myname
>
>     myname:*NP*:::::::
>
> But with winbind, "getent shadow myname" does not show anything.
>
>
>
> I don't have samba running as a domain member on any linux servers yet.
>
Rowland Penny
2022-Mar-22 16:34 UTC
[Samba] authentication issue moving from Samba 4.11.x to 4.13.14
On Tue, 2022-03-22 at 11:24 -0500, Patrick Goetz via samba wrote:
> 
> On 3/21/22 21:52, Gaiseric Vandal via samba wrote:
> > On 3/21/2022 3:19 PM, Rowland Penny via samba wrote:
> > > On Mon, 2022-03-21 at 15:08 -0400, Gaiseric Vandal via samba wrote:
> > > > On 3/21/22 13:38, Rowland Penny via samba wrote:
> > > > > On Mon, 2022-03-21 at 13:17 -0400, Gaiseric Vandal via samba wrote:
> > > > > > LDAP is used for user and group lookups at the Unix/Linux level.
> > > > > > This includes nfs and ssh. The authentication itself is
> > > > > > typically kerberos. Presumably if nsswitch.conf pointed to
> > > > > > winbind but not ldap then everything would continue to work.
> > > > > Got to ask this, why are you using ldap for Unix user & group
> > > > > lookups ?
> > > > > I presume that the ldap lookups are searching for RFC2307
> > > > > attributes, if so, ldap is a bit redundant, your 'ad' backend
> > > > > will use the same IDs
> > > > > 
> > > > > While there are numerous superfluous lines in your smb.conf, it
> > > > > is basically sound.
> > > > > 
> > > > > Rowland
> > > > > 
> > > > > 
> > > > A lot of the engineering/scientific software we use runs on Linux.
> > > > A lot of the software development we do is also on Linux, so the
> > > > focus of services on Solaris machines was to support Linux clients
> > > > first, and Windows clients 2nd. I am fairly confident that if I
> > > > configure /etc/nsswitch.conf to use winbind (not ldap) network
> > > > users and groups that ssh login would still work.
> > > I am absolutely positive it will work, it is how I run Samba on
> > > Linux.
> > > 
> > > > but I don't know about NFS (which is
> > > > dependent on kerberos security.)
> > > This should also work, I do not use NFS, but kerberos works well
> > > on Linux, not sure about Solaris. If this was Debian, I would advise
> > > installing the libnss-winbind, libpam-winbind and libpam-krb5
> > > packages, does Solaris have similar packages ?
> > > 
> > > Rowland
> > > 
> > > 
> > With /etc/nsswitch.conf set to use
> > 
> >     passwd: files winbind
> >     group:  files winbind
> > 
> > Ssh logins fail, and the log shows the following
> > 
> >     Mar 21 20:41:00 server1 sshd[28725]: [ID 800047 auth.error]
> >     error: PAM: Authentication failed for myname from 192.x.x.x
> > 
> >     Mar 21 20:41:06 server1 sshd[28725]: [ID 720393 auth.error]
> >     PAM-KRB5 (setcred): pam_setcred failed for myname (Failure
> >     setting user credentials).
> > 
> >     Mar 21 20:43:43 server1 sshd[29042]: [ID 800047 auth.error]
> >     error: PAM: User account has expired for myname from 192.x.x.x
> > 
> >     Mar 21 20:43:51 server1 sshd[29046]: [ID 800047 auth.error]
> >     error: PAM: User account has expired for myname from 192.x.x.x
> > 
> > 
> For ssh to authenticate against AD, you will need to have
> /etc/pam.d/sssd configured to use pam_winbind.so.

No you don't, I do not use sssd anywhere and I can ssh into any of my Linux machines.

/var/log/auth.log

Mar 22 16:32:09 rpidc2 sshd[31208]: Authorized to rowland, krb5 principal rowland at SAMDOM.EXAMPLE.COM (krb5_kuserok)
Mar 22 16:32:09 rpidc2 sshd[31208]: Accepted gssapi-with-mic for rowland from 192.168.0.49 port 45704 ssh2: rowland at SAMDOM.EXAMPLE.COM
Mar 22 16:32:10 rpidc2 sshd[31208]: pam_unix(sshd:session): session opened for user rowland by (uid=0)
Mar 22 16:32:10 rpidc2 systemd-logind[404]: New session 1190 of user SAMDOM\rowland.
Mar 22 16:32:10 rpidc2 systemd: pam_unix(systemd-user:session): session opened for user SAMDOM\rowland by (uid=0)

>
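The two log excerpts in this thread are in different formats (Solaris syslog with its "[ID nnnnnn auth.error]" tag, and a Debian /var/log/auth.log) but report on the same PAM stages, and which stage rejects the user is the useful signal: "Authentication failed" and "User account has expired" are the pam_strerror texts for PAM_AUTH_ERR and PAM_ACCT_EXPIRED, so the second one comes from account management (pam_acct_mgmt), not from the password or ticket check. The script below is an added example of mine, not code from Samba or from anyone in the thread: it parses both sshd line formats, tags each event with its stage, and reports per (host, user) where the login broke. The sample lines are constructed to mirror the posted ones (documentation addresses, a real "@" in the principal instead of the list archive's " at "); the stage names and hint wording are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample lines (not taken from a real host), modelled on the two
# formats posted in the thread. The systemd-logind line is there to show that
# non-sshd lines are ignored.
SAMPLE_LOG = """\
Mar 21 20:41:00 server1 sshd[28725]: [ID 800047 auth.error] error: PAM: Authentication failed for myname from 192.0.2.10
Mar 21 20:41:06 server1 sshd[28725]: [ID 720393 auth.error] PAM-KRB5 (setcred): pam_setcred failed for myname (Failure setting user credentials).
Mar 21 20:43:43 server1 sshd[29042]: [ID 800047 auth.error] error: PAM: User account has expired for myname from 192.0.2.10
Mar 22 16:32:09 rpidc2 sshd[31208]: Authorized to rowland, krb5 principal rowland@SAMDOM.EXAMPLE.COM (krb5_kuserok)
Mar 22 16:32:09 rpidc2 sshd[31208]: Accepted gssapi-with-mic for rowland from 192.168.0.49 port 45704 ssh2: rowland@SAMDOM.EXAMPLE.COM
Mar 22 16:32:10 rpidc2 sshd[31208]: pam_unix(sshd:session): session opened for user rowland by (uid=0)
Mar 22 16:32:10 rpidc2 systemd-logind[404]: New session 1190 of user SAMDOM\\rowland.
"""


@dataclass
class AuthEvent:
    ts: str
    host: str
    pid: int
    stage: str        # auth | setcred | account | authorization | session
    outcome: str      # success | fail
    user: str
    src: Optional[str] = None
    method: Optional[str] = None
    principal: Optional[str] = None
    detail: Optional[str] = None


# "Mon DD HH:MM:SS host prog[pid]: message" is common to both formats.
HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Solaris syslogd prefixes the message with "[ID <hash> <facility>.<level>] ".
SOLARIS_TAG = re.compile(r"^\[ID \d+ [\w.]+\] ")

# (stage, outcome, pattern), tried in order against the message body.
PATTERNS = [
    ("auth", "fail", re.compile(
        r"^error: PAM: Authentication failed for (?P<user>\S+) from (?P<src>\S+)")),
    ("account", "fail", re.compile(
        r"^error: PAM: User account has expired for (?P<user>\S+) from (?P<src>\S+)")),
    ("setcred", "fail", re.compile(
        r"^PAM-KRB5 \(setcred\): pam_setcred failed for (?P<user>\S+) \((?P<detail>[^)]*)\)")),
    ("authorization", "success", re.compile(
        r"^Authorized to (?P<user>[^,]+), krb5 principal (?P<principal>\S+) \(krb5_kuserok\)")),
    ("auth", "success", re.compile(
        r"^Accepted (?P<method>[\w-]+) for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2"
        r"(?:: (?P<principal>\S+))?")),
    ("session", "success", re.compile(
        r"^pam_unix\(sshd:session\): session opened for user (?P<user>\S+)")),
]


def parse_line(line: str) -> Optional[AuthEvent]:
    """Return an AuthEvent for a recognised sshd line, else None."""
    m = HEADER.match(line.rstrip())
    if not m or m.group("prog") != "sshd":
        return None
    msg = SOLARIS_TAG.sub("", m.group("msg"), count=1)   # harmless on Linux lines
    for stage, outcome, pat in PATTERNS:
        hit = pat.match(msg)
        if hit:
            g = hit.groupdict()
            return AuthEvent(ts=m.group("ts"), host=m.group("host"), pid=int(m.group("pid")),
                             stage=stage, outcome=outcome, user=g["user"],
                             src=g.get("src"), method=g.get("method"),
                             principal=g.get("principal"), detail=g.get("detail"))
    return None


def parse_log(text: str) -> List[AuthEvent]:
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


@dataclass
class Triage:
    failed_stages: List[str] = field(default_factory=list)
    session_opened: bool = False


def triage(events: List[AuthEvent]) -> Dict[Tuple[str, str], Triage]:
    """Per (host, user): which PAM stages failed, and whether a session ever opened."""
    out: Dict[Tuple[str, str], Triage] = {}
    for ev in events:
        rec = out.setdefault((ev.host, ev.user), Triage())
        if ev.outcome == "fail" and ev.stage not in rec.failed_stages:
            rec.failed_stages.append(ev.stage)
        if ev.stage == "session":
            rec.session_opened = True
    return out


# Hint text is mine; the stage mapping follows the PAM call that produces each message.
HINTS = {
    "account": "rejected at PAM account management (pam_acct_mgmt): the password or "
               "ticket was accepted, so check the account stack and the NSS source that "
               "answers shadow/expiry lookups for this user",
    "setcred": "pam_setcred failed after authentication: credentials could not be "
               "established for the session",
    "auth": "credential check failed (PAM_AUTH_ERR)",
}


def verdict(rec: Triage) -> str:
    """Name the login stage the operator should look at first."""
    if rec.session_opened and not rec.failed_stages:
        return "login completed"
    # Later stages are more telling: if account management rejects the user,
    # fixing authentication will not help.
    for stage in ("account", "setcred", "auth"):
        if stage in rec.failed_stages:
            return HINTS[stage]
    return "no decisive event"


if __name__ == "__main__":
    for (host, user), rec in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{host} {user}: failed={rec.failed_stages} -> {verdict(rec)}")
```

On a real box run it over the whole file (`parse_log(open("/var/log/auth.log").read())` on Debian, the relevant syslog file on Solaris); the constructed sample flags myname on server1 as an account-management rejection, which is the stage the thread's `getent shadow myname` comparison is probing, while rowland on rpidc2 shows the full Kerberos path (krb5_kuserok authorization, gssapi-with-mic, session open) with no PAM failures.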