Patrick Goetz
2022-Mar-22 16:58 UTC
[Samba] authentication issue moving from Samba 4.11.x to 4.13.14
On 3/22/22 11:34, Rowland Penny via samba wrote:
> On Tue, 2022-03-22 at 11:24 -0500, Patrick Goetz via samba wrote:
>>
>> On 3/21/22 21:52, Gaiseric Vandal via samba wrote:
>>> On 3/21/2022 3:19 PM, Rowland Penny via samba wrote:
>>>> On Mon, 2022-03-21 at 15:08 -0400, Gaiseric Vandal via samba wrote:
>>>>> On 3/21/22 13:38, Rowland Penny via samba wrote:
>>>>>> On Mon, 2022-03-21 at 13:17 -0400, Gaiseric Vandal via samba wrote:
>>>>>>> LDAP is used for user and group lookups at the Unix/Linux level. This
>>>>>>> includes nfs and ssh. The authentication itself is typically kerberos.
>>>>>>> Presumably if nsswitch.conf pointed to winbind but not ldap, everything
>>>>>>> would continue to work.
>>>>>> Got to ask this, why are you using ldap for Unix user & group lookups?
>>>>>> I presume that the ldap lookups are searching for RFC2307 attributes;
>>>>>> if so, ldap is a bit redundant, your 'ad' backend will use the same IDs.
>>>>>>
>>>>>> While there are numerous superfluous lines in your smb.conf, it is
>>>>>> basically sound.
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>> A lot of the engineering/scientific software we use runs on Linux. A lot
>>>>> of the software development we do is also on Linux, so the focus of
>>>>> services on Solaris machines was to support Linux clients first, and
>>>>> Windows clients 2nd. I am fairly confident that if I configure
>>>>> /etc/nsswitch.conf to use winbind (not ldap) for network users and
>>>>> groups, ssh login would still work.
>>>> I am absolutely positive it will work, it is how I run Samba on Linux.
>>>>
>>>>> But I don't know about NFS (which is dependent on kerberos security.)
>>>> This should also work, I do not use NFS, but kerberos works well on
>>>> Linux, not sure about Solaris. If this was Debian, I would advise
>>>> installing the libnss-winbind, libpam-winbind and libpam-krb5 packages,
>>>> does Solaris have similar packages?
>>>>
>>>> Rowland
>>>>
>>> With /etc/nsswitch.conf set to use
>>>
>>>     passwd: files winbind
>>>     group:  files winbind
>>>
>>> ssh logins fail, and the log shows the following
>>>
>>>     Mar 21 20:41:00 server1 sshd[28725]: [ID 800047 auth.error]
>>>     error: PAM: Authentication failed for myname from 192.x.x.x
>>>
>>>     Mar 21 20:41:06 server1 sshd[28725]: [ID 720393 auth.error]
>>>     PAM-KRB5 (setcred): pam_setcred failed for myname (Failure
>>>     setting user credentials).
>>>
>>>     Mar 21 20:43:43 server1 sshd[29042]: [ID 800047 auth.error]
>>>     error: PAM: User account has expired for myname from 192.x.x.x
>>>
>>>     Mar 21 20:43:51 server1 sshd[29046]: [ID 800047 auth.error]
>>>     error: PAM: User account has expired for myname from 192.x.x.x
>>>
>> For ssh to authenticate against AD, you will need to have
>> /etc/pam.d/sssd configured to use pam_winbind.so.
>
> No you don't, I do not use sssd anywhere and I can ssh into any of my
> Linux machines.

Um, that was a typo: I meant to say /etc/pam.d/sshd

The reference to pam_winbind.so should have given this away.

> /var/log/auth.log
>
> Mar 22 16:32:09 rpidc2 sshd[31208]: Authorized to rowland, krb5 principal rowland@SAMDOM.EXAMPLE.COM (krb5_kuserok)
> Mar 22 16:32:09 rpidc2 sshd[31208]: Accepted gssapi-with-mic for rowland from 192.168.0.49 port 45704 ssh2: rowland@SAMDOM.EXAMPLE.COM
> Mar 22 16:32:10 rpidc2 sshd[31208]: pam_unix(sshd:session): session opened for user rowland by (uid=0)
> Mar 22 16:32:10 rpidc2 systemd-logind[404]: New session 1190 of user SAMDOM\rowland.
> Mar 22 16:32:10 rpidc2 systemd: pam_unix(systemd-user:session): session opened for user SAMDOM\rowland by (uid=0)
Gaiseric Vandal
2022-Mar-22 17:22 UTC
[Samba] authentication issue moving from Samba 4.11.x to 4.13.14
On 3/22/2022 12:58 PM, Patrick Goetz via samba wrote:
>
> On 3/22/22 11:34, Rowland Penny via samba wrote:
>> On Tue, 2022-03-22 at 11:24 -0500, Patrick Goetz via samba wrote:
>>>
>>> On 3/21/22 21:52, Gaiseric Vandal via samba wrote:
>>>> On 3/21/2022 3:19 PM, Rowland Penny via samba wrote:
>>>>> On Mon, 2022-03-21 at 15:08 -0400, Gaiseric Vandal via samba wrote:
>>>>>> On 3/21/22 13:38, Rowland Penny via samba wrote:
>>>>>>> On Mon, 2022-03-21 at 13:17 -0400, Gaiseric Vandal via samba wrote:
>>>>>>>> LDAP is used for user and group lookups at the Unix/Linux level. This
>>>>>>>> includes nfs and ssh. The authentication itself is typically kerberos.
>>>>>>>> Presumably if nsswitch.conf pointed to winbind but not ldap, everything
>>>>>>>> would continue to work.
>>>>>>> Got to ask this, why are you using ldap for Unix user & group lookups?
>>>>>>> I presume that the ldap lookups are searching for RFC2307 attributes;
>>>>>>> if so, ldap is a bit redundant, your 'ad' backend will use the same IDs.
>>>>>>>
>>>>>>> While there are numerous superfluous lines in your smb.conf, it is
>>>>>>> basically sound.
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>> A lot of the engineering/scientific software we use runs on Linux. A lot
>>>>>> of the software development we do is also on Linux, so the focus of
>>>>>> services on Solaris machines was to support Linux clients first, and
>>>>>> Windows clients 2nd. I am fairly confident that if I configure
>>>>>> /etc/nsswitch.conf to use winbind (not ldap) for network users and
>>>>>> groups, ssh login would still work.
>>>>> I am absolutely positive it will work, it is how I run Samba on Linux.
>>>>>
>>>>>> But I don't know about NFS (which is dependent on kerberos security.)
>>>>> This should also work, I do not use NFS, but kerberos works well on
>>>>> Linux, not sure about Solaris. If this was Debian, I would advise
>>>>> installing the libnss-winbind, libpam-winbind and libpam-krb5 packages,
>>>>> does Solaris have similar packages?
>>>>>
>>>>> Rowland
>>>>>
>>>> With /etc/nsswitch.conf set to use
>>>>
>>>>     passwd: files winbind
>>>>     group:  files winbind
>>>>
>>>> ssh logins fail, and the log shows the following
>>>>
>>>>     Mar 21 20:41:00 server1 sshd[28725]: [ID 800047 auth.error]
>>>>     error: PAM: Authentication failed for myname from 192.x.x.x
>>>>
>>>>     Mar 21 20:41:06 server1 sshd[28725]: [ID 720393 auth.error]
>>>>     PAM-KRB5 (setcred): pam_setcred failed for myname (Failure
>>>>     setting user credentials).
>>>>
>>>>     Mar 21 20:43:43 server1 sshd[29042]: [ID 800047 auth.error]
>>>>     error: PAM: User account has expired for myname from 192.x.x.x
>>>>
>>>>     Mar 21 20:43:51 server1 sshd[29046]: [ID 800047 auth.error]
>>>>     error: PAM: User account has expired for myname from 192.x.x.x
>>>>
>>> For ssh to authenticate against AD, you will need to have
>>> /etc/pam.d/sssd configured to use pam_winbind.so.
>>
>> No you don't, I do not use sssd anywhere and I can ssh into any of my
>> Linux machines.
>>
>
> Um, that was a typo: I meant to say /etc/pam.d/sshd
>
> The reference to pam_winbind.so should have given this away.
>
>> /var/log/auth.log
>>
>> Mar 22 16:32:09 rpidc2 sshd[31208]: Authorized to rowland, krb5 principal rowland@SAMDOM.EXAMPLE.COM (krb5_kuserok)
>> Mar 22 16:32:09 rpidc2 sshd[31208]: Accepted gssapi-with-mic for rowland from 192.168.0.49 port 45704 ssh2: rowland@SAMDOM.EXAMPLE.COM
>> Mar 22 16:32:10 rpidc2 sshd[31208]: pam_unix(sshd:session): session opened for user rowland by (uid=0)
>> Mar 22 16:32:10 rpidc2 systemd-logind[404]: New session 1190 of user SAMDOM\rowland.
>> Mar 22 16:32:10 rpidc2 systemd: pam_unix(systemd-user:session): session opened for user SAMDOM\rowland by (uid=0)

Yes, Solaris has PAM. The ssh module (assuming password authentication is needed) should call the pam_unix module, which in turn looks at /etc/nsswitch.conf. I am guessing the issue is that somewhere in the stack something is looking for a shadow entry to see if the account has expired.
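The thread settles on two things the ssh path through winbind needs: /etc/nsswitch.conf listing winbind for passwd and group (Rowland's setup), and the sshd PAM service loading pam_winbind.so (Patrick's correction); Gaiseric's guess is that the "User account has expired" message comes from something in the PAM stack consulting a shadow entry. The script below is an added example, not code from the thread or from the Samba project. It checks two constructed configuration fragments for exactly those two things: winbind in the passwd and group lines of nsswitch.conf, and pam_winbind.so in both the auth and the account stacks of the sshd service. It assumes the Linux /etc/pam.d/sshd layout that Rowland's Debian packages use, not Solaris' /etc/pam.conf, whose lines carry the service name in an extra first column; the sample fragments, the function names and the [success=1 default=ignore] control values are my own choices. It reports what is missing and does not diagnose why a particular login failed.

```shell
#!/bin/sh
# Added example (not from the thread): check that NSS and sshd's PAM stack both
# route AD users through winbind. Linux /etc/pam.d layout is assumed; the
# config fragments below are constructed samples, not copied from a real host.

# Constructed nsswitch.conf: passwd and group go through winbind, shadow does not.
SAMPLE_NSSWITCH='passwd:         files winbind
group:          files winbind
shadow:         files
hosts:          files dns'

# Constructed /etc/pam.d/sshd in which pam_winbind.so is only in the auth
# stack, so the account check is left to pam_unix alone.
SAMPLE_PAM_SSHD_BAD='# comment lines must be ignored: account sufficient pam_winbind.so
auth    [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE
auth    required  pam_unix.so try_first_pass
account required  pam_unix.so
session optional  pam_winbind.so'

# The same stack with pam_winbind.so also consulted for account management.
SAMPLE_PAM_SSHD_GOOD='auth    [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE
auth    required  pam_unix.so try_first_pass
account [success=1 default=ignore] pam_winbind.so
account required  pam_unix.so
session optional  pam_winbind.so'

# nss_uses_winbind DB CONFIG
# Returns 0 if the nsswitch.conf line for database DB (passwd, group, ...)
# lists winbind as one of its sources; comment lines are ignored.
nss_uses_winbind() {
    printf '%s\n' "$2" | awk -v db="$1" '
        /^[[:space:]]*#/ { next }
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit found ? 0 : 1 }'
}

# pam_stack_has MODULE TYPE CONFIG
# Returns 0 if a non-comment line of management group TYPE (auth, account,
# password, session) loads MODULE. Every field after the type is scanned, so
# both plain controls (required) and bracketed ones ([success=1 ...]) are
# stepped over without parsing them.
pam_stack_has() {
    printf '%s\n' "$3" | awk -v m="$1" -v t="$2" '
        /^[[:space:]]*#/ { next }
        $1 == t { for (i = 2; i <= NF; i++) if ($i == m) found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_ssh_winbind NSSWITCH PAM_SSHD
# Prints one line per missing piece and returns 1 if anything is missing.
check_ssh_winbind() {
    nss=$1; pam=$2; rc=0
    for db in passwd group; do
        nss_uses_winbind "$db" "$nss" ||
            { echo "nsswitch.conf: '$db' does not list winbind"; rc=1; }
    done
    # 'auth' covers password logins; 'account' covers validity checks. With no
    # pam_winbind in 'account', only pam_unix decides whether the account is
    # usable, and pam_unix reasons from local passwd/shadow data.
    for type in auth account; do
        pam_stack_has pam_winbind.so "$type" "$pam" ||
            { echo "pam.d/sshd: no pam_winbind.so in the '$type' stack"; rc=1; }
    done
    return $rc
}

# Run against the constructed samples.
echo "== stack without pam_winbind in 'account' =="
check_ssh_winbind "$SAMPLE_NSSWITCH" "$SAMPLE_PAM_SSHD_BAD" || echo "result: incomplete"
echo "== corrected stack =="
check_ssh_winbind "$SAMPLE_NSSWITCH" "$SAMPLE_PAM_SSHD_GOOD" && echo "result: ok"
```

On a real Debian host /etc/pam.d/sshd pulls its stacks in through @include common-auth and friends, so feed the script the included files as well rather than the top-level file alone; on Solaris, where /etc/pam.conf prefixes each line with the service name, the field offsets in pam_stack_has have to shift by one and the type is matched in the second column.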