Daniel Lopes de Carvalho
2022-Apr-06 17:11 UTC
[Samba] SSH to Samba server using AD credentials and group membership.
Hi,

I'm looking for a way to authenticate a Samba 4.14.12 (domain controller) server SSH user with his AD credentials and group memberships.

In this server, I have a SSH config with the statement AllowGroups SysAdmins

I would like to use AD users and groups membership to control this access. I have created the accounts and groups in AD database and it is working properly.

Now I need to configure the Samba server to see this relationship. I tried to use NSLCD and NSCD to do that, but I got the following error on auth.log:

pam_unix(sshd:account): could not identify user (from getpwnam(DOMAIN\username))

I already executed pam-auth-update, but nothing happens.

Can someone shed some light on it?

Thanks

--
Daniel Lopes de Carvalho
daniel at cepetro.unicamp.br
unisim.cepetro.unicamp.br <https://www.unisim.cepetro.unicamp.br/>
+55 19 3521-1221
Rowland Penny
2022-Apr-06 18:05 UTC
[Samba] SSH to Samba server using AD credentials and group membership.
On Wed, 2022-04-06 at 14:11 -0300, Daniel Lopes de Carvalho via samba wrote:
> Hi,
>
> I'm looking for a way to authenticate a Samba 4.14.12 (domain controller)
> server SSH user with his AD credentials and group memberships.
>
> In this server, I have a SSH config with the statement AllowGroups SysAdmins
>
> I would like to use AD users and groups membership to control this access.
> I have created the accounts and groups in AD database and it is working
> properly.
>
> Now I need to configure the Samba server to see this relationship. I tried
> to use NSLCD and NSCD to do that, but I got the following error on
> auth.log:

What is wrong with using winbind? I ask this because it works for me:

First with a user that isn't in the SSH AllowGroups group:

Apr  6 18:54:55 deb11 sshd[963]: User user1 from 192.168.0.49 not allowed because none of user's groups are listed in AllowGroups

Then with a user that is:

Apr  6 18:55:15 deb11 sshd[966]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.49 user=user2
Apr  6 18:55:15 deb11 sshd[966]: pam_winbind(sshd:auth): getting password (0x00000388)
Apr  6 18:55:15 deb11 sshd[966]: pam_winbind(sshd:auth): pam_get_item returned a password
Apr  6 18:55:15 deb11 sshd[966]: pam_winbind(sshd:auth): user 'user2' granted access
Apr  6 18:55:16 deb11 sshd[966]: Accepted password for user2 from 192.168.0.49 port 51144 ssh2
Apr  6 18:55:16 deb11 sshd[966]: pam_unix(sshd:session): session opened for user user2(uid=11107) by (uid=0)
Apr  6 18:55:16 deb11 systemd-logind[334]: New session 4 of user user2.
Apr  6 18:55:16 deb11 systemd: pam_unix(systemd-user:session): session opened for user user2(uid=11107) by (uid=0)

Finally, you shouldn't be using nscd with winbind, it interferes with the winbind cache.

Rowland
Andrew Bartlett
2022-Apr-06 18:28 UTC
[Samba] SSH to Samba server using AD credentials and group membership.
On Wed, 2022-04-06 at 14:11 -0300, Daniel Lopes de Carvalho via samba wrote:
> Hi,
>
> I'm looking for a way to authenticate a Samba 4.14.12 (domain controller)
> server SSH user with his AD credentials and group memberships.
>
> In this server, I have a SSH config with the statement AllowGroups SysAdmins
>
> I would like to use AD users and groups membership to control this access.
> I have created the accounts and groups in AD database and it is working
> properly.
>
> Now I need to configure the Samba server to see this relationship. I tried
> to use NSLCD and NSCD to do that, but I got the following error on
> auth.log:
>
> pam_unix(sshd:account): could not identify user (from
> getpwnam(DOMAIN\username))
>
> I already execute the pam-auth-update, but nothing happens.
>
> Can someone give some light on it?

You are looking for pam_winbind and nss_winbind.

There is also a require_membership_of option to pam_winbind to deny authentication unless the user is in a particular group, using the returned groups from the login.

Note that this doesn't apply for SSH keys, only to password authentication (yes, this sucks, it is a hack).

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
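As an added example (not from any of the posters above), the following script classifies the kinds of auth.log lines seen in this thread: the getpwnam failure from the original question (NSS cannot resolve the AD user at all), the AllowGroups denial and the pam_winbind grant from Rowland's logs. The sample log lines are constructed here and modelled on the quoted ones; host names, the DOMAIN prefix and IPs are placeholders.

```shell
#!/bin/sh
# Added example: tell apart the three sshd/PAM outcomes discussed in the thread.
# classify_line LINE -> prints one token describing the line
classify_line() {
    case "$1" in
        *"could not identify user (from getpwnam("*)
            # NSS has no winbind (or ldap) source for this account, so sshd
            # fails in the account phase before any group check can run.
            echo nss-lookup-failed ;;
        *"not allowed because none of user's groups are listed in AllowGroups"*)
            # NSS resolved the user; sshd's own AllowGroups check rejected it.
            echo allowgroups-denied ;;
        *"pam_winbind(sshd:auth)"*"granted access"*)
            # AD password authentication succeeded through winbind.
            echo winbind-granted ;;
        *"Accepted password for "*|*"Accepted publickey for "*)
            echo login-accepted ;;
        *)
            echo other ;;
    esac
}

# count_outcomes FILE -> prints "token count" per outcome, sorted by token
count_outcomes() {
    while IFS= read -r line; do
        classify_line "$line"
    done < "$1" | sort | uniq -c | awk '{print $2, $1}'
}

# Constructed sample log (placeholders: dc1, DOMAIN, 192.168.0.49).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Apr  6 18:50:01 dc1 sshd[901]: pam_unix(sshd:account): could not identify user (from getpwnam(DOMAIN\jdoe))
Apr  6 18:54:55 dc1 sshd[963]: User user1 from 192.168.0.49 not allowed because none of user's groups are listed in AllowGroups
Apr  6 18:55:15 dc1 sshd[966]: pam_winbind(sshd:auth): user 'user2' granted access
Apr  6 18:55:16 dc1 sshd[966]: Accepted password for user2 from 192.168.0.49 port 51144 ssh2
Apr  6 18:55:16 dc1 systemd-logind[334]: New session 4 of user user2.
EOF

count_outcomes "$SAMPLE_LOG"
```

A run of nss-lookup-failed lines for DOMAIN\-prefixed names is the signature of the original problem (no NSS source for AD accounts), whereas allowgroups-denied lines show that name resolution works and only the group membership is missing.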