[Samba] Problem with Active Directory authentication
Kaplan, Andrew H.
2016-06-08 19:46:00 UTC
Hello --

We are running the 14.04.3 LTS 64-bit release as a virtual machine on a Vmware appliance. The goal of the installation is to create a Samba server that utilizes Active Directory authentication. To that end I utilized the following procedure:

http://www.kiloroot.com/add-ubuntu-14-04-server-or-desktop-to-microsoft-active-directory-domain-login-to-unity-with-domain-credentials/

Afterwards, I referenced the following documentation to confirm that all configuration files had the appropriate entries:

https://help.ubuntu.com/lts/serverguide/sssd-ad.html

The problem is the following: I am unable to log into the server from the console or via SSH using my Active Directory user account. The syntax that I use when doing an SSH connection is the following:

ssh -v -l <username>@<domainname> <fully qualified domain name>

The output that was generated is the following:

OpenSSH_6.0p1 Debian-4, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to <fully qualified domain name> [<ip address>] port 22.
debug1: Connection established.
debug1: identity file /home/knoppix/.ssh/id_rsa type -1
debug1: identity file /home/knoppix/.ssh/id_rsa-cert type -1
debug1: identity file /home/knoppix/.ssh/id_dsa type -1
debug1: identity file /home/knoppix/.ssh/id_dsa-cert type -1
debug1: identity file /home/knoppix/.ssh/id_ecdsa type -1
debug1: identity file /home/knoppix/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.7
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.7 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA ec:09:c1:bc:d0:11:f3:8c:45:3f:dd:3a:96:ba:2a:17
debug1: Host '<fully qualified domain name>' is known and matches the ECDSA host key.
debug1: Found key in /home/knoppix/.ssh/known_hosts:29
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/knoppix/.ssh/id_rsa
debug1: Trying private key: /home/knoppix/.ssh/id_dsa
debug1: Trying private key: /home/knoppix/.ssh/id_ecdsa
debug1: Next authentication method: password
<username>@<domainname>@<fully qualified domain name>'s password:
Connection closed by <ip address>

Does anyone have thoughts on this?

Thanks.


The information in this e-mail is intended only for the person to whom it is
addressed. If you believe this e-mail was sent to you in error and the e-mail
contains patient information, please contact the Partners Compliance HelpLine at
http://www.partners.org/complianceline . If the e-mail was sent to you in error
but does not contain patient information, please contact the sender and properly
dispose of the e-mail.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Data Control Systems - Mike Elkevizth
2016-06-08 22:12:31 UTC
What does "getent passwd <username>@<domainname>" return on the server for
the login shell? By default a Samba AD DC sets the login shell for all
Active Directory user accounts to /bin/false. The only way I've found to
change this is to override that globally with the "template shell =
/bin/bash" option in smb.conf, which enables it globally for all Active
Directory users (probably not desired).

Mike E.


Miguel Medalha
2016-06-08 22:38:05 UTC
> (...) By default a samba AD DC sets the login shell for all
> Active Directory user accounts to /bin/false. The only way I've found to
> change this, is to override that globally with the "template shell =
> /bin/bash" option in smb.conf, which enables it globally for all Active
> Directory users (probably not desired).

Using RFC2307 you can give each user its own shell and home directory.
Read here:

https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD


Data Control Systems - Mike Elkevizth
2016-06-08 22:55:53 UTC
The problem is that on a Samba AD DC you only get 'uidNumber' & 'gidNumber'
attributes from winbindd; all other RFC2307 attributes are ignored, so the
shell set in the RFC2307 attributes will not be honored on a DC. I'm not
sure why this is, but it is. Maybe a Samba dev can chime in on why it is
necessary for a DC to act this way? It's caused me plenty of headaches.

Mike E.
Kaplan, Andrew H.
2016-06-09 15:00:23 UTC
Hello --

The output of the getent passwd command was the following:

<username>@<domainname>:*:##########:##########::/PHShome/<username>:/bin/PHSshell


Kaplan, Andrew H.
2016-06-09 15:19:39 UTC
A thought came to me:

The smb.conf file on the system has the following entry:

template shell = /bin/bash

Would creating a symbolic link with the name PHSshell pointing to the /bin/bash shell solve the problem?

Data Control Systems - Mike Elkevizth
2016-06-09 17:11:26 UTC
Hi,

Try using the format <domainname><winbind separator><username> to log in
instead of <username>@<domainname>. I'm not sure why, and don't have time
to check into it right now, but ssh doesn't like the
<username>@<domainname> format for me either. The default winbind
separator is a backslash "\", so you'll have to escape it, or quote it,
like <domainname>\\<username> or '<domainname>\<username>'. Hope that does
the trick.

Mike E.


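The two checks Mike describes above (what "getent passwd" returns for the user's shell and home directory, and which login-name form to try) can be scripted. The following POSIX sh script is an added example, not code from the thread or from Samba; the script name is hypothetical, the sample passwd entries are constructed, and the /PHShome and /bin/PHSshell paths are taken from the thread.

```sh
#!/bin/sh
# check_ad_login.sh (hypothetical name): walk through the checks from the
# thread for an AD user that winbind/sssd resolves but who cannot log in:
# what "getent passwd" returns, whether the login shell and home directory
# are usable on this host, and which login-name forms to try.
# Added example, not Samba's or the posters' code. Sample entries are constructed.

# Print field N (1-based) of a passwd(5) line.
passwd_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# Examine one "getent passwd" line. Prints one finding per line for anything
# that would block an interactive login; returns 1 if any such finding exists.
# Lines prefixed "note:" are informational and do not affect the return status.
check_passwd_entry() {
    entry=$1
    nfields=$(printf '%s\n' "$entry" | awk -F: '{ print NF }')
    if [ "$nfields" -ne 7 ]; then
        echo "malformed entry (expected 7 fields, got $nfields): $entry"
        return 1
    fi
    uid=$(passwd_field "$entry" 3)
    home=$(passwd_field "$entry" 6)
    shell=$(passwd_field "$entry" 7)
    problems=0

    # Without a numeric uid the account cannot be mapped to a POSIX identity.
    case $uid in
        ''|*[!0-9]*)
            echo "uid field is not numeric ('$uid'): check the idmap configuration"
            problems=$((problems + 1)) ;;
    esac

    # Home directory as seen from this host (the thread's /PHShome/<username>).
    if [ -z "$home" ] || [ ! -d "$home" ]; then
        echo "home directory '$home' does not exist on this host (not mounted, or no pam_mkhomedir?)"
        problems=$((problems + 1))
    fi

    # passwd(5): an empty shell field means /bin/sh.
    [ -n "$shell" ] || shell=/bin/sh
    case $shell in
        /bin/false|/usr/sbin/nologin|/sbin/nologin)
            # The default for AD users on a Samba AD DC, as described in the thread.
            echo "login shell '$shell' is non-interactive: set 'template shell' in smb.conf or a per-user RFC2307 loginShell"
            problems=$((problems + 1)) ;;
        *)
            if [ ! -x "$shell" ]; then
                # The thread's /bin/PHSshell case: the entry names a shell that is not installed here.
                echo "login shell '$shell' does not exist or is not executable on this host"
                problems=$((problems + 1))
            elif [ -r /etc/shells ] && ! grep -qxF -- "$shell" /etc/shells; then
                echo "note: '$shell' is not listed in /etc/shells (matters only if pam_shells is in the PAM stack)"
            fi ;;
    esac
    return $(( problems > 0 ))
}

# Print the login-name forms discussed in the thread, one per line:
# user@DOMAIN, then DOMAIN<separator>user (winbind's default separator is '\').
candidate_logins() {
    domain=$1; user=$2; sep=${3:-'\'}
    printf '%s@%s\n' "$user" "$domain"
    printf '%s%s%s\n' "$domain" "$sep" "$user"
}

# Usage: sh check_ad_login.sh DOMAIN username [winbind-separator]
# Resolves each name form through NSS (getent) and checks the entry returned.
if [ $# -ge 2 ]; then
    candidate_logins "$1" "$2" "${3:-}" | while IFS= read -r name; do
        if entry=$(getent passwd "$name"); then
            echo "$name -> $entry"
            check_passwd_entry "$entry" || echo "$name: interactive login would fail (see above)"
        else
            echo "$name: not resolved by NSS (winbind/sssd did not answer for this form)"
        fi
    done
fi
```

Run it on the server itself, since the shell and home-directory checks are about the host the user is logging into, not the client.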
Kaplan, Andrew H.
2016-06-09 17:28:18 UTC
Hello --

I tried the two methods listed in your e-mail, and unfortunately neither worked.

The connection simply closed, or timed out, after about a minute.

I mentioned the possibility of creating a symbolic link to the bash shell in my previous e-mail; could that be part of the solution?

Thanks.


________________________________
From: Data Control Systems - Mike Elkevizth [***@datacontrolsystems.com]
Sent: Thursday, June 09, 2016 1:11 PM
To: Kaplan, Andrew H.
Cc: samba-***@lists.samba.org; ***@lists.samba.org
Subject: Re: FW: [Samba] Problem with Active Directory authentication

Hi,

Try using the format <domainname><winbind separator><username> to login instead of <username>@<domainname>. I'm not sure why, and don't have time to check into it right now, but ssh doesn't like the <username>@<domainname> format for me either. The default winbind separator is a backslash "\", so you'll have to escape it, or quote it, like <domainname>\\<username> or '<domainname>\<username>'. Hope that does the trick.

Mike E.


On Thu, Jun 9, 2016 at 11:19 AM Kaplan, Andrew H. <***@partners.org<mailto:***@partners.org>> wrote:
A thought came to me:

The smb.conf file on the system has the following entry:

template shell = /bin/bash

Would creating a symbolic link with the name PHSshell pointing to the /bin/bash shell solve the problem?

________________________________
From: Kaplan, Andrew H.
Sent: Thursday, June 09, 2016 11:00 AM
To: Data Control Systems - Mike Elkevizth
Cc: samba-***@lists.samba.org<mailto:samba-***@lists.samba.org>; ***@lists.samba.org<mailto:***@lists.samba.org>
Subject: RE: [Samba] Problem with Active Directory authentication

Hello --

The output of the getent passwd command was the following:

<username>@<domainname>:*:##########:##########::/PHShome/<username>:/bin/PHSshell


________________________________
From: Data Control Systems - Mike Elkevizth [***@datacontrolsystems.com<mailto:***@datacontrolsystems.com>]
Sent: Wednesday, June 08, 2016 6:12 PM
To: Kaplan, Andrew H.
Cc: samba-***@lists.samba.org<mailto:samba-***@lists.samba.org>; ***@lists.samba.org<mailto:***@lists.samba.org>
Subject: Re: [Samba] Problem with Active Directory authentication

What does "getent passwd <username>@<domainname>" return on the server for the login shell. By default a samba AD DC sets the login shell for all Active Directory user accounts to /bin/false. The only way I've found to change this, is to override that globally with the "template shell = /bin/bash" option in smb.conf, which enables it globally for all Active Directory users (probably not desired).

Mike E.


On Wed, Jun 8, 2016 at 3:46 PM, Kaplan, Andrew H. <***@partners.org<mailto:***@partners.org>> wrote:
Hello --

We are running the 14.04.3 LTS 64-bit release as a virtual machine on a Vmware appliance. The goal of the installation is to create a Samba server that utilizes Active Directory authentication. To that end I utilized the following procedure:

http://www.kiloroot.com/add-ubuntu-1...n-credentials/<http://www.kiloroot.com/add-ubuntu-14-04-server-or-desktop-to-microsoft-active-directory-domain-login-to-unity-with-domain-credentials/>

Afterwards, I referenced the following documentation to confirm that all configuration files had the appropriate entries:

https://help.ubuntu.com/lts/serverguide/sssd-ad.html

The problem is the following: I am unable to log into the server from the console or via SSH using my Active Directory user account. The syntax that I use when doing an SSH connection is the following:

ssh -v -l <username>@<domainname> <fully qualified domain name>

The output that was generated is the following:

OpenSSH_6.0p1 Debian-4, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to <fully qualified domain name> [<ip address>] port 22.
debug1: Connection established.
debug1: identity file /home/knoppix/.ssh/id_rsa type -1
debug1: identity file /home/knoppix/.ssh/id_rsa-cert type -1
debug1: identity file /home/knoppix/.ssh/id_dsa type -1
debug1: identity file /home/knoppix/.ssh/id_dsa-cert type -1
debug1: identity file /home/knoppix/.ssh/id_ecdsa type -1
debug1: identity file /home/knoppix/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.7
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.7 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA ec:09:c1:bc:d0:11:f3:8c:45:3f:dd:3a:96:ba:2a:17
debug1: Host '<fully qualified domain name>' is known and matches the ECDSA host key.
debug1: Found key in /home/knoppix/.ssh/known_hosts:29
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/knoppix/.ssh/id_rsa
debug1: Trying private key: /home/knoppix/.ssh/id_dsa
debug1: Trying private key: /home/knoppix/.ssh/id_ecdsa
debug1: Next authentication method: password
<username>@<domainname>@<fully qualified domain name>'s password:
Connection closed by <ip address>

Does anyone have thoughts on this?

Thanks.


The information in this e-mail is intended only for the person to whom it is
addressed. If you believe this e-mail was sent to you in error and the e-mail
contains patient information, please contact the Partners Compliance HelpLine at
http://www.partners.org/complianceline . If the e-mail was sent to you in error
but does not contain patient information, please contact the sender and properly
dispose of the e-mail.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Data Control Systems - Mike Elkevizth
2016-06-09 18:00:05 UTC
Permalink
Hi,

If you have the "template = /bin/bash" option, I think it is more likely
something wrong with the way ssh is trying to authenticate the username.
Do a "getent passwd" and then try "ssh -v '<username exactly as getent
returns it (case sensitive)>'@<fqdn of server>. If it doesn't work, post
the output of what ssh generates.


Mike E.


On Thu, Jun 9, 2016 at 1:28 PM, Kaplan, Andrew H. <***@partners.org>
wrote:

> Hello --
>
> I tried the two methods listed in your e-mail, and unfortunately neither
> worked.
>
> The connection simply closed, or timed out, after about a minute.
>
> I mentioned the possibility of creating a symbolic link to the bash shell
> in my previous e-mail,
> could that be part of the solution?
>
> Thanks.
>
>
> ------------------------------
> *From:* Data Control Systems - Mike Elkevizth [***@datacontrolsystems.com
> ]
> *Sent:* Thursday, June 09, 2016 1:11 PM
> *To:* Kaplan, Andrew H.
> *Cc:* samba-***@lists.samba.org; ***@lists.samba.org
> *Subject:* Re: FW: [Samba] Problem with Active Directory authentication
>
> Hi,
>
> Try using the format <domainname><winbind separator><username> to login
> instead of <username>@<domainname>. I'm not sure why, and don't have time
> to check into it right now, but ssh doesn't like the
> <username>@<domainname> format for me either. The default winbind
> separator is a backslash "\", so you'll have to escape it, or quote it,
> like <domainname>\\<username> or '<domainname>\<username>'. Hope that does
> the trick.
>
> Mike E.
>
>
> On Thu, Jun 9, 2016 at 11:19 AM Kaplan, Andrew H. <***@partners.org>
> wrote:
>
>> A thought came to me:
>>
>> The smb.conf file on the system has the following entry:
>>
>> template shell = /bin/bash
>>
>> Would creating a symbolic link with the name PHSshell pointing to the
>> /bin/bash shell solve the problem?
>>
>> ------------------------------
>> *From:* Kaplan, Andrew H.
>> *Sent:* Thursday, June 09, 2016 11:00 AM
>> *To:* Data Control Systems - Mike Elkevizth
>> *Cc:* samba-***@lists.samba.org; ***@lists.samba.org
>> *Subject:* RE: [Samba] Problem with Active Directory authentication
>>
>> Hello --
>>
>> The output of the getent passwd command was the following:
>>
>>
>> <username>@<domainname>:*:##########:##########::/PHShome/<username>:/bin/PHSshell
>>
>>
>> ------------------------------
>> *From:* Data Control Systems - Mike Elkevizth [
>> ***@datacontrolsystems.com]
>> *Sent:* Wednesday, June 08, 2016 6:12 PM
>> *To:* Kaplan, Andrew H.
>> *Cc:* samba-***@lists.samba.org; ***@lists.samba.org
>> *Subject:* Re: [Samba] Problem with Active Directory authentication
>>
>> What does "getent passwd <username>@<domainname>" return on the server
>> for the login shell? By default a samba AD DC sets the login shell for all
>> Active Directory user accounts to /bin/false. The only way I've found to
>> change this is to override that globally with the "template shell =
>> /bin/bash" option in smb.conf, which enables it globally for all Active
>> Directory users (probably not desired).
>>
>> Mike E.
>>
>>
Kaplan, Andrew H.
2016-06-09 19:54:15 UTC
Permalink
Hello --

Per your instructions, I ran the getent command with the following syntax:

sudo getent passwd ***@partners.org
***@partners.org:*:1896272477:1896200513:ahk:/PHShome/ahk:/bin/PHSshell

The command syntax that I used to connect to the server was the following:

ssh -v ***@partners.org@rorecovery1.partners.org

The output was as follows:

OpenSSH_6.0p1 Debian-4, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to rorecovery1.partners.org [172.27.171.221] port 22.
debug1: Connection established.
debug1: identity file /home/knoppix/.ssh/id_rsa type -1
debug1: identity file /home/knoppix/.ssh/id_rsa-cert type -1
debug1: identity file /home/knoppix/.ssh/id_dsa type -1
debug1: identity file /home/knoppix/.ssh/id_dsa-cert type -1
debug1: identity file /home/knoppix/.ssh/id_ecdsa type -1
debug1: identity file /home/knoppix/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.7
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.7 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA ec:09:c1:bc:d0:11:f3:8c:45:3f:dd:3a:96:ba:2a:17
debug1: Host 'rorecovery1.partners.org' is known and matches the ECDSA host key.
debug1: Found key in /home/knoppix/.ssh/known_hosts:29
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/knoppix/.ssh/id_rsa
debug1: Trying private key: /home/knoppix/.ssh/id_dsa
debug1: Trying private key: /home/knoppix/.ssh/id_ecdsa
debug1: Next authentication method: password
***@partners.org@rorecovery1.partners.org's password:
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
***@partners.org@rorecovery1.partners.org's password:
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
***@partners.org@rorecovery1.partners.org's password:
debug1: Authentications that can continue: publickey,password
debug1: No more authentication methods to try.
Permission denied (publickey,password).

I entered the password several times, but was unable to get into the system.

A check of the auth.log file listed the following entries:

Jun 9 15:50:55 rorecovery1 sshd[6325]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=microknoppix.mgh.harvard.edu user=***@partners.org
Jun 9 15:50:55 rorecovery1 sshd[6325]: pam_winbind(sshd:auth): getting password (0x00000388)
Jun 9 15:50:55 rorecovery1 sshd[6325]: pam_winbind(sshd:auth): pam_get_item returned a password
Jun 9 15:50:55 rorecovery1 sshd[6325]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=microknoppix.mgh.harvard.edu user=***@partners.org
Jun 9 15:51:55 rorecovery1 sshd[6325]: Failed password for ***@partners.org from 132.183.12.181 port 42505 ssh2
Jun 9 15:51:55 rorecovery1 sshd[6325]: fatal: Access denied for user ***@partners.org by PAM account configuration [preauth]



L.P.H. van Belle
2016-06-10 05:42:08 UTC
Permalink
Jun  9 15:51:55 rorecovery1 sshd[6325]: fatal: Access denied for user ***@partners.org by PAM account configuration [preauth]

on the ssh server system run pam-auth-update
select kerberos auth

if it's not there install pam-krb5

and try again.


gr
Louis



Kaplan, Andrew H.
2016-06-10 11:19:05 UTC
Permalink
Hello --

When I ran the pam-auth-update command, the PAM configuration window did list Winbind NT/Active Directory authentication as being enabled. This was in addition to the following also being active:

Pwquality password strength checking
Unix authentication
SSS authentication
LDAP Authentication
Register user sessions in the systemd control group hierarchy
Inheritable Capabilities Management

I ran the apt-get install pam-krb5 command syntax, but there is no listing of the package for the 14.04 release
of Ubuntu. Is there another package name that I can install?

Thanks.


Kaplan, Andrew H.
2016-06-10 11:47:45 UTC
Permalink
Hello --

I started a thread on the list that you suggested in your e-mail, and thank you for the reference.

Also, I checked the auth.log file on the server, and the following entries were present:

Jun 10 07:10:50 <samba server> sshd[7419]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<fqdn> user=<username>@<domainname>
Jun 10 07:10:51 <samba server> sshd[7419]: pam_winbind(sshd:auth): getting password (0x00000388)
Jun 10 07:10:51 <samba server> sshd[7419]: pam_winbind(sshd:auth): pam_get_item returned a password
Jun 10 07:10:51 <samba server> sshd[7419]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<fqdn> user=<username>@<domainname>
Jun 10 07:10:51 <samba server> sshd[7419]: pam_sss(sshd:auth): received for user <username>@<domainname> 17 (Failure setting user credentials)
Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: could not open secret file /etc/ldap.secret (No such file or directory)
Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: reconnecting to LDAP server...
Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jun 10 07:10:53 <samba server> sshd[7419]: Failed password for invalid user <username>@<domainname> from <ip address> port 49847 ssh2


________________________________________
From: Sumit Bose [***@redhat.com]
Sent: Friday, June 10, 2016 4:44 AM
To: Kaplan, Andrew H.
Cc: samba-***@lists.samba.org; ***@lists.samba.org
Subject: Re: Problem with Active Directory authentication

On Wed, Jun 08, 2016 at 07:46:00PM +0000, Kaplan, Andrew H. wrote:
> Hello --
>
> We are running the 14.04.3 LTS 64-bit release as a virtual machine on a Vmware appliance. The goal of the installation is to create a Samba server that utilizes Active Directory authentication. To that end I utilized the following procedure:
>
> http://www.kiloroot.com/add-ubuntu-1...n-credentials/<http://www.kiloroot.com/add-ubuntu-14-04-server-or-desktop-to-microsoft-active-directory-domain-login-to-unity-with-domain-credentials/>
>
> Afterwards, I referenced the following documentation to confirm that all configuration files had the appropriate entries:
>
> https://help.ubuntu.com/lts/serverguide/sssd-ad.html

The sssd-users list
https://lists.fedorahosted.org/archives/list/sssd-***@lists.fedorahosted.org/
might be more appropriate for your question.

As a general comment, the PAM configuration is important here. Please
check in the system logs which PAM module was consulted during the login
attempt and which caused the rejection.

HTH

bye,
Sumit

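The two auth.log excerpts posted in this thread tell different stories: in the 15:50 one pam_sss reports "authentication success" yet sshd ends with "Access denied ... by PAM account configuration", while in the 07:10 one every auth module fails and sshd reports an "invalid user". Reading them the way Sumit Bose suggests (which module ran, which phase rejected) is easier with a small parser. The following is an added example, not code from the thread or from Samba, SSSD or OpenSSH; the sample lines are constructed after the two excerpts, with hostname, user name and addresses replaced by placeholders.

```python
import re
from collections import defaultdict

# sshd[PID]: pam_<module>(<service>:<phase>): <message>
PAM_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: pam_(?P<module>\w+)\((?P<service>\w+):(?P<phase>\w+)\): (?P<msg>.*)"
)
# pam_ldap logs without the (service:phase) part, as in the thread's second excerpt
LDAP_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: pam_ldap: (?P<msg>.*)")
# sshd's own verdict lines: the password result and the account-phase denial
VERDICT_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<msg>(?:Accepted|Failed) \w+ for .*|fatal: Access denied .*)"
)

# Constructed sample modelled on the thread's two excerpts; host, user and
# addresses are placeholders, not values from the list posts.
SAMPLE_LOG = """
Jun  9 15:50:55 host1 sshd[6325]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=client.example.org user=user@example.com
Jun  9 15:50:55 host1 sshd[6325]: pam_winbind(sshd:auth): getting password (0x00000388)
Jun  9 15:50:55 host1 sshd[6325]: pam_winbind(sshd:auth): pam_get_item returned a password
Jun  9 15:50:55 host1 sshd[6325]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=client.example.org user=user@example.com
Jun  9 15:51:55 host1 sshd[6325]: Failed password for user@example.com from 192.0.2.10 port 42505 ssh2
Jun  9 15:51:55 host1 sshd[6325]: fatal: Access denied for user user@example.com by PAM account configuration [preauth]
Jun 10 07:10:50 host1 sshd[7419]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=client.example.org user=user@example.com
Jun 10 07:10:51 host1 sshd[7419]: pam_winbind(sshd:auth): getting password (0x00000388)
Jun 10 07:10:51 host1 sshd[7419]: pam_winbind(sshd:auth): pam_get_item returned a password
Jun 10 07:10:51 host1 sshd[7419]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=client.example.org user=user@example.com
Jun 10 07:10:51 host1 sshd[7419]: pam_sss(sshd:auth): received for user user@example.com 17 (Failure setting user credentials)
Jun 10 07:10:51 host1 sshd[7419]: pam_ldap: could not open secret file /etc/ldap.secret (No such file or directory)
Jun 10 07:10:51 host1 sshd[7419]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jun 10 07:10:51 host1 sshd[7419]: pam_ldap: reconnecting to LDAP server...
Jun 10 07:10:51 host1 sshd[7419]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jun 10 07:10:53 host1 sshd[7419]: Failed password for invalid user user@example.com from 192.0.2.10 port 49847 ssh2
""".strip().splitlines()


def diagnose(s):
    """Name the stage that rejected the login, from one PID's collected lines."""
    succeeded = [mod for mod, res in s["auth"] if res == "success"]
    failed = [mod for mod, res in s["auth"] if res == "failure"]
    verdicts = " | ".join(s["verdicts"])
    if "by PAM account configuration" in verdicts:
        # sshd ran the account stack after auth and a module there said no,
        # even though (in the first excerpt) pam_sss had accepted the password
        via = f" (auth phase passed via pam_{succeeded[0]})" if succeeded else ""
        return "account phase denied" + via
    if "invalid user" in verdicts:
        # sshd could not look the account up through NSS, so PAM ran
        # against a name the server could not resolve
        return ("user unknown to sshd (NSS lookup failed); auth failures: "
                + ", ".join(f"pam_{mod}" for mod in failed))
    if "Accepted" in verdicts:
        return "login accepted"
    if s["auth"] and not succeeded:
        return "auth phase failed in every module (" + ", ".join(f"pam_{mod}" for mod in failed) + ")"
    return "undetermined"


def summarise(lines):
    """Group sshd PAM lines by PID; return {pid: {auth, errors, verdicts, diagnosis}}."""
    sessions = defaultdict(lambda: {"auth": [], "errors": [], "verdicts": []})
    for line in lines:
        m = PAM_RE.search(line)
        if m:
            s = sessions[m["pid"]]
            msg = m["msg"]
            if m["phase"] != "auth":
                continue  # only the auth phase appears in the excerpts
            if "authentication success" in msg:
                s["auth"].append((m["module"], "success"))
            elif "authentication failure" in msg:
                s["auth"].append((m["module"], "failure"))
            elif msg.startswith("received for user"):
                s["errors"].append((f"pam_{m['module']}", msg))
            # pam_winbind's "getting password" chatter carries no verdict
            continue
        m = LDAP_RE.search(line)
        if m:
            sessions[m["pid"]]["errors"].append(("pam_ldap", m["msg"]))
            continue
        m = VERDICT_RE.search(line)
        if m:
            sessions[m["pid"]]["verdicts"].append(m["msg"])
    return {pid: dict(s, diagnosis=diagnose(s)) for pid, s in sessions.items()}


if __name__ == "__main__":
    for pid, s in summarise(SAMPLE_LOG).items():
        print(f"sshd[{pid}]: {s['diagnosis']}")
        for mod, res in s["auth"]:
            print(f"  auth  pam_{mod}: {res}")
        for mod, msg in s["errors"]:
            print(f"  error {mod}: {msg}")
```

Run it against a real /var/log/auth.log by passing the file's lines to summarise(); the per-PID grouping matters because sshd logs each connection's PAM lines under its own child PID.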
Kaplan, Andrew H.
2016-06-10 12:46:13 UTC
Permalink
Hello --

The winbind packages that are installed on the server are the following:

Package          Version                      Arch   Description
libnss-winbind   4.3.9+dfsg-0ubuntu0.14.04.3  amd64  Samba nameservice integration plugins
libpam-winbind   4.3.9+dfsg-0ubuntu0.14.04.3  amd64  Windows domain authentication integration plugin
libwbclient0     4.3.9+dfsg-0ubuntu0.14.04.3  amd64  Samba winbind client library
winbind          4.3.9+dfsg-0ubuntu0.14.04.3  amd64  service to resolve user and group information from Windows NT servers

Similarly, the ldap PAM packages are as follows:

Package           Version                  Arch   Description
ldap-auth-client  0.5.3                    all    meta-package for LDAP authentication
ldap-auth-config  0.5.3                    all    Config package for LDAP authentication
ldap-utils        2.4.31-1+nmu2ubuntu8.2   amd64  OpenLDAP utilities
libldap-2.4-2     2.4.31-1+nmu2ubuntu8.2   amd64  OpenLDAP libraries
libldb1           1.1.24-0ubuntu0.14.04.1  amd64  LDAP-like embedded database - shared library
libnss-ldap       264-2.2ubuntu4.14.04.1   amd64  NSS module for using LDAP as a naming service
libpam-ldap       184-8.5ubuntu3           amd64  Pluggable Authentication Module for LDAP
sssd-ldap         1.11.5-1ubuntu3          amd64  System Security Services Daemon -- LDAP back end

Finally, the sssd packages are the following:

Package           Version          Arch   Description
libsss-idmap0     1.11.5-1ubuntu3  amd64  ID mapping library for SSSD
sssd              1.11.5-1ubuntu3  amd64  System Security Services Daemon -- metapackage
sssd-ad           1.11.5-1ubuntu3  amd64  System Security Services Daemon -- Active Directory back end
sssd-ad-common    1.11.5-1ubuntu3  amd64  System Security Services Daemon -- PAC responder
sssd-common       1.11.5-1ubuntu3  amd64  System Security Services Daemon -- common files
sssd-ipa          1.11.5-1ubuntu3  amd64  System Security Services Daemon -- IPA back end
sssd-krb5         1.11.5-1ubuntu3  amd64  System Security Services Daemon -- Kerberos back end
sssd-krb5-common  1.11.5-1ubuntu3  amd64  System Security Services Daemon -- Kerberos helpers
sssd-ldap         1.11.5-1ubuntu3  amd64  System Security Services Daemon -- LDAP back end
sssd-proxy        1.11.5-1ubuntu3  amd64  System Security Services Daemon -- proxy back end
sssd-tools        1.11.5-1ubuntu3  amd64  System Security Services Daemon -- tools

Will removing all packages for the first two groups solve this problem?

From: samba [samba-***@lists.samba.org] on behalf of Rowland penny [***@samba.org]
Sent: Friday, June 10, 2016 8:29 AM
To: ***@lists.samba.org
Subject: Re: [Samba] Problem with Active Directory authentication

On 10/06/16 12:47, Kaplan, Andrew H. wrote:
> Hello --
>
> I started a thread on the list that you suggested in your e-mail, and thank-you for the reference.
>
> Also, I checked the auth.log file on the server, and the following entries were present:
>
> I checked the auth.log file, and the following entries were present:
>
> Jun 10 07:10:50 <samba server> sshd[7419]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<fqdn> user=<username>@<domainname>
> Jun 10 07:10:51 <samba server> sshd[7419]: pam_winbind(sshd:auth): getting password (0x00000388)
> Jun 10 07:10:51 <samba server> sshd[7419]: pam_winbind(sshd:auth): pam_get_item returned a password
> Jun 10 07:10:51 <samba server> sshd[7419]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<fqdn> user=username>@<domainname>
> Jun 10 07:10:51 <samba server> sshd[7419]: pam_sss(sshd:auth): received for user username>@<domainname> 17 (Failure setting user credentials)
> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: could not open secret file /etc/ldap.secret (No such file or directory)
> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: ldap_simple_bind Can't contact LDAP server
> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: reconnecting to LDAP server...
> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: ldap_simple_bind Can't contact LDAP server
> Jun 10 07:10:53 <samba server> sshd[7419]: Failed password for invalid user username>@<domainname>from <ip address> port 49847 ssh2
>
>
> ________________________________________
> From: Sumit Bose [***@redhat.com]
> Sent: Friday, June 10, 2016 4:44 AM
> To: Kaplan, Andrew H.
> Cc: samba-***@lists.samba.org; ***@lists.samba.org
> Subject: Re: Problem with Active Directory authentication
>
> On Wed, Jun 08, 2016 at 07:46:00PM +0000, Kaplan, Andrew H. wrote:
>> Hello --
>>
>> We are running the 14.04.3 LTS 64-bit release as a virtual machine on a Vmware appliance. The goal of the installation is to create a Samba server that utilizes Active Directory authentication. To that end I utilized the following procedure:
>>
>> http://www.kiloroot.com/add-ubuntu-1...n-credentials/<http://www.kiloroot.com/add-ubuntu-14-04-server-or-desktop-to-microsoft-active-directory-domain-login-to-unity-with-domain-credentials/>
>>
>> Afterwards, I referenced the following documentation to confirm that all configuration files had the appropriate entries:
>>
>> https://help.ubuntu.com/lts/serverguide/sssd-ad.html
> The sssd-users list
> https://lists.fedorahosted.org/archives/list/sssd-***@lists.fedorahosted.org/
> might be more appropriate for your question.
>
> As a general comment, the PAM configuration is important here. Please
> check in the system logs which PAM module was consulted during the login
> attempt and which one caused the rejection.
>
> HTH
>
> bye,
> Sumit
>
>> The problem is the following: I am unable to log into the server from the console or via SSH using my Active Directory user account. The syntax that I use when doing an SSH connection is the following:
>>
>> ssh -v -l <username>@<domainname> <fully qualified domain name>
>>
>> The output that was generated is the following:
>>
>> OpenSSH_6.0p1 Debian-4, OpenSSL 1.0.1e 11 Feb 2013
>> debug1: Reading configuration data /etc/ssh/ssh_config
>> debug1: /etc/ssh/ssh_config line 19: Applying options for *
>> debug1: Connecting to <fully qualified domain name> [<ip address>] port 22.
>> debug1: Connection established.
>> debug1: identity file /home/knoppix/.ssh/id_rsa type -1
>> debug1: identity file /home/knoppix/.ssh/id_rsa-cert type -1
>> debug1: identity file /home/knoppix/.ssh/id_dsa type -1
>> debug1: identity file /home/knoppix/.ssh/id_dsa-cert type -1
>> debug1: identity file /home/knoppix/.ssh/id_ecdsa type -1
>> debug1: identity file /home/knoppix/.ssh/id_ecdsa-cert type -1
>> debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.7
>> debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.7 pat OpenSSH*
>> debug1: Enabling compatibility mode for protocol 2.0
>> debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4
>> debug1: SSH2_MSG_KEXINIT sent
>> debug1: SSH2_MSG_KEXINIT received
>> debug1: kex: server->client aes128-ctr hmac-md5 none
>> debug1: kex: client->server aes128-ctr hmac-md5 none
>> debug1: sending SSH2_MSG_KEX_ECDH_INIT
>> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
>> debug1: Server host key: ECDSA ec:09:c1:bc:d0:11:f3:8c:45:3f:dd:3a:96:ba:2a:17
>> debug1: Host '<fully qualified domain name>' is known and matches the ECDSA host key.
>> debug1: Found key in /home/knoppix/.ssh/known_hosts:29
>> debug1: ssh_ecdsa_verify: signature correct
>> debug1: SSH2_MSG_NEWKEYS sent
>> debug1: expecting SSH2_MSG_NEWKEYS
>> debug1: SSH2_MSG_NEWKEYS received
>> debug1: Roaming not allowed by server
>> debug1: SSH2_MSG_SERVICE_REQUEST sent
>> debug1: SSH2_MSG_SERVICE_ACCEPT received
>> debug1: Authentications that can continue: publickey,password
>> debug1: Next authentication method: publickey
>> debug1: Trying private key: /home/knoppix/.ssh/id_rsa
>> debug1: Trying private key: /home/knoppix/.ssh/id_dsa
>> debug1: Trying private key: /home/knoppix/.ssh/id_ecdsa
>> debug1: Next authentication method: password
>> <username>@<domainname>@<fully qualified domain name>'s password:
>> Connection closed by <ip address>
>>
>> Does anyone have thoughts on this?
>>
>> Thanks.
>>
>>
>> The information in this e-mail is intended only for the person to whom it is
>> addressed. If you believe this e-mail was sent to you in error and the e-mail
>> contains patient information, please contact the Partners Compliance HelpLine at
>> http://www.partners.org/complianceline . If the e-mail was sent to you in error
>> but does not contain patient information, please contact the sender and properly
>> dispose of the e-mail.

As Sumit has said, this should be on the sssd mailing list.
From your log fragment, it looks like you have the winbind and ldap PAM
packages installed; you do not need them.

Rowland


--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Data Control Systems - Mike Elkevizth
2016-06-10 14:45:03 UTC
Hi,

I have a feeling that Rowland is correct that all the different
authentication methods are interfering with one another. I can say all I
have is winbind and it works fine for me. My relevant pam-auth-update
modules are:

[*] Unix authentication
[*] Winbind NT/Active Directory authentication
[*] Register user sessions in the systemd control group hierarchy
[*] Create home directory on login

My relevant excerpt from /etc/nsswitch.conf is:

passwd: compat winbind
group: compat winbind

If your smb.conf file includes "template shell = /bin/bash" as you
indicated earlier, but your getent passwd is returning /bin/PHSshell
instead, I think the information is being returned by a service other than
winbind. Depending on how pam is configured, generally the order listed
when you run pam-auth-update will be the order in which the services are
tried. So the first one listed there is probably the one returning the
info to getent passwd. I also know that my ssh (Ubuntu 16.04 client and
server) doesn't like the username in the format <username>@<domainname>, and
this isn't the format in which winbind would return the information, at least
not by default. For me, getent passwd <username>@<domainname> would return
the user as <domainname>\<username>. I would try running pam-auth-update,
disabling the LDAP and SSSD authentication methods, and seeing if getent
passwd returns different info.

Your first post looked to me like the authentication was succeeding, but
then the shell was wrong and so you were immediately logged out. Like you
mentioned in a previous post, the /bin/PHSshell is probably the issue,
because it probably doesn't exist. A link from /bin/PHSshell to /bin/bash
would fix this, but more than likely it is a configuration issue that is
returning the wrong shell in the first place. Is PHS your netbios domain
name? If it is, it's probably the LDAP or SSSD configuration that is
returning the shell using a substitution that isn't set up correctly.

Good luck,

Mike E.

On Fri, Jun 10, 2016 at 10:14 AM Rowland penny <***@samba.org> wrote:

> On 10/06/16 13:46, Kaplan, Andrew H. wrote:
> > Hello --
> >
> > The winbind packages that are installed on the server are the following:
> >
> > Package Description
> > libnss-winbind 4.3.9+dfsg-0ubuntu0.14.04.3 amd64 Samba nameservice integration plugins
> > libpam-winbind 4.3.9+dfsg-0ubuntu0.14.04.3 amd64 Windows domain authentication integration plugin
> > libwbclient0 4.3.9+dfsg-0ubuntu0.14.04.3 amd64 Samba winbind client library
> > winbind 4.3.9+dfsg-0ubuntu0.14.04.3 amd64 service to resolve user and group information from Windows NT servers
> >
> > Similarly, the ldap PAM packages are as follows:
> >
> > Package Description
> > ldap-auth-client 0.5.3 all meta-package for LDAP authentication
> > ldap-auth-config 0.5.3 all Config package for LDAP authentication
> > ldap-utils 2.4.31-1+nmu2ubuntu8.2 amd64 OpenLDAP utilities
> > libldap-2.4-2 2.4.31-1+nmu2ubuntu8.2 amd64 OpenLDAP libraries
> > libldb1 1.1.24-0ubuntu0.14.04.1 amd64 LDAP-like embedded database - shared library
> > libnss-ldap 264-2.2ubuntu4.14.04.1 amd64 NSS module for using LDAP as a naming service
> > libpam-ldap 184-8.5ubuntu3 amd64 Pluggable Authentication Module for LDAP
> > sssd-ldap 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- LDAP back end
> >
> > Finally, the sssd packages are the following:
> >
> > Package Description
> > libsss-idmap0 1.11.5-1ubuntu3 amd64 ID mapping library for SSSD
> > sssd 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- metapackage
> > sssd-ad 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- Active Directory back end
> > sssd-ad-common 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- PAC responder
> > sssd-common 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- common files
> > sssd-ipa 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- IPA back end
> > sssd-krb5 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- Kerberos back end
> > sssd-krb5-common 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- Kerberos helpers
> > sssd-ldap 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- LDAP back end
> > sssd-proxy 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- proxy back end
> > sssd-tools 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- tools
> >
> > Will removing all packages for the first two groups solve this problem?
> >
> > From: samba [samba-***@lists.samba.org] on behalf of Rowland penny [
> ***@samba.org]
> > Sent: Friday, June 10, 2016 8:29 AM
> > To: ***@lists.samba.org
> > Subject: Re: [Samba] Problem with Active Directory authentication
> >
> > On 10/06/16 12:47, Kaplan, Andrew H. wrote:
> >> Hello --
> >>
> >> I started a thread on the list that you suggested in your e-mail, and thank-you for the reference.
> >>
> >> Also, I checked the auth.log file on the server, and the following entries were present:
> >>
> >> I checked the auth.log file, and the following entries were present:
> >>
> >> Jun 10 07:10:50 <samba server> sshd[7419]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<fqdn> user=<username>@<domainname>
> >> Jun 10 07:10:51 <samba server> sshd[7419]: pam_winbind(sshd:auth): getting password (0x00000388)
> >> Jun 10 07:10:51 <samba server> sshd[7419]: pam_winbind(sshd:auth): pam_get_item returned a password
> >> Jun 10 07:10:51 <samba server> sshd[7419]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<fqdn> user=<username>@<domainname>
> >> Jun 10 07:10:51 <samba server> sshd[7419]: pam_sss(sshd:auth): received for user <username>@<domainname> 17 (Failure setting user credentials)
> >> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: could not open secret file /etc/ldap.secret (No such file or directory)
> >> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: ldap_simple_bind Can't contact LDAP server
> >> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: reconnecting to LDAP server...
> >> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: ldap_simple_bind Can't contact LDAP server
> >> Jun 10 07:10:53 <samba server> sshd[7419]: Failed password for invalid user <username>@<domainname> from <ip address> port 49847 ssh2
> >>
> >>
> >> ________________________________________
> >> From: Sumit Bose [***@redhat.com]
> >> Sent: Friday, June 10, 2016 4:44 AM
> >> To: Kaplan, Andrew H.
> >> Cc: samba-***@lists.samba.org; ***@lists.samba.org
> >> Subject: Re: Problem with Active Directory authentication
> >>
> >> On Wed, Jun 08, 2016 at 07:46:00PM +0000, Kaplan, Andrew H. wrote:
> >>> Hello --
> >>>
> >>> We are running the 14.04.3 LTS 64-bit release as a virtual machine on a Vmware appliance. The goal of the installation is to create a Samba server that utilizes Active Directory authentication. To that end I utilized the following procedure:
> >>>
> >>> http://www.kiloroot.com/add-ubuntu-14-04-server-or-desktop-to-microsoft-active-directory-domain-login-to-unity-with-domain-credentials/
> >>>
> >>> Afterwards, I referenced the following documentation to confirm that all configuration files had the appropriate entries:
> >>>
> >>> https://help.ubuntu.com/lts/serverguide/sssd-ad.html
> >> The sssd-users list
> >> https://lists.fedorahosted.org/archives/list/sssd-***@lists.fedorahosted.org/
> >> might be more appropriate for your question.
> >>
> >> As a general comment, the PAM configuration is important here. Please
> >> check in the system logs which PAM module was consulted during the login
> >> attempt and which one caused the rejection.
> >>
> >> HTH
> >>
> >> bye,
> >> Sumit
> >>
> >>> The problem is the following: I am unable to log into the server from the console or via SSH using my Active Directory user account. The syntax that I use when doing an SSH connection is the following:
> >>>
> >>> ssh -v -l <username>@<domainname> <fully qualified domain name>
> >>>
> >>> The output that was generated is the following:
> >>>
> >>> OpenSSH_6.0p1 Debian-4, OpenSSL 1.0.1e 11 Feb 2013
> >>> debug1: Reading configuration data /etc/ssh/ssh_config
> >>> debug1: /etc/ssh/ssh_config line 19: Applying options for *
> >>> debug1: Connecting to <fully qualified domain name> [<ip address>] port 22.
> >>> debug1: Connection established.
> >>> debug1: identity file /home/knoppix/.ssh/id_rsa type -1
> >>> debug1: identity file /home/knoppix/.ssh/id_rsa-cert type -1
> >>> debug1: identity file /home/knoppix/.ssh/id_dsa type -1
> >>> debug1: identity file /home/knoppix/.ssh/id_dsa-cert type -1
> >>> debug1: identity file /home/knoppix/.ssh/id_ecdsa type -1
> >>> debug1: identity file /home/knoppix/.ssh/id_ecdsa-cert type -1
> >>> debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.7
> >>> debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.7 pat OpenSSH*
> >>> debug1: Enabling compatibility mode for protocol 2.0
> >>> debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4
> >>> debug1: SSH2_MSG_KEXINIT sent
> >>> debug1: SSH2_MSG_KEXINIT received
> >>> debug1: kex: server->client aes128-ctr hmac-md5 none
> >>> debug1: kex: client->server aes128-ctr hmac-md5 none
> >>> debug1: sending SSH2_MSG_KEX_ECDH_INIT
> >>> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
> >>> debug1: Server host key: ECDSA ec:09:c1:bc:d0:11:f3:8c:45:3f:dd:3a:96:ba:2a:17
> >>> debug1: Host '<fully qualified domain name>' is known and matches the ECDSA host key.
> >>> debug1: Found key in /home/knoppix/.ssh/known_hosts:29
> >>> debug1: ssh_ecdsa_verify: signature correct
> >>> debug1: SSH2_MSG_NEWKEYS sent
> >>> debug1: expecting SSH2_MSG_NEWKEYS
> >>> debug1: SSH2_MSG_NEWKEYS received
> >>> debug1: Roaming not allowed by server
> >>> debug1: SSH2_MSG_SERVICE_REQUEST sent
> >>> debug1: SSH2_MSG_SERVICE_ACCEPT received
> >>> debug1: Authentications that can continue: publickey,password
> >>> debug1: Next authentication method: publickey
> >>> debug1: Trying private key: /home/knoppix/.ssh/id_rsa
> >>> debug1: Trying private key: /home/knoppix/.ssh/id_dsa
> >>> debug1: Trying private key: /home/knoppix/.ssh/id_ecdsa
> >>> debug1: Next authentication method: password
> >>> <username>@<domainname>@<fully qualified domain name>'s password:
> >>> Connection closed by <ip address>
> >>>
> >>> Does anyone have thoughts on this?
> >>>
> >>> Thanks.
> >>>
> >>>
> > As Sumit has said, this should be on the sssd mailing list.
> > From your log fragment, it looks like you have the winbind and ldap PAM
> > packages installed; you do not need them.
> >
> > Rowland
> >
> >
>
> I am not entirely sure; what I can say is that you are using three
> different methods of authentication, winbindd, ldap and sssd. Surely you
> don't need all three?
>
> If you decide to use sssd, then ask on their mailing list what sssd
> packages you need and what you should remove.
> If you decide to use LDAP, then this probably entails using nslcd, find
> their mailing list and ask them.
> If you decide to use winbindd (the Samba recommended way), then this is
> the place to ask and I would suggest you have a look here:
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>
> Rowland
>
Kaplan, Andrew H.
2016-06-10 16:49:57 UTC
Hello --

I removed the ldap and sssd packages from the server, and I am trying to get winbind to work on the system.

The configuration of the /etc/samba/smb.conf file's global section is the following:

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
security = ads
realm = <domain name>
workgroup = <domain>
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth =yes
encrypt passwords = yes
winbind use default domain = yes
restrict anonymous = 2

While that of the /etc/nsswitch.conf file reads as follows:

passwd: compat winbind
group: compat winbind
shadow: compat

hosts: files dns
...

The /etc/krb5.conf file has the domain name in capital letters for the default_realm entry.

I was able to join the server to the domain.

When I ran the getent <username>@<DOMAINNAME> command, the output was the following:

<DOMAINNAME>\<username>:*:10000:10005:<lastname>, <firstname>.:/home/<DOMAIN>/<username>:/bin/false

I attempted to log into the system via ssh using the following command syntax:

ssh -l <username>@<DOMAINNAME> <server fqdn>

The connection was made, but it was immediately closed. I am guessing the /bin/false shell could be what is causing the problem.

The auth.log file also had the following entries:

Jun 10 12:44:00 <samba server> sshd[13560]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=microknoppix.mgh.harvard.edu user=***@PARTNERS.ORG
Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:auth): getting password (0x00000388)
Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:auth): pam_get_item returned a password
Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:auth): user '<DOMAINNAME>\<username>' granted access
Jun 10 12:44:00 <samba server> sshd[13560]: Accepted password for <username>@<DOMAINNAME> from <ip address> port 54879 ssh2
Jun 10 12:44:00 <samba server> sshd[13560]: pam_unix(sshd:session): session opened for user <DOMAINNAME>\<username> by (uid=0)
Jun 10 12:44:00 <samba server> sshd[13560]: pam_systemd(sshd:session): Failed to create session: No such file or directory
Jun 10 12:44:00 <samba server> sshd[13560]: pam_mkhomedir(sshd:session): unknown option: umask
Jun 10 12:44:00 <samba server> sshd[13560]: pam_mkhomedir(sshd:session): unknown option: 0022
Jun 10 12:44:00 <samba server> sshd[13608]: Received disconnect from <ip address>: disconnected by user
Jun 10 12:44:00 <samba server> sshd[13560]: pam_unix(sshd:session): session closed for user <DOMAINNAME>\<username>
Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:setcred): user '<DOMAINNAME>\<username>' OK

The pam-auth-update command indicated the following were enabled:

Unix authentication
Winbind NT/Active Directory authentication
Register user sessions in the systemd control group hierarchy
Inheritable Capabilities Management







________________________________
From: Data Control Systems - Mike Elkevizth [***@datacontrolsystems.com]
Sent: Friday, June 10, 2016 10:45 AM
To: Kaplan, Andrew H.; ***@lists.samba.org
Cc: Rowland penny
Subject: Re: [Samba] Problem with Active Directory authentication

Hi,

I have a feeling that Rowland is correct that all the different authentication methods are interfering with one another. I can say all I have is winbind and it works fine for me. My relevant pam-auth-update modules are:

[*] Unix authentication
[*] Winbind NT/Active Directory authentication
[*] Register user sessions in the systemd control group hierarchy
[*] Create home directory on login

My relevant excerpt from /etc/nsswitch.conf is:

passwd: compat winbind
group: compat winbind

If your smb.conf file includes "template shell = /bin/bash" as you indicated earlier, but your getent passwd is returning /bin/PHSshell instead, I think the information is being returned by a service other than winbind. Depending on how pam is configured, generally the order listed when you run pam-auth-update will be the order in which the services are tried. So the first one listed there is probably the one returning the info to getent passwd. I also know that my ssh (Ubuntu 16.04 client and server) doesn't like the username in the format <username>@<domainname>, and this isn't the format in which winbind would return the information, at least not by default. For me, getent passwd <username>@<domainname> would return the user as <domainname>\<username>. I would try running pam-auth-update, disabling the LDAP and SSSD authentication methods, and seeing if getent passwd returns different info.

Your first post looked to me like the authentication was succeeding, but then the shell was wrong and so you were immediately logged out. Like you mentioned in a previous post, the /bin/PHSshell is probably the issue, because it probably doesn't exist. A link from /bin/PHSshell to /bin/bash would fix this, but more than likely it is a configuration issue that is returning the wrong shell in the first place. Is PHS your netbios domain name? If it is, it's probably the LDAP or SSSD configuration that is returning the shell using a substitution that isn't set up correctly.

Good luck,

Mike E.

On Fri, Jun 10, 2016 at 10:14 AM Rowland penny <***@samba.org<mailto:***@samba.org>> wrote:
On 10/06/16 13:46, Kaplan, Andrew H. wrote:
> Hello --
>
> The winbind packages that are installed on the server are the following:
>
> Package Description
> libnss-winbind 4.3.9+dfsg-0ubuntu0.14.04.3 amd64 Samba nameservice integration plugins
> libpam-winbind 4.3.9+dfsg-0ubuntu0.14.04.3 amd64 Windows domain authentication integration plugin
> libwbclient0 4.3.9+dfsg-0ubuntu0.14.04.3 amd64 Samba winbind client library
> winbind 4.3.9+dfsg-0ubuntu0.14.04.3 amd64 service to resolve user and group information from Windows NT servers
>
> Similarly, the ldap PAM packages are as follows:
>
> Package Description
> ldap-auth-client 0.5.3 all meta-package for LDAP authentication
> ldap-auth-config 0.5.3 all Config package for LDAP authentication
> ldap-utils 2.4.31-1+nmu2ubuntu8.2 amd64 OpenLDAP utilities
> libldap-2.4-2 2.4.31-1+nmu2ubuntu8.2 amd64 OpenLDAP libraries
> libldb1 1.1.24-0ubuntu0.14.04.1 amd64 LDAP-like embedded database - shared library
> libnss-ldap 264-2.2ubuntu4.14.04.1 amd64 NSS module for using LDAP as a naming service
> libpam-ldap 184-8.5ubuntu3 amd64 Pluggable Authentication Module for LDAP
> sssd-ldap 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- LDAP back end
>
> Finally, the sssd packages are the following:
>
> Package Description
> libsss-idmap0 1.11.5-1ubuntu3 amd64 ID mapping library for SSSD
> sssd 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- metapackage
> sssd-ad 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- Active Directory back end
> sssd-ad-common 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- PAC responder
> sssd-common 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- common files
> sssd-ipa 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- IPA back end
> sssd-krb5 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- Kerberos back end
> sssd-krb5-common 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- Kerberos helpers
> sssd-ldap 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- LDAP back end
> sssd-proxy 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- proxy back end
> sssd-tools 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- tools
>
> Will removing all packages for the first two groups solve this problem?
>
> From: samba [samba-***@lists.samba.org<mailto:samba-***@lists.samba.org>] on behalf of Rowland penny [***@samba.org<mailto:***@samba.org>]
> Sent: Friday, June 10, 2016 8:29 AM
> To: ***@lists.samba.org<mailto:***@lists.samba.org>
> Subject: Re: [Samba] Problem with Active Directory authentication
>
> On 10/06/16 12:47, Kaplan, Andrew H. wrote:
>> Hello --
>>
>> I started a thread on the list that you suggested in your e-mail, and thank-you for the reference.
>>
>> Also, I checked the auth.log file on the server, and the following entries were present:
>>
>> I checked the auth.log file, and the following entries were present:
>>
>> Jun 10 07:10:50 <samba server> sshd[7419]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<fqdn> user=<username>@<domainname>
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_winbind(sshd:auth): getting password (0x00000388)
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_winbind(sshd:auth): pam_get_item returned a password
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<fqdn> user=<username>@<domainname>
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_sss(sshd:auth): received for user <username>@<domainname> 17 (Failure setting user credentials)
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: could not open secret file /etc/ldap.secret (No such file or directory)
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: ldap_simple_bind Can't contact LDAP server
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: reconnecting to LDAP server...
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: ldap_simple_bind Can't contact LDAP server
>> Jun 10 07:10:53 <samba server> sshd[7419]: Failed password for invalid user <username>@<domainname> from <ip address> port 49847 ssh2
>>
>>
>> ________________________________________
>> From: Sumit Bose [***@redhat.com<mailto:***@redhat.com>]
>> Sent: Friday, June 10, 2016 4:44 AM
>> To: Kaplan, Andrew H.
>> Cc: samba-***@lists.samba.org<mailto:samba-***@lists.samba.org>; ***@lists.samba.org<mailto:***@lists.samba.org>
>> Subject: Re: Problem with Active Directory authentication
>>
>> On Wed, Jun 08, 2016 at 07:46:00PM +0000, Kaplan, Andrew H. wrote:
>>> Hello --
>>>
>>> We are running the 14.04.3 LTS 64-bit release as a virtual machine on a Vmware appliance. The goal of the installation is to create a Samba server that utilizes Active Directory authentication. To that end I utilized the following procedure:
>>>
>>> http://www.kiloroot.com/add-ubuntu-14-04-server-or-desktop-to-microsoft-active-directory-domain-login-to-unity-with-domain-credentials/
>>>
>>> Afterwards, I referenced the following documentation to confirm that all configuration files had the appropriate entries:
>>>
>>> https://help.ubuntu.com/lts/serverguide/sssd-ad.html
>> The sssd-users list
>> https://lists.fedorahosted.org/archives/list/sssd-***@lists.fedorahosted.org/
>> might be more appropriate for your question.
>>
>> As a general comment, the PAM configuration is important here. Please
>> check in the system logs which PAM module was consulted during the login
>> attempt and which one caused the rejection.
>>
>> HTH
>>
>> bye,
>> Sumit
>>
>>> The problem is the following: I am unable to log into the server from the console or via SSH using my Active Directory user account. The syntax that I use when doing an SSH connection is the following:
>>>
>>> ssh -v -l <username>@<domainname> <fully qualified domain name>
>>>
>>> The output that was generated is the following:
>>>
>>> OpenSSH_6.0p1 Debian-4, OpenSSL 1.0.1e 11 Feb 2013
>>> debug1: Reading configuration data /etc/ssh/ssh_config
>>> debug1: /etc/ssh/ssh_config line 19: Applying options for *
>>> debug1: Connecting to <fully qualified domain name> [<ip address>] port 22.
>>> debug1: Connection established.
>>> debug1: identity file /home/knoppix/.ssh/id_rsa type -1
>>> debug1: identity file /home/knoppix/.ssh/id_rsa-cert type -1
>>> debug1: identity file /home/knoppix/.ssh/id_dsa type -1
>>> debug1: identity file /home/knoppix/.ssh/id_dsa-cert type -1
>>> debug1: identity file /home/knoppix/.ssh/id_ecdsa type -1
>>> debug1: identity file /home/knoppix/.ssh/id_ecdsa-cert type -1
>>> debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.7
>>> debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.7 pat OpenSSH*
>>> debug1: Enabling compatibility mode for protocol 2.0
>>> debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4
>>> debug1: SSH2_MSG_KEXINIT sent
>>> debug1: SSH2_MSG_KEXINIT received
>>> debug1: kex: server->client aes128-ctr hmac-md5 none
>>> debug1: kex: client->server aes128-ctr hmac-md5 none
>>> debug1: sending SSH2_MSG_KEX_ECDH_INIT
>>> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
>>> debug1: Server host key: ECDSA ec:09:c1:bc:d0:11:f3:8c:45:3f:dd:3a:96:ba:2a:17
>>> debug1: Host '<fully qualified domain name>' is known and matches the ECDSA host key.
>>> debug1: Found key in /home/knoppix/.ssh/known_hosts:29
>>> debug1: ssh_ecdsa_verify: signature correct
>>> debug1: SSH2_MSG_NEWKEYS sent
>>> debug1: expecting SSH2_MSG_NEWKEYS
>>> debug1: SSH2_MSG_NEWKEYS received
>>> debug1: Roaming not allowed by server
>>> debug1: SSH2_MSG_SERVICE_REQUEST sent
>>> debug1: SSH2_MSG_SERVICE_ACCEPT received
>>> debug1: Authentications that can continue: publickey,password
>>> debug1: Next authentication method: publickey
>>> debug1: Trying private key: /home/knoppix/.ssh/id_rsa
>>> debug1: Trying private key: /home/knoppix/.ssh/id_dsa
>>> debug1: Trying private key: /home/knoppix/.ssh/id_ecdsa
>>> debug1: Next authentication method: password
>>> <username>@<domainname>@<fully qualified domain name>'s password:
>>> Connection closed by <ip address>
>>>
>>> Does anyone have thoughts on this?
>>>
>>> Thanks.
>>>
>>>
> As Sumit has said, this should be on the sssd mailing list.
> From your log fragment, it looks like you have the winbind and ldap PAM
> packages installed; you do not need them.
>
> Rowland
>
>

I am not entirely sure; what I can say is that you are using three
different methods of authentication, winbindd, ldap and sssd. Surely you
don't need all three?

If you decide to use sssd, then ask on their mailing list what sssd
packages you need and what you should remove.
If you decide to use LDAP, then this probably entails using nslcd, find
their mailing list and ask them.
If you decide to use winbindd (the Samba recommended way), then this is
the place to ask and I would suggest you have a look here:
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

Rowland

Data Control Systems - Mike Elkevizth
2016-06-10 17:40:28 UTC
Hi,

What version of Samba are you running (samba --version)? Some of the
smb.conf parameters have changed in more recent versions. I'm running the
standard version supplied with Ubuntu which is currently 4.3.9. My
configuration on member servers is as follows:

[global]
# Base options
workgroup = <NETBIOS DOMAIN>
realm = <AD DOMAIN>
netbios name = <THIS MACHINE'S NETBIOS NAME>
security = ADS

# Default idmap config used for BUILTIN and local accounts/groups
idmap config *:backend = tdb
idmap config *:range = 3000000-3999999

# idmap config for domain <NETBIOS DOMAIN>
idmap config <NETBIOS DOMAIN>:backend = ad
idmap config <NETBIOS DOMAIN>:schema_mode = rfc2307
idmap config <NETBIOS DOMAIN>:range = 10000-20000

# Use settings from AD for login shell and home directory
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind offline logon = yes

# Log options
log level = 1

I think it looks like your real issue now is the /bin/false shell, which
is the default if it isn't specifically set. The newer way to set the
shell is using rfc2307 attributes. See
https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD and
https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_via_ADUC.
With a configuration similar to mine, and the correct shell set up in the
rfc2307 attributes for the user, I think you'll be all set.

Mike E.

On Fri, Jun 10, 2016 at 12:50 PM Kaplan, Andrew H. <***@partners.org>
wrote:

> Hello --
>
> I removed the ldap and sssd packages from the server, and I am trying to
> get winbind to work on the system.
>
> The configuration of the /etc/samba/smb.conf file's global section is the
> following:
>
> [global]
>
> ## Browsing/Identification ###
>
> # Change this to the workgroup/NT-domain name your Samba server will part of
> security = ads
> realm = <domain name>
> workgroup = <domain>
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> winbind enum users = yes
> winbind enum groups = yes
> template homedir = /home/%D/%U
> template shell = /bin/bash
> client use spnego = yes
> client ntlmv2 auth =yes
> encrypt passwords = yes
> winbind use default domain = yes
> restrict anonymous = 2
>
> While that of the /etc/nsswitch.conf file reads as follows:
>
>
> passwd: compat winbind
> group: compat winbind
> shadow: compat
>
> hosts: files dns
> ...
>
> The /etc/krb5.conf file has the domain name in capital letters for the
> default_realm entry.
>
> I was able to join the server with the domain.
>
> When I ran the getent <username>@<DOMAINNAME> command, the output was the
> following:
>
> <DOMAINNAME>\<username>:*:10000:10005:<lastname>, <firstname>.:/home/<DOMAIN>/<username>:/bin/false
>
> I attempted to log into the system via ssh using the following command
> syntax:
>
> ssh -l <username>@<DOMAINNAME> <server fqdn>
>
> The connection was made, but it was immediately closed. I am guessing the
> /bin/false shell could be what is causing the problem.
>
> The auth.log file also had the following entries:
>
> Jun 10 12:44:00 <samba server> sshd[13560]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=microknoppix.mgh.harvard.edu user=***@PARTNERS.ORG
> Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:auth): getting password (0x00000388)
> Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:auth): pam_get_item returned a password
> Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:auth): user '<DOMAINNAME>\<username>' granted access
> Jun 10 12:44:00 <samba server> sshd[13560]: Accepted password for <username>@<DOMAINNAME> from <ip address> port 54879 ssh2
> Jun 10 12:44:00 <samba server> sshd[13560]: pam_unix(sshd:session): session opened for user <DOMAINNAME>\<username> by (uid=0)
> Jun 10 12:44:00 <samba server> sshd[13560]: pam_systemd(sshd:session): Failed to create session: No such file or directory
> Jun 10 12:44:00 <samba server> sshd[13560]: pam_mkhomedir(sshd:session): unknown option: umask
> Jun 10 12:44:00 <samba server> sshd[13560]: pam_mkhomedir(sshd:session): unknown option: 0022
> Jun 10 12:44:00 <samba server> sshd[13608]: Received disconnect from <ip address>: disconnected by user
> Jun 10 12:44:00 <samba server> sshd[13560]: pam_unix(sshd:session): session closed for user <DOMAINNAME>\<username>
> Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:setcred): user '<DOMAINNAME>\<username>' OK
>
> The pam-auth-update command indicated the following were enabled:
>
> Unix authentication
> Winbind NT/Active Directory authentication
>
> Register user sessions in the systemd control group hierarchy
> Inheritable Capabilities Management
>
> ------------------------------
> *From:* Data Control Systems - Mike Elkevizth [***@datacontrolsystems.com]
> *Sent:* Friday, June 10, 2016 10:45 AM
> *To:* Kaplan, Andrew H.; ***@lists.samba.org
> *Cc:* Rowland penny
>
> *Subject:* Re: [Samba] Problem with Active Directory authentication
> Hi,
>
> I have a feeling that Rowland is correct that all the different
> authentication methods are interfering with one another. I can say all I
> have is winbind and it works fine for me. My relevant pam-auth-update
> modules are:
>
> [*] Unix authentication
> [*] Winbind NT/Active Directory authentication
> [*] Register user sessions in the systemd control group hierarchy
> [*] Create home directory on login
>
> My relevant excerpt from /etc/nsswitch.conf is:
>
> passwd: compat winbind
> group: compat winbind
>
> If your smb.conf file includes the "template shell = /bin/bash" as you
> indicated earlier, but your getent password is returning /bin/PHSshell
> instead, I think the information is being returned by a service other than
> winbind. Depending on how pam is configured, generally the order listed
> when you run pam-auth-update will be the order in which the services are
> tried. So the first one listed there is probably the one returning the
> info to getent passwd. I also know that my ssh (Ubuntu 16.04 client and
> server) doesn't like the username in the format <username>@<domainname> and
> this isn't the format that winbind would return the information, at least
> not by default. For me getent passwd <username>@<domainname> would return
> the user as <domainname>\<username>. I would try running pam-auth-update
> and disabling the LDAP and SSSD authentication methods and see if getent
> passwd returns different info.
>
> Your first post looked to me like the authentication was succeeding, but
> then the shell was wrong and so you were immediately logged out. Like you
> mentioned in a previous post, the /bin/PHSshell is probably one of the issues
> because it probably doesn't exist. A link from /bin/PHSshell to /bin/bash
> would fix this, but more than likely, it is a configuration issue that is
> returning the wrong shell in the first place. Is PHS your netbios domain
> name? If it is, it's probably the LDAP or SSSD configuration that is
> returning the shell using a substitution that isn't set up correctly.
>
> Good luck,
>
> Mike E.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
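The shell check this thread circles around, as an added example that is not code from any of the posters: given a getent passwd line of the shape Andrew quoted, an smb.conf text and an nsswitch.conf text, the script reports which shell NSS returned and why it ends the session, which NSS sources answer passwd lookups and in what order, and whether winbind takes the shell from "template shell" or from the AD loginShell attribute (per smb.conf(5)). The sample inputs are constructed; EXAMPLE and jdoe are placeholders, and the verdict names are my own.

```shell
#!/bin/sh
# Added diagnostic for the "password accepted, connection immediately closed"
# symptom in this thread. It is not any poster's code: it checks the login
# shell that NSS hands back for the domain user, which NSS sources answer
# passwd lookups, and which smb.conf parameter decides where winbind gets the
# shell from. All inputs below are constructed; EXAMPLE/jdoe are placeholders.

SAMPLE_GETENT='EXAMPLE\jdoe:*:10000:10005:Doe, John.:/home/EXAMPLE/jdoe:/bin/false'
SAMPLE_SMB_CONF='[global]
   security = ADS
   workgroup = EXAMPLE
   # Use settings from AD for login shell and home directory
   winbind nss info = rfc2307
   template shell = /bin/bash'
SAMPLE_NSSWITCH='passwd:         compat winbind
group:          compat winbind
shadow:         compat
hosts:          files dns'

# Login shell is field 7 of a passwd(5) entry. The DOMAIN\user form that
# winbind returns contains a backslash, so the line goes through printf, not echo.
passwd_shell() {
    printf '%s\n' "$1" | cut -d: -f7
}

# Value of smb.conf parameter $1 in config text $2; empty if unset. Names are
# matched case-insensitively with surrounding whitespace trimmed, as Samba's
# parser does; comment lines (# or ;) are skipped.
smb_param() {
    printf '%s\n' "$2" | awk -F= -v key="$1" '
        /^[ \t]*[#;]/ { next }
        NF >= 2 {
            k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }'
}

# Where winbind takes the shell from. Per smb.conf(5), "winbind nss info"
# defaults to template, which fills the shell from "template shell" (default
# /bin/false); rfc2307 reads the user's AD loginShell attribute instead, so a
# "template shell" line is then not what ends up in getent output.
shell_source() {
    nss_info=$(smb_param 'winbind nss info' "$1" | tr 'A-Z' 'a-z')
    template=$(smb_param 'template shell' "$1")
    case "$nss_info" in
        ''|template) echo "template shell = ${template:-/bin/false}" ;;
        rfc2307)     echo "AD loginShell attribute (template shell ignored)" ;;
        *)           echo "winbind nss info = $nss_info" ;;
    esac
}

# NSS sources for passwd lookups, in the order getent passwd consults them;
# only directory-type sources are reported. More than one of winbind, sss and
# ldap here is the "three methods of authentication" overlap from the thread:
# whichever answers first supplies the shell, and it need not be winbind.
directory_sources() {
    printf '%s\n' "$1" \
      | awk '$1 == "passwd:" { for (i = 2; i <= NF; i++) print $i }' \
      | grep -Ex 'winbind|sss|ldap' | tr '\n' ' ' | sed 's/ $//'
}

# Classify the shell NSS returned. Verdicts:
#   nologin-shell  a non-login shell such as /bin/false (session ends at once)
#   missing-shell  path is absent or not executable on this host
#   not-in-shells  exists but is not listed in the shells file ($2)
#   ok             a real login shell
diagnose_shell() {
    shell=$1; shells_file=${2:-/etc/shells}
    case "$shell" in
        /bin/false|/usr/sbin/nologin|/sbin/nologin) echo nologin-shell; return 0 ;;
    esac
    if [ ! -x "$shell" ]; then echo missing-shell; return 0; fi
    if grep -qxF -- "$shell" "$shells_file" 2>/dev/null; then echo ok; else echo not-in-shells; fi
}

# One report for a getent line, an smb.conf text and an nsswitch.conf text.
report() {
    shell=$(passwd_shell "$1")
    echo "shell returned by NSS : $shell"
    echo "verdict               : $(diagnose_shell "$shell")"
    echo "winbind takes it from : $(shell_source "$2")"
    echo "passwd sources        : $(directory_sources "$3")"
}

report "$SAMPLE_GETENT" "$SAMPLE_SMB_CONF" "$SAMPLE_NSSWITCH"
```

On a real member server, feed it the output of `getent passwd 'DOMAIN\user'`, `testparm -s` and /etc/nsswitch.conf instead of the constructed samples.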
Kaplan, Andrew H.
2016-06-10 18:11:50 UTC
Hello --

The version of Samba that I am running on the server is the 4.3.9 Ubuntu package.

To that end, I reconfigured the smb.conf file to reflect the entries listed in your e-mail.

I added the syntax: default shell = /bin/bash to the smb.conf file, and restarted the samba and winbind daemons.
Unfortunately, the getent passwd command indicated the /bin/false shell was still the default.

What else do I need to do in order to correct this?


________________________________
From: Data Control Systems - Mike Elkevizth [***@datacontrolsystems.com]
Sent: Friday, June 10, 2016 1:40 PM
To: Kaplan, Andrew H.; ***@lists.samba.org
Cc: Rowland penny
Subject: Re: [Samba] Problem with Active Directory authentication

Hi,

What version of Samba are you running (samba --version)? Some of the smb.conf parameters have changed in more recent versions. I'm running the standard version supplied with Ubuntu which is currently 4.3.9. My configuration on member servers is as follows:

[global]
# Base options
workgroup = <NETBIOS DOMAIN>
realm = <AD DOMAIN>
netbios name = <THIS MACHINE'S NETBIOS NAME>
security = ADS

# Default idmap config used for BUILTIN and local accounts/groups
idmap config *:backend = tdb
idmap config *:range = 3000000-3999999

idmap config for domain <NETBIOS DOMAIN>
idmap config <NETBIOS DOMAIN>:backend = ad
idmap config <NETBIOS DOMAIN>:schema_mode = rfc2307
idmap config <NETBIOS DOMAIN>:range = 10000-20000

# Use settings from AD for login shell and home directory
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind offline logon = yes

# Log options
log level = 1

I think it looks like you're real issue now is the /bin/false shell, which is the default if it isn't specifically set. The newer way to set the shell is using rfc2307 attributes. See https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD and https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_via_ADUC. With a configuration similar to mine, and the correct shell set up in the rfc2307 attributes for the user, I think you'll be all set.

Mike E.

On Fri, Jun 10, 2016 at 12:50 PM Kaplan, Andrew H. <***@partners.org<mailto:***@partners.org>> wrote:
Hello --

I removed the ldap and sssd packages from the server, and I am trying to get winbind to work on the system.

The configuration of the /etc/samba/smb.conf file's global section is the following:

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
security = ads
realm = <domain name>
workgroup = <domain>
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth =yes
encrypt passwords = yes
winbind use default domain = yes
restrict anonymous = 2

While that of the /etc/nsswitch.conf file reads as follows:


passwd: compat winbind
group: compat winbind
shadow: compat

hosts: files dns
...

The /etc/krb5.conf file has the domain name in capital letters for the default_realm entry in capital letters.

I was able to join the server with the domain.

When I ran the getent <username>@<DOMAINNAME> command, the output was the following:

<DOMAINNAME>\<username>:*:10000:10005:<lastname>, <firstname>.:/home/<DOMAIN>/<username>:/bin/false

I attempted to log into the system via ssh using the following command syntax:

ssh -l <username>@<DOMAINNAME> <server fqdn>

The connection was made, but it was immediately closed. I am guessing the /bin/false shell could be what is causing the problem.

The auth.log file also had the following entries:

Jun 10 12:44:00 <samba server> sshd[13560]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=microknoppix.mgh.harvard.edu<http://microknoppix.mgh.harvard.edu> user=***@PARTNERS.ORG<mailto:***@PARTNERS.ORG>
Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:auth): getting password (0x00000388)
Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:auth): pam_get_item returned a password
Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:auth): user '<DOMAINNAME>\<username>' granted access
Jun 10 12:44:00 <samba server> sshd[13560]: Accepted password for <username>@<DOMAINNAME> from <ip address> port 54879 ssh2
Jun 10 12:44:00 <samba server> sshd[13560]: pam_unix(sshd:session): session opened for user <DOMAINNAME>\<username> by (uid=0)
Jun 10 12:44:00 <samba server> sshd[13560]: pam_systemd(sshd:session): Failed to create session: No such file or directory
Jun 10 12:44:00 <samba server> sshd[13560]: pam_mkhomedir(sshd:session): unknown option: umask
Jun 10 12:44:00 <samba server> sshd[13560]: pam_mkhomedir(sshd:session): unknown option: 0022
Jun 10 12:44:00 <samba server> sshd[13608]: Received disconnect from <ip address>: disconnected by user
Jun 10 12:44:00 <samba server> sshd[13560]: pam_unix(sshd:session): session closed for user <DOMAINNAME>\<username>
Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:setcred): user '<DOMAINNAME>\<username>' OK

The pam-auth-update command indicated the following were enabled:

Unix authentication
Winbind NT/Active Directory authentication

Register user sessions in the systemd control group hierarchy
Inheritable Capabilities Management







________________________________
From: Data Control Systems - Mike Elkevizth [***@datacontrolsystems.com<mailto:***@datacontrolsystems.com>]
Sent: Friday, June 10, 2016 10:45 AM
To: Kaplan, Andrew H.; ***@lists.samba.org<mailto:***@lists.samba.org>
Cc: Rowland penny

Subject: Re: [Samba] Problem with Active Directory authentication
Hi,

I have a feeling that Rowland is correct that all the different authentication methods are interfering with one another. I can say all I have is winbind and it works fine for me. My relevant pam-auth-update modules are:

[*] Unix authentication
[*] Winbind NT/Active Directory authentication
[*] Register user sessions in the systemd control group hierarchy
[*] Create home directory on login

My relevant excerpt from /etc/nsswitch.conf is:

passwd: compat winbind
group: compat winbind

If your smb.conf file includes the "template shell = /bin/bash" as you indicated earlier, but your getent password is returning /bin/PHSshell instead, I think the information is being returned by a service other than winbind. Depending on how pam is configured, generally the order listed when you run pam-auth-update will be the order in which the services are tried. So the first one listed there is probably the one returning the info to getent passwd. I also know that my ssh (Ubuntu 16.04 client and server) doesn't like the username in the format <username>@<domainname> and this isn't the format that winbind would return the information, at least not by default. For me getent passwd <username>@<domainname> would return the user as <domainname>\<username>. I would try running pam-auth-update and disabling the LDAP and SSSD authentication methods and see if getent passwd returns different info.

Your first post looked to me like the authentication was succeeding, but then the shell was wrong and so you were immediately logged out. Like you mentioned in a previous post, the /bin/PHSshell is probably one the issue because it probably doesn't exist. A link from /bin/PHSshell to /bin/bash would fix this, but more than likely, it is a configuration issue that is returning the wrong shell in the first place. Is PHS your netbios domain name? If it is, it's probably the LDAP or SSSD configuration that is retuning the shell using a substitution that isn't set up correctly.

Good luck,

Mike E.

On Fri, Jun 10, 2016 at 10:14 AM Rowland penny <***@samba.org<mailto:***@samba.org>> wrote:
On 10/06/16 13:46, Kaplan, Andrew H. wrote:
> Hello --
>
> The winbind packages that are installed on the server are the following:
>
> Package Description
> libnss-winbind 4.3.9+dfsg-0ubuntu0.14.04.3 amd64 Samba nameservice integration plugins
> libpam-winbind 4.3.9+dfsg-0ubuntu0.14.04.3 amd64 Windows domain authentication integration plugin
> libwbclient0 4.3.9+dfsg-0ubuntu0.14.04.3 amd64 Samba winbind client library
> winbind 4.3.9+dfsg-0ubuntu0.14.04.3 amd64 service to resolve user and group information from Windows NT servers
>
> Similarly, the ldap PAM packages are as follows:
>
> Package Description
> ldap-auth-client 0.5.3 all meta-package for LDAP authentication
> ldap-auth-config 0.5.3 all Config package for LDAP authentication
> ldap-utils 2.4.31-1+nmu2ubuntu8.2 amd64 OpenLDAP utilities
> libldap-2.4-2 2.4.31-1+nmu2ubuntu8.2 amd64 OpenLDAP libraries
> libldb1 1.1.24-0ubuntu0.14.04.1 amd64 LDAP-like embedded database - shared library
> libnss-ldap 264-2.2ubuntu4.14.04.1 amd64 NSS module for using LDAP as a naming service
> libpam-ldap 184-8.5ubuntu3 amd64 Pluggable Authentication Module for LDAP
> sssd-ldap 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- LDAP back end
>
> Finally, the sssd packages are the following:
>
> Package Description
> libsss-idmap0 1.11.5-1ubuntu3 amd64 ID mapping library for SSSD
> sssd 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- metapackage
> sssd-ad 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- Active Directory back end
> sssd-ad-common 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- PAC responder
> sssd-common 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- common files
> sssd-ipa 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- IPA back end
> sssd-krb5 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- Kerberos back end
> sssd-krb5-common 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- Kerberos helpers
> sssd-ldap 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- LDAP back end
> sssd-proxy 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- proxy back end
> sssd-tools 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- tools
>
> Will removing all packages for the first two groups solve this problem?
>
> From: samba [samba-***@lists.samba.org<mailto:samba-***@lists.samba.org>] on behalf of Rowland penny [***@samba.org<mailto:***@samba.org>]
> Sent: Friday, June 10, 2016 8:29 AM
> To: ***@lists.samba.org<mailto:***@lists.samba.org>
> Subject: Re: [Samba] Problem with Active Directory authentication
>
> On 10/06/16 12:47, Kaplan, Andrew H. wrote:
>> Hello --
>>
>> I started a thread on the list that you suggested in your e-mail, and thank-you for the reference.
>>
>> Also, I checked the auth.log file on the server, and the following entries were present:
>>
>> I checked the auth.log file, and the following entries were present:
>>
>> Jun 10 07:10:50 <samba server> sshd[7419]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<fqdn> user=<username>@<domainname>
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_winbind(sshd:auth): getting password (0x00000388)
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_winbind(sshd:auth): pam_get_item returned a password
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<fqdn> user=username>@<domainname>
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_sss(sshd:auth): received for user username>@<domainname> 17 (Failure setting user credentials)
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: could not open secret file /etc/ldap.secret (No such file or directory)
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: ldap_simple_bind Can't contact LDAP server
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: reconnecting to LDAP server...
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: ldap_simple_bind Can't contact LDAP server
>> Jun 10 07:10:53 <samba server> sshd[7419]: Failed password for invalid user username>@<domainname>from <ip address> port 49847 ssh2
>>
>>
>> ________________________________________
>> From: Sumit Bose [***@redhat.com<mailto:***@redhat.com>]
>> Sent: Friday, June 10, 2016 4:44 AM
>> To: Kaplan, Andrew H.
>> Cc: samba-***@lists.samba.org<mailto:samba-***@lists.samba.org>; ***@lists.samba.org<mailto:***@lists.samba.org>
>> Subject: Re: Problem with Active Directory authentication
>>
>> On Wed, Jun 08, 2016 at 07:46:00PM +0000, Kaplan, Andrew H. wrote:
>>> Hello --
>>>
>>> We are running the 14.04.3 LTS 64-bit release as a virtual machine on a Vmware appliance. The goal of the installation is to create a Samba server that utilizes Active Directory authentication. To that end I utilized the following procedure:
>>>
>>> http://www.kiloroot.com/add-ubuntu-1...n-credentials/<http://www.kiloroot.com/add-ubuntu-14-04-server-or-desktop-to-microsoft-active-directory-domain-login-to-unity-with-domain-credentials/>
>>>
>>> Afterwards, I referenced the following documentation to confirm that all configuration files had the appropriate entries:
>>>
>>> https://help.ubuntu.com/lts/serverguide/sssd-ad.html
>> The sssd-users list
>> https://lists.fedorahosted.org/archives/list/sssd-***@lists.fedorahosted.org/
>> might be more appropriate for your question.
>>
>> As a general comment, the PAM configuration is important here. Please
>> check the system logs which PAM module was consulted during the login
>> attempt and which cause the rejection.
>>
>> HTH
>>
>> bye,
>> Sumit
>>
>>> The problem is the following: I am unable to log into the server from the console or via SSH using my Active Directory user account. The syntax that I use when doing an SSH connection is the following:
>>>
>>> ssh -v -l <username>@<domainname> <fully qualified domain name>
>>>
>>> The output that was generated is the following:
>>>
>>> OpenSSH_6.0p1 Debian-4, OpenSSL 1.0.1e 11 Feb 2013
>>> debug1: Reading configuration data /etc/ssh/ssh_config
>>> debug1: /etc/ssh/ssh_config line 19: Applying options for *
>>> debug1: Connecting to <fully qualified domain name> [<ip address>] port 22.
>>> debug1: Connection established.
>>> debug1: identity file /home/knoppix/.ssh/id_rsa type -1
>>> debug1: identity file /home/knoppix/.ssh/id_rsa-cert type -1
>>> debug1: identity file /home/knoppix/.ssh/id_dsa type -1
>>> debug1: identity file /home/knoppix/.ssh/id_dsa-cert type -1
>>> debug1: identity file /home/knoppix/.ssh/id_ecdsa type -1
>>> debug1: identity file /home/knoppix/.ssh/id_ecdsa-cert type -1
>>> debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.7
>>> debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.7 pat OpenSSH*
>>> debug1: Enabling compatibility mode for protocol 2.0
>>> debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4
>>> debug1: SSH2_MSG_KEXINIT sent
>>> debug1: SSH2_MSG_KEXINIT received
>>> debug1: kex: server->client aes128-ctr hmac-md5 none
>>> debug1: kex: client->server aes128-ctr hmac-md5 none
>>> debug1: sending SSH2_MSG_KEX_ECDH_INIT
>>> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
>>> debug1: Server host key: ECDSA ec:09:c1:bc:d0:11:f3:8c:45:3f:dd:3a:96:ba:2a:17
>>> debug1: Host '<fully qualified domain name>' is known and matches the ECDSA host key.
>>> debug1: Found key in /home/knoppix/.ssh/known_hosts:29
>>> debug1: ssh_ecdsa_verify: signature correct
>>> debug1: SSH2_MSG_NEWKEYS sent
>>> debug1: expecting SSH2_MSG_NEWKEYS
>>> debug1: SSH2_MSG_NEWKEYS received
>>> debug1: Roaming not allowed by server
>>> debug1: SSH2_MSG_SERVICE_REQUEST sent
>>> debug1: SSH2_MSG_SERVICE_ACCEPT received
>>> debug1: Authentications that can continue: publickey,password
>>> debug1: Next authentication method: publickey
>>> debug1: Trying private key: /home/knoppix/.ssh/id_rsa
>>> debug1: Trying private key: /home/knoppix/.ssh/id_dsa
>>> debug1: Trying private key: /home/knoppix/.ssh/id_ecdsa
>>> debug1: Next authentication method: password
>>> <username>@<domainname>@<fully qualified domain name>'s password:
>>> Connection closed by <ip address>
>>>
>>> Does anyone have thoughts on this?
>>>
>>> Thanks.
>>>
>>>
>>> The information in this e-mail is intended only for the person to whom it is
>>> addressed. If you believe this e-mail was sent to you in error and the e-mail
>>> contains patient information, please contact the Partners Compliance HelpLine at
>>> http://www.partners.org/complianceline . If the e-mail was sent to you in error
>>> but does not contain patient information, please contact the sender and properly
>>> dispose of the e-mail.
> As Sumit has said, this should be on the sssd mailing list.
> From your log fragment, it looks like you have the winbind and ldap PAM
> packages installed, you do not need them.
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

I am not entirely sure; what I can say is that you are using three
different methods of authentication, winbindd, ldap and sssd. Surely you
don't need all three?

If you decide to use sssd, then ask on their mailing list what sssd
packages you need and what you should remove.
If you decide to use LDAP, then this probably entails using nslcd; find
their mailing list and ask them.
If you decide to use winbindd (the Samba recommended way), then this is
the place to ask and I would suggest you have a look here:
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Data Control Systems - Mike Elkevizth
2016-06-10 19:14:40 UTC
Permalink
Hi,

You need to make sure that the user has the rfc2307 "loginShell:" attribute
set. See
https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_via_ADUC
for how to set it.

Mike E.


On Fri, Jun 10, 2016 at 2:11 PM, Kaplan, Andrew H. <***@partners.org>
wrote:

> Hello --
>
> The version of Samba that I am running on the server is the 4.3.9 Ubuntu
> package.
>
> To that end, I reconfigured the smb.conf file to reflect the entries
> listed in your e-mail.
>
> I added the syntax: default shell = /bin/bash to the smb.conf file, and
> restarted the samba and winbind daemons.
> Unfortunately, the getent passwd command indicated the /bin/false shell
> was still the default.
>
> What else do I need to do in order to correct this?
>
>
> ------------------------------
> *From:* Data Control Systems - Mike Elkevizth [***@datacontrolsystems.com
> ]
> *Sent:* Friday, June 10, 2016 1:40 PM
> *To:* Kaplan, Andrew H.; ***@lists.samba.org
> *Cc:* Rowland penny
> *Subject:* Re: [Samba] Problem with Active Directory authentication
>
> Hi,
>
> What version of Samba are you running (samba --version)? Some of the
> smb.conf parameters have changed in more recent versions. I'm running the
> standard version supplied with Ubuntu which is currently 4.3.9. My
> configuration on member servers is as follows:
>
> [global]
> # Base options
> workgroup = <NETBIOS DOMAIN>
> realm = <AD DOMAIN>
> netbios name = <THIS MACHINE'S NETBIOS NAME>
> security = ADS
>
> # Default idmap config used for BUILTIN and local accounts/groups
> idmap config *:backend = tdb
> idmap config *:range = 3000000-3999999
>
> # idmap config for domain <NETBIOS DOMAIN>
> idmap config <NETBIOS DOMAIN>:backend = ad
> idmap config <NETBIOS DOMAIN>:schema_mode = rfc2307
> idmap config <NETBIOS DOMAIN>:range = 10000-20000
>
> # Use settings from AD for login shell and home directory
> winbind nss info = rfc2307
> winbind enum users = yes
> winbind enum groups = yes
> winbind offline logon = yes
>
> # Log options
> log level = 1
>
> I think it looks like your real issue now is the /bin/false shell, which
> is the default if it isn't specifically set. The newer way to set the
> shell is using rfc2307 attributes. See
> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD and
> https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_via_ADUC.
> With a configuration similar to mine, and the correct shell set up in the
> rfc2307 attributes for the user, I think you'll be all set.
>
> Mike E.
>
> On Fri, Jun 10, 2016 at 12:50 PM Kaplan, Andrew H. <***@partners.org>
> wrote:
>
>> Hello --
>>
>> I removed the ldap and sssd packages from the server, and I am trying to
>> get winbind to work on the system.
>>
>> The configuration of the /etc/samba/smb.conf file's global section is the
>> following:
>>
>> [global]
>>
>> ## Browsing/Identification ###
>>
>> # Change this to the workgroup/NT-domain name your Samba server will be part of
>> security = ads
>> realm = <domain name>
>> workgroup = <domain>
>> idmap uid = 10000-20000
>> idmap gid = 10000-20000
>> winbind enum users = yes
>> winbind enum groups = yes
>> template homedir = /home/%D/%U
>> template shell = /bin/bash
>> client use spnego = yes
>> client ntlmv2 auth = yes
>> encrypt passwords = yes
>> winbind use default domain = yes
>> restrict anonymous = 2
>>
>> While that of the /etc/nsswitch.conf file reads as follows:
>>
>>
>> passwd: compat winbind
>> group: compat winbind
>> shadow: compat
>>
>> hosts: files dns
>> ...
>>
>> The /etc/krb5.conf file has the domain name in capital letters for the
>> default_realm entry.
>>
>> I was able to join the server with the domain.
>>
>> When I ran the getent <username>@<DOMAINNAME> command, the output was the
>> following:
>>
>> <DOMAINNAME>\<username>:*:10000:10005:<lastname>, <firstname>.:/home/<DOMAIN>/<username>:/bin/false
>>
>> I attempted to log into the system via ssh using the following command
>> syntax:
>>
>> ssh -l <username>@<DOMAINNAME> <server fqdn>
>>
>> The connection was made, but it was immediately closed. I am guessing the
>> /bin/false shell could be what is causing the problem.
>>
>> The auth.log file also had the following entries:
>>
>> Jun 10 12:44:00 <samba server> sshd[13560]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=microknoppix.mgh.harvard.edu user=***@PARTNERS.ORG
>> Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:auth): getting password (0x00000388)
>> Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:auth): pam_get_item returned a password
>> Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:auth): user '<DOMAINNAME>\<username>' granted access
>> Jun 10 12:44:00 <samba server> sshd[13560]: Accepted password for <username>@<DOMAINNAME> from <ip address> port 54879 ssh2
>> Jun 10 12:44:00 <samba server> sshd[13560]: pam_unix(sshd:session): session opened for user <DOMAINNAME>\<username> by (uid=0)
>> Jun 10 12:44:00 <samba server> sshd[13560]: pam_systemd(sshd:session): Failed to create session: No such file or directory
>> Jun 10 12:44:00 <samba server> sshd[13560]: pam_mkhomedir(sshd:session): unknown option: umask
>> Jun 10 12:44:00 <samba server> sshd[13560]: pam_mkhomedir(sshd:session): unknown option: 0022
>> Jun 10 12:44:00 <samba server> sshd[13608]: Received disconnect from <ip address>: disconnected by user
>> Jun 10 12:44:00 <samba server> sshd[13560]: pam_unix(sshd:session): session closed for user <DOMAINNAME>\<username>
>> Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:setcred): user '<DOMAINNAME>\<username>' OK
>>
>> The pam-auth-update command indicated the following were enabled:
>>
>> Unix authentication
>> Winbind NT/Active Directory authentication
>>
>> Register user sessions in the systemd control group hierarchy
>> Inheritable Capabilities Management
>>
>> ------------------------------
>> *From:* Data Control Systems - Mike Elkevizth [
>> ***@datacontrolsystems.com]
>> *Sent:* Friday, June 10, 2016 10:45 AM
>> *To:* Kaplan, Andrew H.; ***@lists.samba.org
>> *Cc:* Rowland penny
>>
>> *Subject:* Re: [Samba] Problem with Active Directory authentication
>> Hi,
>>
>> I have a feeling that Rowland is correct that all the different
>> authentication methods are interfering with one another. I can say all I
>> have is winbind and it works fine for me. My relevant pam-auth-update
>> modules are:
>>
>> [*] Unix authentication
>> [*] Winbind NT/Active Directory authentication
>> [*] Register user sessions in the systemd control group hierarchy
>> [*] Create home directory on login
>>
>> My relevant excerpt from /etc/nsswitch.conf is:
>>
>> passwd: compat winbind
>> group: compat winbind
>>
>> If your smb.conf file includes the "template shell = /bin/bash" as you
>> indicated earlier, but your getent password is returning /bin/PHSshell
>> instead, I think the information is being returned by a service other than
>> winbind. Depending on how pam is configured, generally the order listed
>> when you run pam-auth-update will be the order in which the services are
>> tried. So the first one listed there is probably the one returning the
>> info to getent passwd. I also know that my ssh (Ubuntu 16.04 client and
>> server) doesn't like the username in the format <username>@<domainname> and
>> this isn't the format that winbind would return the information, at least
>> not by default. For me getent passwd <username>@<domainname> would return
>> the user as <domainname>\<username>. I would try running pam-auth-update
>> and disabling the LDAP and SSSD authentication methods and see if getent
>> passwd returns different info.
>>
>> Your first post looked to me like the authentication was succeeding, but
>> then the shell was wrong and so you were immediately logged out. Like you
>> mentioned in a previous post, the /bin/PHSshell is probably one of the issues
>> because it probably doesn't exist. A link from /bin/PHSshell to /bin/bash
>> would fix this, but more than likely, it is a configuration issue that is
>> returning the wrong shell in the first place. Is PHS your netbios domain
>> name? If it is, it's probably the LDAP or SSSD configuration that is
>> returning the shell using a substitution that isn't set up correctly.
>>
>> Good luck,
>>
>> Mike E.
>>
>> On Fri, Jun 10, 2016 at 10:14 AM Rowland penny <***@samba.org> wrote:
>>
>>> On 10/06/16 13:46, Kaplan, Andrew H. wrote:
>>> > Hello --
>>> >
>>> > The winbind packages that are installed on the server are the following:
>>> >
>>> > Package  Version  Architecture  Description
>>> > libnss-winbind  4.3.9+dfsg-0ubuntu0.14.04.3  amd64  Samba nameservice integration plugins
>>> > libpam-winbind  4.3.9+dfsg-0ubuntu0.14.04.3  amd64  Windows domain authentication integration plugin
>>> > libwbclient0  4.3.9+dfsg-0ubuntu0.14.04.3  amd64  Samba winbind client library
>>> > winbind  4.3.9+dfsg-0ubuntu0.14.04.3  amd64  service to resolve user and group information from Windows NT servers
>>> >
>>> > Similarly, the ldap PAM packages are as follows:
>>> >
>>> > Package  Version  Architecture  Description
>>> > ldap-auth-client  0.5.3  all  meta-package for LDAP authentication
>>> > ldap-auth-config  0.5.3  all  Config package for LDAP authentication
>>> > ldap-utils  2.4.31-1+nmu2ubuntu8.2  amd64  OpenLDAP utilities
>>> > libldap-2.4-2  2.4.31-1+nmu2ubuntu8.2  amd64  OpenLDAP libraries
>>> > libldb1  1.1.24-0ubuntu0.14.04.1  amd64  LDAP-like embedded database - shared library
>>> > libnss-ldap  264-2.2ubuntu4.14.04.1  amd64  NSS module for using LDAP as a naming service
>>> > libpam-ldap  184-8.5ubuntu3  amd64  Pluggable Authentication Module for LDAP
>>> > sssd-ldap  1.11.5-1ubuntu3  amd64  System Security Services Daemon -- LDAP back end
>>> >
>>> > Finally, the sssd packages are the following:
>>> >
>>> > Package  Version  Architecture  Description
>>> > libsss-idmap0  1.11.5-1ubuntu3  amd64  ID mapping library for SSSD
>>> > sssd  1.11.5-1ubuntu3  amd64  System Security Services Daemon -- metapackage
>>> > sssd-ad  1.11.5-1ubuntu3  amd64  System Security Services Daemon -- Active Directory back end
>>> > sssd-ad-common  1.11.5-1ubuntu3  amd64  System Security Services Daemon -- PAC responder
>>> > sssd-common  1.11.5-1ubuntu3  amd64  System Security Services Daemon -- common files
>>> > sssd-ipa  1.11.5-1ubuntu3  amd64  System Security Services Daemon -- IPA back end
>>> > sssd-krb5  1.11.5-1ubuntu3  amd64  System Security Services Daemon -- Kerberos back end
>>> > sssd-krb5-common  1.11.5-1ubuntu3  amd64  System Security Services Daemon -- Kerberos helpers
>>> > sssd-ldap  1.11.5-1ubuntu3  amd64  System Security Services Daemon -- LDAP back end
>>> > sssd-proxy  1.11.5-1ubuntu3  amd64  System Security Services Daemon -- proxy back end
>>> > sssd-tools  1.11.5-1ubuntu3  amd64  System Security Services Daemon -- tools
>>> >
>>> > Will removing all packages for the first two groups solve this problem?
>>> >
>>> > From: samba [samba-***@lists.samba.org] on behalf of Rowland
>>> penny [***@samba.org]
>>> > Sent: Friday, June 10, 2016 8:29 AM
>>> > To: ***@lists.samba.org
>>> > Subject: Re: [Samba] Problem with Active Directory authentication
>>> >
>>> > On 10/06/16 12:47, Kaplan, Andrew H. wrote:
>>> >> Hello --
>>> >>
>>> >> I started a thread on the list that you suggested in your e-mail, and thank you for the reference.
>>> >>
>>> >> Also, I checked the auth.log file on the server, and the following entries were present:
>>> >>
>>> >> Jun 10 07:10:50 <samba server> sshd[7419]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<fqdn> user=<username>@<domainname>
>>> >> Jun 10 07:10:51 <samba server> sshd[7419]: pam_winbind(sshd:auth): getting password (0x00000388)
>>> >> Jun 10 07:10:51 <samba server> sshd[7419]: pam_winbind(sshd:auth): pam_get_item returned a password
>>> >> Jun 10 07:10:51 <samba server> sshd[7419]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<fqdn> user=<username>@<domainname>
>>> >> Jun 10 07:10:51 <samba server> sshd[7419]: pam_sss(sshd:auth): received for user <username>@<domainname> 17 (Failure setting user credentials)
>>> >> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: could not open secret file /etc/ldap.secret (No such file or directory)
>>> >> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: ldap_simple_bind Can't contact LDAP server
>>> >> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: reconnecting to LDAP server...
>>> >> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: ldap_simple_bind Can't contact LDAP server
>>> >> Jun 10 07:10:53 <samba server> sshd[7419]: Failed password for invalid user <username>@<domainname> from <ip address> port 49847 ssh2
>>> >>
>>> >>
>>> >> ________________________________________
>>> >> From: Sumit Bose [***@redhat.com]
>>> >> Sent: Friday, June 10, 2016 4:44 AM
>>> >> To: Kaplan, Andrew H.
>>> >> Cc: samba-***@lists.samba.org; ***@lists.samba.org
>>> >> Subject: Re: Problem with Active Directory authentication
>>> >>
>>> >> The sssd-users list
>>> >>
>>> https://lists.fedorahosted.org/archives/list/sssd-***@lists.fedorahosted.org/
>>> >> might be more appropriate for your question.
>>> >>
>>> >> As a general comment, the PAM configuration is important here. Please
>>> >> check the system logs which PAM module was consulted during the login
>>> >> attempt and which cause the rejection.
>>> >>
>>> >> HTH
>>> >>
>>> >> bye,
>>> >> Sumit
>>> >>
>>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
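For the symptom Mike and Rowland are working through above (pam_winbind grants access, sshd opens the session, and it closes at once because the shell NSS returns is /bin/false or a path such as /bin/PHSshell that does not exist), the following diagnostic script is an added example; it is not from the list posts or from Samba. It assumes a domain member with winbind listed for passwd in /etc/nsswitch.conf, and 'DOMAIN\user' is a placeholder for a real account.

```shell
#!/bin/sh
# Added diagnostic for the failure mode in this thread: pam_winbind grants
# access, sshd opens the session, and it closes at once because the shell
# that NSS returns is /bin/false or a path that does not exist.
# Example script, not Samba code and not something posted on the list.
# Assumes a domain member whose nsswitch.conf lists winbind for passwd.

# shell_problem PASSWD_LINE [SHELLS_FILE]
# Takes one passwd-style line as printed by "getent passwd DOMAIN\user"
# (name:pw:uid:gid:gecos:home:shell) and reports why the shell would end
# a login. Returns 0 if the shell looks usable, 1 if a problem was found.
shell_problem() {
    sp_line=$1
    sp_shells=${2:-/etc/shells}
    sp_shell=$(printf '%s\n' "$sp_line" | awk -F: '{ print $7 }')
    case "$sp_shell" in
        "")
            echo "passwd entry has no shell field"
            return 1 ;;
        /bin/false|/usr/sbin/nologin|/sbin/nologin)
            # What the getent output in the thread shows: winbind fell back
            # to its default because no loginShell / template shell applied.
            echo "shell is $sp_shell: AD loginShell not set or not used by winbind"
            return 1 ;;
    esac
    if [ ! -x "$sp_shell" ]; then
        # The /bin/PHSshell case from earlier in the thread.
        echo "shell $sp_shell does not exist or is not executable on this host"
        return 1
    fi
    if [ -r "$sp_shells" ] && ! grep -qx "$sp_shell" "$sp_shells"; then
        echo "shell $sp_shell is not listed in $sp_shells"
        return 1
    fi
    return 0
}

# mkhomedir_args_ok PAM_FILE
# The auth.log in the thread shows pam_mkhomedir rejecting "umask" and
# "0022" as two unknown options: the module wants a single umask=0022 token.
# Returns 0 when every pam_mkhomedir line uses only known options in
# key=value form, 1 otherwise.
mkhomedir_args_ok() {
    awk '
        /^[[:space:]]*#/ { next }
        /pam_mkhomedir\.so/ {
            start = NF + 1
            for (i = 1; i <= NF; i++)
                if ($i ~ /pam_mkhomedir\.so$/) start = i + 1
            for (i = start; i <= NF; i++)
                if ($i !~ /^(umask|skel)=/ && $i !~ /^(silent|debug)$/) bad = 1
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Live use on the member server:  sh check-ad-login.sh 'DOMAIN\user'
if [ $# -gt 0 ]; then
    if entry=$(getent passwd "$1"); then
        shell_problem "$entry" && echo "shell for $1 looks usable"
    else
        echo "getent passwd returned nothing for $1: NSS/winbind lookup problem"
    fi
    mkhomedir_args_ok /etc/pam.d/common-session ||
        echo "fix pam_mkhomedir options in /etc/pam.d/common-session (use umask=0022)"
fi
```

Run it with the same name form you pass to ssh; if getent returns nothing the problem is in NSS or winbind, and if the shell check fails the login is being accepted and then torn down by the shell, exactly as the thread's log shows.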
Kaplan, Andrew H.
2016-06-10 19:44:17 UTC
Permalink
The problem that I am now facing is the fact that there is no NIS domain that can be selected from the dropdown menu,
which, in turn, prevents the login shell from being modified.


________________________________
From: Data Control Systems - Mike Elkevizth [***@datacontrolsystems.com]
Sent: Friday, June 10, 2016 3:14 PM
To: Kaplan, Andrew H.
Cc: ***@lists.samba.org; Rowland penny
Subject: Re: [Samba] Problem with Active Directory authentication

Hi,

You need to make sure that the user has the rfc2307 "loginShell:" attribute set. See https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_via_ADUC for how to set it.

Mike E.


On Fri, Jun 10, 2016 at 2:11 PM, Kaplan, Andrew H. <***@partners.org<mailto:***@partners.org>> wrote:
Hello --

The version of Samba that I am running on the server is the 4.3.9 Ubuntu package.

To that end, I reconfigured the smb.conf file to reflect the entries listed in your e-mail.

I added the syntax: default shell = /bin/bash to the smb.conf file, and restarted the samba and winbind daemons.
Unfortunately, the getent passwd command indicated the /bin/false shell was still the default.

What else do I need to do in order to correct this?


________________________________
From: Data Control Systems - Mike Elkevizth [***@datacontrolsystems.com<mailto:***@datacontrolsystems.com>]
Sent: Friday, June 10, 2016 1:40 PM
To: Kaplan, Andrew H.; ***@lists.samba.org<mailto:***@lists.samba.org>
Cc: Rowland penny
Subject: Re: [Samba] Problem with Active Directory authentication

Hi,

What version of Samba are you running (samba --version)? Some of the smb.conf parameters have changed in more recent versions. I'm running the standard version supplied with Ubuntu which is currently 4.3.9. My configuration on member servers is as follows:

[global]
# Base options
workgroup = <NETBIOS DOMAIN>
realm = <AD DOMAIN>
netbios name = <THIS MACHINE'S NETBIOS NAME>
security = ADS

# Default idmap config used for BUILTIN and local accounts/groups
idmap config *:backend = tdb
idmap config *:range = 3000000-3999999

idmap config for domain <NETBIOS DOMAIN>
idmap config <NETBIOS DOMAIN>:backend = ad
idmap config <NETBIOS DOMAIN>:schema_mode = rfc2307
idmap config <NETBIOS DOMAIN>:range = 10000-20000

# Use settings from AD for login shell and home directory
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind offline logon = yes

# Log options
log level = 1

I think it looks like you're real issue now is the /bin/false shell, which is the default if it isn't specifically set. The newer way to set the shell is using rfc2307 attributes. See https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD and https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_via_ADUC. With a configuration similar to mine, and the correct shell set up in the rfc2307 attributes for the user, I think you'll be all set.

Mike E.

On Fri, Jun 10, 2016 at 12:50 PM Kaplan, Andrew H. <***@partners.org<mailto:***@partners.org>> wrote:
Hello --

I removed the ldap and sssd packages from the server, and I am trying to get winbind to work on the system.

The configuration of the /etc/samba/smb.conf file's global section is the following:

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
security = ads
realm = <domain name>
workgroup = <domain>
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth =yes
encrypt passwords = yes
winbind use default domain = yes
restrict anonymous = 2

While that of the /etc/nsswitch.conf file reads as follows:


passwd: compat winbind
group: compat winbind
shadow: compat

hosts: files dns
...

The /etc/krb5.conf file has the domain name in capital letters for the default_realm entry in capital letters.

I was able to join the server with the domain.

When I ran the getent <username>@<DOMAINNAME> command, the output was the following:

<DOMAINNAME>\<username>:*:10000:10005:<lastname>, <firstname>.:/home/<DOMAIN>/<username>:/bin/false

I attempted to log into the system via ssh using the following command syntax:

ssh -l <username>@<DOMAINNAME> <server fqdn>

The connection was made, but it was immediately closed. I am guessing the /bin/false shell could be what is causing the problem.

The auth.log file also had the following entries:

Jun 10 12:44:00 <samba server> sshd[13560]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=microknoppix.mgh.harvard.edu<http://microknoppix.mgh.harvard.edu> user=***@PARTNERS.ORG<mailto:***@PARTNERS.ORG>
Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:auth): getting password (0x00000388)
Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:auth): pam_get_item returned a password
Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:auth): user '<DOMAINNAME>\<username>' granted access
Jun 10 12:44:00 <samba server> sshd[13560]: Accepted password for <username>@<DOMAINNAME> from <ip address> port 54879 ssh2
Jun 10 12:44:00 <samba server> sshd[13560]: pam_unix(sshd:session): session opened for user <DOMAINNAME>\<username> by (uid=0)
Jun 10 12:44:00 <samba server> sshd[13560]: pam_systemd(sshd:session): Failed to create session: No such file or directory
Jun 10 12:44:00 <samba server> sshd[13560]: pam_mkhomedir(sshd:session): unknown option: umask
Jun 10 12:44:00 <samba server> sshd[13560]: pam_mkhomedir(sshd:session): unknown option: 0022
Jun 10 12:44:00 <samba server> sshd[13608]: Received disconnect from <ip address>: disconnected by user
Jun 10 12:44:00 <samba server> sshd[13560]: pam_unix(sshd:session): session closed for user <DOMAINNAME>\<username>
Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:setcred): user '<DOMAINNAME>\<username>' OK

The pam-auth-update command indicated the following were enabled:

Unix authentication
Winbind NT/Active Directory authentication

Register user sessions in the systemd control group hierarchy
Inheritable Capabilities Management







________________________________
From: Data Control Systems - Mike Elkevizth [***@datacontrolsystems.com<mailto:***@datacontrolsystems.com>]
Sent: Friday, June 10, 2016 10:45 AM
To: Kaplan, Andrew H.; ***@lists.samba.org<mailto:***@lists.samba.org>
Cc: Rowland penny

Subject: Re: [Samba] Problem with Active Directory authentication
Hi,

I have a feeling that Rowland is correct that all the different authentication methods are interfering with one another. I can say all I have is winbind and it works fine for me. My relevant pam-auth-update modules are:

[*] Unix authentication
[*] Winbind NT/Active Directory authentication
[*] Register user sessions in the systemd control group hierarchy
[*] Create home directory on login

My relevant excerpt from /etc/nsswitch.conf is:

passwd: compat winbind
group: compat winbind

If your smb.conf file includes the "template shell = /bin/bash" as you indicated earlier, but your getent password is returning /bin/PHSshell instead, I think the information is being returned by a service other than winbind. Depending on how pam is configured, generally the order listed when you run pam-auth-update will be the order in which the services are tried. So the first one listed there is probably the one returning the info to getent passwd. I also know that my ssh (Ubuntu 16.04 client and server) doesn't like the username in the format <username>@<domainname> and this isn't the format that winbind would return the information, at least not by default. For me getent passwd <username>@<domainname> would return the user as <domainname>\<username>. I would try running pam-auth-update and disabling the LDAP and SSSD authentication methods and see if getent passwd returns different info.

Your first post looked to me like the authentication was succeeding, but then the shell was wrong and so you were immediately logged out. Like you mentioned in a previous post, the /bin/PHSshell is probably one the issue because it probably doesn't exist. A link from /bin/PHSshell to /bin/bash would fix this, but more than likely, it is a configuration issue that is returning the wrong shell in the first place. Is PHS your netbios domain name? If it is, it's probably the LDAP or SSSD configuration that is retuning the shell using a substitution that isn't set up correctly.

Good luck,

Mike E.

On Fri, Jun 10, 2016 at 10:14 AM Rowland penny <***@samba.org<mailto:***@samba.org>> wrote:
On 10/06/16 13:46, Kaplan, Andrew H. wrote:
> Hello --
>
> The winbind packages that are installed on the server are the following:
>
> Package Description
> libnss-winbind 4.3.9+dfsg-0ubuntu0.14.04.3 amd64 Samba nameservice integration plugins
> libpam-winbind 4.3.9+dfsg-0ubuntu0.14.04.3 amd64 Windows domain authentication integration plugin
> libwbclient0 4.3.9+dfsg-0ubuntu0.14.04.3 amd64 Samba winbind client library
> winbind 4.3.9+dfsg-0ubuntu0.14.04.3 amd64 service to resolve user and group information from Windows NT servers
>
> Similarly, the ldap PAM packages are as follows:
>
> Package Description
> ldap-auth-client 0.5.3 all meta-package for LDAP authentication
> ldap-auth-config 0.5.3 all Config package for LDAP authentication
> ldap-utils 2.4.31-1+nmu2ubuntu8.2 amd64 OpenLDAP utilities
> libldap-2.4-2 2.4.31-1+nmu2ubuntu8.2 amd64 OpenLDAP libraries
> libldb1 1.1.24-0ubuntu0.14.04.1 amd64 LDAP-like embedded database - shared library
> libnss-ldap 264-2.2ubuntu4.14.04.1 amd64 NSS module for using LDAP as a naming service
> libpam-ldap 184-8.5ubuntu3 amd64 Pluggable Authentication Module for LDAP
> sssd-ldap 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- LDAP back end
>
> Finally, the sssd packages are the following:
>
> Package Description
> libsss-idmap0 1.11.5-1ubuntu3 amd64 ID mapping library for SSSD
> sssd 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- metapackage
> sssd-ad 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- Active Directory back end
> sssd-ad-common 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- PAC responder
> sssd-common 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- common files
> sssd-ipa 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- IPA back end
> sssd-krb5 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- Kerberos back end
> sssd-krb5-common 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- Kerberos helpers
> sssd-ldap 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- LDAP back end
> sssd-proxy 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- proxy back end
> sssd-tools 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- tools
>
> Will removing all packages for the first two groups solve this problem?
>
> From: samba [samba-***@lists.samba.org] on behalf of Rowland penny [***@samba.org]
> Sent: Friday, June 10, 2016 8:29 AM
> To: ***@lists.samba.org
> Subject: Re: [Samba] Problem with Active Directory authentication
>
> On 10/06/16 12:47, Kaplan, Andrew H. wrote:
>> Hello --
>>
>> I started a thread on the list that you suggested in your e-mail, and thank-you for the reference.
>>
>> Also, I checked the auth.log file on the server, and the following entries were present:
>>
>> I checked the auth.log file, and the following entries were present:
>>
>> Jun 10 07:10:50 <samba server> sshd[7419]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<fqdn> user=<username>@<domainname>
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_winbind(sshd:auth): getting password (0x00000388)
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_winbind(sshd:auth): pam_get_item returned a password
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<fqdn> user=<username>@<domainname>
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_sss(sshd:auth): received for user <username>@<domainname> 17 (Failure setting user credentials)
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: could not open secret file /etc/ldap.secret (No such file or directory)
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: ldap_simple_bind Can't contact LDAP server
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: reconnecting to LDAP server...
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: ldap_simple_bind Can't contact LDAP server
>> Jun 10 07:10:53 <samba server> sshd[7419]: Failed password for invalid user <username>@<domainname> from <ip address> port 49847 ssh2
>>
>>
>> ________________________________________
>> From: Sumit Bose [***@redhat.com]
>> Sent: Friday, June 10, 2016 4:44 AM
>> To: Kaplan, Andrew H.
>> Cc: samba-***@lists.samba.org; ***@lists.samba.org
>> Subject: Re: Problem with Active Directory authentication
>>
>> On Wed, Jun 08, 2016 at 07:46:00PM +0000, Kaplan, Andrew H. wrote:
>>> Hello --
>>>
>>> We are running the 14.04.3 LTS 64-bit release as a virtual machine on a Vmware appliance. The goal of the installation is to create a Samba server that utilizes Active Directory authentication. To that end I utilized the following procedure:
>>>
>>> http://www.kiloroot.com/add-ubuntu-14-04-server-or-desktop-to-microsoft-active-directory-domain-login-to-unity-with-domain-credentials/
>>>
>>> Afterwards, I referenced the following documentation to confirm that all configuration files had the appropriate entries:
>>>
>>> https://help.ubuntu.com/lts/serverguide/sssd-ad.html
>> The sssd-users list
>> https://lists.fedorahosted.org/archives/list/sssd-***@lists.fedorahosted.org/
>> might be more appropriate for your question.
>>
>> As a general comment, the PAM configuration is important here. Please
>> check the system logs which PAM module was consulted during the login
>> attempt and which cause the rejection.
>>
>> HTH
>>
>> bye,
>> Sumit
>>
>>> The problem is the following: I am unable to log into the server from the console or via SSH using my Active Directory user account. The syntax that I use when doing an SSH connection is the following:
>>>
>>> ssh -v -l <username>@<domainname> <fully qualified domain name>
>>>
>>> The output that was generated is the following:
>>>
>>> OpenSSH_6.0p1 Debian-4, OpenSSL 1.0.1e 11 Feb 2013
>>> debug1: Reading configuration data /etc/ssh/ssh_config
>>> debug1: /etc/ssh/ssh_config line 19: Applying options for *
>>> debug1: Connecting to <fully qualified domain name> [<ip address>] port 22.
>>> debug1: Connection established.
>>> debug1: identity file /home/knoppix/.ssh/id_rsa type -1
>>> debug1: identity file /home/knoppix/.ssh/id_rsa-cert type -1
>>> debug1: identity file /home/knoppix/.ssh/id_dsa type -1
>>> debug1: identity file /home/knoppix/.ssh/id_dsa-cert type -1
>>> debug1: identity file /home/knoppix/.ssh/id_ecdsa type -1
>>> debug1: identity file /home/knoppix/.ssh/id_ecdsa-cert type -1
>>> debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.7
>>> debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.7 pat OpenSSH*
>>> debug1: Enabling compatibility mode for protocol 2.0
>>> debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4
>>> debug1: SSH2_MSG_KEXINIT sent
>>> debug1: SSH2_MSG_KEXINIT received
>>> debug1: kex: server->client aes128-ctr hmac-md5 none
>>> debug1: kex: client->server aes128-ctr hmac-md5 none
>>> debug1: sending SSH2_MSG_KEX_ECDH_INIT
>>> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
>>> debug1: Server host key: ECDSA ec:09:c1:bc:d0:11:f3:8c:45:3f:dd:3a:96:ba:2a:17
>>> debug1: Host '<fully qualified domain name>' is known and matches the ECDSA host key.
>>> debug1: Found key in /home/knoppix/.ssh/known_hosts:29
>>> debug1: ssh_ecdsa_verify: signature correct
>>> debug1: SSH2_MSG_NEWKEYS sent
>>> debug1: expecting SSH2_MSG_NEWKEYS
>>> debug1: SSH2_MSG_NEWKEYS received
>>> debug1: Roaming not allowed by server
>>> debug1: SSH2_MSG_SERVICE_REQUEST sent
>>> debug1: SSH2_MSG_SERVICE_ACCEPT received
>>> debug1: Authentications that can continue: publickey,password
>>> debug1: Next authentication method: publickey
>>> debug1: Trying private key: /home/knoppix/.ssh/id_rsa
>>> debug1: Trying private key: /home/knoppix/.ssh/id_dsa
>>> debug1: Trying private key: /home/knoppix/.ssh/id_ecdsa
>>> debug1: Next authentication method: password
>>> <username>@<domainname>@<fully qualified domain name>'s password:
>>> Connection closed by <ip address>
>>>
>>> Does anyone have thoughts on this?
>>>
>>> Thanks.
>>>
>>>
>>> The information in this e-mail is intended only for the person to whom it is
>>> addressed. If you believe this e-mail was sent to you in error and the e-mail
>>> contains patient information, please contact the Partners Compliance HelpLine at
>>> http://www.partners.org/complianceline . If the e-mail was sent to you in error
>>> but does not contain patient information, please contact the sender and properly
>>> dispose of the e-mail.
> As Sumit has said, this should be on the sssd mailing list.
> From your log fragment, it looks like you have the winbind and ldap PAM
> packages installed, you do not need them.
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

I am not entirely sure, what I can say is that you are using three
different methods of authentication, winbindd, ldap and sssd, surely you
don't need all three ?

If you decide to use sssd, then ask on their mailing list what sssd
packages you need and what you should remove.
If you decide to use LDAP, then this probably entails using nslcd, find
their mailing list and ask them.
If you decide to use winbindd (the Samba recommended way), then this is
the place to ask and I would suggest you have a look here:
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
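The auth.log fragments quoted in this thread can be read mechanically, which helps when several PAM modules are stacked and it is not obvious where the login actually died. The script below is an added example for this page, not code from Samba, sssd or any of the posters. It groups sshd lines by process id, lists which PAM modules took part in the auth stack, tells a rejected password apart from a session that was opened and closed within the same second (the post-authentication failure Mike describes, typically a missing or non-interactive login shell), and flags when more than one domain authentication module was consulted. The embedded log lines are constructed from the ones quoted above with placeholder names (`fileserver`, `jdoe`, `example.org`, 192.0.2.10); `parse()` and `triage()` are the example's own names.

```python
"""Triage sshd/PAM entries from auth.log: which PAM modules were consulted,
whether the password was accepted, and whether the session died right after
it was opened (a shell or home-directory problem rather than a credential one).
Added example for this thread; not part of Samba, sssd or the original mails."""
import re
from collections import defaultdict

# "Jun 10 07:10:51 host sshd[7419]: message"
LINE_RE = re.compile(r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ '
                     r'sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$')
# "pam_winbind(sshd:auth): message" -> module, service and PAM function type
PAM_RE = re.compile(r'^(?P<module>pam_\w+)\((?P<service>\w+):(?P<type>\w+)\): (?P<rest>.*)$')


def parse(lines):
    """Group auth.log lines by sshd process id -> {pid: [(timestamp, message), ...]}."""
    by_pid = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            by_pid[m['pid']].append((m['ts'], m['msg']))
    return dict(by_pid)


def _note(notes, text):
    """Append a finding once, even if several lines trigger it."""
    if text not in notes:
        notes.append(text)


def triage(lines):
    """Return {pid: {'modules': [...], 'auth': 'accepted'|'failed'|'unknown',
    'post_auth_failure': bool, 'notes': [...]}} for every sshd pid seen."""
    results = {}
    for pid, events in parse(lines).items():
        modules, notes = [], []
        auth, opened, closed = 'unknown', None, None
        for ts, msg in events:
            pm = PAM_RE.match(msg)
            if pm:
                module, ptype, rest = pm['module'], pm['type'], pm['rest']
                if ptype == 'auth' and module not in modules:
                    modules.append(module)          # order = order in the PAM auth stack
                if ptype == 'session' and 'session opened' in rest:
                    opened = ts
                if ptype == 'session' and 'session closed' in rest:
                    closed = ts
                if 'authentication failure' in rest or 'Failure setting user credentials' in rest:
                    _note(notes, f'{module} rejected the credentials')
                if 'granted access' in rest:
                    _note(notes, f'{module} granted access')
            elif msg.startswith('pam_ldap:'):
                # pam_ldap logs without the "(service:type)" prefix
                if 'pam_ldap' not in modules:
                    modules.append('pam_ldap')
                if "Can't contact LDAP server" in msg:
                    _note(notes, 'pam_ldap could not reach any LDAP server')
            elif msg.startswith('Accepted password for'):
                auth = 'accepted'
            elif msg.startswith('Failed password for'):
                auth = 'failed'
                if 'invalid user' in msg:
                    _note(notes, 'sshd could not resolve the user through NSS ("invalid user")')
        # Password accepted but the session lasted no measurable time: the
        # credential path is fine, the shell or home directory is not.
        post_auth_failure = auth == 'accepted' and opened is not None and opened == closed
        if post_auth_failure:
            _note(notes, 'session opened and closed within the same second: check the '
                         'login shell and home directory, the password was accepted')
        domain_modules = [m for m in modules if m != 'pam_unix']
        if len(domain_modules) > 1:
            _note(notes, 'several domain auth modules stacked: ' + ', '.join(domain_modules))
        results[pid] = {'modules': modules, 'auth': auth,
                        'post_auth_failure': post_auth_failure, 'notes': notes}
    return results


# Constructed sample input, modelled on the auth.log lines quoted in this
# thread; host, user, realm and addresses are placeholders, not real systems.
FIRST_ATTEMPT = [
    'Jun 10 07:10:50 fileserver sshd[7419]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=client.example.org user=jdoe@example.org',
    'Jun 10 07:10:51 fileserver sshd[7419]: pam_winbind(sshd:auth): getting password (0x00000388)',
    'Jun 10 07:10:51 fileserver sshd[7419]: pam_winbind(sshd:auth): pam_get_item returned a password',
    'Jun 10 07:10:51 fileserver sshd[7419]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=client.example.org user=jdoe@example.org',
    'Jun 10 07:10:51 fileserver sshd[7419]: pam_sss(sshd:auth): received for user jdoe@example.org 17 (Failure setting user credentials)',
    "Jun 10 07:10:51 fileserver sshd[7419]: pam_ldap: ldap_simple_bind Can't contact LDAP server",
    'Jun 10 07:10:53 fileserver sshd[7419]: Failed password for invalid user jdoe@example.org from 192.0.2.10 port 49847 ssh2',
]
SECOND_ATTEMPT = [
    'Jun 10 12:44:00 fileserver sshd[13560]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=client.example.org user=jdoe@EXAMPLE.ORG',
    'Jun 10 12:44:00 fileserver sshd[13560]: pam_winbind(sshd:auth): getting password (0x00000388)',
    "Jun 10 12:44:00 fileserver sshd[13560]: pam_winbind(sshd:auth): user 'EXAMPLE\\jdoe' granted access",
    'Jun 10 12:44:00 fileserver sshd[13560]: Accepted password for jdoe@EXAMPLE.ORG from 192.0.2.10 port 54879 ssh2',
    'Jun 10 12:44:00 fileserver sshd[13560]: pam_unix(sshd:session): session opened for user EXAMPLE\\jdoe by (uid=0)',
    'Jun 10 12:44:00 fileserver sshd[13560]: pam_mkhomedir(sshd:session): unknown option: umask',
    'Jun 10 12:44:00 fileserver sshd[13608]: Received disconnect from 192.0.2.10: disconnected by user',
    'Jun 10 12:44:00 fileserver sshd[13560]: pam_unix(sshd:session): session closed for user EXAMPLE\\jdoe',
    "Jun 10 12:44:00 fileserver sshd[13560]: pam_winbind(sshd:setcred): user 'EXAMPLE\\jdoe' OK",
]

if __name__ == '__main__':
    for label, sample in (('first attempt', FIRST_ATTEMPT), ('second attempt', SECOND_ATTEMPT)):
        for pid, verdict in triage(sample).items():
            print(label, pid, verdict['auth'], 'post-auth failure' if verdict['post_auth_failure'] else '')
            for n in verdict['notes']:
                print('   ', n)
```

Run it against a real file with `triage(open('/var/log/auth.log'))`; the first sample yields `failed` with three domain modules stacked (pam_winbind, pam_sss, pam_ldap), the second yields `accepted` with the post-authentication flag set, which is the difference between Kaplan's 07:10 and 12:44 attempts.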
Data Control Systems - Mike Elkevizth
2016-06-10 20:35:33 UTC
Permalink
Hi,

I'm not 100% sure about this, but that might mean that the NIS Extensions
are not installed in your AD directory. Is the domain controller a Samba
AD DC? If so you can see
https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD about adding it.

Mike E.


On Fri, Jun 10, 2016 at 3:44 PM Kaplan, Andrew H. <***@partners.org>
wrote:

> The problem that I am now facing is the fact there is no NIS domain that
> can be selected from the dropdown menu,
> which, in turn, prevents the login shell from being modified.
>
>
> ------------------------------
> *From:* Data Control Systems - Mike Elkevizth [***@datacontrolsystems.com
> ]
> *Sent:* Friday, June 10, 2016 3:14 PM
> *To:* Kaplan, Andrew H.
> *Cc:* ***@lists.samba.org; Rowland penny
>
> *Subject:* Re: [Samba] Problem with Active Directory authentication
> Hi,
>
> You need to make sure that the user has the rfc2307 "loginShell:"
> attribute set. See
> https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_via_ADUC
> for how to set it.
>
> Mike E.
>
>
> On Fri, Jun 10, 2016 at 2:11 PM, Kaplan, Andrew H. <***@partners.org>
> wrote:
>
>> Hello --
>>
>> The version of Samba that I am running on the server is the 4.3.9 Ubuntu
>> package.
>>
>> To that end, I reconfigured the smb.conf file to reflect the entries
>> listed in your e-mail.
>>
>> I added the syntax: default shell = /bin/bash to the smb.conf file, and
>> restarted the samba and winbind daemons.
>> Unfortunately, the getent passwd command indicated the /bin/false shell
>> was still the default.
>>
>> What else do I need to do in order to correct this?
>>
>>
>> ------------------------------
>> *From:* Data Control Systems - Mike Elkevizth [
>> ***@datacontrolsystems.com]
>> *Sent:* Friday, June 10, 2016 1:40 PM
>> *To:* Kaplan, Andrew H.; ***@lists.samba.org
>> *Cc:* Rowland penny
>> *Subject:* Re: [Samba] Problem with Active Directory authentication
>>
>> Hi,
>>
>> What version of Samba are you running (samba --version)? Some of the
>> smb.conf parameters have changed in more recent versions. I'm running the
>> standard version supplied with Ubuntu which is currently 4.3.9. My
>> configuration on member servers is as follows:
>>
>> [global]
>> # Base options
>> workgroup = <NETBIOS DOMAIN>
>> realm = <AD DOMAIN>
>> netbios name = <THIS MACHINE'S NETBIOS NAME>
>> security = ADS
>>
>> # Default idmap config used for BUILTIN and local accounts/groups
>> idmap config *:backend = tdb
>> idmap config *:range = 3000000-3999999
>>
>> # idmap config for domain <NETBIOS DOMAIN>
>> idmap config <NETBIOS DOMAIN>:backend = ad
>> idmap config <NETBIOS DOMAIN>:schema_mode = rfc2307
>> idmap config <NETBIOS DOMAIN>:range = 10000-20000
>>
>> # Use settings from AD for login shell and home directory
>> winbind nss info = rfc2307
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind offline logon = yes
>>
>> # Log options
>> log level = 1
>>
>> I think it looks like your real issue now is the /bin/false shell,
>> which is the default if it isn't specifically set. The newer way to set
>> the shell is using rfc2307 attributes. See
>> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD and
>> https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_via_ADUC.
>> With a configuration similar to mine, and the correct shell set up in the
>> rfc2307 attributes for the user, I think you'll be all set.
>>
>> Mike E.
>>
>> On Fri, Jun 10, 2016 at 12:50 PM Kaplan, Andrew H. <***@partners.org>
>> wrote:
>>
>>> Hello --
>>>
>>> I removed the ldap and sssd packages from the server, and I am trying to
>>> get winbind to work on the system.
>>>
>>> The configuration of the /etc/samba/smb.conf file's global section is
>>> the following:
>>>
>>> [global]
>>>
>>> ## Browsing/Identification ###
>>>
>>> # Change this to the workgroup/NT-domain name your Samba server will
>>> part of
>>> security = ads
>>> realm = <domain name>
>>> workgroup = <domain>
>>> idmap uid = 10000-20000
>>> idmap gid = 10000-20000
>>> winbind enum users = yes
>>> winbind enum groups = yes
>>> template homedir = /home/%D/%U
>>> template shell = /bin/bash
>>> client use spnego = yes
>>> client ntlmv2 auth =yes
>>> encrypt passwords = yes
>>> winbind use default domain = yes
>>> restrict anonymous = 2
>>>
>>> While that of the /etc/nsswitch.conf file reads as follows:
>>>
>>>
>>> passwd: compat winbind
>>> group: compat winbind
>>> shadow: compat
>>>
>>> hosts: files dns
>>> ...
>>>
>>> The /etc/krb5.conf file has the domain name in capital letters for the
>>> default_realm entry.
>>>
>>> I was able to join the server with the domain.
>>>
>>> When I ran the getent <username>@<DOMAINNAME> command, the output was
>>> the following:
>>>
>>> <DOMAINNAME>\<username>:*:10000:10005:<lastname>,
>>> <firstname>.:/home/<DOMAIN>/<username>:/bin/false
>>>
>>> I attempted to log into the system via ssh using the following command
>>> syntax:
>>>
>>> ssh -l <username>@<DOMAINNAME> <server fqdn>
>>>
>>> The connection was made, but it was immediately closed. I am guessing
>>> the /bin/false shell could be what is causing the problem.
>>>
>>> The auth.log file also had the following entries:
>>>
>>> Jun 10 12:44:00 <samba server> sshd[13560]: pam_unix(sshd:auth):
>>> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=
>>> microknoppix.mgh.harvard.edu user=***@PARTNERS.ORG
>>> Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:auth):
>>> getting password (0x00000388)
>>> Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:auth):
>>> pam_get_item returned a password
>>> Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:auth): user
>>> '<DOMAINNAME>\<username>' granted access
>>> Jun 10 12:44:00 <samba server> sshd[13560]: Accepted password for
>>> <username>@<DOMAINNAME> from <ip address> port 54879 ssh2
>>> Jun 10 12:44:00 <samba server> sshd[13560]: pam_unix(sshd:session):
>>> session opened for user <DOMAINNAME>\<username> by (uid=0)
>>> Jun 10 12:44:00 <samba server> sshd[13560]: pam_systemd(sshd:session):
>>> Failed to create session: No such file or directory
>>> Jun 10 12:44:00 <samba server> sshd[13560]: pam_mkhomedir(sshd:session):
>>> unknown option: umask
>>> Jun 10 12:44:00 <samba server> sshd[13560]: pam_mkhomedir(sshd:session):
>>> unknown option: 0022
>>> Jun 10 12:44:00 <samba server> sshd[13608]: Received disconnect from <ip
>>> address>: disconnected by user
>>> Jun 10 12:44:00 <samba server> sshd[13560]: pam_unix(sshd:session):
>>> session closed for user <DOMAINNAME>\<username>
>>> Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:setcred):
>>> user '<DOMAINNAME>\<username>' OK
>>>
>>> The pam-auth-update command indicated the following were enabled:
>>>
>>> Unix authentication
>>> Winbind NT/Active Directory authentication
>>>
>>> Register user sessions in the systemd control group hierarchy
>>> Inheritable Capabilities Management
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> ------------------------------
>>> *From:* Data Control Systems - Mike Elkevizth [
>>> ***@datacontrolsystems.com]
>>> *Sent:* Friday, June 10, 2016 10:45 AM
>>> *To:* Kaplan, Andrew H.; ***@lists.samba.org
>>> *Cc:* Rowland penny
>>>
>>> *Subject:* Re: [Samba] Problem with Active Directory authentication
>>> Hi,
>>>
>>> I have a feeling that Rowland is correct that all the different
>>> authentication methods are interfering with one another. I can say all I
>>> have is winbind and it works fine for me. My relevant pam-auth-update
>>> modules are:
>>>
>>> [*] Unix authentication
>>> [*] Winbind NT/Active Directory authentication
>>> [*] Register user sessions in the systemd control group hierarchy
>>> [*] Create home directory on login
>>>
>>> My relevant excerpt from /etc/nsswitch.conf is:
>>>
>>> passwd: compat winbind
>>> group: compat winbind
>>>
>>> If your smb.conf file includes the "template shell = /bin/bash" as you
>>> indicated earlier, but your getent password is returning /bin/PHSshell
>>> instead, I think the information is being returned by a service other than
>>> winbind. Depending on how pam is configured, generally the order listed
>>> when you run pam-auth-update will be the order in which the services are
>>> tried. So the first one listed there is probably the one returning the
>>> info to getent passwd. I also know that my ssh (Ubuntu 16.04 client and
>>> server) doesn't like the username in the format <username>@<domainname> and
>>> this isn't the format that winbind would return the information, at least
>>> not by default. For me getent passwd <username>@<domainname> would return
>>> the user as <domainname>\<username>. I would try running pam-auth-update
>>> and disabling the LDAP and SSSD authentication methods and see if getent
>>> passwd returns different info.
>>>
>>> Your first post looked to me like the authentication was succeeding, but
>>> then the shell was wrong and so you were immediately logged out. Like you
>>> mentioned in a previous post, the /bin/PHSshell is probably the issue
>>> because it probably doesn't exist. A link from /bin/PHSshell to /bin/bash
>>> would fix this, but more than likely, it is a configuration issue that is
>>> returning the wrong shell in the first place. Is PHS your netbios domain
>>> name? If it is, it's probably the LDAP or SSSD configuration that is
>>> returning the shell using a substitution that isn't set up correctly.
>>>
>>> Good luck,
>>>
>>> Mike E.
>>>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
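Kaplan's `getent passwd` output quoted above shows the account resolving correctly (uid 10000, inside the 10000-20000 idmap range from Mike's configuration) but with `/bin/false` as its shell, which is exactly what turns an accepted password into an immediate disconnect. The check below is an added example for this page, not code from the thread or from Samba. Given a passwd(5) line as `getent passwd` prints it, it reports whether the shell refuses login, is absent from the host, or is not registered in /etc/shells, whether the uid falls outside the idmap range, and whether the home directory exists. The idmap range, the sample line (`EXAMPLE\jdoe`), and the function names are the example's own assumptions.

```python
"""Check whether an account, as `getent passwd` returns it from winbind,
can actually open an interactive session. Added example for this thread;
not code from Samba or from the original mails."""
import os
import subprocess
import sys

# Shells that exist on purpose to refuse interactive logins.
NOLOGIN_SHELLS = {'/bin/false', '/usr/sbin/nologin', '/sbin/nologin'}


def parse_passwd_line(line):
    """Split one passwd(5) line. The winbind account name contains a backslash
    (DOMAIN\\user); fields are colon-separated, so that is harmless."""
    fields = line.rstrip('\n').split(':')
    if len(fields) != 7:
        raise ValueError(f'expected 7 fields, got {len(fields)}: {line!r}')
    name, _pw, uid, gid, gecos, home, shell = fields
    return {'name': name, 'uid': int(uid), 'gid': int(gid),
            'gecos': gecos, 'home': home, 'shell': shell}


def read_etc_shells(path='/etc/shells'):
    """Login shells registered on this host; empty set when the file is absent."""
    try:
        with open(path) as fh:
            return {l.strip() for l in fh if l.strip() and not l.startswith('#')}
    except FileNotFoundError:
        return set()


def check_account(line, id_range, valid_shells, path_exists=os.path.exists):
    """Return a list of findings for one getent passwd line; an empty list
    means nothing here would stop an interactive login. `path_exists` is
    injectable so the check can run against a host other than this one."""
    acct = parse_passwd_line(line)
    findings = []
    lo, hi = id_range
    if not lo <= acct['uid'] <= hi:
        findings.append(f"uid {acct['uid']} is outside the idmap range {lo}-{hi}; "
                        'check idmap config in smb.conf')
    shell = acct['shell']
    if shell in NOLOGIN_SHELLS:
        findings.append(f'shell {shell} refuses interactive login; set the AD loginShell '
                        'attribute (winbind nss info = rfc2307) or template shell')
    elif not path_exists(shell):
        findings.append(f'shell {shell} does not exist on this host')
    elif valid_shells and shell not in valid_shells:
        findings.append(f'shell {shell} is not listed in /etc/shells (pam_shells would reject it)')
    if not path_exists(acct['home']):
        findings.append(f"home directory {acct['home']} is missing; pam_mkhomedir can create it at login")
    return findings


# Constructed sample, shaped like the getent output quoted in this thread.
SAMPLE_LINE = 'EXAMPLE\\jdoe:*:10000:10005:Doe, John.:/home/EXAMPLE/jdoe:/bin/false'


def check_live(name, id_range=(10000, 20000)):
    """Resolve `name` through NSS with getent on this host and check the result."""
    out = subprocess.run(['getent', 'passwd', name], capture_output=True, text=True)
    if out.returncode != 0:
        return [f'getent could not resolve {name}: NSS/winbind is not returning the user']
    return check_account(out.stdout, id_range, read_etc_shells())


if __name__ == '__main__':
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target:
        findings = check_live(target)
    else:  # offline demo with a fake filesystem view
        findings = check_account(SAMPLE_LINE, (10000, 20000), {'/bin/bash', '/bin/sh'},
                                 path_exists=lambda p: p in {'/bin/bash', '/bin/sh'})
    print('\n'.join(findings) or 'no login blockers found')
```

Run `python3 check_account.py 'DOMAIN\user'` on the member server after `net ads join`; a clean result plus `wbinfo -a` succeeding means the remaining SSH problem is in the PAM session stack (pam_mkhomedir options, pam_systemd) rather than in identity mapping.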
Kaplan, Andrew H.
2016-06-13 13:43:13 UTC
Permalink
Hello --

We are not running a Samba domain controller, rather we are relying on our network engineering group. I am not
sure how willing they are in setting up the NIS extensions feature.

To facilitate matters, would it be better for us to either set up the current system as a Samba domain controller,
or to establish a separate computer that functions exclusively in that capacity?
________________________________
From: Data Control Systems - Mike Elkevizth [***@datacontrolsystems.com]
Sent: Friday, June 10, 2016 4:35 PM
To: Kaplan, Andrew H.
Cc: ***@lists.samba.org; Rowland penny
Subject: Re: [Samba] Problem with Active Directory authentication

Hi,

I'm not 100% sure about this, but that might mean that the NIS Extensions are not installed in your AD directory. Is the domain controller a Samba AD DC? If so you can see https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD about adding it.

Mike E.


On Fri, Jun 10, 2016 at 3:44 PM Kaplan, Andrew H. <***@partners.org<mailto:***@partners.org>> wrote:
The problem that I am now facing is the fact there is no NIS domain that can be selected from the dropdown menu,
which, in turn, prevents the login shell from being modified.


________________________________
From: Data Control Systems - Mike Elkevizth [***@datacontrolsystems.com<mailto:***@datacontrolsystems.com>]
Sent: Friday, June 10, 2016 3:14 PM
To: Kaplan, Andrew H.
Cc: ***@lists.samba.org<mailto:***@lists.samba.org>; Rowland penny

Subject: Re: [Samba] Problem with Active Directory authentication
Hi,

You need to make sure that the user has the rfc2307 "loginShell:" attribute set. See https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_via_ADUC for how to set it.

Mike E.


On Fri, Jun 10, 2016 at 2:11 PM, Kaplan, Andrew H. <***@partners.org<mailto:***@partners.org>> wrote:
Hello --

The version of Samba that I am running on the server is the 4.3.9 Ubuntu package.

To that end, I reconfigured the smb.conf file to reflect the entries listed in your e-mail.

I added the syntax: default shell = /bin/bash to the smb.conf file, and restarted the samba and winbind daemons.
Unfortunately, the getent passwd command indicated the /bin/false shell was still the default.

What else do I need to do in order to correct this?


________________________________
From: Data Control Systems - Mike Elkevizth [***@datacontrolsystems.com<mailto:***@datacontrolsystems.com>]
Sent: Friday, June 10, 2016 1:40 PM
To: Kaplan, Andrew H.; ***@lists.samba.org<mailto:***@lists.samba.org>
Cc: Rowland penny
Subject: Re: [Samba] Problem with Active Directory authentication

Hi,

What version of Samba are you running (samba --version)? Some of the smb.conf parameters have changed in more recent versions. I'm running the standard version supplied with Ubuntu which is currently 4.3.9. My configuration on member servers is as follows:

[global]
# Base options
workgroup = <NETBIOS DOMAIN>
realm = <AD DOMAIN>
netbios name = <THIS MACHINE'S NETBIOS NAME>
security = ADS

# Default idmap config used for BUILTIN and local accounts/groups
idmap config *:backend = tdb
idmap config *:range = 3000000-3999999

idmap config for domain <NETBIOS DOMAIN>
idmap config <NETBIOS DOMAIN>:backend = ad
idmap config <NETBIOS DOMAIN>:schema_mode = rfc2307
idmap config <NETBIOS DOMAIN>:range = 10000-20000

# Use settings from AD for login shell and home directory
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind offline logon = yes

# Log options
log level = 1

I think it looks like your real issue now is the /bin/false shell, which is the default if it isn't specifically set. The newer way to set the shell is using rfc2307 attributes. See https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD and https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_via_ADUC. With a configuration similar to mine, and the correct shell set up in the rfc2307 attributes for the user, I think you'll be all set.

Mike E.

On Fri, Jun 10, 2016 at 12:50 PM Kaplan, Andrew H. <***@partners.org> wrote:
Hello --

I removed the ldap and sssd packages from the server, and I am trying to get winbind to work on the system.

The configuration of the /etc/samba/smb.conf file's global section is the following:

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
security = ads
realm = <domain name>
workgroup = <domain>
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
winbind use default domain = yes
restrict anonymous = 2

While that of the /etc/nsswitch.conf file reads as follows:


passwd: compat winbind
group: compat winbind
shadow: compat

hosts: files dns
...

The /etc/krb5.conf file has the domain name in capital letters for the default_realm entry.

I was able to join the server with the domain.

When I ran the getent <username>@<DOMAINNAME> command, the output was the following:

<DOMAINNAME>\<username>:*:10000:10005:<lastname>, <firstname>.:/home/<DOMAIN>/<username>:/bin/false

I attempted to log into the system via ssh using the following command syntax:

ssh -l <username>@<DOMAINNAME> <server fqdn>

The connection was made, but it was immediately closed. I am guessing the /bin/false shell could be what is causing the problem.

The auth.log file also had the following entries:

Jun 10 12:44:00 <samba server> sshd[13560]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=microknoppix.mgh.harvard.edu user=***@PARTNERS.ORG
Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:auth): getting password (0x00000388)
Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:auth): pam_get_item returned a password
Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:auth): user '<DOMAINNAME>\<username>' granted access
Jun 10 12:44:00 <samba server> sshd[13560]: Accepted password for <username>@<DOMAINNAME> from <ip address> port 54879 ssh2
Jun 10 12:44:00 <samba server> sshd[13560]: pam_unix(sshd:session): session opened for user <DOMAINNAME>\<username> by (uid=0)
Jun 10 12:44:00 <samba server> sshd[13560]: pam_systemd(sshd:session): Failed to create session: No such file or directory
Jun 10 12:44:00 <samba server> sshd[13560]: pam_mkhomedir(sshd:session): unknown option: umask
Jun 10 12:44:00 <samba server> sshd[13560]: pam_mkhomedir(sshd:session): unknown option: 0022
Jun 10 12:44:00 <samba server> sshd[13608]: Received disconnect from <ip address>: disconnected by user
Jun 10 12:44:00 <samba server> sshd[13560]: pam_unix(sshd:session): session closed for user <DOMAINNAME>\<username>
Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:setcred): user '<DOMAINNAME>\<username>' OK

The pam-auth-update command indicated the following were enabled:

Unix authentication
Winbind NT/Active Directory authentication

Register user sessions in the systemd control group hierarchy
Inheritable Capabilities Management







________________________________
From: Data Control Systems - Mike Elkevizth [***@datacontrolsystems.com]
Sent: Friday, June 10, 2016 10:45 AM
To: Kaplan, Andrew H.; ***@lists.samba.org
Cc: Rowland penny

Subject: Re: [Samba] Problem with Active Directory authentication
Hi,

I have a feeling that Rowland is correct that all the different authentication methods are interfering with one another. I can say all I have is winbind and it works fine for me. My relevant pam-auth-update modules are:

[*] Unix authentication
[*] Winbind NT/Active Directory authentication
[*] Register user sessions in the systemd control group hierarchy
[*] Create home directory on login

My relevant excerpt from /etc/nsswitch.conf is:

passwd: compat winbind
group: compat winbind

If your smb.conf file includes the "template shell = /bin/bash" as you indicated earlier, but your getent passwd is returning /bin/PHSshell instead, I think the information is being returned by a service other than winbind. Depending on how pam is configured, generally the order listed when you run pam-auth-update will be the order in which the services are tried. So the first one listed there is probably the one returning the info to getent passwd. I also know that my ssh (Ubuntu 16.04 client and server) doesn't like the username in the format <username>@<domainname>, and this isn't the format in which winbind would return the information, at least not by default. For me getent passwd <username>@<domainname> would return the user as <domainname>\<username>. I would try running pam-auth-update, disabling the LDAP and SSSD authentication methods, and seeing whether getent passwd returns different info.

Your first post looked to me like the authentication was succeeding, but then the shell was wrong and so you were immediately logged out. Like you mentioned in a previous post, the /bin/PHSshell is probably one of the issues because it probably doesn't exist. A link from /bin/PHSshell to /bin/bash would fix this, but more than likely it is a configuration issue that is returning the wrong shell in the first place. Is PHS your netbios domain name? If it is, it's probably the LDAP or SSSD configuration that is returning the shell using a substitution that isn't set up correctly.

Good luck,

Mike E.

On Fri, Jun 10, 2016 at 10:14 AM Rowland penny <***@samba.org> wrote:
On 10/06/16 13:46, Kaplan, Andrew H. wrote:
> Hello --
>
> The winbind packages that are installed on the server are the following:
>
> Package Description
> libnss-winbind 4.3.9+dfsg-0ubuntu0.14.04.3 amd64 Samba nameservice integration plugins
> libpam-winbind 4.3.9+dfsg-0ubuntu0.14.04.3 amd64 Windows domain authentication integration plugin
> libwbclient0 4.3.9+dfsg-0ubuntu0.14.04.3 amd64 Samba winbind client library
> winbind 4.3.9+dfsg-0ubuntu0.14.04.3 amd64 service to resolve user and group information from Windows NT servers
>
> Similarly, the ldap PAM packages are as follows:
>
> Package Description
> ldap-auth-client 0.5.3 all meta-package for LDAP authentication
> ldap-auth-config 0.5.3 all Config package for LDAP authentication
> ldap-utils 2.4.31-1+nmu2ubuntu8.2 amd64 OpenLDAP utilities
> libldap-2.4-2 2.4.31-1+nmu2ubuntu8.2 amd64 OpenLDAP libraries
> libldb1 1.1.24-0ubuntu0.14.04.1 amd64 LDAP-like embedded database - shared library
> libnss-ldap 264-2.2ubuntu4.14.04.1 amd64 NSS module for using LDAP as a naming service
> libpam-ldap 184-8.5ubuntu3 amd64 Pluggable Authentication Module for LDAP
> sssd-ldap 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- LDAP back end
>
> Finally, the sssd packages are the following:
>
> Package Description
> libsss-idmap0 1.11.5-1ubuntu3 amd64 ID mapping library for SSSD
> sssd 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- metapackage
> sssd-ad 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- Active Directory back end
> sssd-ad-common 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- PAC responder
> sssd-common 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- common files
> sssd-ipa 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- IPA back end
> sssd-krb5 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- Kerberos back end
> sssd-krb5-common 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- Kerberos helpers
> sssd-ldap 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- LDAP back end
> sssd-proxy 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- proxy back end
> sssd-tools 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- tools
>
> Will removing all packages for the first two groups solve this problem?
>
> From: samba [samba-***@lists.samba.org] on behalf of Rowland penny [***@samba.org]
> Sent: Friday, June 10, 2016 8:29 AM
> To: ***@lists.samba.org
> Subject: Re: [Samba] Problem with Active Directory authentication
>
> On 10/06/16 12:47, Kaplan, Andrew H. wrote:
>> Hello --
>>
>> I started a thread on the list that you suggested in your e-mail, and thank-you for the reference.
>>
>> Also, I checked the auth.log file on the server, and the following entries were present:
>>
>> I checked the auth.log file, and the following entries were present:
>>
>> Jun 10 07:10:50 <samba server> sshd[7419]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<fqdn> user=<username>@<domainname>
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_winbind(sshd:auth): getting password (0x00000388)
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_winbind(sshd:auth): pam_get_item returned a password
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<fqdn> user=<username>@<domainname>
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_sss(sshd:auth): received for user <username>@<domainname> 17 (Failure setting user credentials)
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: could not open secret file /etc/ldap.secret (No such file or directory)
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: ldap_simple_bind Can't contact LDAP server
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: reconnecting to LDAP server...
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: ldap_simple_bind Can't contact LDAP server
>> Jun 10 07:10:53 <samba server> sshd[7419]: Failed password for invalid user <username>@<domainname> from <ip address> port 49847 ssh2
>>
>>
>> ________________________________________
>> From: Sumit Bose [***@redhat.com]
>> Sent: Friday, June 10, 2016 4:44 AM
>> To: Kaplan, Andrew H.
>> Cc: samba-***@lists.samba.org; ***@lists.samba.org
>> Subject: Re: Problem with Active Directory authentication
>>
>> On Wed, Jun 08, 2016 at 07:46:00PM +0000, Kaplan, Andrew H. wrote:
>>> Hello --
>>>
>>> We are running the 14.04.3 LTS 64-bit release as a virtual machine on a Vmware appliance. The goal of the installation is to create a Samba server that utilizes Active Directory authentication. To that end I utilized the following procedure:
>>>
>>> http://www.kiloroot.com/add-ubuntu-1...n-credentials/<http://www.kiloroot.com/add-ubuntu-14-04-server-or-desktop-to-microsoft-active-directory-domain-login-to-unity-with-domain-credentials/>
>>>
>>> Afterwards, I referenced the following documentation to confirm that all configuration files had the appropriate entries:
>>>
>>> https://help.ubuntu.com/lts/serverguide/sssd-ad.html
>> The sssd-users list
>> https://lists.fedorahosted.org/archives/list/sssd-***@lists.fedorahosted.org/
>> might be more appropriate for your question.
>>
>> As a general comment, the PAM configuration is important here. Please
>> check the system logs which PAM module was consulted during the login
>> attempt and which cause the rejection.
>>
>> HTH
>>
>> bye,
>> Sumit
>>
>>> The problem is the following: I am unable to log into the server from the console or via SSH using my Active Directory user account. The syntax that I use when doing an SSH connection is the following:
>>>
>>> ssh -v -l <username>@<domainname> <fully qualified domain name>
>>>
>>> The output that was generated is the following:
>>>
>>> OpenSSH_6.0p1 Debian-4, OpenSSL 1.0.1e 11 Feb 2013
>>> debug1: Reading configuration data /etc/ssh/ssh_config
>>> debug1: /etc/ssh/ssh_config line 19: Applying options for *
>>> debug1: Connecting to <fully qualified domain name> [<ip address>] port 22.
>>> debug1: Connection established.
>>> debug1: identity file /home/knoppix/.ssh/id_rsa type -1
>>> debug1: identity file /home/knoppix/.ssh/id_rsa-cert type -1
>>> debug1: identity file /home/knoppix/.ssh/id_dsa type -1
>>> debug1: identity file /home/knoppix/.ssh/id_dsa-cert type -1
>>> debug1: identity file /home/knoppix/.ssh/id_ecdsa type -1
>>> debug1: identity file /home/knoppix/.ssh/id_ecdsa-cert type -1
>>> debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.7
>>> debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.7 pat OpenSSH*
>>> debug1: Enabling compatibility mode for protocol 2.0
>>> debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4
>>> debug1: SSH2_MSG_KEXINIT sent
>>> debug1: SSH2_MSG_KEXINIT received
>>> debug1: kex: server->client aes128-ctr hmac-md5 none
>>> debug1: kex: client->server aes128-ctr hmac-md5 none
>>> debug1: sending SSH2_MSG_KEX_ECDH_INIT
>>> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
>>> debug1: Server host key: ECDSA ec:09:c1:bc:d0:11:f3:8c:45:3f:dd:3a:96:ba:2a:17
>>> debug1: Host '<fully qualified domain name>' is known and matches the ECDSA host key.
>>> debug1: Found key in /home/knoppix/.ssh/known_hosts:29
>>> debug1: ssh_ecdsa_verify: signature correct
>>> debug1: SSH2_MSG_NEWKEYS sent
>>> debug1: expecting SSH2_MSG_NEWKEYS
>>> debug1: SSH2_MSG_NEWKEYS received
>>> debug1: Roaming not allowed by server
>>> debug1: SSH2_MSG_SERVICE_REQUEST sent
>>> debug1: SSH2_MSG_SERVICE_ACCEPT received
>>> debug1: Authentications that can continue: publickey,password
>>> debug1: Next authentication method: publickey
>>> debug1: Trying private key: /home/knoppix/.ssh/id_rsa
>>> debug1: Trying private key: /home/knoppix/.ssh/id_dsa
>>> debug1: Trying private key: /home/knoppix/.ssh/id_ecdsa
>>> debug1: Next authentication method: password
>>> <username>@<domainname>@<fully qualified domain name>'s password:
>>> Connection closed by <ip address>
>>>
>>> Does anyone have thoughts on this?
>>>
>>> Thanks.
>>>
>>>
>>> The information in this e-mail is intended only for the person to whom it is
>>> addressed. If you believe this e-mail was sent to you in error and the e-mail
>>> contains patient information, please contact the Partners Compliance HelpLine at
>>> http://www.partners.org/complianceline . If the e-mail was sent to you in error
>>> but does not contain patient information, please contact the sender and properly
>>> dispose of the e-mail.
> As Sumit has said, this should be on the sssd mailing list.
> From your log fragment, it looks like you have the winbind and ldap PAM
> packages installed, you do not need them.
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

I am not entirely sure; what I can say is that you are using three
different methods of authentication, winbindd, ldap and sssd. Surely you
don't need all three?

If you decide to use sssd, then ask on their mailing list what sssd
packages you need and what you should remove.
If you decide to use LDAP, then this probably entails using nslcd, find
their mailing list and ask them.
If you decide to use winbindd (the Samba recommended way), then this is
the place to ask and I would suggest you have a look here:
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

Rowland

Kaplan, Andrew H.
2016-06-13 20:42:35 UTC
Permalink
Hello --

I have made considerable progress. When I am at the server console, I am able to enter my domain username and password, and I am able to log into the server. I had several follow-up questions:

1. How can I configure an SSH connection to the server that will utilize the active directory login?

2. When the login completes, I encounter the following error messages:


Unknown parameter encountered: "netbios"
Ignoring unknown parameter "netbios"
Unknown parameter encountered: "winbind allow trusted domains"
Ignoring unknown parameter "winbind allow trusted domains"

I believe these go back to smb.conf file. The lines in question read as follows:

netbios = <hostname>
...
winbind allow trusted domains = no

I checked the syntax of the two lines within the file, and everything looked fine.

Does anyone have any thoughts on this?

Thanks.
________________________________________
From: samba [samba-***@lists.samba.org] on behalf of Rowland penny [***@samba.org]
Sent: Monday, June 13, 2016 11:27 AM
To: ***@lists.samba.org
Subject: Re: [Samba] Problem with Active Directory authentication

On 13/06/16 14:43, Kaplan, Andrew H. wrote:
> Hello --
>
> We are not running a Samba domain controller, rather we are relying on
> our network engineering group. I am not
> sure how willing they are in setting up the NIS extensions feature.
>
> To facilitate matters, would it be better for us to either set up
> the current system as a Samba domain controller,
> or establish a separate computer that functions exclusively in that
> capacity?
> ------------------------------------------------------------------------
>

If you cannot use the RFC2307 attributes, then you could use the winbind
'rid' backend, see here for more info:

https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

You will need to follow the relevant link and use the 'template' lines.

Rowland
Kaplan, Andrew H.
2016-06-14 14:53:01 UTC
Permalink
Hello --

I was able to get SSH with Active Directory authentication set up on the server. It involved several modifications to the
sshd_config file. I am listing the changes that were made for the benefit of the group:


# Change to no to disable s/key passwords
ChallengeResponseAuthentication no

# Kerberos options
KerberosAuthentication yes
#KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
KerberosGetAFSToken yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

There is one more caveat that I need to overcome. So far, one domain user account is able to log into the server at the
console, or through an SSH connection. However, any other user account is not able to do so. When the su - <username>
command is entered at the console, the output reads as follows:

No passwd entry for <username>

The auth.log file has entries that read as follows:

Invalid user <username> from <ip address>
input_userauth_request: invalid user <username> [preauth]
pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth): authentication failure; logname =uid=0 eudi=0 tty=ssh ruser= rhost=<hostname>

What step(s) do I need to take in order to get all domain user accounts to be able to log into the server, as opposed to only one?

Thanks.



________________________________________
From: samba [samba-***@lists.samba.org] on behalf of Rowland penny [***@samba.org]
Sent: Monday, June 13, 2016 4:53 PM
To: ***@lists.samba.org
Subject: Re: [Samba] Problem with Active Directory authentication

On 13/06/16 21:42, Kaplan, Andrew H. wrote:
> Hello --
>
> I have made considerable progress. When I am at the server console, I am able to enter my domain username and password, and I am able to log into the server. I had several follow-up questions:
>
> 1. How can I configure an SSH connection to the server that will utilize the active directory login?

If you mean '***@samdom.example.com', then I don't think you can, but
you can use '***@hostname'


>
> 2. When the login completes, I encounter the following error messages:
>
>
> Unknown parameter encountered: "netbios"
> Ignoring unknown parameter "netbios"
> Unknown parameter encountered: "winbind allow trusted domains"
> Ignoring unknown parameter "winbind allow trusted domains"
>
> I believe these go back to smb.conf file. The lines in question read as follows:
>
> netbios = <hostname>

This should be netbios name = <hostname>

> ...
> winbind allow trusted domains = no

I think this should be 'allow trusted domains = no'

Rowland

>
> I checked the syntax of the two lines within the file, and everything looked fine.
>
> Does anyone have any thoughts on this?
>
> Thanks.
>


Kaplan, Andrew H.
2016-06-15 12:29:40 UTC
Permalink
Sorry about being a pain in the neck about this. The AD authentication at the console, and through
SSH to the server is working for one domain user account, but no others. The problem is outlined in
the e-mail that I am forwarding to the mailing list.

How can I correct this?

-----Original Message-----
From: samba [mailto:samba-***@lists.samba.org] On Behalf Of Kaplan, Andrew H.
Sent: Tuesday, June 14, 2016 10:53 AM
To: Rowland penny; ***@lists.samba.org
Subject: Re: [Samba] Problem with Active Directory authentication

Hello --

I was able to get SSH with Active Directory authentication set up on the server. It involved several modifications to the sshd_config file. I am listing the changes that were made for the benefit of the group:


# Change to no to disable s/key passwords
ChallengeResponseAuthentication no

# Kerberos options
KerberosAuthentication yes
#KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
KerberosGetAFSToken yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

There is one more caveat that I need to overcome. So far, one domain user account is able to log into the server at the
console, or through an SSH connection. However, any other user account is not able to do so. When the su - <username>
command is entered at the console, the output reads as follows:

No passwd entry for <username>

The auth.log file has entries that read as follows:

Invalid user <username> from <ip address>
input_userauth_request: invalid user <username> [preauth]
pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth): authentication failure; logname =uid=0 eudi=0 tty=ssh ruser= rhost=<hostname>

What step(s) do I need to take in order to get all domain user accounts to be able to log into the server, as opposed to only one?

Thanks.



________________________________________
From: samba [samba-***@lists.samba.org] on behalf of Rowland penny [***@samba.org]
Sent: Monday, June 13, 2016 4:53 PM
To: ***@lists.samba.org
Subject: Re: [Samba] Problem with Active Directory authentication

On 13/06/16 21:42, Kaplan, Andrew H. wrote:
> Hello --
>
> I have made considerable progress. When I am at the server console, I am able to enter my domain username and password, and I am able to log into the server. I had several follow-up questions:
>
> 1. How can I configure an SSH connection to the server that will utilize the active directory login?

If you mean '***@samdom.example.com', then I don't think you can, but
you can use '***@hostname'


>
> 2. When the login completes, I encounter the following error messages:
>
>
> Unknown parameter encountered: "netbios"
> Ignoring unknown parameter "netbios"
> Unknown parameter encountered: "winbind allow trusted domains"
> Ignoring unknown parameter "winbind allow trusted domains"
>
> I believe these go back to smb.conf file. The lines in question read as follows:
>
> netbios = <hostname>

This should be netbios name = <hostname>

> ...
> winbind allow trusted domains = no

I think this should be 'allow trusted domains = no'

Rowland

>
> I checked the syntax of the two lines within the file, and everything looked fine.
>
> Does anyone have any thoughts on this?
>
> Thanks.
>


--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba


The information in this e-mail is intended only for the person to whom it is
addressed. If you believe this e-mail was sent to you in error and the e-mail
contains patient information, please contact the Partners Compliance HelpLine at
http://www.partners.org/complianceline . If the e-mail was sent to you in error
but does not contain patient information, please contact the sender and properly
dispose of the e-mail.


--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Kaplan, Andrew H.
2016-06-15 12:51:50 UTC
Permalink
Hello --

When I run the getent passwd <username> for the account that works, I get output listing information
about the user.

When I run the same command for any other account, there is no output.

-----Original Message-----
From: samba [mailto:samba-***@lists.samba.org] On Behalf Of Rowland penny
Sent: Wednesday, June 15, 2016 8:46 AM
To: ***@lists.samba.org
Subject: Re: [Samba] FW: Problem with Active Directory authentication

On 15/06/16 13:29, Kaplan, Andrew H. wrote:
> Sorry about being a pain in the neck about this. The AD authentication
> at the console, and through SSH to the server is working for one
> domain user account, but no others. The problem is outlined in the e-mail that I am forwarding to the mailing list.
>
> How can I correct this?
>

What does 'getent passwd <username>' show when run on the server?

Rowland


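The checks that the replies in this thread keep coming back to (the misspelled smb.conf parameter names, the ad idmap backend needing `winbind nss info = rfc2307`, the /bin/false shell that closes the session, and a uid or gid outside the idmap range), as an added Python example that is not code from the thread or from the Samba project. The domain SAMDOM, the host and user names and all sample file contents are constructed placeholders.

```python
"""Checks for the Samba AD-member issues raised in this thread: misspelled
smb.conf parameters, the ad idmap backend without rfc2307 nss info, a
/bin/false login shell, and ids outside the idmap range. Inputs are constructed."""
import re

# Parameter names Rowland corrected in the thread, mapped to the real names.
RENAMED = {"netbios": "netbios name",
           "winbind allow trusted domains": "allow trusted domains"}
# Shells that end an interactive session as soon as it opens.
NOLOGIN_SHELLS = {"", "/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}

def parse_global(text):
    """Return {parameter: value} for [global]; keys lowercased, spaces collapsed."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            key, _, value = line.partition("=")
            params[" ".join(key.split()).lower()] = value.strip()
    return params

def idmap_ranges(params):
    """Return {domain: (low, high)} from every 'idmap config DOM:range' line."""
    ranges = {}
    for key, value in params.items():
        m = re.fullmatch(r"idmap config (\S+):range", key)
        if m:
            low, high = (int(x) for x in value.split("-"))
            ranges[m.group(1)] = (low, high)
    return ranges

def check_smb_conf(text):
    """List [global] problems the replies in this thread would flag."""
    params, problems = parse_global(text), []
    for key in params:
        if key in RENAMED:
            problems.append(f"'{key}' is unknown; use '{RENAMED[key]}'")
    ranges = idmap_ranges(params)
    if "*" not in ranges:
        problems.append("missing 'idmap config *:range' for BUILTIN/local ids")
    for dom in (d for d in ranges if d != "*"):
        backend = params.get(f"idmap config {dom}:backend")
        # The ad backend only hands out loginShell/unixHomeDirectory from AD
        # when winbind is told to read the rfc2307 attributes.
        if backend == "ad" and params.get("winbind nss info") != "rfc2307":
            problems.append(f"{dom}: backend ad without 'winbind nss info = rfc2307'")
        if backend == "rid" and "template shell" not in params:
            problems.append(f"{dom}: backend rid relies on 'template shell'")
    return problems

def check_getent(line, ranges, existing_shells=("/bin/bash", "/bin/sh")):
    """Check one 'getent passwd' line; an empty line means nothing mapped the user."""
    if not line.strip():
        return ["no NSS source returned the user (winbind did not map it)"]
    fields = line.split(":")
    if len(fields) != 7:
        return [f"expected 7 fields, got {len(fields)}"]
    name, _, uid, gid, _, _, shell = fields
    problems = []
    if shell in NOLOGIN_SHELLS:
        problems.append(f"{name}: shell '{shell}' closes the session immediately")
    elif shell not in existing_shells:  # e.g. the /bin/PHSshell seen in the thread
        problems.append(f"{name}: shell '{shell}' does not exist on this host")
    domain_ranges = [r for d, r in ranges.items() if d != "*"]
    for label, value in (("uid", int(uid)), ("gid", int(gid))):
        if not any(lo <= value <= hi for lo, hi in domain_ranges):
            problems.append(f"{name}: {label} {value} is outside every domain idmap range")
    return problems

# Constructed: the poster's first winbind config with the two misspelled names.
POSTED_CONF = """[global]
workgroup = SAMDOM
netbios = member1
winbind allow trusted domains = no
template shell = /bin/bash
"""
# Constructed: the shape of Mike's member-server configuration.
MEMBER_CONF = """[global]
workgroup = SAMDOM
idmap config *:backend = tdb
idmap config *:range = 3000000-3999999
idmap config SAMDOM:backend = ad
idmap config SAMDOM:range = 10000-20000
winbind nss info = rfc2307
"""
# Constructed getent lines in the shape of the output posted in the thread.
GETENT_OK = r"SAMDOM\jdoe:*:10000:10005:Doe, Jane.:/home/SAMDOM/jdoe:/bin/false"
GETENT_BAD = r"SAMDOM\other:*:25000:10005:Other, User.:/home/SAMDOM/other:/bin/PHSshell"
```

Run the checks against the real files with `check_smb_conf(open("/etc/samba/smb.conf").read())` and against `getent passwd <username>` output on the member server; an empty getent result for a user is itself the finding, since no NSS source mapped the account.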