Web lists-archives.com

Re: [Samba] Cannot log into Samba4 AD/DC with ssh as domain user




On Sat, Dec 1, 2018 at 4:17 PM Rowland Penny via samba
<samba@xxxxxxxxxxxxxxx> wrote:
>
> On Sat, 01 Dec 2018 15:23:36 -0500
> Mark Foley <mfoley@xxxxxxxxx> wrote:
>
> > On Sat, 1 Dec 2018 12:09:18 Rowland Penny wrote:
> > >
> > > On Sat, 01 Dec 2018 06:26:42 -0500
> > > Mark Foley via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > >
> > > > From either a Linux or Mac domain member, I have tried logging
> > > > into the Samba4 AD server as a domain user:
> > > >
> > > > labmac:~ mark$ ssh mark@mail pwd
> > > > mark@mail's password:
> > > > Permission denied, please try again.
> > > >
> > > > where 'mail' is the AD/DC.
> > > >
> > > > It also fails if I am on the AD/DC an try the same ssh.
> > > >
> > > > I've tried setting either the GSSAPIAuthentication or
> > > > KerberosAuthentication in /etc/ssh/sshd_config, but those don't
> > > > help. I get:

Stop here. If you have root privileges, add a *local* account on the
relevant system, and log in using the Kerberos credentials. If those
don't work, you have other issues.

Also, just because a host is an AD server does not mean that it is
configured to allow AD based logins. What is the OS of the AD server
you are trying to log into?

> > > > Dec  1 06:09:19 mail sshd[8645]: rexec line 89: Unsupported option
> > > > GSSAPIAuthentication Dec  1 06:09:19 mail sshd[8645]: reprocess
> > > > config line 89: Unsupported option GSSAPIAuthentication Dec  1
> > > > 06:09:22 mail sshd[8645]: Failed password for mark from
> > > > 192.168.0.61 port 55802 ssh2 Dec  1 06:09:24 mail sshd[8645]:
> > > > Connection closed by 192.168.0.61 port 55802 [preauth]
> > > >
> > > > Dec  1 06:16:54 mail sshd[21898]: rexec line 83: Unsupported
> > > > option KerberosAuthentication Dec  1 06:16:54 mail sshd[21898]:
> > > > reprocess config line 83: Unsupported option
> > > > KerberosAuthentication Dec  1 06:16:57 mail sshd[21898]: Failed
> > > > password for mark from 192.168.0.61 port 55809 ssh2 Dec  1
> > > > 06:17:00 mail sshd[21898]: Connection closed by 192.168.0.61 port
> > > > 55809 [preauth]
> > > >
> > > > The AD/DC host is Slackware and does not have PAM.
> > > >
> > > > Note that I can log in from the AD to the Linux domain member as a
> > > > domain user.
> > > >
> > > > Is there a way to get domain users to ssh into the the AD? They do
> > > > have home directories on this server?
> > > >
> > > > THX --Mark
> > > >
> > >
> > > Have you set up the libnss-winbind links ?
> > > Or to put it another way, does 'getent passwd mark' produce output
> > > when run on the DC ?
> > >
> > > Rowland
> >
> > Yes, getent passwd on the DC gives:
> >
> > $ getent passwd mark
> > mark:x:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash
> >
> > My /etc/nsswitch.conf on the DC has:
> >
> > passwd:         compat winbind
> > shadow:         compat winbind
> > group:          compat winbind
>
> Don't think this has a bearing on the situation, but, on Debian,
> adding winbind to the shadow line gives problems.
>
> >
> > hosts:          files dns
> > networks:       files
> >
> > services:       files
> > protocols:      files
> > rpc:            files
> > ethers:         files
> > netmasks:       files
> > netgroup:       files
> > bootparams:     files
> >
> > automount:      files
> > aliases:        files
> >
> > I suppose when authenticating login from domain members, Windows,
> > Linux or Mac, the login mechanism is somehow communicting with the
> > samba daemon, but ssh must not be using the same authentication
> > mechanism?
>
> Looks like it, it works on Devuan.
>
> >
> > Also, on the DC as a different normal (non-root) user, I cannot 'su -
> > mark'. I get "su: Authentication failure". So, it's not just ssh
> > having an issue.
>
> Very strange
>
> >
> > Email clients on the domain members use kerberos/GSSAPI to
> > authenticate with the Dovecot mail server on the AD/DC. Perhaps this
> > is a clue?
>
> Doesn't Dovecot use ldap to authenticate (via kerberos) ?
>
> >
> > Do I need to recompile sshd so that GSSAPIAuthentication or
> > KerberosAuthentication are not unsupported? Maybe I also have to
> > specify -K (Enables GSSAPI-based authentication) on the client-side
> > ssh?
> >
> > Or, should this just work as is?
>
> Not knowing how openssh is compiled on Slackware, I don't know if you
> need to recompile it, all I can say is, it works for me.
>
> Rowland
>
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba