Re: [Samba] Cannot log into Samba4 AD/DC with ssh as domain user

Got it working! I did download the openssh source from https://www.openssh.com/

I added the --with-kerberos5 option to the configure script and otherwise used the options that
Slackware uses to build the package:

export CFLAGS="-O2 -fPIC"
export ARCH=$(uname -m)

# Slackware's usual options, plus --with-kerberos5 (nothing may follow a
# continuation backslash on a line, or the remaining options are dropped)
./configure \
  --prefix=/usr \
  --mandir=/usr/man \
  --sysconfdir=/etc/ssh \
  --without-pam \
  --with-kerberos5 \
  --with-md5-passwords \
  --with-tcp-wrappers \
  --with-default-path=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin \
  --with-privsep-path=/var/empty \
  --with-privsep-user=sshd \
  --build=$ARCH-slackware-linux

make
make install

That worked. I was able to ssh from a Linux domain member to the AD/DC as a domain user and was
plopped into the home directory as specified by 'getent passwd'.

--Mark
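
As an added example (not part of Mark's post, and not OpenSSH's own tooling), a small POSIX shell script that checks an sshd binary for the symptom in this thread: it pulls the rejected keywords out of the "Unsupported option" log lines and then looks for them in the output of `sshd -T`. It assumes `sshd -T` lists a keyword only when the binary was compiled with support for it; the log and dump inputs below are constructed.

```sh
#!/bin/sh
# Added example, not from the thread: checks for an sshd that logs
# "Unsupported option" for Kerberos/GSSAPI keywords (built without --with-kerberos5).

# Keywords sshd rejected. stdin: sshd syslog lines or `sshd -t` output.
unsupported_keywords() {
    sed -n 's/.*Unsupported option[[:space:]]*\([A-Za-z0-9]*\).*/\1/p' | sort -u
}

# Does the binary know a keyword? stdin: output of `sshd -T`. Assumption:
# sshd -T prints a keyword (lowercase) only when compiled with support for it.
sshd_knows() {
    keyword=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    grep -q "^$keyword "
}

# For each keyword the log complained about, check whether the (rebuilt)
# binary now accepts it. Returns 1 if any keyword is still missing.
verify_rebuild() {
    log="$1"; dump="$2"; missing=0
    for kw in $(printf '%s\n' "$log" | unsupported_keywords); do
        if printf '%s\n' "$dump" | sshd_knows "$kw"; then
            echo "$kw: supported"
        else
            echo "$kw: still unsupported"; missing=1
        fi
    done
    return $missing
}

# Constructed sample input mirroring the log lines quoted in the thread.
SAMPLE_LOG='Dec  1 06:09:19 mail sshd[8645]: rexec line 89: Unsupported option GSSAPIAuthentication
Dec  1 06:16:54 mail sshd[21898]: rexec line 83: Unsupported option KerberosAuthentication'

# Constructed `sshd -T` output for a build without Kerberos support.
SAMPLE_DUMP_NOKRB='port 22
passwordauthentication yes
usepam no'

# Constructed `sshd -T` output after rebuilding with --with-kerberos5.
SAMPLE_DUMP_KRB='port 22
passwordauthentication yes
gssapiauthentication yes
kerberosauthentication yes
usepam no'

verify_rebuild "$SAMPLE_LOG" "$SAMPLE_DUMP_NOKRB" || echo "rebuild still needed"
verify_rebuild "$SAMPLE_LOG" "$SAMPLE_DUMP_KRB" && echo "rebuild fixed it"
```

On a real host, feed it `grep 'Unsupported option' /var/log/messages` and `sshd -T` output instead of the constructed strings.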

-----Original Message-----
Date: Sun, 02 Dec 2018 13:46:51 -0500
Organization: Ohio Highway Patrol Retirement System
To: samba@xxxxxxxxxxxxxxx
Subject: Re: [Samba] Cannot log into Samba4 AD/DC with ssh as domain user

On Sun, 2 Dec 2018 08:52:19 Rowland Penny wrote:
>
> On Sat, 1 Dec 2018 20:38:58 -0500
> Nico Kadel-Garcia <nkadel@xxxxxxxxx> wrote:
>
> > On Sat, Dec 1, 2018 at 4:17 PM Rowland Penny via samba
> > <samba@xxxxxxxxxxxxxxx> wrote:
> > >
> > > On Sat, 01 Dec 2018 15:23:36 -0500
> > > Mark Foley <mfoley@xxxxxxxxx> wrote:
> > >
> > > > On Sat, 1 Dec 2018 12:09:18 Rowland Penny wrote:
> > > > >
> > > > > On Sat, 01 Dec 2018 06:26:42 -0500
> > > > > Mark Foley via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > > > >
> > > > > > From either a Linux or Mac domain member, I have tried logging
> > > > > > into the Samba4 AD server as a domain user:
> > > > > >
> > > > > > labmac:~ mark$ ssh mark@mail pwd
> > > > > > mark@mail's password:
> > > > > > Permission denied, please try again.
> > > > > >
> > > > > > where 'mail' is the AD/DC.
> > > > > >
> > > > > > It also fails if I am on the AD/DC and try the same ssh.
> > > > > >
> > > > > > I've tried setting either the GSSAPIAuthentication or
> > > > > > KerberosAuthentication in /etc/ssh/sshd_config, but those
> > > > > > don't help. I get:
> > > > > >
> > > > > > Dec  1 06:09:19 mail sshd[8645]: rexec line 89: Unsupported option
> > > > > > GSSAPIAuthentication Dec  1 06:09:19 mail sshd[8645]: reprocess
> > > > > > 
> > > > > > Dec  1 06:16:54 mail sshd[21898]: rexec line 83: Unsupported
> > > > > > option KerberosAuthentication Dec  1 06:16:54 mail sshd[21898]:

> > 
> > Stop here. If you have root privileges, add a *local* account on the
> > relevant system, and log in using the Kerberos credentials. If those
> > don't work, you have other issues.
>
> Just how is that going to work when the KDC is a Samba AD DC and a
> local account is just that, a local account that is unknown to
> kerberos ?

I was wondering the same.

> > Also, just because a host is an AD server does not mean that it is
> > configured to allow AD based logins. What is the OS of the AD server
> > you are trying to log into?
>
> Did you miss the part where the OP said he could login as an AD user ?
>
> My gut feeling is that he is suffering from an old problem, he is using
> Slackware without PAM.

I'm thinking the same. The domain member Slackware systems do have PAM installed. The AD/DC
does not. There is no problem logging onto the domain members.

> > Email clients on the domain members use kerberos/GSSAPI to
> > authenticate with the Dovecot mail server on the AD/DC. Perhaps this
> > is a clue?

> Doesn't Dovecot use ldap to authenticate (via kerberos) ?

The dovecot wiki lists various authentication methods, one of which is "GSSAPI: Kerberos v5
support." ldap is not mentioned, but is perhaps at some underlying level.

I think I'll try two things:

1. Rebuild sshd with KerberosAuthentication and KerberosAuthentication.

2. Install PAM

#1 seems like the quickest test. #2 I worry about. Although that works fine on the domain
members, PAM affects a number of different programs and might be a bit more difficult to undo.

Supposedly, Slackware will include PAM in the next release.

I'll report back on the results.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba