
[Samba] SSH and winbind authentication on Solaris 10


Burris, Celeste Suliin

Jul 20, 2006, 9:40:06 PM
I've googled my heart out, but I cannot see an example of ssh authentication
with Active Directory and winbindd, particularly on Solaris 10. I have it
working on Solaris 8 with telnet, but I'm trying to break my users of
telnet.

Has anyone got it working? If so, would you be willing to share the global
section of your smb.conf and pam.conf with me? Is there something I need to
put in one of the ssh configuration files?

Celeste Suliin Burris
Systems Administrator
Community and Economic Development Department
Phone - 253-591-5093
Email - csbu...@ci.tacoma.wa.us
URL - http://www.cityofdestiny.com


--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba

Gerald (Jerry) Carter

Jul 20, 2006, 9:50:07 PM

Burris, Celeste Suliin wrote:
> I've googled my heart out, but I cannot see an example
> of ssh authentication with Active Directory and winbindd,
> particularly on Solaris 10. I have it working on Solaris
> 8 with telnet, but I'm trying to break my users of
> telnet.

There's not much to it besides adding pam_winbind.so to
your pam file and making sure to set 'template shell'
to a valid shell on your system. The default is
/bin/false.

cheers, jerry
=====================================================================
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" -->

Burris, Celeste Suliin

Jul 20, 2006, 10:40:05 PM
The answer is (weird) you cannot log in the first time from PuTTY. I brought
my guinea pig to my Mac, had her log in via SSH one time, and now she can
log in from PuTTY.

Stefan Varga

Jul 21, 2006, 4:40:15 AM
Here they are:
krb5.conf

[libdefaults]
default_realm = ADS.SK

[realms]
ADS.UNIT.SK = {
kdc = windows.ads.unit.sk
}
[domain_realm]
.kerberos.server = WINDOWS.ADS.SK

smb.conf

[global]

#host settings
netbios name = SOLARIS
server string = Test Server for join to ADS
workgroup = ADS
os level = 20
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
#winbind configuration
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind gid = 10000-20000
winbind cache time = 20
winbind separator = +
#server
socket address = ip
password server = ip
preferred master = no
realm = ADS.SK
security = ADS
encrypt passwords = yes
dns proxy = no
#logging
max log size = 50
log level = 1
log file = /var/samba/log/log.%m
template homedir = /export/home/%D.%U
template shell = /bin/bash

pam.conf
login auth sufficient pam_winbind.so.1
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
#
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth sufficient pam_winbind.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth required pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth required pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account sufficient pam_winbind.so.1
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
#other session optional pam_mkhomedir.so skel=/etc/skel umask=0022
other session required pam_unix_session.so.1
#other session sufficient pam_winbind.so


Any comments or suggestions are welcome.
root and AD users are able to log in by ssh, telnet, dtlogin ..
I have only 2 problems:
1. If root logs in, pam gives me (but root can log in):
Jul 21 09:55:30 solaris pam_winbind[885]: [ID 744057 auth.error] request failed: Logon failure, PAM error was Authentication failed (9), NT error was NT_STATUS_LOGON_FAILURE
Jul 21 09:55:30 solaris pam_winbind[885]: [ID 912734 auth.error] request failed, but PAM error 0!
Jul 21 09:55:30 solaris pam_winbind[885]: [ID 799888 auth.error] internal module error (retval = 3, user = `root')
Can you give me some suggestions on how to avoid this?
2. I cannot use pam_mkhomedir; if pam_mkhomedir is commented out, users
cannot log in, because the Sun box drops the ssh connections.
Do you guys see some misconfiguration here?
Thanks
Stefan

Burris, Celeste Suliin wrote:
> I've googled my heart out, but I cannot see an example of ssh authentication
> with Active Directory and winbindd, particularly on Solaris 10. I have it
> working on Solaris 8 with telnet, but I'm trying to break my users of
> telnet.
>
> Has anyone got it working? If so, would you be willing to share the global
> section of your smb.conf and pam.conf with me? Is there something I need to
> put in one of the ssh configuration files?
>
> Celeste Suliin Burris
> Systems Administrator
> Community and Economic Development Department
> Phone - 253-591-5093
> Email - csbu...@ci.tacoma.wa.us
> URL - http://www.cityofdestiny.com
>
>
>


--
+----------------------------------------------+
| Stefan Varga TEMPEST a.s. |
| Systems Engineer IT Services |
| +421908 760617 Plynarenska 7/B |
| Stefan...@tempest.sk Bratislava |
| Sun Microsystems Enterprise system provider |
+----------------------------------------------+
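
The two settings from Jerry's reply, checked against a configuration shaped like Stefan's, as an added example that is not part of the thread: it confirms that `template shell` in `[global]` is a usable login shell rather than the `/bin/false` default, and that the PAM stack a service ends up with (its own entries, otherwise `other`) contains pam_winbind. The sample text is constructed, and the `sshd` service name and the set of valid shells are assumptions to replace with your host's values.

```python
# Added example, not from the thread. Sample configs are constructed.
SMB_CONF = """\
[global]
security = ADS
# winbind settings
template homedir = /export/home/%D.%U
Template Shell = /bin/bash
"""
PAM_CONF = """\
login auth sufficient pam_winbind.so.1
login auth required pam_unix_auth.so.1
# default stack, used by services with no entry of their own
other auth sufficient pam_winbind.so.1
other auth required pam_unix_auth.so.1
other account sufficient pam_winbind.so.1
other account required pam_unix_account.so.1
"""

def global_param(smb_text, name, default=None):
    """[global] lookup; smb.conf ignores case and spaces in parameter names."""
    want, section, value = name.replace(" ", "").lower(), None, default
    for raw in smb_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, val = line.split("=", 1)
            if key.replace(" ", "").lower() == want:
                value = val.strip()
    return value

def pam_stack(pam_text, service, mtype):
    """(control, module) pairs in file order, falling back to 'other'."""
    rows = [l.split("#", 1)[0].split() for l in pam_text.splitlines()]
    rows = [r for r in rows if len(r) >= 4]
    for svc in (service, "other"):
        stack = [(r[2], r[3]) for r in rows if r[0] == svc and r[1] == mtype]
        if stack:
            return stack
    return []

def findings(smb_text, pam_text, service, valid_shells):
    out = []
    shell = global_param(smb_text, "template shell", "/bin/false")
    if shell not in valid_shells:
        out.append("template shell %s is not a login shell" % shell)
    for mtype in ("auth", "account"):
        mods = [m.split("/")[-1] for _, m in pam_stack(pam_text, service, mtype)]
        if not any(m.startswith("pam_winbind.so") for m in mods):
            out.append("no pam_winbind in %s stack for %s" % (mtype, service))
    return out
```

Call `findings()` with the contents of the real smb.conf and pam.conf; an empty list means both settings are in place for that service.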
