
[Samba] Problem with PAM/SSSD/SAMBA4.1.2


Bernd Schuhmacher

Nov 28, 2013, 6:30:01 AM
Hi

I hope that I am not totally wrong when asking this on a Samba list, but
as I followed a tutorial found at the SAMBA wiki I hope I can find
someone who is able to help me.

My goal is to set up a server acting as a SAMBA AD Server with single
sign on for linux users.
I use a Ubuntu Server 13.10 as the base. On top of this I installed a
SAMBA 4.1.2 from GIT, did provisioning, Kerberos installation and so on.
This part seems to work. I can connect a Windows 7 Client to the domain
and work with MS rsat tools on the SAMBA server.

After that I installed SSSD with
apt-get install sssd sssd-tools
and configured this package as found on
https://wiki.samba.org/index.php/Local_user_management_and_authentication/sssd
getent passwd and getent group do what they should (after adding posix
stuff to groups and users with RSAT)

I did not change anything with any pam configuration as I think that dpkg
should do the job when libpam-sss and libnss-sss were installed.
Checking /etc/pam.d/* files show more or less the same as shown in the
tutorial.

When I try to connect with ssh to the server I can not do this
(Permission denied, please try again.). On the server I found in
/var/log/auth the following:

Nov 28 12:17:44 ad-server sshd[1770]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=walhalla-2.fritz.box user=administrator
Nov 28 12:17:44 ad-server sshd[1770]: pam_sss(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=walhalla-2.fritz.box
user=administrator
Nov 28 12:17:44 ad-server sshd[1770]: pam_sss(sshd:auth): received for
user administrator: 9 (Authentication service cannot retrieve
authentication info)
Nov 28 12:17:46 ad-server sshd[1770]: Failed password for administrator
from fd00::ca60:ff:fe14:986f port 57260 ssh2

Does anybody have an idea.

Kind regards
Bernd

Rowland Penny

Nov 28, 2013, 6:50:02 AM
> Does anybody have an idea.
>
> Kind regards
> Bernd
This could be a sssd problem rather than a samba one.
I have never tried to login to my S4 server via ssh as Administrator, so
I tried it (note I use winbind on the server)

Nov 28 11:31:10 DC1 sshd[25943]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=thinkpad.home.lan
user=Administrator
Nov 28 11:31:10 DC1 sshd[25943]: pam_winbind(sshd:auth): getting
password (0x00000388)
Nov 28 11:31:10 DC1 sshd[25943]: pam_winbind(sshd:auth): pam_get_item
returned a password
Nov 28 11:31:10 DC1 sshd[25943]: pam_winbind(sshd:auth): user
'Administrator' granted access
Nov 28 11:31:10 DC1 sshd[25943]: Accepted password for Administrator
from 192.168.0.204 port 40256 ssh2
Nov 28 11:31:10 DC1 sshd[25943]: pam_unix(sshd:session): session opened
for user HOME\Administrator by (uid=0)

Try stopping sssd on the server and use winbind instead.

Rowland

Rowland Penny

Nov 28, 2013, 9:20:02 AM
On 28/11/13 14:00, Bernd Schuhmacher wrote:
> Hi Rowland
> Am 28.11.2013 12:41, schrieb Rowland Penny:
> > On 28/11/13 11:21, Bernd Schuhmacher wrote:
> > ....
> >
> > Try stopping sssd on the server and use winbind instead.
> Thanks for going into my problem.
> I tried winbind ... it is even worse now.
> I did the following:
> service sssd stop
Are you sure sssd is stopped?

>
> ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib64/libnss_winbind.so
> ln -s /lib64/libnss_winbind.so /lib64/libnss_winbind.so.2
>
> ldconfig -v | grep winbind
>
> Output: libnss_winbind.so -> libnss_winbind.so.2

This is what I get.

>
> changed /etc/nsswitch.conf:
>
> ...
> passwd: compat winbind
> group: compat winbind
> shadow: compat
> ...
>
> /usr/local/samba/bin/wbinfo -p
> succeeded
>
OK
> /usr/local/samba/bin/wbinfo -u
> shows everything OK.
>
As it should.

> getent passwd only shows the "normal" unix users. None from the AD :-(
> So I did not go any further....
>
> More ideas?
>
Hmm, I get all the users from AD i.e.
HOME\Administrator:*:0:100::/home/HOME/Administrator:/bin/bash

Does 'getent passwd <a domain user>' return anything?

What OS are you using and just confirm that you are using 64bit

Rowland

> Kind regards
> Bernd
>

Rowland Penny

Nov 28, 2013, 10:20:02 AM
On 28/11/13 14:42, Bernd Schuhmacher wrote:
> Hi
> Am 28.11.2013 15:17, schrieb Rowland Penny:
>> ...
>>> I tried winbind ... it is even worse now.
>>> I did the following:
>>> service sssd stop
>> Are you sure sssd is stopped?
> ps awux | grep sssd gives only the grep and service sssd status says
> "sssd stop/waiting".
>> ....
>> Does 'getent passwd <a domain user>' return anything?
> No. ATM I only have Administrator as a user and getent passwd
> Administrator gives no answer.
>>
>> What OS are you using and just confirm that you are using 64bit
> It is Ubuntu 13.10 Server, 64 Bit (checked with uname -i)
>
>
> Kind regards
> Bernd
>
OK, you earlier posted that you did this:

ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib64/libnss_winbind.so
ln -s /lib64/libnss_winbind.so /lib64/libnss_winbind.so.2

Try this:

ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2

This is what I have on my Linux Mint 13 (aka Ubuntu 12.04) 64 bit server

Rowland

Bernd Schuhmacher

Nov 28, 2013, 2:50:02 PM
Hi

Am 28.11.2013 16:17, schrieb Rowland Penny:

> ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/libnss_winbind.so
> ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2

That was the problem.
After finding another little error in the guide it works with winbind.

For anyone else trying to get it working, here are the problems (at least
for Ubuntu 13.10, 64 Bit) on the wiki page
(https://wiki.samba.org/index.php/Samba4/Winbind):

1. ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib64/libnss_winbind.so
   ln -s /lib64/libnss_winbind.so /lib64/libnss_winbind.so.2
   should be
   ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/libnss_winbind.so
   ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2

2. ln -s /usr/local/samba/lib/security/pam_winbind.so /lib/security
   should be
   ln -s /usr/local/samba/lib/security/ /lib/security
   or
   mkdir /lib/security
   ln -s /usr/local/samba/lib/security/pam_winbind.so /lib/security/pam_winbind.so

After changing those things everything worked for me.

Thanks Rowland for helping.
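
Added example (not part of the thread or the Samba wiki): the fix above came down to libnss_winbind.so.2 being linked into a directory that was not searched, so "getent passwd" silently returned only local users. This sketch reads the services from nsswitch.conf and checks that each libnss_<service>.so.2 resolves in the directories you pass; the function names, the directory arguments and the temporary demo tree are assumptions constructed for illustration.

```shell
# nss_services FILE DB: print the services configured for database DB,
# skipping comments and bracketed actions such as [NOTFOUND=return].
nss_services() {
    awk -v db="$2:" '{ sub(/#.*/, "") }
        $1 == db { for (i = 2; i <= NF; i++) if ($i !~ /^\[/) print $i }' "$1"
}

# find_nss_module SERVICE DIR...: print the first DIR/libnss_SERVICE.so.2 that
# resolves to a regular file. [ -f ] follows symlinks, so a dangling link fails.
find_nss_module() {
    mod=$1; shift
    for dir in "$@"; do
        if [ -f "$dir/libnss_$mod.so.2" ]; then
            printf '%s\n' "$dir/libnss_$mod.so.2"
            return 0
        fi
    done
    return 1
}

# check_nss FILE DB DIR...: report every service; exit status = modules missing.
check_nss() {
    conf=$1; db=$2; shift 2
    missing=0
    for svc in $(nss_services "$conf" "$db"); do
        if found=$(find_nss_module "$svc" "$@"); then
            echo "ok      $db: $svc -> $found"
        else
            echo "MISSING $db: $svc (libnss_$svc.so.2 not in: $*)"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# demo_tree: constructed sample layout; the winbind link exists in lib64 only.
demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/lib" "$root/lib64" "$root/samba/lib"
    printf 'passwd: compat winbind  # AD users\ngroup: compat winbind\n' > "$root/nsswitch.conf"
    : > "$root/samba/lib/libnss_winbind.so.2"
    : > "$root/lib/libnss_compat.so.2"
    ln -s "$root/samba/lib/libnss_winbind.so.2" "$root/lib64/libnss_winbind.so.2"
    echo "$root"
}

# Demo on the constructed tree; on a real host pass /etc/nsswitch.conf and real dirs.
t=$(demo_tree)
check_nss "$t/nsswitch.conf" passwd "$t/lib" || echo "$? module(s) missing"
rm -rf "$t"
```

On a real system, pass the library directories the loader actually searches (ldconfig -v lists them) instead of the demo paths.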