Good morning,
I have already searched for similar issues, but none of the answers cover my problem.
I have 2 Ubuntu 14.04 LTS VMs with Samba + Winbind configured step by step from the documentation, but SSH logins don't work.
I can query the primary AD and one of the trusted ADs, as you can see:
Query primary AD
id toba1@ad1.com
uid=10004(test) gid=10000(ad\domain users) groups=10004(test),10000(ad\domain users)...
Query trusted AD (AD2)
id toba2@ad2.com
uid=4294967295 gid=10059(ad2\domain users) groups=4294967295,10059(ad2\domain users)...
First issue: from another Linux server (RHEL, though) when I query the user on AD2 there are many more groups.
Anyway, the server is correctly joined to AD:
net ads testjoin
Join is OK
wbinfo -g
ad\domain users
etc.
wbinfo -u
ad\toba1
etc.
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: toba1@ad.com
Valid starting Expires Service principal
14/02/2017 11:18:35 14/02/2017 21:18:35 krbtgt/AD.COM@AD.COM
renew until 21/02/2017 11:18:31
NSSWITCH
/etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
shadow: compat winbind
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
sudoers: files
SSH CONFIG
cat /etc/ssh/sshd_config
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
ListenAddress ::
ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication yes
# Kerberos options
KerberosAuthentication yes (ssh login doesn't work even if uncommented)
KerberosGetAFSToken yes (ssh login doesn't work even if uncommented)
KerberosOrLocalPasswd yes (ssh login doesn't work even if uncommented)
KerberosTicketCleanup yes (ssh login doesn't work even if uncommented)
# GSSAPI options
GSSAPIAuthentication yes (ssh login doesn't work even if uncommented)
GSSAPICleanupCredentials yes (ssh login doesn't work even if uncommented)
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
UseLogin no
useDNS no
MaxStartups 10:30:60
Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
SAMBA
[global]
workgroup = AD
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = AD.COM
security = ads
PAM.D / COMMON ACCOUNT
cat /etc/pam.d/common-account
#
# /etc/pam.d/common-account - authorization settings common to all services
#
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
# end of pam-auth-update config
PAM.D / COMMON AUTH
cat /etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
auth [success=3 default=ignore] pam_unix.so nullok_secure
auth [success=2 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth [success=1 default=ignore] pam_sss.so use_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config
I can't log in with AD1 users, nor with AD2 users (trusted domains).
tail -f /var/log/auth.log
Login test SSH
username:toba1 NOK
username:ad1+toba1 NOK
username:ad1\toba1 NOK
username:ad1\toba1 it seems to work, but then it closes the PuTTY shell immediately.
Feb 14 12:34:15 vmubuntu sshd[7221]: rexec line 56: Unsupported option KerberosGetAFSToken
Feb 14 12:34:17 vmubuntu sshd[7221]: Invalid user tooah from 10.7.17.21
Feb 14 12:34:17 vmubuntu sshd[7221]: input_userauth_request: invalid user toba1 [preauth]
Feb 14 12:34:21 vmubuntu sshd[7221]: pam_unix(sshd:auth): check pass; user unknown
Feb 14 12:34:21 vmubuntu sshd[7221]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.7.17.21
Feb 14 12:34:21 vmubuntu sshd[7221]: pam_winbind(sshd:auth): getting password (0x00000388)
Feb 14 12:34:21 vmubuntu sshd[7221]: pam_winbind(sshd:auth): pam_get_item returned a password
Feb 14 12:34:22 vmubuntu sshd[7221]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.7.17.21 user=toba1
Feb 14 12:34:22 vmubuntu sshd[7221]: pam_sss(sshd:auth): received for user toba1 : 13 (User account has expired)
Feb 14 12:34:24 vmubuntu sshd[7221]: Failed password for invalid user toba1 from 10.7.17.21 port 53148 ssh2
Feb 14 12:34:53 vmubuntu sshd[6959]: Invalid user ad1+toba1 from 10.7.17.21
Feb 14 12:34:53 vmubuntu sshd[6959]: input_userauth_request: invalid user ad1+toba1 [preauth]
Feb 14 12:34:59 vmubuntu sshd[6964]: rexec line 56: Unsupported option KerberosGetAFSToken
Feb 14 12:35:11 vmubuntu sshd[6964]: Invalid user ad1\\toba1 from 10.7.17.21
Feb 14 12:35:11 vmubuntu sshd[6964]: input_userauth_request: invalid user ad1\\\\toba1 [preauth]
Feb 14 12:35:15 vmubuntu sshd[6966]: rexec line 56: Unsupported option KerberosGetAFSToken
Feb 14 12:35:41 vmubuntu sshd[6966]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.7.17.21 user=ad1\toba1
Feb 14 12:35:41 vmubuntu sshd[6966]: pam_winbind(sshd:auth): getting password (0x00000388)
Feb 14 12:35:41 vmubuntu sshd[6966]: pam_winbind(sshd:auth): pam_get_item returned a password
Feb 14 12:35:41 vmubuntu sshd[6966]: pam_winbind(sshd:auth): user 'ivecoeurope\toba1 ' granted access
Feb 14 12:35:42 vmubuntu sshd[6966]: Accepted password for ivecoeurope\toba1 from 10.7.17.21 port 52992 ssh2
Feb 14 12:35:42 vmubuntu sshd[6966]: pam_unix(sshd:session): session opened for user ad1\toba1 by (uid=0)
Feb 14 12:35:42 vmubuntu systemd-logind[936]: New session 57 of user test.
Feb 14 12:35:44 vmubuntu sshd[6966]: pam_unix(sshd:session): session closed for user ad1\toba1
Feb 14 12:35:44 vmubuntu sshd[6966]: pam_winbind(sshd:setcred): user 'ad1\toba1 ' OK
Feb 14 12:35:52 vmubuntu sshd[6964]: Connection closed by 10.7.17.21 [preauth]
Feb 14 12:35:54 vmubuntu sshd[6959]: Connection closed by 10.7.17.21 [preauth]
Feb 14 12:36:01 vmubuntu sshd[7107]: rexec line 56: Unsupported option KerberosGetAFSToken
Feb 14 12:36:12 vmubuntu sshd[7107]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.7.17.21 user=toba1 @ad1
Feb 14 12:36:12 vmubuntu sshd[7107]: pam_winbind(sshd:auth): getting password (0x00000388)
Feb 14 12:36:12 vmubuntu sshd[7107]: pam_winbind(sshd:auth): pam_get_item returned a password
Feb 14 12:36:13 vmubuntu sshd[7107]: pam_winbind(sshd:auth): user 'ad1\toba1 ' granted access
Feb 14 12:36:16 vmubuntu sshd[7107]: Accepted password for toba1 @ivecoeurope from 10.7.17.21 port 53011 ssh2
Feb 14 12:36:16 vmubuntu sshd[7107]: pam_unix(sshd:session): session opened for user ad1\toba1 by (uid=0)
Feb 14 12:36:16 vmubuntu systemd-logind[936]: Removed session 57.
Feb 14 12:36:16 vmubuntu systemd-logind[936]: New session 58 of user test.
Feb 14 12:36:17 vmubuntu sshd[7107]: pam_unix(sshd:session): session closed for user ad1\toba1
Feb 14 12:36:17 vmubuntu sshd[7107]: pam_winbind(sshd:setcred): user 'ad1\toba1 ' OK   --> It closes PuTTY immediately!
Any help would be really appreciated.
Thank you.
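The auth.log above shows the stack doing its job (pam_winbind "granted access", "Accepted password", session opened) and the session ending two seconds later, which is what happens when the login shell itself exits at once. What decides that is the passwd(5) entry NSS returns for the account, not sshd or PAM. The script below is an added diagnostic, not part of the original post or of Samba/OpenSSH; it assumes only POSIX sh, getent, cut and mktemp. It encodes three facts about the output in the post: winbind reports uid 4294967295 (-1) when idmap has no mapping for a domain (the AD2 result above); Samba's default `template shell` is /bin/false and the [global] section shown sets no other value; and uid 10004 resolving to the name "test" means another passwd source already owns that uid. The passwd entries in main() are constructed samples, not data from the poster's hosts.

```shell
#!/bin/sh
# Added diagnostic script (not from the original post). Checks the passwd(5) entry an
# AD account resolves to, which decides whether an SSH session survives once PAM has
# granted access. Sample entries in main() are constructed; check_nss_user is the live
# variant for a joined host.

say() { printf '%s\n' "$*"; }                          # echo would mangle the \ in ad\toba1
pw_field() { printf '%s\n' "$1" | cut -d: -f"$2"; }    # field N of a passwd(5) line

# check_login_entry 'name:x:uid:gid:gecos:home:shell'
# Prints one finding per line; returns 0 if an interactive session can survive,
# 1 if the entry would break or end the login immediately.
check_login_entry() {
    entry=$1
    user=$(pw_field "$entry" 1)
    uid=$(pw_field "$entry" 3)
    home=$(pw_field "$entry" 6)
    shell=$(pw_field "$entry" 7)
    rc=0

    # winbind returns uid -1 (4294967295) when idmap has no range for the domain.
    case "$uid" in
        ''|4294967295)
            say "FAIL $user: uid '$uid' is unmapped (no idmap range for this domain)"
            rc=1 ;;
    esac

    # Samba's default 'template shell' is /bin/false: PAM succeeds, the shell exits, done.
    case "$shell" in
        '')
            say "FAIL $user: empty shell field"; rc=1 ;;
        /bin/false|*/nologin)
            say "FAIL $user: shell $shell exits immediately (set 'template shell = /bin/bash' in smb.conf)"
            rc=1 ;;
        *)
            if [ -x "$shell" ]; then
                say "ok   $user: shell $shell"
            else
                say "FAIL $user: shell $shell does not exist on this host"; rc=1
            fi ;;
    esac

    # A missing home alone does not close the session (sshd falls back to /), but it is
    # the usual next surprise; pam_mkhomedir in common-session creates it.
    if [ -d "$home" ]; then
        say "ok   $user: home $home exists"
    else
        say "warn $user: home $home missing (add pam_mkhomedir to common-session)"
    fi
    return $rc
}

# Live variant: run the checks on what NSS really returns for NAME and flag a uid that
# getpwuid() maps back to a different name (local account inside the winbind idmap
# range). Needs winbindd running; not exercised by the sample run below.
check_nss_user() {
    entry=$(getent passwd "$1") || { say "FAIL $1: not resolvable through NSS"; return 1; }
    crc=0
    owner=$(getent passwd "$(pw_field "$entry" 3)" | cut -d: -f1)
    if [ "$owner" != "$(pw_field "$entry" 1)" ]; then
        say "FAIL $1: uid $(pw_field "$entry" 3) resolves back to '$owner' (uid collision)"
        crc=1
    fi
    check_login_entry "$entry" || crc=1
    return $crc
}

main() {
    tmp=$(mktemp -d)
    # Constructed samples in 'getent passwd' shape: the two domains from the post with
    # Samba's default template shell, then a corrected entry with a real shell and home.
    for e in \
        "ad\\toba1:*:10004:10000::/home/AD/toba1:/bin/false" \
        "ad2\\toba2:*:4294967295:10059::/home/AD2/toba2:/bin/false" \
        "ad\\toba1:*:10004:10000::$tmp:/bin/sh"; do
        check_login_entry "$e" && say "   -> session would survive" || say "   -> session would not survive"
    done
    rmdir "$tmp"
}

main
```

On a joined host, `check_nss_user 'AD\toba1'` runs the same checks on the real NSS answer; the fix for the shell finding goes in the [global] section of smb.conf (`template shell = /bin/bash`, plus `template homedir` if /home/%D/%U is not wanted), followed by a winbind restart.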