aman Apprentice
Joined: 07 Sep 2003 Posts: 198 Location: Bay Area, California
Posted: Tue Jan 25, 2005 7:37 pm Post subject: Active Directory Authentication for sshd
Hello, currently I have winbind semi-working on one of my gentoo servers. But I cannot get the pam configs to let me ssh into the server with a windows 2003 server active directory account.
From a unix root login I can run "su - ADDOMAIN+adUsername" and it will log in to that user's shell, and I got it to automount that user's home directory with samba for when I do that.
And if I run "getent passwd" or "getent group" it lists all the active directory users or active directory groups from my domain controller. But I still can't get it to let me log in via ssh with an active directory account. If you can check over my configs and maybe suggest any changes I would be very thankful.
/etc/pam.d/sshd
Code:
#%PAM-1.0
auth sufficient /lib/security/pam_winbind.so debug
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_shells.so
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password sufficient /lib/security/pam_winbind.so debug
password required /lib/security/pam_stack.so service=system-auth
session sufficient /lib/security/pam_winbind.so
session required /lib/security/pam_stack.so service=system-auth
/etc/pam.d/system-auth
Code:
#%PAM-1.0
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so likeauth nullok try_first_pass
auth required /lib/security/pam_deny.so
account sufficient /lib/security/pam_winbind.so debug
account required /lib/security/pam_unix.so
password required /lib/security/pam_winbind.so debug
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok md5 shadow use_authtok
password required /lib/security/pam_deny.so
session sufficient /lib/security/pam_winbind.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
/etc/pam.d/system-auth-winbind
Code:
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so likeauth nullok use_first_pass
auth required /lib/security/pam_deny.so
account sufficient /lib/security/pam_winbind.so
account required /lib/security/pam_unix.so
password sufficient /lib/security/pam_winbind.so
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
/etc/samba/smb.conf
Code:
[global]
netbios name = CUX
# SO_RCVBUF was misspelled as SO_RCVBUG; Samba rejects unknown socket options
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
idmap uid = 10000-20000
winbind enum users = yes
winbind gid = 10000-20000
workgroup = WKGROUP
os level = 20
winbind enum groups = yes
# socket address = 192.168.1.201
password server = 192.168.1.201
preferred master = no
winbind separator = +
max log size = 1024
log file = /var/log/samba/%m.log
encrypt passwords = yes
dns proxy = no
realm = REALM.DOMAIN.COM
security = ADS
wins server = 192.168.1.201
wins proxy = no
template shell = /bin/bash
template primary group = "Domain Admins"
# Shares
[Home]
comment = Home directories on cux
writeable = no
path = /home
force user = nobody
I have tried using the winbind.so and the krb5.so module for authentication in the pam.d configs with no luck on logging in with ssh. Thanks for looking!
Adam
_________________
Yes, I do run Gentoo on production servers...
ronaldmoes n00b
Joined: 03 Oct 2003 Posts: 48
Posted: Tue Jan 25, 2005 8:06 pm Post subject:
Did you set 'UsePam yes' in your sshd_config and did you merge openssh with the 'pam' use-flag?
aman Apprentice
Joined: 07 Sep 2003 Posts: 198 Location: Bay Area, California
Posted: Tue Jan 25, 2005 8:25 pm Post subject:
Yes to both, good thing to check though, thanks!
_________________
Yes, I do run Gentoo on production servers...
cpdsaorg Guru
Joined: 16 Oct 2003 Posts: 359
Posted: Fri Mar 04, 2005 11:27 am Post subject:
I would like to have this functionality as well please. Any howto on it available anywhere?
_________________
PentiumM 2.0 GHz, MSI 915GM Speedster-FA4, Seagate ST3500641AS SATA 400GB
NorthWoodsman Tux's lil' helper
Joined: 25 Apr 2003 Posts: 134
Posted: Thu Mar 10, 2005 2:57 am Post subject:
Edit the /etc/pam.d/login and /etc/pam.d/sshd and change all the instances of 'system-auth' to 'system-auth-winbind'
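As an added example, not code from this thread or from any of its posters, here is a POSIX shell audit of the three pieces the first post and the reply above touch: sshd_config (UsePAM), the PAM service file for sshd, and smb.conf. It resolves pam_stack.so service=NAME references (and include/substack lines) one level deep, so the checks see the effective stack whether /etc/pam.d/sshd chains to system-auth or, as the reply above suggests, to system-auth-winbind. All file paths are parameters; the sample files it writes are constructed for the demo and describe no real host.

```shell
#!/bin/sh
# Added example, not code from this thread: audit sshd_config, the PAM service
# file for sshd and smb.conf for the settings that must agree before a domain
# account can log in over ssh via winbind. All paths are parameters.

# Print a config file with comments and blank lines stripped.
strip_comments() { sed -e 's/[#;].*//' -e '/^[[:space:]]*$/d' "$1"; }

# Print the effective PAM stack of service file $1. A line that pulls in
# another service (pam_stack.so service=NAME, or include/substack NAME) is
# replaced by that file's lines, one level deep, so checks see what sshd runs.
pam_effective() {
  dir=$(dirname "$1")
  strip_comments "$1" | while read -r type ctrl module args; do
    svc=""
    case "$ctrl" in include|substack) svc=$module ;; esac
    case "$module" in *pam_stack.so)
      svc=$(printf '%s\n' "$args" | sed -n 's/.*service=\([^[:space:]]*\).*/\1/p') ;;
    esac
    if [ -n "$svc" ] && [ -r "$dir/$svc" ]; then strip_comments "$dir/$svc"
    else printf '%s %s %s %s\n' "$type" "$ctrl" "$module" "$args"; fi
  done
}

# Exit 0 if management group $2 (auth/account/password/session) of service
# file $1 uses a module whose path matches regex $3.
pam_has() {
  pam_effective "$1" | awk -v t="$2" -v m="$3" '$1 == t && $3 ~ m { f = 1 } END { if (f) exit 0; exit 1 }'
}

# Exit 0 if sshd_config $1 enables PAM; like sshd, the first UsePAM line wins.
sshd_uses_pam() {
  strip_comments "$1" | awk 'tolower($1) == "usepam" && !seen { v = tolower($2); seen = 1 }
                              END { if (v == "yes") exit 0; exit 1 }'
}

# Print the value of smb.conf parameter $2 (give it in lowercase) from file $1.
smb_param() {
  strip_comments "$1" | awk -v p="$2" 'index($0, "=") {
      k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (tolower(k) == p) print v }'
}

# Run every check; print one line per finding and return the finding count.
audit_ad_ssh() {  # $1 sshd_config  $2 /etc/pam.d/sshd  $3 smb.conf
  n=0
  sshd_uses_pam "$1" || { echo "$1: UsePAM is not yes"; n=$((n + 1)); }
  for grp in auth account; do
    pam_has "$2" "$grp" pam_winbind || { echo "$2: no pam_winbind in $grp stack"; n=$((n + 1)); }
  done
  pam_has "$2" session pam_mkhomedir ||
    { echo "$2: no pam_mkhomedir in session stack (domain users have no local home)"; n=$((n + 1)); }
  # Samba 3 uses 'idmap gid'; 'winbind gid' is the older synonym, so accept both.
  gid=$(smb_param "$3" 'idmap gid'); [ -n "$gid" ] || gid=$(smb_param "$3" 'winbind gid')
  [ -n "$gid" ] || { echo "$3: no idmap gid range, group SIDs cannot map to gids"; n=$((n + 1)); }
  [ "$(smb_param "$3" security | tr 'A-Z' 'a-z')" = ads ] ||
    { echo "$3: security is not ads"; n=$((n + 1)); }
  return "$n"
}

# Constructed sample files (no real host): 'good' chains sshd to a
# system-auth-winbind that has pam_mkhomedir; 'broken' chains to a
# system-auth without it and has no gid mapping. Prints the directory.
make_samples() {
  d=$(mktemp -d) || return 1
  mkdir -p "$d/good" "$d/broken"
  printf 'Port 22\nUsePAM yes\n' | tee "$d/good/sshd_config" >"$d/broken/sshd_config"
  for x in good broken; do
    s=system-auth-winbind; [ "$x" = broken ] && s=system-auth
    printf '%s required /lib/security/pam_stack.so service=%s\n' \
      auth "$s" account "$s" session "$s" >"$d/$x/sshd"
  done
  cat >"$d/good/system-auth-winbind" <<'EOF'
auth     sufficient /lib/security/pam_winbind.so
auth     required   /lib/security/pam_unix.so use_first_pass
account  sufficient /lib/security/pam_winbind.so
account  required   /lib/security/pam_unix.so
session  required   /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session  required   /lib/security/pam_unix.so
EOF
  grep -v pam_mkhomedir "$d/good/system-auth-winbind" >"$d/broken/system-auth"
  printf '[global]\n  security = ADS\n  idmap uid = 10000-20000\n  idmap gid = 10000-20000\n  winbind separator = +\n' >"$d/good/smb.conf"
  grep -v 'idmap gid' "$d/good/smb.conf" >"$d/broken/smb.conf"
  echo "$d"
}

# Stand-alone demo: audit the samples. On a real host call, for example,
#   audit_ad_ssh /etc/ssh/sshd_config /etc/pam.d/sshd /etc/samba/smb.conf
if [ "${1:-}" = --demo ]; then
  s=$(make_samples)
  for x in good broken; do
    echo "== $x"; audit_ad_ssh "$s/$x/sshd_config" "$s/$x/sshd" "$s/$x/smb.conf" || echo "findings: $?"
  done
  rm -rf "$s"
fi
```

Run it with `--demo` to see the two constructed samples audited, or source it and call audit_ad_ssh on the live files. The pam_mkhomedir check is there because a domain user resolved by winbind has no local home directory until something creates it, which is the one module the thread's system-auth-winbind has and its system-auth lacks; the idmap check accepts the older 'winbind gid' spelling as well as 'idmap gid' because Samba 3 still reads both.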
humbletech99 Veteran
Joined: 26 May 2005 Posts: 1229 Location: London
Posted: Wed Dec 21, 2005 4:47 pm Post subject:
I've got the same problem. I wanna know where you source this info before I break my system....
Ok. I've read up and I'm sure that you don't need system-auth-winbind. I don't have one anyway, so I'm not changing system-auth to system-auth-winbind because it's the system-auth that controls authentication and is sourced by the other pam.d/ configs.
The weird thing is that shows the long list of them but if I do "getent passwd username" with username exactly as it appears in the previous command, I get nothing....!
Did anyone find a solution for this?