I got a little farther. After creating the home directory,
/home/MS/johns
and fixing the path to the default shell, I can ssh in with:
ssh 192.168.60.189 -l MS\+johns
But not with this:
ssh 192.168.60.189 -l johns
My smb.conf definitely has:
winbind use default domain = Yes

How can I make ssh work with the short user name?

On Fri, 2005-05-20 at 14:27 -0700, jstile wrote:
> Configuration:
> Samba 3.0.14a-1 (on debian 3.1) + winbind 3.0.14a-1 + krb5-user 1.3.6-2
>
> I need help debugging pam_winbind.so in /etc/pam.d/ssh on debian.
>
> Samba is a member of an AD domain, authenticating access to shares via
> winbind+nsswitch.conf. Authentication to shares works great. Now I
> want winbind to authenticate ssh users as a pam module and it's failing.
> Below I show the output of an ssh attempt with the auth.log and winbind
> (in debug 3). If you see any problems with the configs/logs below, or
> you need any other configs/logs, please let me know. Thank you very
> much.
>
> No problem with any of the following tests:
> smbd -b |egrep 'KRB|LDAP' # Shows Samba has needed Libs.
> wbinfo -u # Shows winbind is doing lookups from ADS
> johns
> wbinfo -g # Shows winbind is doing lookups from ADS
> getent passwd # Shows nsswitch is correct, to resolve ADS users.
> johns:x:10000:10000:John Stile:/home/MS/johns:/usr/local/bin/bash
> getent group # Shows nsswitch is correct, to resolve ADS groups.
> net ads info # Show AD info
> LDAP server: 192.168.50.42
> LDAP server name: stan
> Realm: MS.STILEN.COM
> Bind Path: dc=MS,dc=STILEN,dc=COM
> LDAP port: 389
> Server time: Fri, 20 May 2005 21:15:29 GMT
> KDC server: 192.168.50.42
> Server time offset: 0
> net ads join -Ujohns%passwd # Joined the domain
> net ads testjoin # Shows join is ok
> wbinfo -a johns%password # Test if winbind can authenticate
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
> kinit johns # Test Kerberos authentication
> Password for [EMAIL PROTECTED]:
> <ends without any response>
> smbclient -L localhost -U ms\\johns%password # list shares using passwd
>
> Configuration:
> Samba 3.0.14a-1 (on debian 3.1) + winbind 3.0.14a-1 + krb5-user 1.3.6-2
>
> Ran winbind in debug mode during an ssh attempt
> winbindd -d 3 -i
> [ 3195]: request interface version
> [ 3195]: request location of privileged pipe
> [ 3195]: pam auth johns
> cm_get_ipc_userpass: No auth-user defined
> Doing spnego session setup (blob length=105)
> got OID=1 2 840 48018 1 2 2
> got OID=1 2 840 113554 1 2 2
> got OID=1 2 840 113554 1 2 2 3
> got OID=1 3 6 1 4 1 311 2 2 10
> got [EMAIL PROTECTED]
> Doing kerberos session setup
> Ticket in ccache[MEMORY:cliconnect] expiration Sat, 21 May 2005 06:58:43 GMT
> Plain-text authentication for user johns returned NT_STATUS_WRONG_PASSWORD (PAM: 7)
> ---------------------------------
> Authlog
> ==> /var/log/auth.log <==
> May 20 20:58:31 localhost sshd[3195]: Illegal user johns from ::ffff:192.168.60.161
> May 20 20:58:43 localhost pam_winbind[3195]: request failed: Wrong Password, PAM error was 7, NT error was NT_STATUS_WRONG_PASSWORD
> May 20 20:58:43 localhost pam_winbind[3195]: user `johns' denied access (incorrect password or invalid membership)
> ---------------------------------
> Only added the winbind stuff to default debian /etc/pam.d/ssh
> # PAM configuration for the Secure Shell service
> auth sufficient pam_winbind.so
> auth required pam_nologin.so
> auth required pam_env.so # [1]
> @include common-auth
> account sufficient pam_winbind.so
> @include common-account
> session required pam_mkhomedir.so skel=/etc/skel umask=0022
> @include common-session
> session optional pam_motd.so # [1]
> session optional pam_mail.so standard noenv # [1]
> session required pam_limits.so
> @include common-password
> ---------------------------------
> [global]
> realm = MS.STILEN.COM
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> template homedir = /home/%D/%U
> template shell = /usr/local/bin/bash
> winbind enum users = yes
> winbind enum groups = yes
> winbind nested groups = Yes
> winbind use default domain = Yes
> winbind separator = +
> workgroup = MS
> security = ADS
> password server = stan.ms.stilen.com
> wins support = yes
> wins server = stan.ms.stilen.com
> server string = %h server (Samba %v)
> dns proxy = no
> ldap ssl = no
> log file = /var/log/samba/log.%m
> max log size = 1000
> syslog = 0
> panic action = /usr/share/samba/panic-action %d
> encrypt passwords = true
> passdb backend = tdbsam guest
> obey pam restrictions = no
> invalid users = root Debian-exim daemon bin sys adm lp listen noaccess www-data
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
> load printers = no
> ---------------------------------
> /etc/resolv.conf
> search ms.stilen.com
> ---------------------------------
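
The auth.log excerpt quoted above, grouped by process ID, as an added example that is not part of the original message: sshd logs "Illegal user" when it cannot look the name up, and the pam_winbind failure that follows carries the same PID, so both lines describe one login attempt. The sample input is the quoted log unwrapped to one entry per line; `correlate` and `triage` are names made up here, and the triage order (account lookup before password) is this example's assumption.

```python
import re
from collections import defaultdict

# Constructed sample: the auth.log lines quoted in the message, one entry per line.
AUTH_LOG = """\
May 20 20:58:31 localhost sshd[3195]: Illegal user johns from ::ffff:192.168.60.161
May 20 20:58:43 localhost pam_winbind[3195]: request failed: Wrong Password, PAM error was 7, NT error was NT_STATUS_WRONG_PASSWORD
May 20 20:58:43 localhost pam_winbind[3195]: user `johns' denied access (incorrect password or invalid membership)
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) ([\w.-]+)\[(\d+)\]: (.*)$")
ILLEGAL = re.compile(r"^(?:Illegal|Invalid) user (\S+) from (\S+)")
PAM_FAIL = re.compile(r"PAM error was (\d+), NT error was (\w+)")
DENIED = re.compile(r"^user [`'](\S+?)' denied access")

def correlate(log_text):
    """Group auth.log lines by PID and summarise each login attempt."""
    attempts = defaultdict(lambda: {"user": None, "source": None,
                                    "unknown_to_sshd": False,
                                    "pam_error": None, "nt_status": None})
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip anything that is not a syslog-style entry
        _, _, prog, pid, msg = m.groups()
        a = attempts[int(pid)]
        if prog == "sshd" and (hit := ILLEGAL.match(msg)):
            a["user"], a["source"] = hit.groups()
            a["unknown_to_sshd"] = True
        elif prog == "pam_winbind":
            if hit := PAM_FAIL.search(msg):
                a["pam_error"], a["nt_status"] = int(hit.group(1)), hit.group(2)
            elif hit := DENIED.match(msg):
                a["user"] = a["user"] or hit.group(1)
    return dict(attempts)

def triage(attempt):
    """Say which layer to look at first for one attempt."""
    # Assumption of this example: a failed name lookup is checked before the password.
    if attempt["unknown_to_sshd"]:
        return "account lookup: sshd could not resolve the user name"
    if attempt["nt_status"]:
        return "authentication: winbind returned " + attempt["nt_status"]
    return "no failure recorded"

if __name__ == "__main__":
    for pid, a in correlate(AUTH_LOG).items():
        print(pid, a["user"], a["source"], triage(a))
```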
