Re: [Samba] Winbindd and SSH (just disconnects after login)
> Message: 7
> Date: Fri, 21 Nov 2003 09:06:50 -0600
> From: sambalists [EMAIL PROTECTED]
> Subject: [Samba] Winbindd and SSH (just disconnects after login)
> To: [EMAIL PROTECTED]
> Message-ID: [EMAIL PROTECTED]
> Content-Type: text/plain; charset=iso-8859-1
>
> It looks like I've gotten the majority of things working in regards to Winbind. Users are being authenticated by the NT4 PDC when connecting to shares, but I can't seem to get things set up correctly to allow logging in via SSH (OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090702f). It appears as though I'm successfully authenticated by the PDC, but then the connection is immediately closed. (I'm running Mandrake Linux v9.2 and Samba Version 3.0.1pre3.)
>
> [EMAIL PROTECTED] testuser]$ ssh -lTESTDOM.COM\\testuser linuxsmb
> [EMAIL PROTECTED]'s password:
> Last login: Fri Nov 21 08:40:09 2003 from linuxsmb.TESTDOM.COM
> Connection to linuxsmb closed.
> [EMAIL PROTECTED] testuser]$ ssh -lTESTDOM.COM\\testuser linuxsmb
> [EMAIL PROTECTED]'s password:
> Last login: Fri Nov 21 08:40:44 2003 from linuxsmb.TESTDOM.COM
> Connection to linuxsmb closed.
>
> Here you can see by the Last Login: that is displayed, that I am being authenticated when I try connecting via ssh 2 times back to back:
>
> Here's a smbclient session being authenticated via the NT PDC:
>
> [EMAIL PROTECTED] testuser]$ smbclient //linuxsmb/testuser -UTESTDOM.COM\\testuser -c 'ls *.txt'
> Password:
> SSD55287.txt 41401 Fri Nov 7 04:36:57 2003
> New Text Document.txt A0 Thu Nov 20 15:08:26 2003
>
> 64860 blocks of size 32768. 63759 blocks available
>
> So it appears that things are working ?? When I try connecting via SSH, no dice. *sigh*
>
> Here's a snippet from my /var/log/auth.log
>
> Nov 21 08:34:52 linuxsmb pam_winbind[2842]: request failed: Wrong Password, PAM error was 7, NT error was NT_STATUS_WRONG_PASSWORD
> Nov 21 08:34:52 linuxsmb pam_winbind[2842]: user `TESTDOM.COM\testuser' denied access (incorrect password)
> Nov 21 08:34:52 linuxsmb sshd(pam_unix)[2842]: check pass; user unknown
> Nov 21 08:34:52 linuxsmb sshd(pam_unix)[2842]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=linuxsmb.TESTDOM.COM
> Nov 21 08:34:57 linuxsmb pam_winbind[2842]: user 'TESTDOM.COM\testuser' granted acces
> Nov 21 08:34:57 linuxsmb pam_winbind[2842]: user 'TESTDOM.COM\testuser' granted acces
> Nov 21 08:34:57 linuxsmb sshd[2842]: Accepted password for TESTDOM.COM\\testuser from 198.246.197.240 port 32810 ssh2
>
> /etc/pam.d/sshd
>
> auth     required   pam_nologin.so
> auth     sufficient pam_winbind.so
> auth     required   pam_unix.so use_first_pass shadow

Change this line to try_first_pass.

> auth     required   pam_env.so # [1]
> account  sufficient pam_winbind.so
> account  required   pam_unix.so use_first_pass

You might need try_first_pass here too.

> session  sufficient pam_mkhomedir.so skel=/etc/skel umask=0022
> session  required   pam_unix.so
> session  optional   pam_lastlog.so # [1]
> session  optional   pam_motd.so # [1]
> session  optional   pam_mail.so standard noenv # [1]
> session  required   pam_limits.so
> password required   pam_unix.so
>
> What am I missing here or doing wrong? Not sure if any other settings are relevant, and hate blasting the list with a bunch of useless/unwanted text.

openssh's approach to solving the longer delay for a valid user account (account discovery bug) was to give a pam authentication failure first for any connection (as I understand this). So, your use_first_pass is getting a bad password, and you aren't allowing it to prompt for a 2nd attempt.

BTW, you don't see this with public key authentication ... so the default /etc/pam.d/system-auth is broken for ssh too if you use drakauth to setup winbind :-(.

Regards,
Buchan

--
|--Another happy Mandrake Club member--|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x202
Stellenbosch Automotive Engineering         http://www.cae.co.za
GPG Key                   http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
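The two lines the reply above comments on can be found mechanically. This is an added example, not part of the original thread and not Samba or Linux-PAM code: a small Python audit that parses a pam.d service file and flags any rule carrying use_first_pass below a `sufficient` rule of the same type (pam_unix with use_first_pass never prompts, while try_first_pass falls back to prompting). SAMPLE_SSHD is constructed from the configuration quoted in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample: the /etc/pam.d/sshd quoted in the thread, abridged,
# with the whitespace between fields restored.
SAMPLE_SSHD = """\
auth     required   pam_nologin.so
auth     sufficient pam_winbind.so
auth     required   pam_unix.so use_first_pass shadow
auth     required   pam_env.so # [1]
account  sufficient pam_winbind.so
account  required   pam_unix.so use_first_pass
session  required   pam_unix.so
password required   pam_unix.so
"""

# type, control (simple keyword or [value=action ...]), module, arguments
RULE_RE = re.compile(
    r"^-?(auth|account|session|password)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam(text):
    """Return (lineno, type, control, module, args) for every rule line."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        match = RULE_RE.match(line)
        if match:  # blank and non-rule lines are skipped
            mtype, control, module, args = match.groups()
            rules.append((lineno, mtype, control, module, args.split()))
    return rules


def audit_first_pass(text):
    """Flag use_first_pass rules stacked below a `sufficient` rule of the
    same type: they reuse the stored password and never prompt again."""
    findings, sufficient = [], {}
    for lineno, mtype, control, module, args in parse_pam(text):
        if "use_first_pass" in args and mtype in sufficient:
            findings.append((lineno, mtype, module, sufficient[mtype]))
        if control == "sufficient":
            sufficient.setdefault(mtype, module)
    return findings


if __name__ == "__main__":
    for lineno, mtype, module, earlier in audit_first_pass(SAMPLE_SSHD):
        print(f"line {lineno}: {mtype} {module} uses use_first_pass after "
              f"sufficient {earlier}; consider try_first_pass")
```
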
Re: [Samba] Winbindd and SSH (just disconnects after login)
Buchan,

First off, thanks for the reply, it's greatly appreciated. I decided to leave it alone for a day or two and re-visit the configuration and was able to successfully get things working on my first attempt. Here's what I ended up with for my /etc/pam.d/sshd:

auth     required   pam_nologin.so
auth     sufficient /lib/security/pam_winbind.so
auth     required   pam_unix.so use_first_pass shadow
auth     required   pam_env.so
account  sufficient /lib/security/pam_winbind.so
account  required   pam_unix.so use_first_pass
session  sufficient pam_mkhomedir.so skel=/etc/skel umask=0022
session  required   pam_unix.so
session  optional   pam_lastlog.so
session  optional   pam_motd.so
session  optional   pam_mail.so standard noenv
session  required   pam_limits.so
password sufficient /lib/security/pam_winbind.so
password required   pam_unix.so

So you can see that you were correct in regards to use_pass_first. I'm not sure if everything I have in here is necessary, but it appears to be working, so I may tweak things a little to find out exactly what *is* required.

> > account  required   pam_unix.so use_first_pass
>
> You might need try_first_pass here too.

I'll find out today if this is necessary or not.

> openssh's approach to solving the longer delay for a valid user account (account discovery bug) was to give a pam authentication failure first for any connection (as I understand this). So, your use_first_pass is getting a bad password, and you aren't allowing it to prompt for a 2nd attempt.
>
> BTW, you don't see this with public key authentication ... so the default /etc/pam.d/system-auth is broken for ssh too if you use drakauth to setup winbind :-(.

Thanks again,
-=tim
[Samba] Winbindd and SSH (just disconnects after login)
It looks like I've gotten the majority of things working in regards to Winbind. Users are being authenticated by the NT4 PDC when connecting to shares, but I can't seem to get things set up correctly to allow logging in via SSH (OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090702f). It appears as though I'm successfully authenticated by the PDC, but then the connection is immediately closed. (I'm running Mandrake Linux v9.2 and Samba Version 3.0.1pre3.)

[EMAIL PROTECTED] testuser]$ ssh -lTESTDOM.COM\\testuser linuxsmb
[EMAIL PROTECTED]'s password:
Last login: Fri Nov 21 08:40:09 2003 from linuxsmb.TESTDOM.COM
Connection to linuxsmb closed.
[EMAIL PROTECTED] testuser]$ ssh -lTESTDOM.COM\\testuser linuxsmb
[EMAIL PROTECTED]'s password:
Last login: Fri Nov 21 08:40:44 2003 from linuxsmb.TESTDOM.COM
Connection to linuxsmb closed.

Here you can see by the Last Login: that is displayed, that I am being authenticated when I try connecting via ssh 2 times back to back:

Here's a smbclient session being authenticated via the NT PDC:

[EMAIL PROTECTED] testuser]$ smbclient //linuxsmb/testuser -UTESTDOM.COM\\testuser -c 'ls *.txt'
Password:
SSD55287.txt 41401 Fri Nov 7 04:36:57 2003
New Text Document.txt A0 Thu Nov 20 15:08:26 2003

64860 blocks of size 32768. 63759 blocks available

So it appears that things are working ?? When I try connecting via SSH, no dice. *sigh*

Here's a snippet from my /var/log/auth.log

Nov 21 08:34:52 linuxsmb pam_winbind[2842]: request failed: Wrong Password, PAM error was 7, NT error was NT_STATUS_WRONG_PASSWORD
Nov 21 08:34:52 linuxsmb pam_winbind[2842]: user `TESTDOM.COM\testuser' denied access (incorrect password)
Nov 21 08:34:52 linuxsmb sshd(pam_unix)[2842]: check pass; user unknown
Nov 21 08:34:52 linuxsmb sshd(pam_unix)[2842]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=linuxsmb.TESTDOM.COM
Nov 21 08:34:57 linuxsmb pam_winbind[2842]: user 'TESTDOM.COM\testuser' granted acces
Nov 21 08:34:57 linuxsmb pam_winbind[2842]: user 'TESTDOM.COM\testuser' granted acces
Nov 21 08:34:57 linuxsmb sshd[2842]: Accepted password for TESTDOM.COM\\testuser from 198.246.197.240 port 32810 ssh2

/etc/pam.d/sshd

auth     required   pam_nologin.so
auth     sufficient pam_winbind.so
auth     required   pam_unix.so use_first_pass shadow
auth     required   pam_env.so # [1]
account  sufficient pam_winbind.so
account  required   pam_unix.so use_first_pass
session  sufficient pam_mkhomedir.so skel=/etc/skel umask=0022
session  required   pam_unix.so
session  optional   pam_lastlog.so # [1]
session  optional   pam_motd.so # [1]
session  optional   pam_mail.so standard noenv # [1]
session  required   pam_limits.so
password required   pam_unix.so

What am I missing here or doing wrong? Not sure if any other settings are relevant, and hate blasting the list with a bunch of useless/unwanted text.

Any help/suggestions/insight would be greatly appreciated

Best Regards,
-=tim