Re: [Samba] Winbindd and SSH (just disconnects after login)

2003-11-25 Thread Buchan Milne

> Message: 7
> Date: Fri, 21 Nov 2003 09:06:50 -0600
> From: sambalists [EMAIL PROTECTED]
> Subject: [Samba] Winbindd and SSH (just disconnects after login)
> To: [EMAIL PROTECTED]
> Message-ID: [EMAIL PROTECTED]
> Content-Type: text/plain; charset=iso-8859-1
>
> It looks like I've gotten the majority of things working in regards to
> Winbind.  Users are being authenticated by the NT4 PDC when connecting to
> shares, but I can't seem to get things set up correctly to allow
> logging in
> via SSH (OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090702f).  It
> appears as though I'm successfully authenticated by the PDC, but then the
> connection is immediately closed.
>
> (I'm running Mandrake Linux v9.2 and Samba Version 3.0.1pre3.)
>
> [EMAIL PROTECTED] testuser]$ ssh -lTESTDOM.COM\\testuser linuxsmb
> [EMAIL PROTECTED]'s password:
> Last login: Fri Nov 21 08:40:09 2003 from linuxsmb.TESTDOM.COM
> Connection to linuxsmb closed.
> [EMAIL PROTECTED] testuser]$ ssh -lTESTDOM.COM\\testuser linuxsmb
> [EMAIL PROTECTED]'s password:
> Last login: Fri Nov 21 08:40:44 2003 from linuxsmb.TESTDOM.COM
> Connection to linuxsmb closed.
> Here you can see, by the "Last login:" that is displayed, that I am being
> authenticated when I try connecting via ssh 2 times back to back.
>
> Here's a smbclient session being authenticated via the NT PDC:
> [EMAIL PROTECTED] testuser]$ smbclient
> //linuxsmb/testuser -UTESTDOM.COM\\testuser -c 'ls *.txt'
> Password:
>
>   SSD55287.txt                        41401  Fri Nov  7 04:36:57 2003
>   New Text Document.txt             A     0  Thu Nov 20 15:08:26 2003
>
> 64860 blocks of size 32768. 63759 blocks available
>
> So it appears that things are working ??
>
> When I try connecting via SSH, no dice.  *sigh*
>
> Here's a snippet from my /var/log/auth.log
> Nov 21 08:34:52 linuxsmb pam_winbind[2842]: request failed: Wrong
> Password,
> PAM error was 7, NT error was NT_STATUS_WRONG_PASSWORD
> Nov 21 08:34:52 linuxsmb pam_winbind[2842]: user `TESTDOM.COM\testuser'
> denied access (incorrect password)
> Nov 21 08:34:52 linuxsmb sshd(pam_unix)[2842]: check pass; user unknown
> Nov 21 08:34:52 linuxsmb sshd(pam_unix)[2842]: authentication failure;
> logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=linuxsmb.TESTDOM.COM
> Nov 21 08:34:57 linuxsmb pam_winbind[2842]: user 'TESTDOM.COM\testuser'
> granted acces
> Nov 21 08:34:57 linuxsmb pam_winbind[2842]: user 'TESTDOM.COM\testuser'
> granted acces
> Nov 21 08:34:57 linuxsmb sshd[2842]: Accepted password for
> TESTDOM.COM\\testuser from 198.246.197.240 port 32810 ssh2
>
> /etc/pam.d/sshd
> auth       required     pam_nologin.so
> auth       sufficient   pam_winbind.so
> auth       required     pam_unix.so use_first_pass shadow

Change this line to try_first_pass.

> auth       required     pam_env.so # [1]
>
> account    sufficient   pam_winbind.so
> account    required     pam_unix.so use_first_pass

You might need try_first_pass here too.


> session    sufficient   pam_mkhomedir.so skel=/etc/skel umask=0022
> session    required     pam_unix.so
> session    optional     pam_lastlog.so # [1]
> session    optional     pam_motd.so # [1]
> session    optional     pam_mail.so standard noenv # [1]
> session    required     pam_limits.so
>
> password   required     pam_unix.so
>
> What am I missing here or doing wrong?  Not sure if any other settings are
> relevant, and hate blasting the list with a bunch of useless/unwanted
> text.

openssh's approach to solving the longer delay for a valid user account
(account discovery bug) was to give a pam authentication failure first
for any connection (as I understand this). So, your use_first_pass is
getting a bad password, and you aren't allowing it to prompt for a 2nd
attempt.

BTW, you don't see this with public key authentication ... so the
default /etc/pam.d/system-auth is broken for ssh too if you use drakauth
to setup winbind :-(.

Regards,
Buchan

--
|--Another happy Mandrake Club member--|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x202
Stellenbosch Automotive Engineering    http://www.cae.co.za
GPG Key                     http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Winbindd and SSH (just disconnects after login)

2003-11-25 Thread Tim
Buchan,

First off, thanks for the reply, it's greatly appreciated.

I decided to leave it alone for a day or two and re-visit the configuration
and was able to successfully get things working on my first attempt.  Here's
what I ended up with for my /etc/pam.d/sshd:

auth       required     pam_nologin.so
auth       sufficient   /lib/security/pam_winbind.so
auth       required     pam_unix.so use_first_pass shadow
auth       required     pam_env.so

account    sufficient   /lib/security/pam_winbind.so
account    required     pam_unix.so use_first_pass

session    sufficient   pam_mkhomedir.so skel=/etc/skel umask=0022
session    required     pam_unix.so
session    optional     pam_lastlog.so
session    optional     pam_motd.so
session    optional     pam_mail.so standard noenv
session    required     pam_limits.so

password   sufficient   /lib/security/pam_winbind.so
password   required     pam_unix.so

So you can see that you were correct in regards to use_first_pass.  I'm not
sure if everything I have in here is necessary, but it appears to be
working, so I may tweak things a little to find out exactly what *is*
required.

> > account    required     pam_unix.so use_first_pass
>
> You might need try_first_pass here too.

I'll find out today if this is necessary or not.

> openssh's approach to solving the longer delay for a valid user account
> (account discovery bug) was to give a pam authentication failure first
> for any connection (as I understand this). So, your use_first_pass is
> getting a bad password, and you aren't allowing it to prompt for a 2nd
> attempt.
>
> BTW, you don't see this with public key authentication ... so the
> default /etc/pam.d/system-auth is broken for ssh too if you use drakauth
> to setup winbind :-(.

Thanks again,
-=tim

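A check for the use_first_pass point Buchan raises and for the /etc/pam.d/sshd stacks both messages show, written as an added example that is not from this thread or from Samba: it parses a PAM service file, flags pam_unix.so lines carrying use_first_pass that sit after a sufficient pam_winbind.so in the same stack (where a wrong first-pass password is not re-prompted), and rewrites them to try_first_pass. The sample stack below is constructed here to mirror the thread's file; module paths like /lib/security/ are stripped before comparison.

```python
"""Lint a PAM service file for use_first_pass stacked behind pam_winbind."""
import re

# Constructed sample mirroring the sshd stack posted in the thread.
PAM_SSHD_BEFORE = """\
auth       required     pam_nologin.so
auth       sufficient   pam_winbind.so
auth       required     pam_unix.so use_first_pass shadow
auth       required     pam_env.so
account    sufficient   pam_winbind.so
account    required     pam_unix.so use_first_pass
session    required     pam_unix.so
password   required     pam_unix.so
"""


def parse_pam(text):
    """Return (lineno, type, control, module, args) per entry; skip comments/blanks."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 3:          # blank, comment, or malformed line
            continue
        typ, control, module, *args = parts
        entries.append((lineno, typ.lower(), control.lower(), module, args))
    return entries


def lint_first_pass(text):
    """Flag pam_unix.so use_first_pass placed after a sufficient pam_winbind.so."""
    findings = []
    winbind_stacks = set()          # stack types (auth/account/...) with winbind first
    for lineno, typ, control, module, args in parse_pam(text):
        base = module.rsplit("/", 1)[-1]   # /lib/security/pam_winbind.so -> pam_winbind.so
        if base == "pam_winbind.so" and control == "sufficient":
            winbind_stacks.add(typ)
        elif base == "pam_unix.so" and "use_first_pass" in args and typ in winbind_stacks:
            msg = "use_first_pass after sufficient pam_winbind; use try_first_pass"
            findings.append((lineno, typ, msg))
    return findings


def fix_first_pass(text):
    """Return the file with flagged use_first_pass options changed to try_first_pass."""
    flagged = {lineno for lineno, _, _ in lint_first_pass(text)}
    out = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if lineno in flagged:
            raw = re.sub(r"\buse_first_pass\b", "try_first_pass", raw)
        out.append(raw)
    return "\n".join(out) + "\n"
```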
