jchauncey60 (United States of America) asked:

Problems with SSH and ADS authentication

Environment: RedHat Linux RHEL4, Windows 2003 SP1, SAMBA 3

I have SAMBA (winbind) authenticating users from the console against Active Directory.  However, I am unable to get SSHD to authenticate users that are located in ADS.  For local users, those in passwd, sshd lets them right in.

The error I am seeing in /etc/var/messages is:
<date> <node> sshd[pid]: pam_ldap: ldap_search_s Operations error
<date> <node> sshd[pid]: pam_krb5[pid]: error getting information about '<username>'

getent passwd returns the list of users from the domain
getent group returns the list of groups from the domain
wbinfo -u returns the users
wbinfo -g returns the groups
net ads testjoin returns Join is OK

Help...I need to get SSH working.

ygoutham:

Take a look at the authentication used in

/etc/pam.d/sshd

and set it similar to that of samba in the same directory.
jchauncey60 (asker):

/etc/pam.d/sshd
#%PAM-1.0
auth       sufficient   /lib/security/pam_winbind.so
session    required     /lib/security/pam_mkhomedir.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_shells.so
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
/etc/pam.d/samba
#%PAM-1.0
auth       sufficient   /lib/security/pam_winbind.so
session    required     /lib/security/pam_mkhomedir.so
auth       required     pam_nologin.so
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
Message from /var/log/messages
Feb 24 13:11:24 dnocc5010 sshd: pam_ldap: ldap_search_s Operations error
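Added example, not part of the thread: a POSIX shell script that expands both PAM service stacks quoted above, following pam_stack.so service=system-auth into that file, and reports which modules one service stacks that the other does not. The sshd and samba files are constructed samples mirroring the two stacks posted above; the system-auth file is an assumption about what an authconfig-generated stack with LDAP and Kerberos enabled looks like, since the thread never shows it. What it makes visible is that pam_ldap and pam_krb5 (the modules named in the log messages) do not appear in /etc/pam.d/sshd itself but are pulled in through pam_stack, and that the only module sshd's auth stack has that samba's lacks is pam_shells.so.

```shell
#!/bin/sh
# Added example (not the poster's files): expand two PAM service stacks,
# following "pam_stack.so service=<name>" into <name> in the same directory,
# and report which modules one service uses that the other does not.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed samples mirroring the /etc/pam.d/sshd and /etc/pam.d/samba
# stacks quoted in the thread.
cat > "$WORK/sshd" <<'EOF'
#%PAM-1.0
auth       sufficient   /lib/security/pam_winbind.so
session    required     /lib/security/pam_mkhomedir.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_shells.so
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
EOF

cat > "$WORK/samba" <<'EOF'
#%PAM-1.0
auth       sufficient   /lib/security/pam_winbind.so
session    required     /lib/security/pam_mkhomedir.so
auth       required     pam_nologin.so
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
EOF

# Assumed system-auth: the thread never shows it, so this is a guess at what
# authconfig with LDAP and Kerberos enabled would have written on RHEL4.
cat > "$WORK/system-auth" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so likeauth nullok
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_ldap.so
password    sufficient    pam_unix.so nullok use_authtok md5 shadow
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so
session     required      pam_limits.so
session     required      pam_unix.so
session     optional      pam_ldap.so
EOF

# pam_modules FILE TYPE [DEPTH]
# Print the module basenames of one management group (auth, account,
# password or session) in stack order.  A "pam_stack.so service=X" entry is
# replaced by the modules of X from the same directory; DEPTH limits nesting.
pam_modules() {
    if [ "${3:-0}" -ge 4 ]; then
        echo "pam_modules: pam_stack nesting too deep in $1" >&2
        return 1
    fi
    awk -v type="$2" '
        /^[ \t]*#/ || NF < 3 { next }           # comments and blank lines
        $1 != type { next }                     # other management groups
        { n = split($3, p, "/"); mod = p[n] }   # strip /lib/security/ prefix
        mod == "pam_stack.so" {
            for (i = 4; i <= NF; i++)
                if ($i ~ /^service=/) { sub(/^service=/, "", $i); print "@" $i }
            next
        }
        { print mod }
    ' "$1" | while IFS= read -r m; do
        case $m in
            @*) pam_modules "$(dirname "$1")/${m#@}" "$2" $(( ${3:-0} + 1 )) ;;
            *)  printf '%s\n' "$m" ;;
        esac
    done
}

# pam_only_in A B TYPE: modules in A's expanded TYPE stack missing from B's.
pam_only_in() {
    pam_modules "$1" "$3" | sort -u > "$WORK/a.$$"
    pam_modules "$2" "$3" | sort -u > "$WORK/b.$$"
    comm -23 "$WORK/a.$$" "$WORK/b.$$"
}

for t in auth account password session; do
    extra=$(pam_only_in "$WORK/sshd" "$WORK/samba" "$t" | tr '\n' ' ')
    if [ -n "$extra" ]; then
        echo "sshd $t stack has modules samba's does not: $extra"
    fi
done
echo "sshd auth stack with pam_stack expanded:"
pam_modules "$WORK/sshd" auth | sed 's/^/  /'
```

Run against real files by pointing pam_modules at /etc/pam.d/sshd instead of the constructed copy; the parser only understands the classic four-column syntax with pam_stack includes, not bracketed control fields or the newer include/substack keywords.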

ygoutham:

Are you using a separate smbpasswd file or using LDAP authentication?  I am no expert with tweaking PAM, so kindly treat my suggestions with caution.

sshd still seems to be using /lib/security/pam_ldap
jchauncey60 (asker):

I'm new at this also...I am trying to use Active Directory for authentication.  But I would have to agree from the error message that sshd is still looking in LDAP.  Ideas on using a smbpasswd file?  Thanks
ygoutham:

That comes within /etc/samba/smb.conf.

mine for example

##########
# Global parameters
[global]
        workgroup = xxx.com
        netbios name = xxxzzz
        server string = samba server
        # THIS IS THE LINE:
        passdb backend = tdbsam
        username map = /etc/samba/smbusers
        log file = /var/log/samba/smbd.log
        max log size = 50
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
     

#########

You have to manually add users with:

smbpasswd -a <username>

But that would work only for samba and not for the ssh option that you are looking at.

What exactly do you want?  Authenticate users from ADS?  Then home directories?


If you were to let people in from the ADS directory, then they should be mapped to a specific home directory?  Which is more like a NIS or a configuration at /etc/nsswitch.conf.

I am confused here...
jchauncey60 (asker):

Thanks again for your help!  

I have users authenticating from ADS at the console; it works great.  I have created their home directories, with the appropriate permissions.  I need now to have the users authenticate when logging in via ssh, where I would want them to have the same home directory.  Does this make it a little clearer?
jchauncey60 (asker):

Additional information.  From the Linux command line, if I try to add a user that is in ADS, it tells me the user already exists.  So at least from the O/S level it is seeing ADS.  SSHD is just not finding it.
ASKER CERTIFIED SOLUTION by ygoutham (solution text not available on this page)

ygoutham:

Did it work?