Hi!
Maybe someone can help me with the following problem - maybe I'm just too blind to see the issue (after hours and days of trying).
The problem:
I can log in via SSH as an AD user to the machine that is the PDC, but not to a host joined to the domain as a member server.
The scenario:
ARCH-based PDC with samba 4 - PDC
ARCH-based Machine joined domain - MachineA
PAM, nsswitch and winbind settings are the same on both machines.
[xxx@MachineA ~]$ cat /etc/security/pam_winbind.conf
debug=no
debug_state=no
try_first_pass=yes
krb5_auth=yes
krb5_cache_type=FILE
cached_login=yes
silent=no
mkhomedir=yes
warn_pwd_expire=14
[xxx@MachineA ~]$ cat /etc/nsswitch.conf
# Begin /etc/nsswitch.conf
passwd: files winbind
group: files winbind
shadow: files winbind
publickey: files
hosts: files dns wins
networks: files
protocols: files
services: files
ethers: files
rpc: files
netgroup: files
# End /etc/nsswitch.conf
[xxx@MachineA ~]$ cat /etc/pam.d/system-auth
#%PAM-1.0
#auth required pam_unix.so try_first_pass nullok
auth [success=1 default=ignore] pam_localuser.so
auth [success=2 default=die] pam_winbind.so
auth [success=1 default=die] pam_unix.so nullok
auth requisite pam_deny.so
auth optional pam_permit.so
auth required pam_env.so
account sufficient pam_unix.so
account [success=1 default=ignore] pam_localuser.so
account sufficient pam_winbind.so
account optional pam_permit.so
account required pam_time.so
#password required pam_unix.so try_first_pass nullok sha512 shadow
password [success=1 default=ignore] pam_localuser.so
password [success=2 default=die] pam_winbind.so
password [success=1 default=die] pam_unix.so sha512 shadow
password requisite pam_deny.so
password optional pam_permit.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
session required pam_limits.so
session required pam_unix.so
session [success=1 default=ignore] pam_localuser.so
session required pam_winbind.so
session optional pam_permit.so
[xxx@MachineA ~]$ cat /etc/samba/smb.conf
# Global parameters
[global]
workgroup = DOMAIN
security = ADS
realm = DOMAIN.TLD
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
idmap config *:backend = tdb
idmap config *:range = 2000000-2999999
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 3000000-3999999
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
winbind expand groups = 4
winbind normalize names = yes
domain master = no
local master = no
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
winbind separator = +
SSH login on the PDC works for AD users.
[xxx@bla ~]$ ssh ad-user@PDC
[xxx@PDC ~]$ sudo journalctl --unit sshd
Apr 30 17:42:48 PDC sshd[13127]: pam_winbind(sshd:auth): getting password (0x00000000)
Apr 30 17:42:49 PDC sshd[13127]: pam_winbind(sshd:auth): user 'ad-user' granted access
Apr 30 17:42:49 PDC sshd[13127]: pam_winbind(sshd:account): user 'ad-user' granted access
Apr 30 17:42:49 PDC sshd[13127]: Accepted password for ad-user from 192.168.1.198 port 41419 ssh2
Apr 30 17:42:49 PDC sshd[13127]: pam_unix(sshd:session): session opened for user ad-user by (uid=0)
I cannot log in via SSH as an AD user on the second machine (MachineA).
[xxx@bla ~]$ ssh ad-user@PDC
[xxx@MachineA ~]$ sudo journalctl --unit sshd
Apr 30 17:27:35 MachineA sshd[5269]: Invalid user ad-user from 192.168.1.198
Apr 30 17:27:35 MachineA sshd[5269]: input_userauth_request: invalid user ad-user [preauth]
Apr 30 17:27:38 MachineA sshd[5269]: pam_tally(sshd:auth): pam_get_uid; no such user
Apr 30 17:27:38 MachineA sshd[5269]: pam_winbind(sshd:auth): getting password (0x00000000)
Apr 30 17:27:38 MachineA sshd[5269]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
Apr 30 17:27:38 MachineA sshd[5269]: Failed password for invalid user ad-user from 192.168.1.198 port 46455 ssh2
Apr 30 17:27:42 MachineA sshd[5269]: pam_tally(sshd:auth): pam_get_uid; no such user
Apr 30 17:27:42 MachineA sshd[5269]: pam_winbind(sshd:auth): getting password (0x00000000)
Apr 30 17:27:42 MachineA sshd[5269]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
Apr 30 17:27:42 MachineA sshd[5269]: Failed password for invalid user ad-user from 192.168.1.198 port 46455 ssh2
Apr 30 17:27:46 MachineA sshd[5269]: pam_tally(sshd:auth): pam_get_uid; no such user
Apr 30 17:27:46 MachineA sshd[5269]: pam_winbind(sshd:auth): getting password (0x00000000)
Apr 30 17:27:46 MachineA sshd[5269]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
Apr 30 17:27:46 MachineA sshd[5269]: Failed password for invalid user ad-user from 192.168.1.198 port 46455 ssh2
Apr 30 17:27:46 MachineA sshd[5269]: Connection closed by 192.168.1.198 [preauth]
[xxx@bla ~]$ ssh DOMAIN+ad-user@PDC
[xxx@MachineA ~]$ sudo journalctl --unit sshd
Apr 30 17:27:55 MachineA sshd[5277]: pam_winbind(sshd:auth): getting password (0x00000000)
Apr 30 17:27:55 MachineA sshd[5277]: pam_winbind(sshd:auth): user 'DOMAIN+ad-user' granted access
Apr 30 17:27:55 MachineA sshd[5277]: pam_unix(sshd:account): could not identify user (from getpwnam(max))
Apr 30 17:27:55 MachineA sshd[5277]: Failed password for DOMAIN+ad-user from 192.168.1.198 port 46459 ssh2
Apr 30 17:27:55 MachineA sshd[5277]: fatal: Access denied for user DOMAIN+ad-user by PAM account configuration [preauth]
Apr 30 17:28:48 MachineA sshd[5290]: pam_winbind(sshd:auth): getting password (0x00000000)
Apr 30 17:28:49 MachineA sshd[5290]: pam_winbind(sshd:auth): user 'DOMAIN+ad-user' granted access
Apr 30 17:28:49 MachineA sshd[5290]: pam_unix(sshd:account): could not identify user (from getpwnam(max))
Apr 30 17:28:49 MachineA sshd[5290]: Failed password for DOMAIN+ad-user from 192.168.1.198 port 46468 ssh2
Apr 30 17:28:49 MachineA sshd[5290]: fatal: Access denied for user DOMAIN+ad-user by PAM account configuration [preauth]
getent passwd returns all local users but no AD users on the PDC, but it returns correct values if I query an AD user.
[xxx@PDC ~]$ sudo getent passwd
[sudo] password for xxx:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/usr/bin/nologin
daemon:x:2:2:daemon:/:/usr/bin/nologin
mail:x:8:12:mail:/var/spool/mail:/usr/bin/nologin
ftp:x:14:11:ftp:/srv/ftp:/usr/bin/nologin
http:x:33:33:http:/srv/http:/usr/bin/nologin
uuidd:x:68:68:uuidd:/:/usr/bin/nologin
dbus:x:81:81:dbus:/:/usr/bin/nologin
nobody:x:99:99:nobody:/:/usr/bin/nologin
systemd-journal-gateway:x:191:191:systemd-journal-gateway:/:/usr/bin/nologin
systemd-timesync:x:192:192:systemd-timesync:/:/usr/bin/nologin
systemd-network:x:193:193:systemd-network:/:/usr/bin/nologin
systemd-bus-proxy:x:194:194:systemd-bus-proxy:/:/usr/bin/nologin
systemd-resolve:x:195:195:systemd-resolve:/:/usr/bin/nologin
systemd-journal-remote:x:999:999:systemd Journal Remote:/:/sbin/nologin
systemd-journal-upload:x:998:998:systemd Journal Upload:/:/sbin/nologin
xxx:x:1000:1000::/home/xxx:/bin/bash
git:x:997:997:git daemon user:/:/bin/bash
polkitd:x:102:102:Policy Kit Daemon:/:/bin/false
ntp:x:87:87:Network Time Protocol:/var/lib/ntp:/bin/false
named:x:40:40:BIND DNS Server:/var/named:/sbin/nologin
ldap:x:439:439:LDAP Server:/var/lib/openldap:/sbin/nologin
avahi:x:84:84:avahi:/:/bin/false
munin:x:996:996:Munin system monitor:/var/lib/munin:/bin/false
mysql:x:89:89::/var/lib/mysql:/bin/false
[xxx@PDC ~]$ sudo getent passwd ad-user
ad-user:*:3000010:3000000:Full Name:/home/DOMAIN/ad-user:/bin/bash
On MachineA, getent passwd returns all local and AD users; to query an AD user I have to add the domain.
[xxx@MachineA ~]$ sudo getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/usr/bin/nologin
daemon:x:2:2:daemon:/:/usr/bin/nologin
mail:x:8:12:mail:/var/spool/mail:/usr/bin/nologin
ftp:x:14:11:ftp:/srv/ftp:/usr/bin/nologin
http:x:33:33:http:/srv/http:/usr/bin/nologin
uuidd:x:68:68:uuidd:/:/usr/bin/nologin
dbus:x:81:81:dbus:/:/usr/bin/nologin
nobody:x:99:99:nobody:/:/usr/bin/nologin
systemd-journal-gateway:x:191:191:systemd-journal-gateway:/:/usr/bin/nologin
systemd-timesync:x:192:192:systemd-timesync:/:/usr/bin/nologin
systemd-network:x:193:193:systemd-network:/:/usr/bin/nologin
systemd-bus-proxy:x:194:194:systemd-bus-proxy:/:/usr/bin/nologin
systemd-resolve:x:195:195:systemd-resolve:/:/usr/bin/nologin
systemd-journal-remote:x:998:998:systemd Journal Remote:/:/sbin/nologin
systemd-journal-upload:x:999:999:systemd Journal Upload:/:/sbin/nologin
xxx:x:1000:1000::/home/xxx:/bin/bash
nvidia-persistenced:x:143:143:NVIDIA Persistence Daemon:/:/sbin/nologin
avahi:x:84:84:avahi:/:/bin/nologin
munin:x:997:997:Munin system monitor:/var/lib/munin:/bin/false
ad-user:*:3000010:3000000:Full Name:/home/DOMAIN/ad-user:/bin/bash
[xxx@MachineA ~]$ sudo getent passwd ad-user
[xxx@MachineA ~]$ sudo getent passwd DOMAIN+ad-user
ad-user:*:3000010:3000000:Full Name:/home/DOMAIN/ad-user:/bin/bash
Has anyone fought with a similar issue and has some tips for me?
P.S.: Local login or su brings the message "User not known to the underlying authentication module".
Last edited by mober (2015-05-06 18:02:34)
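The journal excerpts above show three different outcomes that look alike at first glance: a login that is accepted, a name that sshd cannot resolve through NSS (the "Invalid user" case, which sshd treats as invalid no matter what pam_winbind says afterwards), and a password that pam_winbind accepts but the account phase then denies. The following Python triage script is an added example, not code from the thread; its sample lines are constructed copies of the excerpts quoted above, and the phase and outcome labels are the script's own vocabulary rather than PAM's.

```python
"""Sort sshd/PAM journal lines into one summary per sshd process.

Added example, not part of the forum thread.  SAMPLE below is constructed
to mirror the journalctl excerpts quoted in the post.
"""
import re
from collections import OrderedDict

# "Apr 30 17:42:48 PDC sshd[13127]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# "pam_winbind(sshd:auth): <detail>"
PAM_RE = re.compile(r"^(?P<module>pam_\w+)\(sshd:(?P<phase>\w+)\): (?P<detail>.*)$")

SAMPLE = [  # constructed from the excerpts in the post
    "Apr 30 17:42:48 PDC sshd[13127]: pam_winbind(sshd:auth): getting password (0x00000000)",
    "Apr 30 17:42:49 PDC sshd[13127]: pam_winbind(sshd:auth): user 'ad-user' granted access",
    "Apr 30 17:42:49 PDC sshd[13127]: pam_winbind(sshd:account): user 'ad-user' granted access",
    "Apr 30 17:42:49 PDC sshd[13127]: Accepted password for ad-user from 192.168.1.198 port 41419 ssh2",
    "Apr 30 17:27:35 MachineA sshd[5269]: Invalid user ad-user from 192.168.1.198",
    "Apr 30 17:27:38 MachineA sshd[5269]: pam_winbind(sshd:auth): request wbcLogonUser failed: "
    "WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, "
    "Error message was: No such user",
    "Apr 30 17:27:38 MachineA sshd[5269]: Failed password for invalid user ad-user from 192.168.1.198 port 46455 ssh2",
    "Apr 30 17:27:55 MachineA sshd[5277]: pam_winbind(sshd:auth): user 'DOMAIN+ad-user' granted access",
    "Apr 30 17:27:55 MachineA sshd[5277]: pam_unix(sshd:account): could not identify user (from getpwnam(max))",
    "Apr 30 17:27:55 MachineA sshd[5277]: fatal: Access denied for user DOMAIN+ad-user by PAM account configuration [preauth]",
]

def parse_line(line):
    """Split one journal line into its fields; None if it is not an sshd line."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    pam = PAM_RE.match(rec["msg"])
    rec["module"] = pam.group("module") if pam else None
    rec["phase"] = pam.group("phase") if pam else None
    rec["detail"] = pam.group("detail") if pam else rec["msg"]
    return rec

def classify(rec):
    """Map a parsed line to (phase, outcome); None for lines that carry no decision."""
    msg, phase, detail = rec["msg"], rec["phase"], rec["detail"]
    if msg.startswith("Invalid user "):
        return ("lookup", "unknown-to-nss")      # sshd's own NSS lookup failed before PAM
    if phase and "granted access" in detail:
        return (phase, "granted")
    if phase and "failed:" in detail:
        code = re.search(r"NTSTATUS: (\w+)", detail)
        return (phase, code.group(1) if code else "failed")
    if phase == "account" and "could not identify user" in detail:
        return ("account", "unknown-to-" + rec["module"])
    if msg.startswith("Accepted "):
        return ("sshd", "accepted")
    if "by PAM account configuration" in msg:
        return ("sshd", "denied-by-account")
    if msg.startswith("Failed password"):
        return ("sshd", "failed-password")
    return None

def triage(lines):
    """Return {(host, pid): {phase: outcome}}.  The first outcome per PAM phase is
    kept; for the 'sshd' verdict, accepted/denied overrides a plain failed-password."""
    sessions = OrderedDict()
    for line in lines:
        rec = parse_line(line)
        cls = classify(rec) if rec else None
        if cls is None:
            continue
        phase, outcome = cls
        s = sessions.setdefault((rec["host"], rec["pid"]), {})
        if phase == "sshd":
            if outcome != "failed-password" or "sshd" not in s:
                s["sshd"] = outcome
        else:
            s.setdefault(phase, outcome)
    return sessions

def explain(s):
    """One-line reading of a session summary."""
    if s.get("sshd") == "accepted":
        return "login succeeded"
    if s.get("lookup") == "unknown-to-nss":
        return "name not resolvable through NSS; sshd treats the login as invalid regardless of PAM auth"
    if s.get("auth") == "granted" and s.get("sshd") == "denied-by-account":
        return "password accepted, account phase denied (" + s.get("account", "?") + ")"
    return "login failed"

if __name__ == "__main__":
    for key, summary in triage(SAMPLE).items():
        print(key, summary, "=>", explain(summary))
```

Feeding it `journalctl --unit sshd --no-pager` output instead of SAMPLE separates "the name was never resolvable" from "the password was fine but the account phase said no", which is the distinction the two MachineA attempts above turn on.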
I think you have to authenticate against the PDC to be able to use the Member Server. It seems to me that member servers can be promoted to PDC if the PDC goes down. I haven't kept up with the AD system, and apparently it takes more to manage than the AD system is supposed to automatically provide.
Last edited by nomorewindows (2015-04-30 16:18:40)
I may have to CONSOLE you about your usage of ridiculously easy graphical interfaces...
Look ma, no mouse.
I was able to solve the issue by using sssd instead of winbind.
This bug report gave me the idea to try out sssd: https://bugzilla.samba.org/show_bug.cgi?id=9780#c8
With the help of these sites I was able to set up my configuration:
https://help.ubuntu.com/lts/serverguide/sssd-ad.html
https://wiki.samba.org/index.php/Local_ … ation/sssd
https://wiki.archlinux.org/index.php/LD … _with_SSSD
http://serverfault.com/questions/631657 … -directory
What does my setup look like now?
First I installed sssd. I added /etc/sssd/sssd.conf (see below), and adapted /etc/nsswitch.conf and /etc/pam.d/system-auth. I also exported a keytab for MachineA from the PDC. Then I started and enabled sssd.service.
samba-tool domain exportkeytab /tmp/krb5.sssd.keytab --principal=MachineA$
#/etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = DOMAIN
[nss]
[pam]
[domain/DOMAIN]
# Using id_provider=ad sets the best defaults on its own
id_provider = ad
# In sssd, the default access provider is always 'permit'. The AD access
# provider by default checks for account expiration
access_provider = ad
# Uncomment to use POSIX attributes on the server
ldap_id_mapping = false
# Uncomment if the client machine hostname doesn't match the computer object on the DC.
# ad_hostname = dc1.samdom.example.com
# Uncomment if DNS SRV resolution is not working
# ad_server = dc1.samdom.example.com
# Uncomment if the domain section is named differently than your Samba domain
# ad_domain = samdom.example.com
# Enumeration is discouraged for performance reasons.
enumerate = true
# location of the keytab
krb5_keytab=/etc/krb5.sssd.keytab
#/etc/nsswitch.conf
# Begin /etc/nsswitch.conf
passwd: files sss
group: files sss
shadow: files sss
publickey: files
hosts: files dns wins
networks: files
protocols: files
services: files
ethers: files
rpc: files
netgroup: files
# End /etc/nsswitch.conf
#/etc/pam.d/system-auth
#%PAM-1.0
auth sufficient pam_sss.so
auth required pam_unix.so try_first_pass nullok
auth optional pam_permit.so
auth required pam_env.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_unix.so
account optional pam_permit.so
account required pam_time.so
password sufficient pam_sss.so use_authtok
password required pam_unix.so try_first_pass nullok sha512 shadow
password optional pam_permit.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
session required pam_limits.so
session required pam_unix.so
session optional pam_sss.so
session optional pam_permit.so
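The two system-auth files in this thread (the winbind one in the first post and the sssd one above) use the bracketed control syntax, and reading a stack like that by eye is error-prone. The following Python stack walker is an added example, not code from the thread or from Linux-PAM: it parses the keyword and `[value=action ...]` control fields as pam.conf(5) documents them and evaluates a management group against assumed module return codes, so the trace shows which line decides. The stacks are copied from the two posts; the return-code scenarios are constructed assumptions (pam_localuser returning perm_denied for a non-local user, pam_unix succeeding in the sssd stack for a user NSS can resolve). One result worth noticing: in the winbind account stack, a user that neither pam_unix nor pam_winbind recognises still passes the account phase, because both of those lines are `sufficient` (failure ignored) and `optional pam_permit.so` is then the first module to contribute a result; in the sssd stack the `required pam_unix.so` line records the failure before pam_permit runs, so the same user is denied.

```python
"""Walk a Linux-PAM stack the way pam.conf(5) describes it.

Added example, not code from the forum thread or from Linux-PAM.  The stack
texts are copied from the thread; the return-code scenarios are assumptions.
"""
import re

# Keyword controls as pam.conf(5) expands them.
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)")

WINBIND_STACK = """   # first post, /etc/pam.d/system-auth (auth and account groups)
auth [success=1 default=ignore] pam_localuser.so
auth [success=2 default=die] pam_winbind.so
auth [success=1 default=die] pam_unix.so nullok
auth requisite pam_deny.so
auth optional pam_permit.so
auth required pam_env.so
account sufficient pam_unix.so
account [success=1 default=ignore] pam_localuser.so
account sufficient pam_winbind.so
account optional pam_permit.so
account required pam_time.so
"""
SSSD_STACK = """   # this post, account group
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_unix.so
account optional pam_permit.so
account required pam_time.so
"""

def parse_stack(text, group):
    """Return [(module, control)] for one management group (auth, account, ...)."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if line.startswith("#") or not m or m.group(1) != group:
            continue
        ctl = m.group(2)
        control = (dict(tok.split("=", 1) for tok in ctl[1:-1].split())
                   if ctl.startswith("[") else KEYWORDS[ctl])
        stack.append((m.group(3), control))
    return stack

def evaluate(stack, returns):
    """Return (result, trace).  `returns` maps module -> return value name
    ('success', 'user_unknown', 'perm_denied', ...); unlisted modules succeed."""
    impression = status = None      # None = undefined, 'positive' or 'negative'
    skip, trace = 0, []
    for module, control in stack:
        if skip:                    # consumed by a preceding N (jump) action
            skip -= 1
            trace.append(f"{module}: skipped by jump")
            continue
        retval = returns.get(module, "success")
        action = control.get(retval, control.get("default", "bad"))
        trace.append(f"{module} returned {retval} -> {action}")
        if action == "ignore":
            continue
        if action == "reset":
            impression = status = None
            continue
        if action in ("bad", "die"):
            if impression != "negative":        # first failure sets the result
                impression, status = "negative", retval
            if action == "die":
                break
            continue
        # 'ok', 'done', or a jump count N (which behaves like ok)
        if action.isdigit():
            skip = int(action)
        if retval != "ignore" and (impression is None or
                                   (impression == "positive" and status == "success")):
            impression, status = "positive", retval
        if action == "done" and impression == "positive":
            break
    # no module contributed -> Linux-PAM returns PAM_PERM_DENIED
    return (status if impression else "perm_denied"), trace

if __name__ == "__main__":
    acct = parse_stack(WINBIND_STACK, "account")
    unknown = {"pam_unix.so": "user_unknown", "pam_localuser.so": "perm_denied",
               "pam_winbind.so": "user_unknown"}
    print("winbind account, unknown user:", evaluate(acct, unknown))
    sss_acct = parse_stack(SSSD_STACK, "account")
    print("sssd account, unknown user:",
          evaluate(sss_acct, {"pam_sss.so": "user_unknown", "pam_unix.so": "user_unknown"}))
```

The auth group of the winbind stack is also instructive to run: for a domain user, pam_winbind's `success=2` jumps over both pam_unix and pam_deny, and a `user_unknown` return from pam_winbind (the PAM_USER_UNKNOWN seen in the MachineA log) hits `default=die` and ends the stack immediately.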
Haven't even heard of sssd. Be sure to mark as solved.