[OpenIndiana-discuss] AD Authentication and Samba 4 Active Directory

Ben Taylor bentaylor.solx86 at gmail.com
Wed Oct 1 19:23:37 UTC 2014


According to a similar ticket I had opened with Oracle, when passwordless
ssh key logins stopped working on Solaris 10 hosts, after we migrated from
DSEE to AD, they suggested the following:

Example pam_conf file for pam_ldap Configured for Account Management

Note – Previously, if you enabled pam_ldap account management, all users
needed to provide a login password for authentication any time they logged
in to the system. Therefore, nonpassword-based logins using tools such as
rsh, rlogin, or ssh would fail. Now, however, pam_ldap(5), when used with
Sun Java System Directory Servers DS5.2p4 and newer releases, enables users
to log in with rsh, rlogin, rcp and ssh without giving a password.
pam_ldap(5) is now modified to perform account management and retrieve the
account status of users without authenticating to Directory Server as the
user logging in. The new control to this on Directory Server is
1.3.6.1.4.1.42.2.27.9.5.8, which is enabled by default. To modify this
control for other than default, add Access Control Instructions (ACI) on
Directory Server:


The AD is missing the control to validate the user account. That is why all
the ssh passwordless logins are not working.
We need to reconfigure the pam.conf to make use of the pam_unix module instead
of pam_ldap (pam_ldap requires the above control).

The system is configured for pam_ldap, so we need to change the config to the
pam_unix or pam_krb5 module.

Hope this might shed some light.

Ben


On Fri, Sep 19, 2014 at 7:32 AM, Jim Klimov <jimklimov at cos.ru> wrote:

> On 17 September 2014 at 16:37:02 CEST, Andrew Martin <amartin at xes-inc.com>
> writes:
> >----- Original Message -----
> >> From: "Marc Jakob" <marc at planet-sun.net>
> >> To: "Discussion list for OpenIndiana" <openindiana-discuss at openindiana.org>
> >> Sent: Wednesday, September 17, 2014 6:10:01 AM
> >> Subject: Re: [OpenIndiana-discuss] AD Authentication and Samba 4 Active Directory
> >>
> >> Hi Andrew,
> >>
> >> did you put the following in nsswitch.conf:
> >>
> >> passwd:     files ad
> >> group:      files ad
> >>
> >> Having joined my samba4 AD controller, ssh login works using PuTTY and
> >> GSSAPI login (Kerberos token from AD login) using my Windows user name,
> >> which has to exist in passwd, or you use LDAP client bindings to retrieve
> >> shell and so on.
> >
> >Hi Marc,
> >
> >Yes, I have my nsswitch.conf configured as follows:
> >passwd:     files ldap
> >group:      files ldap
> >
> >
> >getent passwd <user-in-ad> returns the expected information:
> >aduser:x:10000:10004:aduser:/home/aduser:/bin/sh
> >
> >Moreover, I added the exact lines to /etc/pam.conf as detailed here:
> >http://wiki.openindiana.org/oi/Kerberos+and+LDAP#KerberosandLDAP-PAM
> >
> >When running an sshd instance in debug mode, I am still denied:
> >debug2: input_userauth_request: try method keyboard-interactive
> >debug1: keyboard-interactive devs
> >debug2: Starting PAM service sshd-kbdint for method keyboard-interactive
> >debug2: Calling pam_authenticate()
> >debug2: PAM echo off prompt: Password:
> >debug2: Nesting dispatch_run loop
> >debug1: got 1 responses
> >debug2: Nested dispatch_run loop exited
> >debug1: PAM conv function returns PAM_SUCCESS
> >Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed
> >
> >What else should I try?
> >
> >Thanks,
> >
> >Andrew
> >
> >_______________________________________________
> >openindiana-discuss mailing list
> >openindiana-discuss at openindiana.org
> >http://openindiana.org/mailman/listinfo/openindiana-discuss
>
> Disclaimer: I did not integrate like this, but there is a literal
> discrepancy here: Andrew's snippet does not include "ad", which might be the
> module responsible for GSSAPI login processing, I might guess.
>
> Try
> passwd: files ldap ad
> group: files ldap ad
>
> And see if it helps? Maybe in some other order like 'files ad ldap', etc.
> Google for modifiers like [NOTFOUND=continue] which might also help unite
> disparate userbases.
>
> HTH, Jim
> --
> Typos courtesy of K-9 Mail on my Samsung Android
>
>
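As an added example, not part of any message in this thread: a small POSIX sh audit that flags account-management entries in a Solaris-style pam.conf which still go through pam_ldap.so.1, the combination Ben's post says fails for passwordless ssh against AD because the Directory Server control is missing, and shows the pam_unix_account-only stack he recommends beside it. The sample pam.conf contents are constructed here (modelled on the pam_ldap(5) man page example), and the sshd-kbdint service entry is hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: find account-type pam.conf entries that
# depend on pam_ldap.so.1. Per the post above, pam_ldap account management
# needs a Directory Server control that AD lacks, so key/GSSAPI ssh logins
# fail until the account stack uses pam_unix_account (or pam_krb5) instead.

# Constructed sample, modelled on the pam_ldap(5) example; the sshd-kbdint
# line is hypothetical and only shows that per-service stacks are covered.
SAMPLE_PAM_CONF=$(mktemp)
cat >"$SAMPLE_PAM_CONF" <<'EOF'
# Authentication management
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth binding            pam_unix_auth.so.1 server_policy
other   auth required           pam_ldap.so.1
# Account management
other   account requisite       pam_roles.so.1
other   account binding         pam_unix_account.so.1 server_policy
other   account required        pam_ldap.so.1
sshd-kbdint account required    pam_ldap.so.1
EOF

# The account stack rewritten as the post suggests: pam_unix_account only
# (pam_krb5.so.1 would be the Kerberos alternative against AD). Constructed.
FIXED_PAM_CONF=$(mktemp)
cat >"$FIXED_PAM_CONF" <<'EOF'
other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1
EOF
trap 'rm -f "$SAMPLE_PAM_CONF" "$FIXED_PAM_CONF"' EXIT

# Print "service module" for every account-type entry whose module is pam_ldap.
# pam.conf fields: service type control_flag module_path [options]; comment and
# blank lines are skipped, and a full module path still matches.
ldap_account_entries() {
    awk '$1 !~ /^#/ && NF >= 4 && $2 == "account" && $4 ~ /pam_ldap\.so/ {
             print $1, $4 }' "$1"
}

# Exit status 0 when at least one account stack depends on pam_ldap.
account_stack_uses_pam_ldap() {
    [ -n "$(ldap_account_entries "$1")" ]
}

if account_stack_uses_pam_ldap "$SAMPLE_PAM_CONF"; then
    echo "pam_ldap account management in use (service module):"
    ldap_account_entries "$SAMPLE_PAM_CONF"
fi
```

Point the functions at /etc/pam.conf on a real host to get the same report; the auth-type pam_ldap entry is deliberately not flagged, since the post's point is the account stack.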

