[OpenIndiana-discuss] AD Authentication and Samba 4 Active Directory

Marc Jakob marc at planet-sun.net
Wed Sep 17 17:30:43 UTC 2014


On 17.09.2014, at 16:37, Andrew Martin <amartin at xes-inc.com> wrote:

> ----- Original Message -----
>> From: "Marc Jakob" <marc at planet-sun.net>
>> To: "Discussion list for OpenIndiana" <openindiana-discuss at openindiana.org>
>> Sent: Wednesday, September 17, 2014 6:10:01 AM
>> Subject: Re: [OpenIndiana-discuss] AD Authentication and Samba 4 Active Directory
>> 
>> Hi Andrew,
>> 
>> did you put the following in nsswitch.conf:
>> 
>> passwd:     files ad
>> group:      files ad
>> 
>> having joined to my samba4 AD controller ssh login works using putty and
>> GSSAPI login (Kerberos token from AD login) using my windows user name -
>> which has to exist in passwd or you use ldap client bindings to retrieve
>> shell and so on.
> 
> Hi Marc,
> 
> Yes, I have my nsswitch.conf configured as follows:
> passwd:     files ldap
> group:      files ldap
> 
> 
> getent passwd <user-in-ad> returns the expected information:
> aduser:x:10000:10004:aduser:/home/aduser:/bin/sh
> 
> Moreover, I added the exact lines to /etc/pam.conf as detailed here:
> http://wiki.openindiana.org/oi/Kerberos+and+LDAP#KerberosandLDAP-PAM
> 
> When running an sshd instance in debug mode, I am still denied:
> debug2: input_userauth_request: try method keyboard-interactive
> debug1: keyboard-interactive devs
> debug2: Starting PAM service sshd-kbdint for method keyboard-interactive
> debug2: Calling pam_authenticate()
> debug2: PAM echo off prompt: Password:
> debug2: Nesting dispatch_run loop
> debug1: got 1 responses
> debug2: Nested dispatch_run loop exited
> debug1: PAM conv function returns PAM_SUCCESS
> Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed
> 
> What else should I try?
> 
> Thanks,
> 
> Andrew

I don’t use LDAP as a backend for users, so I don’t really know what could be the issue.

If you connect using ssh in verbose mode (after getting a Kerberos ticket using kinit), what does the log say?

Kind regards,

marc