[OpenIndiana-discuss] AD Authentication and Samba 4 Active Directory

Marc Jakob marc at planet-sun.net
Thu Sep 18 11:07:49 UTC 2014



> On 17.09.2014 at 22:23, Andrew Martin <amartin at xes-inc.com> wrote:
> 
> ----- Original Message -----
>> From: "Marc Jakob" <marc at planet-sun.net>
>> To: "Discussion list for OpenIndiana" <openindiana-discuss at openindiana.org>
>> Sent: Wednesday, September 17, 2014 12:30:43 PM
>> Subject: Re: [OpenIndiana-discuss] AD Authentication and Samba 4 Active Directory
>> 
>> I don't use LDAP as backend for users, so I don't really know what could be
>> the issue.
>> 
>> If you connect using ssh in verbose mode (after getting a kerberos ticket
>> using kinit), what does the log say?
> 
> Getting a kerberos ticket works:
> [root at server:~]# kinit aduser
> Password for aduser at TEST.LOCAL: 
> [root at server:~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: aduser at TEST.LOCAL
> 
> Valid starting               Expires               Service principal
> 17/09/2014 13:36  17/09/2014 23:36  krbtgt/TEST.LOCAL at TEST.LOCAL
>        renew until 24/09/2014 13:36
> 
> I then set up a separate ssh daemon listening on port 222 in debug mode:
> sshd -ddd -p 222 -f /tmp/sshd_config
> 
> And tried to connect from the client using -vvv. 
> 
> Server output:
> debug1: userauth-request for user aduser service ssh-connection method keyboard-interactive
> debug1: attempt 2 initial attempt 0 failures 2 initial failures 0
> debug2: input_userauth_request: try method keyboard-interactive
> debug1: keyboard-interactive devs
> debug2: Starting PAM service sshd-kbdint for method keyboard-interactive
> debug2: Calling pam_authenticate()
> debug2: PAM echo off prompt: Password:
> debug2: Nesting dispatch_run loop
> debug1: got 1 responses
> debug2: Nested dispatch_run loop exited
> debug1: PAM conv function returns PAM_SUCCESS
> Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed
> Failed keyboard-interactive for aduser from 192.168.1.2 port 44390 ssh2
> debug1: userauth-request for user aduser service ssh-connection method keyboard-interactive
> debug1: attempt 3 initial attempt 1 failures 3 initial failures 1
> debug2: input_userauth_request: try method keyboard-interactive
> debug1: keyboard-interactive devs
> debug2: Starting PAM service sshd-kbdint for method keyboard-interactive
> debug2: Calling pam_authenticate()
> debug2: PAM echo off prompt: Password:
> debug2: Nesting dispatch_run loop
> 
> Client output:
> debug1: Next authentication method: keyboard-interactive
> debug2: userauth_kbdint
> debug2: we sent a keyboard-interactive packet, wait for reply
> debug2: input_userauth_info_req
> debug2: input_userauth_info_req: num_prompts 1
> Password:
> debug3: packet_send2: adding 32 (len 23 padlen 9 extra_pad 64)
> debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive
> debug3: start over, passed a different list gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive
> debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
> debug3: authmethod_lookup gssapi-keyex
> debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
> debug3: authmethod_lookup gssapi-with-mic
> debug3: remaining preferred: publickey,keyboard-interactive,password
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_lookup keyboard-interactive
> debug3: remaining preferred: password
> debug3: authmethod_is_enabled keyboard-interactive
> 
> This makes me think that something is mis-configured in pam.conf since PAM reports
> an authentication failure. 
> 
> Thanks,
> 
> Andrew
> 

For me it looks like Kerberos is not in use. Do you have the possibility to connect using a Windows client integrated in Active Directory using PuTTY with GSSAPI auth enabled? As far as I remember, you have to change some config options in the sshd/client config... But I'm not sure which.

Also the server log message "Failed keyboard-interactive for aduser" sounds a little strange to me.

Kind regards,

Marc
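The thread's diagnosis rests on reading two debug streams side by side: the `sshd -ddd` output shows PAM rejecting the password under the `sshd-kbdint` service, while the `ssh -vvv` output shows the server offering `gssapi-with-mic` but the client settling on `keyboard-interactive`, which is why the reply above concludes that the Kerberos ticket is not being used. The Python script below is an added example (not code from the thread or from OpenIndiana/OpenSSH) that automates that reading: it parses the lines quoted in the thread, plus a constructed client log of what a working GSSAPI login looks like, and reports which methods were offered, tried and failed. The `Authentication succeeded (...)` line is assumed from OpenSSH's client output and does not appear in the thread; the option name `GSSAPIAuthentication` mentioned in the finding is the standard OpenSSH setting.

```python
import re

# Constructed sample input: the sshd -ddd lines quoted in the thread,
# trimmed to what the analysis needs.
SERVER_LOG = """\
debug1: userauth-request for user aduser service ssh-connection method keyboard-interactive
debug2: Starting PAM service sshd-kbdint for method keyboard-interactive
debug2: Calling pam_authenticate()
debug1: PAM conv function returns PAM_SUCCESS
Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed
Failed keyboard-interactive for aduser from 192.168.1.2 port 44390 ssh2
debug1: userauth-request for user aduser service ssh-connection method keyboard-interactive
debug2: Starting PAM service sshd-kbdint for method keyboard-interactive
"""

# Constructed sample input: the ssh -vvv lines quoted in the thread.
CLIENT_LOG_FAILING = """\
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: authmethod_is_enabled keyboard-interactive
"""

# Constructed sample of a working GSSAPI login in OpenSSH client debug output
# (assumed message format; not taken from the thread).
CLIENT_LOG_WORKING = """\
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Authentication succeeded (gssapi-with-mic).
"""

OFFERED_RE = re.compile(r"Authentications that can continue: (\S+)")
NEXT_RE = re.compile(r"Next authentication method: (\S+)")
SUCCESS_RE = re.compile(r"Authentication succeeded \((\S+)\)")
FAILED_RE = re.compile(r"^Failed (\S+) for (\S+) from (\S+) port (\d+)")
PAM_RE = re.compile(r"Starting PAM service (\S+) for method (\S+)")


def analyze(server_log, client_log):
    """Summarise which SSH auth methods were offered, tried, and rejected."""
    offered = set()      # methods the server advertised to the client
    tried = []           # methods the client actually selected, in order
    succeeded = None     # method that completed the login, if any
    for line in client_log.splitlines():
        m = OFFERED_RE.search(line)
        if m:
            offered.update(m.group(1).split(","))
            continue
        m = NEXT_RE.search(line)
        if m:
            tried.append(m.group(1))
            continue
        m = SUCCESS_RE.search(line)
        if m:
            succeeded = m.group(1)

    failures = []        # (method, user, source ip) per server-side rejection
    pam_services = set() # PAM service names sshd used (e.g. sshd-kbdint)
    for line in server_log.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures.append((m.group(1), m.group(2), m.group(3)))
            continue
        m = PAM_RE.search(line)
        if m:
            pam_services.add(m.group(1))

    findings = []
    gssapi_offered = any(x.startswith("gssapi") for x in offered)
    gssapi_tried = any(x.startswith("gssapi") for x in tried)
    if succeeded and succeeded.startswith("gssapi"):
        findings.append("login used the Kerberos ticket (%s)" % succeeded)
    elif gssapi_offered and not gssapi_tried:
        findings.append("server offers GSSAPI but the client never tried it in this "
                        "excerpt; check GSSAPIAuthentication on both sides")
    if any(method == "keyboard-interactive" for method, _, _ in failures):
        findings.append("PAM rejected the password for keyboard-interactive; "
                        "review the %s stack in pam.conf" % ", ".join(sorted(pam_services)))
    return {
        "offered": sorted(offered),
        "tried": tried,
        "succeeded": succeeded,
        "failures": failures,
        "pam_services": sorted(pam_services),
        "findings": findings,
    }


if __name__ == "__main__":
    print("failing:", analyze(SERVER_LOG, CLIENT_LOG_FAILING)["findings"])
    print("working:", analyze("", CLIENT_LOG_WORKING)["findings"])
```

The split into "offered", "tried" and "succeeded" is deliberate: the offered list proves the server is willing to do GSSAPI, the tried list shows whether the client ever attempted it, and only the success line proves the ticket was consumed. A valid `klist` output on its own, as in the thread, says nothing about which of these stages is failing.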

