Hello Louis,

> 1) $ cat /etc/hosts
>> 127.0.0.1 localhost
> You did setup with DHCP, so you remove 127.0.1.1 sambawb, is possible,
> but better is.

This is because https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member tells: "On debian related systems you will see 127.0.1.1 hostname also in /etc/hosts remove it before you install samba."

> 172.16.0.209 sambawb.work.company sambawb

I had it in /etc/hosts before and removed it following wiki.samba.org. I will put it back.

> ( recommended turn of dhcp, use static ips for the servers )

I will think about it. But just to be clear: what exactly do you mean with 'server'? My debian machines are only 'domain members' and are not providing any shares or printers to the network. I think 'server' is samba terminology meaning that it is providing services e.g. to PAM on the local machine. Right?

> 2) Setup and enable the username map.
> username map = /etc/samba/samba_usermapping
> ( needs content : !root = WORK\Administrator WORK\administrator )

It's changed.

> # Now here it's interesting, this tells me something.
>> Jun 07 21:33:18 sambawb sshd[502]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.0.1 user=domainuser
> ^^ Guessing, also correctly rejected, if you did not give root a password at install or your sshd_config has : PermitRootLogin no (or without-password)
> Most interesting part.
>> Jun 07 21:33:18 sambawb sshd[502]: pam_winbind(sshd:auth): getting password (0x00000388)
>> Jun 07 21:33:18 sambawb sshd[502]: pam_winbind(sshd:auth): pam_get_item returned a password
>> Jun 07 21:33:19 sambawb sshd[502]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS_LOGON_FAILURE, Error message was: Logon failure
>> Jun 07 21:33:19 sambawb sshd[502]: pam_winbind(sshd:auth): user 'domainuser' denied access (incorrect password or invalid membership)
>> Jun 07 21:33:20 sambawb sshd[502]: Failed password for invalid user domainuser from 172.16.0.1 port 54474 ssh2
> Are you logging in as user "root" (id=0) or as "Administrator" here?
> Or you created a user and assigned id 0, in all cases, this is in my opinion wrong to do.

No, that's not the case. I see 'uid=0' but my username is just an ordinary domain user. It's neither "root" nor "Administrator". The domain user isn't a domain admin either - it's a restricted domain account. I have several domain accounts to test and whenever it fails I see 'uid=0', too. Doesn't matter what (unprivileged) account I use. I remove the homedir on logout and recreate it on logon with pam_mkhomedir.

> I recommend not enabling root logins on ssh, but that's your choice.
> You can not, never ever, assign user Administrator an uid, especially user Administrator.
> Uid 0 = root and only root, now this is why you need the username mapping.

Okay, I think that is the point: When it fails I see:

Jun 10 22:21:50 COMPUTERXY sshd[3207]: Invalid user domainuser from 172.16.0.235
Jun 10 22:21:50 COMPUTERXY sshd[3207]: input_userauth_request: invalid user domainuser [preauth]
Jun 10 22:21:52 COMPUTERXY sshd[3207]: pam_krb5(sshd:auth): authentication failure; logname=domainuser uid=0 euid=0 tty=ssh ruser= rhost=computer.work.company

and on success it is (same machine, same user, just some time later, e.g. after a local user logged in):

Jun 10 23:23:22 COMPUTERXY sshd[9459]: pam_krb5(sshd:auth): user domainuser authenticated as domainuser@WORK.COMPANY
Jun 10 23:23:22 COMPUTERXY pam-script[9459]: can not stat /usr/share/libpam-script/pam_script_acct
Jun 10 23:23:22 COMPUTERXY sshd[9459]: Accepted password for domainuser from 172.16.0.1 port 43841 ssh2

I will have a look at it with changed username mapping.

> Now where did it go wrong. You have a few options to check.
> First, check the time sync on the DC's and the member servers.
> A common problem with login problems. Check this first.

# net ads info -P
LDAP server: 172.16.0.2
LDAP server name: ADDC.WORK.company
Realm: WORK.COMPANY
Bind Path: dc=WORK,dc=COMPANY
LDAP port: 389
Server time: Sa, 10 Jun 2017 23:37:11 CEST
KDC server: 172.16.0.2
Server time offset: 0

# grep server /etc/ntp.conf
server 172.16.0.2 iburst

# grep GSS /etc/ssh/sshd_config
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

I will change it to:

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

> And if you use groups member checks in sshd_conf, test if all these groups have GID.

# grep -i group /etc/ssh/sshd_config
<nothing>

>> I also noticed that in these cases 'wbinfo -u' or 'kinit
>> domainuser' succeeds, but 'getent passwd' only shows local users.
>> And yes, libpam-winbind and libnss-winbind are installed and
>> nsswitch.conf has 'passwd: compat winbind'
> Yes, this is confusing.. ;-)
> wbinfo -u shows all your users.
> getent passwd not, but `getent passwd username`, should show your user.

No, it isn't. 'getent passwd' shows domainusers, too, but I tested 'getent passwd domainuser' as well: I'm logged in as root and testing 'getent passwd' or 'getent passwd domainuser'. When 'getent passwd' (or 'getent passwd domainuser') shows 'domainuser' then I can log in as domainuser, too. When 'getent passwd' (or 'getent passwd domainuser') does not show 'domainuser' then I can't log in as domainuser.

Thank you for your help,
Christian
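As an added example (not code from this thread, nor a Samba tool), the following POSIX shell script automates the two checks discussed above: it triages sshd/PAM log lines per sshd session so that an "Invalid user" login (sshd could not resolve the account through NSS/winbind, hence the uid=0 in the PAM line) is told apart from a genuine wrong-password failure, and it parses the "Server time offset" line of `net ads info` against the Kerberos default clock skew of 300 seconds. The sample log, hostnames, IPs and realm are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: triage sshd/PAM log lines from a
# winbind domain member. A failing login that logs "Invalid user <name>"
# (with uid=0 in the PAM line) means sshd could not resolve the account
# via NSS (getent passwd <name> was empty); a real wrong-password failure
# has no "Invalid user" line for that sshd session.

# Constructed sample log (hosts, IPs and realm are made up).
SAMPLE_LOG="Jun 10 22:21:50 member01 sshd[3207]: Invalid user alice from 192.0.2.10
Jun 10 22:21:52 member01 sshd[3207]: pam_krb5(sshd:auth): authentication failure; logname=alice uid=0 euid=0 tty=ssh ruser= rhost=client.example.test
Jun 10 22:30:01 member01 sshd[4100]: pam_winbind(sshd:auth): user 'bob' denied access (incorrect password or invalid membership)
Jun 10 22:30:01 member01 sshd[4100]: Failed password for bob from 192.0.2.11 port 50001 ssh2
Jun 10 23:23:22 member01 sshd[9459]: pam_krb5(sshd:auth): user alice authenticated as alice@EXAMPLE.TEST
Jun 10 23:23:22 member01 sshd[9459]: Accepted password for alice from 192.0.2.10 port 43841 ssh2"

# Read log lines on stdin; print "pid verdict user" per sshd session.
# Verdicts: nss-unresolved (NSS/winbind lookup failed), auth-failed
# (account resolved but credential/membership check failed), auth-ok.
triage_log() {
    awk '
    match($0, /sshd\[[0-9]+\]/) {
        pid = substr($0, RSTART + 5, RLENGTH - 6)
        if ($0 ~ /Invalid user /) {
            sub(/.*Invalid user /, ""); user[pid] = $1
            verdict[pid] = "nss-unresolved"   # overrides whatever PAM logs later
        } else if ($0 ~ /Accepted [a-z-]+ for /) {
            sub(/.*Accepted [a-z-]+ for /, ""); user[pid] = $1
            if (!(pid in verdict)) verdict[pid] = "auth-ok"
        } else if ($0 ~ /Failed password for |authentication failure|denied access/) {
            if ($0 ~ /Failed password for /) { sub(/.*Failed password for (invalid user )?/, ""); user[pid] = $1 }
            if (!(pid in verdict)) verdict[pid] = "auth-failed"
        }
    }
    END { for (p in verdict) print p, verdict[p], ((p in user) ? user[p] : "?") }'
}

# Count sessions with the given verdict (stdin: log lines).
count_verdict() { triage_log | grep -c " $1 " || true; }

# Feed `net ads info` output on stdin; succeed when |Server time offset|
# is within the Kerberos default clock skew of 300 seconds.
time_offset_ok() {
    off=$(sed -n 's/^Server time offset: *\(-\{0,1\}[0-9]\{1,\}\).*/\1/p')
    [ -n "$off" ] && [ "${off#-}" -le 300 ]
}

# Usage: triage the constructed log and check a sample offset line.
printf '%s\n' "$SAMPLE_LOG" | triage_log | sort
printf 'Server time offset: 0\n' | time_offset_ok && echo "clock skew within Kerberos limits"
```

On a real member, pipe `journalctl -u ssh` (or /var/log/auth.log) into triage_log and `net ads info` into time_offset_ok; an nss-unresolved verdict points at winbind/nsswitch, not at the user's password.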