On 17.09.2014, at 16:37, Andrew Martin <[email protected]> wrote:

> ----- Original Message -----
>> From: "Marc Jakob" <[email protected]>
>> To: "Discussion list for OpenIndiana" <[email protected]>
>> Sent: Wednesday, September 17, 2014 6:10:01 AM
>> Subject: Re: [OpenIndiana-discuss] AD Authentication and Samba 4 Active
>> Directory
>>
>> Hi Andrew,
>>
>> did you put the following in nsswitch.conf:
>>
>> passwd: files ad
>> group: files ad
>>
>> having joined to my samba4 AD controller ssh login works using putty and
>> GSSAPI login (Kerberos token from AD login) using my windows user name -
>> which has to exist in passwd or you use ldap client bindings to retrieve
>> shell and so on.
>
> Hi Marc,
>
> Yes, I have my nsswitch.conf configured as follows:
> passwd: files ldap
> group: files ldap
>
>
> getent passwd <user-in-ad> returns the expected information:
> aduser:x:10000:10004:aduser:/home/aduser:/bin/sh
>
> Moreover, I added the exact lines to /etc/pam.conf as detailed here:
> http://wiki.openindiana.org/oi/Kerberos+and+LDAP#KerberosandLDAP-PAM
>
> When running an sshd instance in debug mode, I am still denied:
> debug2: input_userauth_request: try method keyboard-interactive
> debug1: keyboard-interactive devs
> debug2: Starting PAM service sshd-kbdint for method keyboard-interactive
> debug2: Calling pam_authenticate()
> debug2: PAM echo off prompt: Password:
> debug2: Nesting dispatch_run loop
> debug1: got 1 responses
> debug2: Nested dispatch_run loop exited
> debug1: PAM conv function returns PAM_SUCCESS
> Keyboard-interactive (PAM) userauth failed[9] while authenticating:
> Authentication failed
>
> What else should I try?
>
> Thanks,
>
> Andrew
>
> _______________________________________________
> openindiana-discuss mailing list
> [email protected]
> http://openindiana.org/mailman/listinfo/openindiana-discuss

I don’t use LDAP as a backend for users, so I don’t really know what could be the issue. If you connect using ssh in verbose mode (after getting a Kerberos ticket using kinit), what does the log say?

Kind regards,

marc
