----- Original Message -----
> From: "Marc Jakob" <[email protected]>
> To: "Discussion list for OpenIndiana" <[email protected]>
> Sent: Wednesday, September 17, 2014 12:30:43 PM
> Subject: Re: [OpenIndiana-discuss] AD Authentication and Samba 4 Active Directory
>
> I don’t use LDAP as backend for users, so I don’t really know what could be
> the issue.
>
> If you connect using ssh in verbose mode (after getting a kerberos ticket
> using kinit), what does the log say?
>

Getting a kerberos ticket works:

[root@server:~]# kinit aduser
Password for [email protected]:
[root@server:~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting     Expires            Service principal
17/09/2014 13:36   17/09/2014 23:36   krbtgt/[email protected]
        renew until 24/09/2014 13:36

I then set up a separate ssh daemon listening on port 222 in debug mode:

sshd -ddd -p 222 -f /tmp/sshd_config

And tried to connect from the client using -vvv.

Server output:

debug1: userauth-request for user aduser service ssh-connection method keyboard-interactive
debug1: attempt 2 initial attempt 0 failures 2 initial failures 0
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug2: Starting PAM service sshd-kbdint for method keyboard-interactive
debug2: Calling pam_authenticate()
debug2: PAM echo off prompt: Password:
debug2: Nesting dispatch_run loop
debug1: got 1 responses
debug2: Nested dispatch_run loop exited
debug1: PAM conv function returns PAM_SUCCESS
Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed
Failed keyboard-interactive for aduser from 192.168.1.2 port 44390 ssh2
debug1: userauth-request for user aduser service ssh-connection method keyboard-interactive
debug1: attempt 3 initial attempt 1 failures 3 initial failures 1
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug2: Starting PAM service sshd-kbdint for method keyboard-interactive
debug2: Calling pam_authenticate()
debug2: PAM echo off prompt: Password:
debug2: Nesting dispatch_run loop

Client output:

debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug3: packet_send2: adding 32 (len 23 padlen 9 extra_pad 64)
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive
debug3: start over, passed a different list gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive

This makes me think that something is mis-configured in pam.conf since PAM
reports an authentication failure.

Thanks,
Andrew
