> On 17.09.2014 at 22:23, Andrew Martin <[email protected]> wrote:
>
> ----- Original Message -----
>> From: "Marc Jakob" <[email protected]>
>> To: "Discussion list for OpenIndiana" <[email protected]>
>> Sent: Wednesday, September 17, 2014 12:30:43 PM
>> Subject: Re: [OpenIndiana-discuss] AD Authentication and Samba 4 Active
>> Directory
>>
>> I don’t use LDAP as backend for users, so I don’t really know what could be
>> the issue.
>>
>> If you connect using ssh in verbose mode (after getting a kerberos ticket
>> using kinit), what does the log say?
>
> Getting a kerberos ticket works:
> [root@server:~]# kinit aduser
> Password for [email protected]:
> [root@server:~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: [email protected]
>
> Valid starting       Expires              Service principal
> 17/09/2014 13:36     17/09/2014 23:36     krbtgt/[email protected]
>         renew until 24/09/2014 13:36
>
> I then set up a separate ssh daemon listening on port 222 in debug mode:
> sshd -ddd -p 222 -f /tmp/sshd_config
>
> And tried to connect from the client using -vvv.
>
> Server output:
> debug1: userauth-request for user aduser service ssh-connection method
> keyboard-interactive
> debug1: attempt 2 initial attempt 0 failures 2 initial failures 0
> debug2: input_userauth_request: try method keyboard-interactive
> debug1: keyboard-interactive devs
> debug2: Starting PAM service sshd-kbdint for method keyboard-interactive
> debug2: Calling pam_authenticate()
> debug2: PAM echo off prompt: Password:
> debug2: Nesting dispatch_run loop
> debug1: got 1 responses
> debug2: Nested dispatch_run loop exited
> debug1: PAM conv function returns PAM_SUCCESS
> Keyboard-interactive (PAM) userauth failed[9] while authenticating:
> Authentication failed
> Failed keyboard-interactive for aduser from 192.168.1.2 port 44390 ssh2
> debug1: userauth-request for user aduser service ssh-connection method
> keyboard-interactive
> debug1: attempt 3 initial attempt 1 failures 3 initial failures 1
> debug2: input_userauth_request: try method keyboard-interactive
> debug1: keyboard-interactive devs
> debug2: Starting PAM service sshd-kbdint for method keyboard-interactive
> debug2: Calling pam_authenticate()
> debug2: PAM echo off prompt: Password:
> debug2: Nesting dispatch_run loop
>
> Client output:
> debug1: Next authentication method: keyboard-interactive
> debug2: userauth_kbdint
> debug2: we sent a keyboard-interactive packet, wait for reply
> debug2: input_userauth_info_req
> debug2: input_userauth_info_req: num_prompts 1
> Password:
> debug3: packet_send2: adding 32 (len 23 padlen 9 extra_pad 64)
> debug1: Authentications that can continue:
> gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive
> debug3: start over, passed a different list
> gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive
> debug3: preferred
> gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
> debug3: authmethod_lookup gssapi-keyex
> debug3: remaining preferred:
> gssapi-with-mic,publickey,keyboard-interactive,password
> debug3: authmethod_lookup gssapi-with-mic
> debug3: remaining preferred: publickey,keyboard-interactive,password
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_lookup keyboard-interactive
> debug3: remaining preferred: password
> debug3: authmethod_is_enabled keyboard-interactive
>
> This makes me think that something is mis-configured in pam.conf since PAM
> reports
> an authentication failure.
>
> Thanks,
>
> Andrew
>
> _______________________________________________
> openindiana-discuss mailing list
> [email protected]
> http://openindiana.org/mailman/listinfo/openindiana-discuss

For me it looks like kerberos is not in use. Do you have the possibility to connect using a Windows client integrated in Active Directory using putty with GSSAPI auth enabled?

As far as I remember, you have to change some config options in sshd client config... But I'm not sure which.

Also the server log message

Failed keyboard-interactive for aduser

sounds a little strange to me.

Kind regards,

Marc
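
Added example, not part of either message in this thread: a small Python script that reads sshd and ssh client debug output in the format quoted above and reports which userauth methods the server received, which failed, and which methods the client looked up without reporting them as enabled. The sample logs are constructed by shortening the quoted output and joining its e-mail-wrapped lines; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample, shortened from the debug output quoted in the thread.
SERVER_LOG = """\
debug1: userauth-request for user aduser service ssh-connection method keyboard-interactive
debug2: Starting PAM service sshd-kbdint for method keyboard-interactive
debug1: PAM conv function returns PAM_SUCCESS
Failed keyboard-interactive for aduser from 192.168.1.2 port 44390 ssh2
debug1: userauth-request for user aduser service ssh-connection method keyboard-interactive
"""
CLIENT_LOG = """\
debug3: authmethod_lookup gssapi-keyex
debug3: authmethod_lookup gssapi-with-mic
debug3: authmethod_lookup publickey
debug3: authmethod_lookup keyboard-interactive
debug3: authmethod_is_enabled keyboard-interactive
"""

REQ = re.compile(r"userauth-request for user (\S+) service \S+ method (\S+)")
FAIL = re.compile(r"^Failed (\S+) for (\S+) from (\S+) port (\d+)")
LOOKUP = re.compile(r"authmethod_lookup (\S+)")
ENABLED = re.compile(r"authmethod_is_enabled (\S+)")

def server_summary(log):
    """Count requested and failed userauth methods seen by sshd."""
    requested, failed = Counter(), Counter()
    for line in log.splitlines():
        if m := REQ.search(line):
            requested[m.group(2)] += 1
        elif m := FAIL.search(line):
            failed[m.group(1)] += 1
    return requested, failed

def client_skipped(log):
    """Methods the client looked up but did not report as enabled."""
    enabled = set(ENABLED.findall(log))
    return [m for m in LOOKUP.findall(log) if m not in enabled]

def gssapi_attempted(requested):
    """True if sshd ever received a GSSAPI userauth request."""
    return any(m.startswith("gssapi") for m in requested)

if __name__ == "__main__":
    req, fail = server_summary(SERVER_LOG)
    print("requested:", dict(req), "failed:", dict(fail))
    print("GSSAPI attempted on server:", gssapi_attempted(req))
    print("looked up, not enabled on client:", client_skipped(CLIENT_LOG))
```

On the sample, the server only ever sees keyboard-interactive requests and the client never reports a gssapi method as enabled, so the Kerberos ticket obtained with kinit is not exercised in this excerpt.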
