On 26.08.2013 16:11, Bruno Vane wrote:
> Marc, sorry to bother you with this, but I cannot access an SSH server
> using these settings.
> Could you take a look, if you have time, to find out if my settings are wrong?
> When I do a "ssh -l nslcd-connect" (or any other user) to the server, I
> get this in /var/log/auth.log:
> Aug 26 11:09:14 ldap sshd[4642]: Invalid user nslcd-connect from MY_MACHINE
> Aug 26 11:09:14 ldap sshd[4642]: input_userauth_request: invalid user nslcd-connect [preauth]
> Aug 26 11:09:21 ldap sshd[4642]: pam_unix(sshd:auth): check pass; user unknown
> Aug 26 11:09:21 ldap sshd[4642]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=MY_FQDN
> Aug 26 11:09:21 ldap sshd[4642]: pam_ldap: ldap_simple_bind Can't contact LDAP server
> Aug 26 11:09:21 ldap sshd[4642]: pam_ldap: reconnecting to LDAP server...
> Aug 26 11:09:21 ldap sshd[4642]: pam_ldap: ldap_simple_bind Can't contact LDAP server
> Aug 26 11:09:23 ldap sshd[4642]: Failed password for invalid user nslcd-connect from MY_MACHINE port 51004 ssh2
> Aug 26 11:09:25 ldap sshd[4642]: Connection closed by MY_MACHINE [preauth]
You don't connect with the "nslcd-connect" account via ssh to the
server. Each user connects with his/her domain account.
You need this account (nslcd-connect) in your AD to allow nslcd to
connect to your directory (you can give it any name you want, of
course), because Samba/AD doesn't allow anonymous bind.
These are the steps you do:
- Create a new account (I named it nslcd-connect) in your AD
- Put the account's DN + password in your nslcd.conf
- Restart nslcd.conf
- Add "ldap" to the following three lines in your /etc/nsswitch.conf
(sorry, I forgot this in my previous post):
passwd: files ldap
shadow: files ldap
group: files ldap
- Now you should be able to see all accounts (the local and domain
accounts) when you type
# getent passwd
- If you don't see the domain accounts, add "acl:search = no" to the
[global] section of your smb.conf and restart Samba. (Workaround for bug
#9788)
- If nothing else prevents it (missing home, missing keyfile,
etc.), you should now be able to log in via ssh with
# ssh -l {domainusername} {entryservername}
The domainusername is the attribute that is mapped in nslcd.conf to
uid (if you use my nslcd.conf example, the domainusername is what stands
in the AD attribute sAMAccountName).
============> This is my samba4 server LDAP test:
root@samba:~# ldapsearch -U nslcd-connect -h localhost -b DC=corporativo,DC=mydomain,DC=net "cn=nslcd-connect" distinguishedName
If you let ldapsearch search for all attributes mentioned in nslcd.conf
(sAMAccountName, unixHomeDirectory, etc.) and you don't get results for
all of them, you need the workaround for bug #9788 (see above) or these
attributes are not filled in AD.
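The following script is an added example, not part of Marc's or Bruno's mail and not Samba or nslcd project code. It checks, offline, the three things the steps above turn on: that passwd, shadow and group in nsswitch.conf list "ldap", that nslcd.conf carries the bind account (and is not world-readable, since it holds the bind password), and that an ldapsearch result contains the attributes nslcd needs. The nsswitch.conf, nslcd.conf and LDIF contents are constructed samples with placeholder DNs and password; the attribute list (sAMAccountName, uidNumber, gidNumber, unixHomeDirectory) is an assumption based on the mappings mentioned above.

```shell
#!/bin/sh
# Added example: offline sanity checks for an nslcd/AD setup.
# All input files are constructed samples; nothing here contacts a server.
set -u

WORK="${TMPDIR:-/tmp}/nslcd-check.$$"
mkdir -p "$WORK"

# Constructed nsswitch.conf: "ldap" on passwd and group, but forgotten on shadow.
cat > "$WORK/nsswitch.conf" <<'EOF'
passwd: files ldap
shadow: files
group:  files ldap
hosts:  files dns
EOF

# Constructed nslcd.conf with the bind account (placeholder DN and password).
cat > "$WORK/nslcd.conf" <<'EOF'
uri ldap://samba.example.net
base DC=corporativo,DC=mydomain,DC=net
binddn CN=nslcd-connect,CN=Users,DC=corporativo,DC=mydomain,DC=net
bindpw PLACEHOLDER_PASSWORD
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
EOF
chmod 644 "$WORK/nslcd.conf"   # deliberately too open, so the check below fires

# Constructed ldapsearch (LDIF) output: uidNumber present, unixHomeDirectory not filled.
cat > "$WORK/user.ldif" <<'EOF'
dn: CN=jdoe,CN=Users,DC=corporativo,DC=mydomain,DC=net
sAMAccountName: jdoe
uidNumber: 10001
gidNumber: 10000
EOF

# Prints the nsswitch databases (of passwd, shadow, group) whose line lacks "ldap".
nsswitch_missing_ldap() {
    _missing=""
    for db in passwd shadow group; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]ldap([[:space:]]|$)" "$1" \
            || _missing="$_missing $db"
    done
    printf '%s\n' "${_missing# }"
}

# Returns 0 when nslcd.conf carries both binddn and bindpw (AD refuses anonymous bind).
nslcd_has_bind_credentials() {
    grep -Eq '^[[:space:]]*binddn[[:space:]]' "$1" \
        && grep -Eq '^[[:space:]]*bindpw[[:space:]]' "$1"
}

# Returns 0 when the file is not readable by "other"; bindpw must stay private.
nslcd_conf_private() {
    [ -z "$(find "$1" -perm -o+r -print)" ]
}

# Prints the attributes nslcd needs that do not occur in an LDIF result.
# Attribute names are case-insensitive in LDAP, hence grep -i.
ldif_missing_attrs() {
    _missing=""
    for attr in sAMAccountName uidNumber gidNumber unixHomeDirectory; do
        grep -Eiq "^$attr:" "$1" || _missing="$_missing $attr"
    done
    printf '%s\n' "${_missing# }"
}

# Report on the constructed samples (files are left in $WORK for inspection).
echo "nsswitch databases without ldap: $(nsswitch_missing_ldap "$WORK/nsswitch.conf")"
if nslcd_has_bind_credentials "$WORK/nslcd.conf"; then
    echo "nslcd.conf: binddn and bindpw present"
else
    echo "nslcd.conf: binddn or bindpw missing"
fi
if nslcd_conf_private "$WORK/nslcd.conf"; then
    echo "nslcd.conf: not world-readable"
else
    echo "nslcd.conf: WORLD-READABLE but contains bindpw (chmod 600 it)"
fi
echo "attributes missing from the AD entry: $(ldif_missing_attrs "$WORK/user.ldif")"
```

To use it against a real host, point the functions at /etc/nsswitch.conf, /etc/nslcd.conf and the output of the ldapsearch shown above saved to a file; an attribute reported missing means either the bug #9788 workaround is needed or the attribute is simply not set in AD, exactly the two cases named above.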
I'm currently still working on a HowTo about sssd, nslcd and winbind,
which would contain all of this in much more detail. But I have had too
little time at the moment to finish it yet. Maybe next week it will be
done and published in the Wiki.
Regards,
Marc
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba