I have been trying to get AD logins working on a linux machine. If I create a local linux user with the same name as the AD user, the linux machine will require the AD password. But if no corresponding local user exists, then I get invalid user errors:
Create test01 locally with no password. test01 can then log in using the AD password:
Dec 21 16:06:41 doladtest002 sshd[8467]: pam_krb5[8467]: error reading keytab 'FILE:/etc/krb5.keytab'
Dec 21 16:06:41 doladtest002 sshd[8467]: pam_krb5[8467]: TGT verified
Dec 21 16:06:41 doladtest002 sshd[8467]: pam_krb5[8467]: authentication succeeds for 'test01' (test01@DOL.LOCAL)
Dec 21 16:06:41 doladtest002 sshd[8467]: Accepted password for test01 from x.x.x.x port 51130 ssh2
Dec 21 16:06:41 doladtest002 sshd[8467]: pam_unix(sshd:session): session opened for user test01 by (uid=0)
Dec 21 16:06:46 doladtest002 sshd[8467]: pam_unix(sshd:session): session closed for user test01
Delete local user test01 and delete home directory:
Dec 21 16:06:54 doladtest002 userdel[8498]: delete user `test01'
Dec 21 16:06:54 doladtest002 userdel[8498]: removed group `test01' owned by `test01'
Attempt login with AD account but no local account:
Dec 21 16:07:10 doladtest002 sshd[8504]: Invalid user test01 from x.x.x.x
Dec 21 16:07:10 doladtest002 sshd[8505]: input_userauth_request: invalid user test01
Dec 21 16:07:16 doladtest002 sshd[8504]: pam_unix(sshd:auth): check pass; user unknown
Dec 21 16:07:16 doladtest002 sshd[8504]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x
Dec 21 16:07:16 doladtest002 sshd[8504]: pam_succeed_if(sshd:auth): error retrieving information about user test01
Dec 21 16:07:18 doladtest002 sshd[8504]: Failed password for invalid user test01 from x.x.x.x port 51138 ssh2
Dec 21 16:07:20 doladtest002 sshd[8505]: Received disconnect from x.x.x.x: 13: Unable to authenticate
Attempt login with AD account using name@machine.dol.local:
Dec 21 16:12:53 doladtest002 sshd[8527]: Invalid user test01@doladtest002.dol.local from x.x.x.x
Dec 21 16:12:53 doladtest002 sshd[8528]: input_userauth_request: invalid user test01@doladtest002.dol.local
Dec 21 16:12:58 doladtest002 sshd[8527]: pam_unix(sshd:auth): check pass; user unknown
Dec 21 16:12:58 doladtest002 sshd[8527]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x
Dec 21 16:12:58 doladtest002 sshd[8527]: pam_succeed_if(sshd:auth): error retrieving information about user test01@doladtest002.dol.local
Dec 21 16:13:01 doladtest002 sshd[8527]: Failed password for invalid user test01@doladtest002.dol.local from x.x.x.x port 51220 ssh2
Dec 21 16:13:02 doladtest002 sshd[8528]: Received disconnect from x.x.x.x: 13: Unable to authenticate
I too cannot seem to get past this. When I played around with Samba and Winbind, I got better results, but I don't want to use that. I should be able to do this with just Kerberos and LDAP. I am copying the relevant config files from a linux machine in a different domain that authenticates to AD using Kerberos and authorizes access based on AD group via LDAP.
This is driving me insane. I have gone through every setting I can think of on both the Domain Controller and the linux machine. I have compared my config files to working config files. I have compared Domain Controller settings. In the domain where this is working, Samba is not being used. Any suggestions are welcome. I am stuck.
Here is a successful AD user login on a linux machine in the other domain. There is no corresponding local user:
Dec 21 10:49:26 enysvlalb012 sshd[27107]: pam_krb5[27107]: error reading keytab 'FILE:/etc/krb5.keytab'
Dec 21 10:49:26 enysvlalb012 sshd[27107]: pam_krb5[27107]: TGT verified
Dec 21 10:49:26 enysvlalb012 sshd[27107]: pam_krb5[27107]: authentication succeeds for 'tgiardi' (tgiardi@DOMAIN.COM)
Dec 21 10:49:26 enysvlalb012 sshd[27107]: Accepted password for tgiardi from x.x.x.x port 50618 ssh2
Dec 21 10:49:26 enysvlalb012 sshd[27107]: pam_unix(sshd:session): session opened for user tgiardi by (uid=0)
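As an added example, not part of the post above: a small Python triage script that groups sshd log lines by process id and tells a Kerberos-authenticated login apart from an attempt where sshd never resolved the account name at all (the "Invalid user" / "user unknown" pattern in the logs, which comes from a failed getpwnam() lookup rather than from PAM). Hostnames, realm and addresses in the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the sshd/pam_krb5 output quoted in the post
# (hostname, realm and client address replaced with documentation values).
SAMPLE_LOG = """\
Dec 21 16:06:41 host1 sshd[8467]: pam_krb5[8467]: error reading keytab 'FILE:/etc/krb5.keytab'
Dec 21 16:06:41 host1 sshd[8467]: pam_krb5[8467]: authentication succeeds for 'test01' (test01@EXAMPLE.LOCAL)
Dec 21 16:06:41 host1 sshd[8467]: Accepted password for test01 from 192.0.2.10 port 51130 ssh2
Dec 21 16:07:10 host1 sshd[8504]: Invalid user test01 from 192.0.2.10
Dec 21 16:07:16 host1 sshd[8504]: pam_unix(sshd:auth): check pass; user unknown
Dec 21 16:07:18 host1 sshd[8504]: Failed password for invalid user test01 from 192.0.2.10 port 51138 ssh2
Dec 21 16:09:00 host1 sshd[8600]: Failed password for alice from 192.0.2.10 port 51300 ssh2
"""

SSHD_LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
USER_IN_MSG = re.compile(
    r"(?:Invalid user|Accepted password for|Failed password for(?: invalid user)?) (\S+)")

def classify_attempts(log_text):
    """Group sshd messages by PID (one PID per connection attempt) and return
    {pid: {"user": ..., "verdict": ..., "keytab_unreadable": bool}}."""
    by_pid = defaultdict(list)
    for line in log_text.splitlines():
        m = SSHD_LINE.search(line)
        if m:
            by_pid[m.group("pid")].append(m.group("msg"))
    report = {}
    for pid, msgs in by_pid.items():
        text = "\n".join(msgs)
        user_m = USER_IN_MSG.search(text)
        if "Invalid user" in text or "user unknown" in text:
            # sshd logs "Invalid user" when getpwnam() fails: the name was never
            # resolvable through NSS, so the fix lies in identity lookup
            # (nsswitch/LDAP), not in the password or Kerberos auth settings.
            verdict = "identity-unresolvable"
        elif "authentication succeeds" in text and "Accepted password" in text:
            verdict = "krb5-auth-ok"
        elif "Failed password" in text:
            verdict = "auth-failed"
        else:
            verdict = "incomplete"
        report[pid] = {
            "user": user_m.group(1) if user_m else None,
            "verdict": verdict,
            # pam_krb5 uses the host keytab to validate the TGT it obtains;
            # an unreadable keytab deserves a look even when login succeeded.
            "keytab_unreadable": "error reading keytab" in text,
        }
    return report

if __name__ == "__main__":
    for pid, info in sorted(classify_attempts(SAMPLE_LOG).items()):
        print(pid, info)
```

Run it against /var/log/secure (or auth.log) output to separate the two failure classes before touching any configuration.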