LinuxQuestions.org
Old 03-29-2006, 02:05 PM   #1
amon
Member
 
Registered: May 2004
Location: UK
Distribution: Debian, Ubuntu, CentOS
Posts: 146

Rep: Reputation: 17
AD authentication


Hi, I'm trying to authenticate a Linux machine with a Windows 2003 server.

I work in a college and want to teach students how to use linux and at times show them how much better it is.
Primarily all I want is for students to be able to type in their usernames and passwords that they use on the Windows network and log into a Linux workstation. Something that has proven harder than I thought it would be.

I'm currently experimenting with a SUSE machine (it has boasted some of the best hardware support for the box from the CD, as the SUSE 9 disk came with the computers). I'd rather use Debian but at this point (after several months of tears) I'm happy to use any distro if there is a better one for setting this up.

I'm able to add the computer to the domain using:
net ads join -U administrator

I can get user names and groups with
wbinfo -u
wbinfo -g

I can list groups with
getent group

In desperation I have added the following line to all my pam.d files:
Code:
session  required	pam_mkhomedir.so	skel=/etc/skel/ umask=0077 #added by david
These are the files:
Code:
linux:/etc/pam.d # ls
.  ..  chage  chfn  chsh  cups  gdm  gdm-autologin  login  other  passwd  ppp  rpasswd  shadow  sshd  su  sudo  useradd  xdm  xscreensaver
linux:/etc/pam.d #
but for some reason I can't log on. I've tried using

<user>
<domain>\<user>

and many other combinations without success.

1: Where do I go from here? I'm at a loss and feeling very down about this.

2: Is there another/better method of doing this? I'd rather not have to make changes to the server and risk causing upset to the college system.
 
Old 03-29-2006, 04:13 PM   #2
Darin
Senior Member
 
Registered: Jan 2003
Location: Portland, OR USA
Distribution: Slackware, SLAX, Gentoo, RH/Fedora
Posts: 1,024

Rep: Reputation: 45
I have never attempted this before, but my suggestion would be to make sure you update to the newest version of Samba and follow the steps at http://www.samba.org/samba/docs/man/...tml#ads-member to a T.
 
Old 03-30-2006, 01:38 PM   #3
amon
Member
 
Registered: May 2004
Location: UK
Distribution: Debian, Ubuntu, CentOS
Posts: 146

Original Poster
Rep: Reputation: 17
I want to cry :(

6 months on this problem and I'm still no closer.

If I try kinit I get:
Code:
linux:~ # kinit inst@internal.my-college.org
Password for inst@internal.my-college.org:password
Exception: krb_error 24 Pre-authentication information was invalid (24) Pre-authentication information was invalid
KrbException: Pre-authentication information was invalid (24)
        at sun.security.krb5.KrbAsRep.<init>(DashoA6275:67)
        at sun.security.krb5.KrbAsReq.getReply(DashoA6275:315)
        at sun.security.krb5.KrbAsReq.getReply(DashoA6275:276)
        at sun.security.krb5.internal.tools.Kinit.<init>(DashoA6275:271)
        at sun.security.krb5.internal.tools.Kinit.main(DashoA6275:109)
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.af.a(DashoA6275:134)
        at sun.security.krb5.internal.at.a(DashoA6275:63)
        at sun.security.krb5.internal.at.<init>(DashoA6275:58)
        at sun.security.krb5.KrbAsRep.<init>(DashoA6275:53)
        ... 4 more
Here is my smb.conf
Code:
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE
# Date: 2004-10-05
# NOTE: smb.conf only treats whole lines starting with # or ; as comments.
# Text after a value on the same line becomes part of the value, so the
# "# and this" remarks that sat on the option lines have been moved onto
# their own lines.
[global]
	workgroup = RIC
	printing = cups
	printcap name = cups
	printcap cache time = 750
	cups options = raw
	printer admin = @ntadmin, root, administrator
	username map = /etc/samba/smbusers
	# SMB logins with an unknown username become the guest account; this
	# only affects shares served by this box, not console/ssh logins
	map to guest = Bad User
	include = /etc/samba/dhcp.conf
	logon path = \\%L\profiles\.msprofile
	logon home = \\%L\%U\.9xprofile
	logon drive = P:
#	security = domain
	security = ads
	encrypt passwords = yes
	# added from http://lists.samba.org/archive/samba/2005-August/109198.html
	smb passwd file = /etc/samba/smbpasswd
	unix password sync = no
	# passwd lives in /usr/bin, not /etc/bin (only used when
	# unix password sync = yes)
	passwd program = /usr/bin/passwd %u
	pam password change = yes
	obey pam restrictions = yes
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	case sensitive = no
	dns proxy = no
	idmap uid = 10000-20000
	idmap gid = 10000-20000
	template shell = /bin/bash
	# template homedir defaults to /home/%D/%U; that directory and its
	# parents must be searchable by the domain users
	password server = ricsvr01.internal.my-college.org
	# Kerberos realm names are written in upper case, matching
	# default_realm in krb5.conf
	realm = INTERNAL.MY-COLLEGE.ORG
	winbind use default domain = yes
	winbind separator = +
	winbind enum users = yes
	winbind enum groups = yes
	wins server = ricsvr01.internal.my-college.org
	unix extensions = yes
[homes]
	comment = Home Directories
	valid users = %S
	browseable = No
	read only = No
	inherit acls = Yes
[profiles]
	comment = Network Profiles Service
	path = %H
	read only = No
	store dos attributes = Yes
	create mask = 0600
	directory mask = 0700
[users]
	comment = All users
	path = /home
	read only = No
	inherit acls = Yes
	veto files = /aquota.user/groups/shares/
[groups]
	comment = All groups
	path = /home/groups
	read only = No
	inherit acls = Yes
[pdf]
	comment = PDF creator
	path = /var/tmp
	printable = Yes
	print command = /usr/bin/smbprngenpdf -J '%J' -c %c -s %s -u '%u' -z %z
	create mask = 0600
[printers]
	comment = All Printers
	path = /var/tmp
	printable = Yes
	create mask = 0600
	browseable = No
[print$]
	comment = Printer Drivers
	path = /var/lib/samba/drivers
	write list = @ntadmin root
	force group = ntadmin
	create mask = 0664
	directory mask = 0775
and here is my krb5.conf
Code:
[libdefaults]
	default_realm = INTERNAL.MY-COLLEGE.ORG
	clockskew = 300
	# alternatively set dns_lookup_kdc = true and let the library find the
	# KDCs from the _kerberos._tcp SRV records the domain publishes

[realms]
#	MY.REALM = {
#		kdc = MY.COMPUTER
#		admin_server = MY.COMPUTER
#		kpasswd_server = MY.COMPUTER
#	}
#	OTHER.REALM = {
#		kdc = OTHER.COMPUTER
#	}
	# Realm names are case-sensitive: this stanza must be spelled exactly
	# like default_realm above, otherwise the library never finds the KDC
	# listed here. The SRV lookup later in the thread shows a second DC
	# (ricsvr02, 192.168.48.11) that could be added as another kdc line.
	INTERNAL.MY-COLLEGE.ORG = {
		kdc = 192.168.48.10
	}

[domain_realm]
#	.my.domain = MY.REALM
	# map the AD DNS domain onto the realm (this was in a misspelled
	# [domain_realms] section with a placeholder name, which is ignored)
	.internal.my-college.org = INTERNAL.MY-COLLEGE.ORG
	internal.my-college.org = INTERNAL.MY-COLLEGE.ORG

[logging]
	default = SYSLOG:NOTICE:DAEMON
	kdc = FILE:/var/log/kdc.log
	kadmind = FILE:/var/log/kadmind.log

[appdefaults]
	pam = {
		ticket_lifetime = 1d
		renew_lifetime = 1d
		forwardable = true
		proxiable = true
		retain_after_close = false
		minimum_uid = 0
		debug = false
	}
I can't believe how difficult this is proving!
 
Old 03-30-2006, 01:57 PM   #4
Darin
Senior Member
 
Registered: Jan 2003
Location: Portland, OR USA
Distribution: Slackware, SLAX, Gentoo, RH/Fedora
Posts: 1,024

Rep: Reputation: 45
Is your system using the AD DNS server?
Code:
root@linux~# dig -x 192.168.48.10
root@linux~# dig SRV _kerberos._tcp.internal.my-college.org
root@linux~# dig ricsvr01.internal.my-college.org
 
Old 03-30-2006, 02:12 PM   #5
amon
Member
 
Registered: May 2004
Location: UK
Distribution: Debian, Ubuntu, CentOS
Posts: 146

Original Poster
Rep: Reputation: 17
not sure :-S

Code:
linux:~ # dig -x 192.168.48.10
 
; <<>> DiG 9.2.4 <<>> -x 192.168.48.10
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56697
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
 
;; QUESTION SECTION:
;10.48.168.192.in-addr.arpa.    IN      PTR
 
;; ANSWER SECTION:
10.48.168.192.in-addr.arpa. 1200 IN     PTR     ricsvr01.internal.my-college.org.
 
;; Query time: 0 msec
;; SERVER: 192.168.48.10#53(192.168.48.10)
;; WHEN: Thu Mar 30 21:08:29 2006
;; MSG SIZE  rcvd: 97
Code:
linux:~ # dig SRV _kerberos._tcp.internal.my-college.org
 
; <<>> DiG 9.2.4 <<>> SRV _kerberos._tcp.internal.my-college.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48712
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
 
;; QUESTION SECTION:
;_kerberos._tcp.internal.my-college.org. IN SRV
 
;; ANSWER SECTION:
_kerberos._tcp.internal.my-college.org. 600 IN SRV 0 100 88 ricsvr02.internal.my-college.org.
_kerberos._tcp.internal.my-college.org. 600 IN SRV 0 100 88 ricsvr01.internal.my-college.org.

;; ADDITIONAL SECTION:
ricsvr02.internal.my-college.org. 3600 IN A 192.168.48.11
ricsvr01.internal.my-college.org. 3600 IN A 192.168.48.10
 
;; Query time: 0 msec
;; SERVER: 192.168.48.10#53(192.168.48.10)
;; WHEN: Thu Mar 30 21:09:31 2006
;; MSG SIZE  rcvd: 213
Code:
linux:~ # dig ricsvr01.internal.my-college.org
 
; <<>> DiG 9.2.4 <<>> ricsvr01.internal.my-college.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18703
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
 
;; QUESTION SECTION:
;ricsvr01.internal.my-college.org. IN A
 
;; ANSWER SECTION:
ricsvr01.internal.my-college.org. 3600 IN A 192.168.48.10
 
;; Query time: 0 msec
;; SERVER: 192.168.48.10#53(192.168.48.10)
;; WHEN: Thu Mar 30 21:11:37 2006
;; MSG SIZE  rcvd: 73
 
Old 03-30-2006, 04:10 PM   #6
soulestream
Member
 
Registered: Nov 2005
Posts: 183

Rep: Reputation: 30
Linky


This link helped me a lot


soule
 
Old 03-30-2006, 05:02 PM   #7
Darin
Senior Member
 
Registered: Jan 2003
Location: Portland, OR USA
Distribution: Slackware, SLAX, Gentoo, RH/Fedora
Posts: 1,024

Rep: Reputation: 45
OK, that means yes you are using the AD DNS server and it can see all the stuff it needs to in the Active Directory Domain.

Googling for the error you receive turned up some list threads that point towards a bad or "fake" kinit/kerberos install (from some other package overwriting kerberos files.) The solution to this would probably be to use the package manager to update, or reinstall the kerberos package.
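Editor's added example, not code from anyone in this thread: the SRV lookup in post #5 shows two domain controllers, while the krb5.conf in post #3 hard-codes a single KDC by IP address. The snippet below parses that dig output, checks whether a `kdc =` value is one of the KDCs the domain actually advertises, and renders a [realms] stanza listing all of them. The sample text is the answer and additional sections from the dig output posted here; the function names (`parse_dig`, `check_configured_kdc`, `realm_stanza`) are chosen for this example.

```python
"""Cross-check the KDC hard-coded in krb5.conf against what the domain
advertises in DNS. Input is the text of `dig SRV _kerberos._tcp.<domain>`
(the answer and additional sections are the parts that matter)."""
import re
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "priority weight port target")

# Constructed sample: the relevant sections of the dig output posted above.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
_kerberos._tcp.internal.my-college.org. 600 IN SRV 0 100 88 ricsvr02.internal.my-college.org.
_kerberos._tcp.internal.my-college.org. 600 IN SRV 0 100 88 ricsvr01.internal.my-college.org.

;; ADDITIONAL SECTION:
ricsvr02.internal.my-college.org. 3600 IN A 192.168.48.11
ricsvr01.internal.my-college.org. 3600 IN A 192.168.48.10
"""

SRV_RE = re.compile(r"^\S+\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")
A_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\d+(?:\.\d+){3})$")


def _fqdn(name):
    """Normalise a DNS name: drop the trailing dot, lower-case it."""
    return name.rstrip(".").lower()


def parse_dig(text):
    """Return (list of SrvRecord, dict target -> IPv4) from dig's output.
    Lines starting with ';' are dig's own commentary and are skipped."""
    srv, addrs = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = SRV_RE.match(line)
        if m:
            prio, weight, port, target = m.groups()
            srv.append(SrvRecord(int(prio), int(weight), int(port), _fqdn(target)))
            continue
        m = A_RE.match(line)
        if m:
            addrs[_fqdn(m.group(1))] = m.group(2)
    return srv, addrs


def kdcs_in_preference_order(srv):
    """RFC 2782 order: lowest priority first, then highest weight."""
    return sorted(srv, key=lambda r: (r.priority, -r.weight, r.target))


def check_configured_kdc(kdc_setting, srv, addrs):
    """kdc_setting is the value of 'kdc =' in krb5.conf: a hostname or IPv4
    address, optionally ':port' (IPv6 literals are not handled here).
    Returns the matching SrvRecord, or None if DNS does not advertise that
    host on that port as a KDC."""
    host, _, port = kdc_setting.partition(":")
    port = int(port) if port else 88
    host = _fqdn(host)
    for rec in srv:
        if rec.port == port and (rec.target == host or addrs.get(rec.target) == host):
            return rec
    return None


def realm_stanza(realm, srv):
    """Render a [realms] entry listing every advertised KDC, so the client can
    fail over to the second domain controller instead of depending on one IP."""
    lines = ["\t%s = {" % realm.upper()]
    for rec in kdcs_in_preference_order(srv):
        lines.append("\t\tkdc = %s:%d" % (rec.target, rec.port))
    lines.append("\t}")
    return "\n".join(lines)


if __name__ == "__main__":
    records, addresses = parse_dig(SAMPLE_DIG_OUTPUT)
    for setting in ("192.168.48.10", "ricsvr02.internal.my-college.org", "192.168.48.99"):
        print("%-36s -> %s" % (setting, check_configured_kdc(setting, records, addresses)))
    print(realm_stanza("internal.my-college.org", records))
```

Run it against the saved output of `dig SRV _kerberos._tcp.<your domain>`; a `None` for the configured `kdc` means the client is pointed at a host the domain does not announce as a KDC, which is worth knowing before blaming PAM.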
 
Old 03-31-2006, 05:32 AM   #8
amon
Member
 
Registered: May 2004
Location: UK
Distribution: Debian, Ubuntu, CentOS
Posts: 146

Original Poster
Rep: Reputation: 17
OK so now my kinit seems to work. If I type in the correct password it takes me back to the command line. If I type in the wrong password it throws up an error.

I can:
Code:
wbinfo -u
wbinfo -g
wbinfo -n <username>
But I can't log in with anything (my main want is for GDM).
here is my /etc/pam.d/gdm
Code:
#%PAM-1.0
auth     required       pam_unix2.so	nullok #set_secrpc
account  required       pam_unix2.so
password required       pam_unix2.so	#strict=false
session  required       pam_unix2.so	debug # trace or none
session  required       pam_devperm.so
session  required       pam_resmgr.so
session  sufficient	pam_mkhomedir.so	skel=/etc/skel/ umask=0077 #added by david
I tried changing it to this also, with no luck:
Code:
#%PAM-1.0
auth     required       pam_unix2.so	nullok #set_secrpc
auth	sufficient	pam_krb5.so	use_first_pass	#david
auth	sufficient	pam_winbind.so	use_first_pass	#david
account  required       pam_unix2.so
account	sufficient	pam_krb5.so			#david
account sufficient	pam_winbind.so			#david
password required       pam_unix2.so	#strict=false
password sufficient	pam_krb5.so	use_authtok	#david
password sufficient	pam_winbind.so	use_authtok	#david
session  required       pam_unix2.so	debug # trace or none
session  required       pam_devperm.so
session  required       pam_resmgr.so
session  optional	pam_mkhomedir.so	skel=/etc/skel/ umask=0077 #added by david
session  optional	pam_krb5.so			#david

Last edited by amon; 03-31-2006 at 06:26 AM.
 
Old 04-02-2006, 10:55 AM   #9
ronatartifact
Member
 
Registered: Oct 2003
Location: Montreal, Canada
Distribution: CentOS
Posts: 38

Rep: Reputation: 5
Your PAM stuff looks a bit odd if you just want to use winbind.

I have this working very nicely for ssh clients on Mandriva 10.1 with Samba (3.10??? - not sure) and PAM 0.77

I do not see why you want Kerberos if you only have AD, since winbind will do this.

You probably want to put the winbind first since if winbind gives auth the OK, you do not want to require pam_unix.


auth sufficient pam_winbind.so #if winbind ok, you are in
auth required pam_unix2.so #else check passwd

Try this, if it works you may want to add use_first_pass on the unix.so to stop it prompting again when winbind does not give ok.

You may want to test with something like sshd so that you do not lock yourself out while testing. I managed to do that once by being a bit too clever on a test.

Once I got the winbind working, I modified the system-auth script to make winbind work for all PAM-enabled applications without having to touch each file in pam.d

PAM is pretty powerful and a good tool for lots of tasks.
I added some checks to prevent all but a few users from logging in remotely (they must be in the office on the LAN to get in).

I also added some stuff to the "session" to set up custom environments to automatically start an application for some users and to start them up in the right menu depending on files of usernames (shipping users can only run one application and they start in the shipping menu).

I have to modify pam_access and pam_filelist to support all the PAM controls but it was trivial even for someone who is not a C programmer.

I hope that this gets you up and running. You are very close now.
Ron
 
Old 04-03-2006, 07:56 AM   #10
amon
Member
 
Registered: May 2004
Location: UK
Distribution: Debian, Ubuntu, CentOS
Posts: 146

Original Poster
Rep: Reputation: 17
i made some changes. my /etc/pam.d/sshd file now looks like this:
Code:
#%PAM-1.0
auth sufficient pam_winbind.so #if winbind ok, you are in
auth required pam_unix2.so #else check passwd
auth required pam_nologin.so
I restarted the sshd daemon:
/etc/init.d/sshd restart

It restarted OK. Then I tried to log in as the user inst which is an AD user with the command:
Code:
ssh inst@localhost
and was told permission denied. Am I getting something wrong in my ssh command or is there a problem somewhere else?
 
Old 04-03-2006, 10:23 PM   #11
ronatartifact
Member
 
Registered: Oct 2003
Location: Montreal, Canada
Distribution: CentOS
Posts: 38

Rep: Reputation: 5
AD authentication continued

Look in your auth.log (or equivalent) to see what failed.
Once you get through auth, you still have to get through account, password and session.

You will need to use the same logic in those sections as well to make sure that winbind gets called first (if you want any more checking at all). Read the PAM documentation about the "controls" to see what is being done at each of these steps.


I am not sure why you need pam_unix (or winbind) in session - you are already through auth, account and password by then so you really only need to do any post-login setups or prior-to-logout tear-downs that you need. I have my menu customization in session but no reference to pam_winbind or pam_unix.

I could use .profile, .bashrc, etc for what I am doing in "session" but I like some of the pam modules that are available to identify users and to set up environment variables based on the tests. Saves writing a lot of shell code.

You will get an error from ssh if any of the "controls" fail, so make sure that if "auth" succeeds everything that your subsequent controls do, also returns "success".

The logs can be a bit hard to read but you will be able to track the execution of ssh as it calls PAM at each stage.
Beware that success messages may not be logged so you have to be a bit careful reading the logs.

Ron
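Editor's added example, not posted by Ron or anyone else in the thread: a small simulation of how Linux-PAM walks one management group, to make the point about control flags and module order concrete without editing /etc/pam.d on a live box. The auth stacks are the ones from post #8 and post #10; the per-user module verdicts (`AD_USER`, `LOCAL_USER`, `WRONG_PASSWORD`) and the `SSHD_*` group layouts are constructed for the example.

```python
"""Simulate how Linux-PAM walks one management group (auth, account, ...)
so the effect of control flags and module order can be tried on paper
before editing /etc/pam.d on a box you might lock yourself out of."""

SUCCESS, AUTH_ERR, USER_UNKNOWN = "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_USER_UNKNOWN"


def run_stack(stack, results):
    """stack: list of (control, module) in file order.
    results: constructed return code per module for the user being tested;
    a module that is not listed is taken to succeed (pam_mkhomedir, pam_nologin
    on a normal day), so list only the modules whose verdict matters.
    Control flags, as Linux-PAM applies them:
      required   failure is remembered, but the rest of the stack still runs
      requisite  failure returns to the application at once
      sufficient success returns at once, unless a required module already
                 failed; its own failure is simply ignored
      optional   only counts when it is the sole module in the stack
                 (simplified from the real 'only if nothing else counted')"""
    first_failure = None
    for control, module in stack:
        rc = results.get(module, SUCCESS)
        ok = rc == SUCCESS
        if control == "required":
            if not ok and first_failure is None:
                first_failure = rc
        elif control == "requisite":
            if not ok:
                return rc
        elif control == "sufficient":
            if ok and first_failure is None:
                return SUCCESS
        elif control == "optional":
            if len(stack) == 1 and not ok:
                first_failure = rc
        else:
            raise ValueError("unknown control flag: %r" % control)
    return SUCCESS if first_failure is None else first_failure


def login(stacks, results):
    """A login service (sshd, gdm) runs auth, then account, then session;
    the password group is only used when a password is changed. Returns
    (name of the first group that failed, its code) or ('ok', PAM_SUCCESS)."""
    for group in ("auth", "account", "session"):
        rc = run_stack(stacks.get(group, []), results)
        if rc != SUCCESS:
            return group, rc
    return "ok", SUCCESS


# ---- constructed scenarios ----------------------------------------------
# The gdm auth stack from post #8: the local check runs first and is required.
AUTH_AS_POSTED = [
    ("required", "pam_unix2.so"),
    ("sufficient", "pam_krb5.so"),
    ("sufficient", "pam_winbind.so"),
]
# Ron's ordering: winbind answers first, the local password file is the fallback.
AUTH_WINBIND_FIRST = [
    ("sufficient", "pam_winbind.so"),
    ("required", "pam_unix2.so"),
]

# Per-user module verdicts (assumed for the example). The AD account has no
# line in /etc/shadow, so pam_unix2 cannot vouch for it in any group; the
# local account is unknown to the domain.
AD_USER = {"pam_winbind.so": SUCCESS, "pam_krb5.so": SUCCESS, "pam_unix2.so": USER_UNKNOWN}
LOCAL_USER = {"pam_winbind.so": USER_UNKNOWN, "pam_krb5.so": USER_UNKNOWN, "pam_unix2.so": SUCCESS}
WRONG_PASSWORD = {"pam_winbind.so": AUTH_ERR, "pam_krb5.so": AUTH_ERR, "pam_unix2.so": AUTH_ERR}

# Only the auth stack was reordered (like the sshd file in post #10); account
# and session still insist on pam_unix2, which is where an AD user then fails.
SSHD_AUTH_ONLY = {
    "auth": AUTH_WINBIND_FIRST,
    "account": [("required", "pam_unix2.so")],
    "session": [("required", "pam_unix2.so")],
}
# The same ordering carried through every group, plus mkhomedir for first
# logins. Note that a successful 'sufficient' stops the walk, so anything
# placed after pam_winbind in the session stack would not run for AD users.
SSHD_CONSISTENT = {
    "auth": AUTH_WINBIND_FIRST,
    "account": [("sufficient", "pam_winbind.so"), ("required", "pam_unix2.so")],
    "session": [("required", "pam_mkhomedir.so"),
                ("sufficient", "pam_winbind.so"), ("required", "pam_unix2.so")],
}

if __name__ == "__main__":
    for name, stack in (("as posted", AUTH_AS_POSTED), ("winbind first", AUTH_WINBIND_FIRST)):
        print("auth %-14s AD user: %s" % (name, run_stack(stack, AD_USER)))
    for name, stacks in (("auth only fixed", SSHD_AUTH_ONLY), ("consistent", SSHD_CONSISTENT)):
        print("sshd %-15s AD user: %s" % (name, login(stacks, AD_USER)))
```

The "as posted" stack fails the AD user even though both pam_krb5 and pam_winbind say yes, because a `required` module had already failed and `sufficient` cannot override that; the "auth only fixed" layout passes auth and then fails in account, which is exactly the symptom of getting "permission denied" from ssh after fixing only the auth lines.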
 
Old 04-04-2006, 01:39 PM   #12
amon
Member
 
Registered: May 2004
Location: UK
Distribution: Debian, Ubuntu, CentOS
Posts: 146

Original Poster
Rep: Reputation: 17
I've done it

This problem has hung over me in some shape for 2 years. A big thank you to all here and around the world.

I found part of my problems were in my gdm configuration (it didn't like me putting comments on the same line as I had options).

My next problem was a permissions one. I had set a sub dir for domain users in my home and made it with root and didn't give everyone read/enter permission, so it bombed out when people logged in. I'm going to tidy things up a little then write it all up for others.

I was pointed in the right direction when I checked /var/log/samba/log.winbindd
and found the error messages.

It gave me another error that I was able to google for and fix after I'd logged in and then it wouldn't let me log in again.

Last edited by amon; 04-04-2006 at 01:42 PM.
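Editor's added example, not part of amon's write-up: a checker for the permissions problem described in this post. It walks every directory on the path to a home directory and reports each component the user could not enter, using the unprivileged user's view rather than root's (root can enter anything, which is why the problem is invisible when testing as root). The directory name /home/RIC and the uid 10001 are assumptions for the example; `BROKEN` and `FIXED` are constructed to match the description above, and `demo_on_disk` rebuilds the same layout in a temporary directory.

```python
"""Find out why a freshly created domain user cannot get into their home
directory. A login needs search (x) permission on every directory on the
path to $HOME, seen as that user, and the home itself should belong to
them. Read permission on the parents is not needed, only x."""
import os
import stat
import tempfile


def prefixes(path):
    """'/home/RIC/inst' -> ['/', '/home', '/home/RIC', '/home/RIC/inst']"""
    path = os.path.abspath(path)
    out = [path]
    while os.path.dirname(path) != path:
        path = os.path.dirname(path)
        out.append(path)
    return out[::-1]


def collect(home):
    """Read (path, st_mode, uid, gid) for every component from the live
    filesystem, following symlinks. Stops at the first missing component,
    which is recorded with mode None."""
    entries = []
    for p in prefixes(home):
        try:
            st = os.stat(p)
        except FileNotFoundError:
            entries.append((p, None, None, None))
            break
        entries.append((p, st.st_mode, st.st_uid, st.st_gid))
    return entries


def can_search(mode, owner, group, uid, gid, groups=()):
    """The x bit as an unprivileged user sees it: owner bits if they own
    the directory, group bits if it belongs to one of their groups, else
    the 'other' bits. root's DAC bypass is deliberately not modelled."""
    if owner == uid:
        return bool(mode & stat.S_IXUSR)
    if group == gid or group in groups:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)


def home_problems(entries, uid, gid, groups=()):
    """Return [(path, reason), ...]; an empty list means uid can reach and
    owns the last component (the home directory)."""
    problems = []
    for path, mode, owner, group in entries:
        if mode is None:
            problems.append((path, "does not exist"))
            return problems
        if not stat.S_ISDIR(mode):
            problems.append((path, "not a directory"))
            return problems
        if not can_search(mode, owner, group, uid, gid, groups):
            problems.append((path, "no search (x) permission for uid %d" % uid))
    home, _, owner, _ = entries[-1]
    if owner != uid:
        problems.append((home, "owned by uid %d, not %d" % (owner, uid)))
    return problems


# ---- constructed layout matching the description in the post -------------
D = stat.S_IFDIR
# /home/RIC is the sub-directory made as root for domain users (name assumed);
# uid 10001 is inside the idmap range from the smb.conf earlier in the thread.
BROKEN = [
    ("/", D | 0o755, 0, 0),
    ("/home", D | 0o755, 0, 0),
    ("/home/RIC", D | 0o700, 0, 0),               # root-only: nobody else can enter
    ("/home/RIC/inst", D | 0o700, 10001, 10001),  # made by pam_mkhomedir umask=0077
]
# The fix: let everyone traverse the container directory (0755); the home
# itself can stay 0700 because its owner has the x bit.
FIXED = BROKEN[:2] + [("/home/RIC", D | 0o755, 0, 0)] + BROKEN[3:]


def demo_on_disk():
    """Rebuild the broken layout under a temp dir and analyse it for uid
    10001, which owns nothing there. Returns (entries, problems)."""
    root = tempfile.mkdtemp()
    domain_dir = os.path.join(root, "RIC")
    home = os.path.join(domain_dir, "inst")
    os.makedirs(home)
    os.chmod(root, 0o755)
    os.chmod(domain_dir, 0o700)  # the mistake
    os.chmod(home, 0o700)
    entries = collect(home)
    return entries, home_problems(entries, 10001, 10001)


if __name__ == "__main__":
    for label, layout in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, home_problems(layout, 10001, 10001))
    print("on disk", demo_on_disk()[1])
```

To check a real account, pass `collect("/home/RIC/inst")` together with the uid and gid that `getent passwd RIC+inst` (or `wbinfo -i`) reports for the domain user; every line it prints is a component that login will trip over before the shell even starts.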
 
Old 04-05-2006, 08:48 AM   #13
ronatartifact
Member
 
Registered: Oct 2003
Location: Montreal, Canada
Distribution: CentOS
Posts: 38

Rep: Reputation: 5
Glad you are back on track
 
  

