LinuxQuestions.org
Old 02-29-2012, 02:06 PM   #1
maksaraswat
SSH (PAM) Authentication for Domain User


Hi,

I have CentOS configured with Samba and Winbind for file shares, which works fine. In order for domain users to log in to the Linux box I configured the /etc/pam.d/sshd file. However, every time I try to log in with a domain user it connects, shows the standard message "Last login: ..." and then disconnects, displaying the message "Connection to SERVER-NAME closed."

Also, it asked me to manually create the /home/DOMAIN/ directory, otherwise it gives this message

"Last login: Tue Feb 28 16:30:45 2012 from x.x.x.x
Could not chdir to home directory /home/DOMAIN/USER: No such file or directory
Connection to SERVER closed."

The /etc/pam.d/sshd looks like this:

auth sufficient pam_winbind.so
auth required pam_nologin.so
auth include system-auth
account sufficient pam_winbind.so
account include system-auth
session include system-auth
password include system-auth

Following is the message at /var/log/secure (disregarding the break-in attempt part)

Feb 28 16:44:55 file3 sshd[4394]: reverse mapping checking getaddrinfo for machinename.domain.com failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 28 16:44:59 file3 sshd[4394]: pam_winbind(sshd:auth): getting password (0x00000000)
Feb 28 16:44:59 file3 sshd[4394]: pam_winbind(sshd:auth): user 'DOMAIN+User' granted access
Feb 28 16:44:59 file3 sshd[4394]: pam_winbind(sshd:account): user 'DOMAIN+User' granted access
Feb 28 16:44:59 file3 sshd[4394]: Accepted password for DOMAIN+User from x.x.x.x port 44240 ssh2
Feb 28 16:44:59 file3 sshd[4394]: pam_unix(sshd:session): session opened for user DOMAIN+User by (uid=0)
Feb 28 16:44:59 file3 sshd[4396]: Received disconnect from x.x.x.x: 11: disconnected by user
Feb 28 16:44:59 file3 sshd[4394]: pam_unix(sshd:session): session closed for user DOMAIN+User

I have also added the group in sudoers list that will be accessing this machine.

Can anyone please assist me here to make SSH work for domain users?


Thanks in advance!
Mayank
 
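The log excerpt in the post above shows PAM accepting the user at the auth and account stages and opening a session, after which the server-side process ends at once. Disconnect reason 11 is SSH_DISCONNECT_BY_APPLICATION, which the OpenSSH client sends (logged as "disconnected by user") once its session channel has closed; it does not mean the person hung up. The missing home directory is not enough on its own: sshd only prints "Could not chdir to home directory" and carries on without changing directory. What does end a session immediately is the shell field of the NSS entry, and for a winbind user without RFC 2307 attributes that field comes from smb.conf's "template shell", whose default is /bin/false. The script below is an added example, not something posted in the thread; it checks the passwd line that getent returns for a user and reports anything that would cut an SSH login short. The two sample entries at the bottom are constructed.

```shell
#!/bin/sh
# check_login_entry: validate one passwd(5)-style line, as returned by
#   getent passwd 'DOMAIN+user'
# for an interactive SSH login. Prints one finding per line and returns 1 if
# something would end the session right after authentication; returns 0
# when the entry looks usable.
#   $1  passwd line "name:password:uid:gid:gecos:home:shell"
#   $2  "nohome" skips the home-directory existence check (offline use)
check_login_entry() {
    entry=$1
    mode=${2:-full}
    rc=0

    # Split on ':' only; disable globbing so a '*' password field stays literal.
    old_ifs=$IFS
    IFS=:
    set -f
    set -- $entry
    set +f
    IFS=$old_ifs
    name=$1 uid=$3 gid=$4 home=$6 shell=$7

    if [ -z "$name" ]; then
        echo "empty user name"
        return 1
    fi
    case $uid in
        ''|*[!0-9]*) echo "$name: uid '$uid' is not numeric (idmap problem?)"; rc=1 ;;
    esac
    case $gid in
        ''|*[!0-9]*) echo "$name: gid '$gid' is not numeric (idmap problem?)"; rc=1 ;;
    esac

    # An empty or non-interactive shell is the classic "login accepted, then
    # closed" cause: sshd has nothing to run. Without RFC 2307 attributes a
    # winbind user gets smb.conf's 'template shell', which defaults to /bin/false.
    if [ -z "$shell" ]; then
        echo "$name: no login shell in the NSS entry (set 'template shell' in smb.conf)"
        rc=1
    else
        case $shell in
            */nologin|*/false)
                echo "$name: shell $shell refuses interactive logins"; rc=1 ;;
            /*)
                if [ ! -x "$shell" ]; then
                    echo "$name: shell $shell is missing or not executable"; rc=1
                fi ;;
            *)
                echo "$name: shell '$shell' is not an absolute path"; rc=1 ;;
        esac
    fi

    # A missing home directory by itself only produces sshd's
    # "Could not chdir to home directory" warning; the session continues.
    if [ -z "$home" ]; then
        echo "$name: no home directory in the NSS entry (check 'template homedir')"
        rc=1
    elif [ "$mode" != nohome ] && [ ! -d "$home" ]; then
        echo "$name: home $home does not exist yet (pam_mkhomedir not running?)"
    fi
    return $rc
}

# Live use on the server:
#   check_login_entry "$(getent passwd 'DOMAIN+user')"
# Constructed sample entries (not taken from the thread) for a stand-alone run:
good='DOMAIN+user:*:10001:10001::/home/DOMAIN/user:/bin/sh'
noshell='DOMAIN+other:*:10002:10001::/home/DOMAIN/other:'
check_login_entry "$good" nohome
check_login_entry "$noshell" nohome || echo "--> $noshell would disconnect after login"
```

Run it on the box with the live getent line (without the "nohome" argument) for the exact user that gets disconnected; if the entry passes, the problem is in the PAM session stack rather than in what winbind hands to NSS.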
Old 03-03-2012, 07:59 PM   #2
Cyrolancer
Did you assign a shell, like /bin/bash, for the users?
 
Old 03-05-2012, 11:27 AM   #3
Beandip408
Quote:
Originally Posted by maksaraswat
Where are the domain users' credentials? Are they stored in Active Directory? And if so, is it Windows Server 2008?
 
Old 03-06-2012, 03:20 PM   #4
yngmike
You will want to check whether /etc/security/access.conf is configured properly. Make sure + : ALL : ALL is called out (if you are not concerned about security; you will need to tighten this up later).
Also check /etc/securetty (if a valid tty for the user is not defined you can log in, but it will immediately disconnect you).

Hope that helps.
 
Old 03-07-2012, 04:05 PM   #5
maksaraswat
@Cyrolancer: I am not sure where to assign that; however, in the system-auth file I have the following line:
session optional pam_mkhomedir.so umask=0077

@Beandip408: Yes, its on AD which is a 2008 R2 box.

@yngmike: I added + : ALL = ALL but it's still disconnecting. Also, I don't want to add a tty in securetty as I need a group of people to access the boxes, not just one.

I really appreciate everyone helping out here!

Thanks,
Mayank
 
Old 03-07-2012, 05:06 PM   #6
manyrootsofallevil
What version of CentOS are you using?

If you do

Code:
getent passwd
Do you get a list of domain users? Only domain users that have Unix settings will show up.

I have written a guide to join a CentOS 6/RHEL 6 box to a Windows 2008 AD domain.
 
Old 03-08-2012, 02:14 AM   #7
Cyrolancer
Quote:
Originally Posted by maksaraswat
@Cyrolance: I am not sure where to assign that however in the system-auth file I have following line:
session optional pam_mkhomedir.so umask=0077
That's not the case. Maybe you need to install something like "Microsoft Services for Unix" on the Windows Server. Linux needs a UID, GID, home directory and login shell in order to continue after the login process. I think you have set up the login: Linux checks AD for the username and password, then says OK. But when Linux asks for other things, like the home directory or login shell, AD does not respond, or responds with "not found", and you are disconnected from the Linux box.

The directive "pam_mkhomedir" needs a valid home directory and creates it if not available. You can set /home/test or /var/www/test; it does not matter for "pam_mkhomedir". It just creates the directory if it is not present in the filesystem.

 
Old 03-09-2012, 07:30 AM   #8
yngmike
Quote:
Originally Posted by Cyrolancer
@Cyrolancer,

That is incorrect. Microsoft Services for Unix would only be required if you defined RFC 2307 extensions in your smb.conf,

i.e.:

winbind nss info = rfc2307
idmap config YOURDOMAIN : cache time = 1800
idmap config YOURDOMAIN : backend = ad
idmap config YOURDOMAIN : range = 10000-5000000
idmap config YOURDOMAIN : schema_mode = rfc2307

Additionally some tweaks with ADSI edit would also be required.


If he is getting disconnected immediately after login, it would seem to me that he is having some type of PAM issue.
 
Old 03-09-2012, 07:53 AM   #9
Cyrolancer
Quote:
Originally Posted by yngmike
Thank you for the correction yngmike. I think the link provided by manyrootsofallevil may solve the problem. I missed it before posting.
 
Old 03-12-2012, 02:26 PM   #10
maksaraswat
Thanks everyone for the replies.

@manyrootsofallevil: We have been using AD with Linux integration for several years and I doubt we have any issues with the join. When I do wbinfo -u and wbinfo -g I get all the domain users and groups. Also with getent passwd I see domain and local user details.

@Cyrolancer: I am not sure where/how I can define a home directory for pam_mkhomedir.


I am still working on it and trying to resolve it.


Thanks,
Mayank
 
Old 03-13-2012, 03:04 AM   #11
manyrootsofallevil
Quote:
Originally Posted by maksaraswat
If your users are all logging in with SSH, you could add this directive to /etc/pam.d/sshd

Quote:
session required pam_mkhomedir.so skel=/etc/skel umask=0022
and remove the other mkhomedir reference from system-auth, at least temporarily.

Change the umask to suit your needs.

Do make sure that it is the first session directive, though.

This works for CentOS/RHEL 6.x

The other thing to bear in mind is the status of SELinux. The above will not work if SELinux is set to enforcing and you haven't created policy modules.
 
Old 03-13-2012, 09:57 AM   #12
yngmike
FYI: If you put

session required /lib64/security/pam_mkhomedir.so skel=/etc/skel umask=022

In /etc/pam.d/system-auth it will work for all logins, since system-auth is referenced by /etc/pam.d/sshd by default anyway.

SELinux is a whole other can of worms. Temporarily disable it for troubleshooting.

-Mike
 
Old 03-14-2012, 02:40 PM   #13
maksaraswat
As soon as I try to ssh I see the following log in /var/log/secure

Mar 14 15:23:56 SERVERNAME sshd[13444]: PAM unable to dlopen(/lib64/security/system-auth)
Mar 14 15:23:56 SERVERNAME sshd[13444]: PAM [error: /lib64/security/system-auth: cannot open shared object file: No such file or directory]
Mar 14 15:23:56 SERVERNAME sshd[13444]: PAM adding faulty module: /lib64/security/system-auth
Mar 14 15:24:31 SERVERNAME sshd[13444]: pam_winbind(sshd:auth): getting password (0x00000000)

The above log is even before I enter password and as soon as I enter password I see following on my prompt

Last login: Wed Mar 14 15:22:48 2012 from X.X.X.X
Could not chdir to home directory /home/DOMAIN/username: No such file or directory
Connection to SERVERNAME closed.

And on server I see following in /var/log/secure


Mar 14 15:24:31 SERVERNAME sshd[13444]: pam_winbind(sshd:auth): getting password (0x00000000)
Mar 14 15:24:31 SERVERNAME sshd[13444]: pam_winbind(sshd:auth): user 'DOMAIN+username' granted access
Mar 14 15:24:31 SERVERNAME sshd[13444]: pam_winbind(sshd:account): user 'DOMAIN+username' granted access
Mar 14 15:24:31 SERVERNAME sshd[13444]: Accepted password for DOMAIN+username from X.X.X.X port XXXXX ssh2
Mar 14 15:24:31 SERVERNAME sshd[13446]: Received disconnect from X.X.X.X: 11: disconnected by user

I am not sure why it says disconnected by user as the user is trying to connect.

Thanks in advance!

Mayank
 
Old 03-15-2012, 02:55 AM   #14
manyrootsofallevil
Quote:
Originally Posted by maksaraswat
Is your system 64-bit?

On our 64-bit system we don't bother with qualified names.

Use

Code:
session required pam_mkhomedir.so skel=/etc/skel umask=0022
instead of

Code:
session required /lib64/security/pam_mkhomedir.so skel=/etc/skel umask=0022
@yngmike: We only log in via SSH as our environment is virtualized and we don't have access to vCentre. Obviously if this is not the case, then system-auth is a better place to add this directive.

 
Old 03-15-2012, 08:47 AM   #15
yngmike
You definitely have a PAM issue.

Mar 14 15:23:56 SERVERNAME sshd[13444]: PAM unable to dlopen(/lib64/security/system-auth)
Mar 14 15:23:56 SERVERNAME sshd[13444]: PAM [error: /lib64/security/system-auth: cannot open shared object file: No such file or directory]
Mar 14 15:23:56 SERVERNAME sshd[13444]: PAM adding faulty module: /lib64/security/system-auth
Mar 14 15:24:31 SERVERNAME sshd[13444]: pam_winbind(sshd:auth): getting password (0x00000000)

Below is a fully functioning /etc/pam.d/sshd file that will work with RHEL 5.x (it should also work with 6.x, assuming no huge changes have been made to PAM):

#%PAM-1.0
account required pam_access.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
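Posts #11 to #15 turn on two details of the PAM stack: where pam_mkhomedir sits relative to the rest of the session stack, and the dlopen failure that shows up when a module field is written as a path without the .so suffix. PAM treats everything after the control word (other than an include or substack target) as a shared object to load, so a third field of /lib64/security/system-auth is handed to dlopen and fails exactly as in the post #13 log. The function below is an added example, not something posted in the thread; it reads a PAM service file from stdin and flags those mistakes, plus the bare-name-versus-absolute-path point from post #14 and the "first session directive" advice from post #11. The sample stack it runs on is constructed to reproduce the post #13 error.

```shell
#!/bin/sh
# lint_pam_stack: sanity-check a PAM service file (e.g. /etc/pam.d/sshd) read
# from stdin. Prints one finding per line and returns 1 when it found something
# that would break the stack; pure warnings do not change the return value.
lint_pam_stack() {
    rc=0
    lineno=0
    session_seen=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        line=${line%%#*}            # drop comments, including the #%PAM-1.0 header
        set -f                      # no globbing while splitting the fields
        set -- $line
        set +f
        if [ $# -eq 0 ]; then
            continue
        fi
        if [ $# -lt 3 ]; then
            echo "line $lineno: expected 'type control module [args]', got: $line"
            rc=1
            continue
        fi
        mtype=$1 control=$2 module=$3
        case $mtype in
            auth|account|password|session|-auth|-account|-password|-session) ;;
            *) echo "line $lineno: unknown module type '$mtype'"; rc=1 ;;
        esac
        case $control in
            include|substack)
                # The third field names another file under /etc/pam.d, never a path.
                case $module in
                    */*) echo "line $lineno: '$control' expects a service name, not a path: $module"; rc=1 ;;
                esac ;;
            *)
                # Anything else is handed to dlopen(), so it must be a shared object.
                case $module in
                    *.so) ;;
                    *) echo "line $lineno: module '$module' does not end in .so (dlopen will fail)"; rc=1 ;;
                esac
                case $module in
                    /*) echo "line $lineno: absolute module path; a bare name lets PAM use its own module directory" ;;
                esac ;;
        esac
        if [ "$mtype" = session ]; then
            session_seen=$((session_seen + 1))
            case $module in
                *pam_mkhomedir.so)
                    # Thread advice: create the home before the rest of the session stack runs.
                    if [ $session_seen -ne 1 ]; then
                        echo "line $lineno: pam_mkhomedir is session entry #$session_seen, not the first"
                    fi ;;
            esac
        fi
    done
    return $rc
}

# Constructed sample (not a file from the thread) that reproduces the dlopen error:
lint_pam_stack <<'EOF' || echo "--> this stack would fail as in post #13"
#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    required     /lib64/security/system-auth
session    include      system-auth
EOF
```

On a real box run it as `lint_pam_stack < /etc/pam.d/sshd` and again on /etc/pam.d/system-auth, since sshd includes the latter and a bad line there breaks every service that references it.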
 
  

