LinuxQuestions.org

Linux - Software: Cannot Authenticate Via SSH (https://www.linuxquestions.org/questions/linux-software-2/cannot-authenticate-via-ssh-338902/)

Sivel 06-30-2005 08:14 PM

Cannot Authenticate Via SSH
 
I have just installed Kerberos/OpenLDAP/Samba, following this guide:

hxxp://lilly.csoft.net/~vdebaere/handleiding/samba-activedirectory/index_en.html

and am now unable to ssh into the box using any of the users from the Active Directory or the local machine.

Any suggestions on what might have caused this or how I can fix this problem? I haven't tried logging in locally at the machine because it is kind of inaccessible. I do have webmin installed on the box so I can do basic administration from there. If need be I can get to the box to log in locally.

I don't see what could have caused this. By the way I am using Fedora Core 3.


Thanks in advance.

sorry for the hxxp but I cant post links yet.

Matir 06-30-2005 09:23 PM

My guess would be that the pam stacks for ssh are improperly configured.

Sivel 06-30-2005 09:50 PM

That's what I was thinking, but I checked the PAM stuff for both login and ssh and compared them to a machine that was able to log in properly. I was also thinking that maybe it was due to the fact that most of the users in AD are also configured on the Linux box, which may possibly cause issues, but I know for sure there isn't an account called root in AD, and I created a new user on the Linux box and still cannot ssh.

It would be a little easier if I were easily able to gain access to the box other than through the use of webmin.

Matir 06-30-2005 10:11 PM

Are they both authenticating against the same servers and directories?

Sivel 07-01-2005 06:58 AM

No, the one that works properly is at my house and is authenticating against a Windows 2003 AD at my house as well. The other two are at work.

Matir 07-01-2005 08:51 AM

Have you carefully compared configurations as much as possible? Are there any notable differences in the setups?

Sivel 07-01-2005 12:53 PM

I got a chance to get to the datacenter today and found that I cannot log on locally. I'm thinking PAM must be messed up for login. I'll take a look at it here shortly.

Matir 07-01-2005 01:53 PM

That definitely sounds like a PAM issue. I've been thinking of migrating my network to an LDAP-based solution, but I'm wondering if it's worth the trouble for a half-dozen machines.

Sivel 07-01-2005 06:39 PM

I solved the problem and wanted to respond to let you know. It appears that in my krb5.conf file I had "default_domain = "; for some reason I forgot to finish configuring Kerberos. I also found that I forgot to add

winbind enum users=yes
winbind enum groups=yes

to my smb.conf

After I made these changes everything went fine, except that I had to use a Fedora rescue CD to edit these files.

But I think what may have done it was the nsswitch.conf

passwd: compat winbind
shadow: compat
group: compat winbind

may have caused the problem.

Although I think I need that, I currently have

passwd: files
shadow: files
group: files

It works for now until I can test it again.

Matir 07-01-2005 08:43 PM

Thanks for posting the resolution/update. Hopefully others will be able to search and find the answer. :)

Sivel 07-03-2005 10:13 AM

Okay and for my final post for this problem...

The problem seems to come from /etc/nsswitch.conf

The following seems to break the authentication process:

passwd: compat winbind
shadow: compat
group: compat winbind

For some reason the Linux box will not authenticate with Active Directory unless you are using automatic login. If you have to manually log in (i.e. enter login info) it will not authenticate.

So the previous settings of "compat winbind" tell the Linux box to only look to Active Directory for authentication.

So I just changed it to the following:

passwd: compat winbind files [NOTFOUND=return]
shadow: compat files [NOTFOUND=return]
group: compat winbind files [NOTFOUND=return]

That way it will check with Active Directory, then the local files, and then if it cannot authenticate it will start over.

So the following changes that had to be made are:

passwd: compat winbind files [NOTFOUND=return]
shadow: compat files [NOTFOUND=return]
group: compat winbind files [NOTFOUND=return]
hosts: files dns wins
ethers: db files
netmasks: files dns
networks: files dns
protocols: db files
rpc: db files
services: db files

