Cannot Authenticate Via SSH
I have just installed Kerberos/OpenLDAP/Samba following this guide:
hxxp://lilly.csoft.net/~vdebaere/handleiding/samba-activedirectory/index_en.html and am now unable to ssh into the box using any of the users from Active Directory or the local machine. Any suggestions on what might have caused this or how I can fix this problem? I haven't tried logging in locally at the machine because it is kind of inaccessible. I do have webmin installed on the box, so I can do basic administration from there. If need be I can get to the box to log in locally. I don't see what could have caused this. By the way, I am using Fedora Core 3. Thanks in advance. Sorry for the hxxp, but I can't post links yet.
My guess would be that the pam stacks for ssh are improperly configured.
That's what I was thinking, but I checked the PAM stuff for both login and ssh and compared them to a machine that was able to log in properly. I was also thinking that maybe it was due to the fact that most of the users in AD are also configured on the Linux box, which may possibly cause issues, but I know for sure there isn't an account called root in AD, and I created a new user on the Linux box and still cannot ssh.
It would be a little easier if I were able to gain access to the box other than through webmin.
Are they both authenticating against the same servers and directories?
No, the one that works properly is at my house and is authenticating against a Windows 2003 AD at my house as well. The other two are at work.
Have you carefully compared configurations as much as possible? Are there any notable differences in the setups?
I got a chance to get to the datacenter today, and I found that I cannot log on locally either. I'm thinking PAM must be messed up for login. I'll take a look at it shortly.
That definitely sounds like a PAM issue. I've been thinking of migrating my network to an LDAP-based solution, but I'm wondering if it's worth the trouble for a half-dozen machines.
I solved the problem and wanted to respond to let you know. It appears that in my krb5.conf file I had "default_domain = "; for some reason I forgot to finish configuring Kerberos. I also found that I forgot to add
    winbind enum users = yes
    winbind enum groups = yes
to my smb.conf. After I made these changes everything went fine, except that I had to use a Fedora rescue CD to edit these files. But I think what may have done it was the nsswitch.conf:
    passwd: compat winbind
    shadow: compat
    group:  compat winbind
That may have caused the problem. Although I think I need that, I currently have
    passwd: files
    shadow: files
    group:  files
It works for now until I can test it again.
Thanks for posting the resolution/update. Hopefully others will be able to search and find the answer. :)
Okay and for my final post for this problem...
The problem seems to come from /etc/nsswitch.conf. The following seems to break the authentication process:
    passwd: compat winbind
    shadow: compat
    groups: compat winbind
For some reason the Linux box will not authenticate with Active Directory unless you are using automatic login. If you have to manually log in (i.e. entering login info) it will not authenticate. So the previous settings of "compat winbind" tell the Linux box to only look to Active Directory for authentication. So I just changed it to the following:
    passwd: compat winbind files [NOTFOUND=return]
    shadow: compat files [NOTFOUND=return]
    group:  compat winbind files [NOTFOUND=return]
That way it will check with Active Directory, then the local files, and then if it cannot authenticate it will start over. So the changes that had to be made are:
    passwd:    compat winbind files [NOTFOUND=return]
    shadow:    compat files [NOTFOUND=return]
    group:     compat winbind files [NOTFOUND=return]
    hosts:     files dns wins
    ethers:    db files
    netmasks:  files dns
    networks:  files dns
    protocols: db files
    rpc:       db files
    services:  db files
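Added example, not from the thread or from any of the posters: a small Python script that parses an nsswitch.conf laid out like the one in the post above and sanity-checks the passwd, shadow and group databases for two things worth catching before the next reboot locks you out of the box. One is a typo in a database or source name (the "groups:" line, or a misspelt module name), which glibc does not reject but simply cannot use; the other is a database with no local source at all, which leaves root and other local accounts unresolvable as soon as winbind or the directory is unreachable. The sample configurations are constructed here, modelled on the before/after in the post with deliberate typos added, and KNOWN_SOURCES is a list of common NSS modules rather than an exhaustive one.

```python
import re

# Databases glibc knows about and NSS modules commonly installed; anything else
# in the file is most likely a typo that will be silently skipped at lookup time.
KNOWN_DATABASES = {
    "passwd", "shadow", "group", "gshadow", "hosts", "networks", "protocols",
    "services", "ethers", "rpc", "netgroup", "netmasks", "publickey", "aliases",
    "automount", "bootparams", "initgroups",
}
KNOWN_SOURCES = {   # assumption: common modules, not an exhaustive list
    "files", "compat", "db", "dns", "nis", "nisplus", "winbind", "ldap", "sss",
    "wins", "myhostname", "mdns4", "mdns4_minimal", "resolve",
}
LOCAL_SOURCES = {"files", "compat"}   # answer from /etc/passwd etc. without any network
AUTH_DATABASES = ("passwd", "shadow", "group")

# A token is either a bracketed action list such as [NOTFOUND=return] or a bare source name.
TOKEN_RE = re.compile(r"\[[^\]]*\]|\S+")


def parse_nsswitch(text):
    """Parse nsswitch.conf text into {database: [(source, {STATUS: action}), ...]}.

    A bracketed action list attaches to the source immediately before it, which is
    how glibc reads it: "files [NOTFOUND=return]" means stop after files if the
    entry was not found there.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        db, sep, rest = line.partition(":")
        if not sep:
            continue
        entries = []
        for tok in TOKEN_RE.findall(rest):
            if tok.startswith("["):
                actions = {}
                for pair in tok[1:-1].split():
                    status, _, action = pair.partition("=")
                    actions[status.strip().upper()] = action.strip().lower()
                if entries:                        # action lists modify the preceding source
                    source, existing = entries[-1]
                    entries[-1] = (source, {**existing, **actions})
            else:
                entries.append((tok.lower(), {}))
        conf[db.strip().lower()] = entries
    return conf


def check_auth_databases(conf):
    """Return human-readable findings for the lookups that login, sshd and PAM depend on."""
    findings = []
    for db in conf:
        if db not in KNOWN_DATABASES:
            findings.append(f"{db}: unknown database name, line is ignored by glibc")
    for db in AUTH_DATABASES:
        entries = conf.get(db)
        if entries is None:
            findings.append(f"{db}: not configured, glibc uses its built-in default")
            continue
        sources = [s for s, _ in entries]
        for s in sources:
            if s not in KNOWN_SOURCES:
                findings.append(f"{db}: unknown source '{s}', no libnss_{s} module to load")
        if not LOCAL_SOURCES & set(sources):
            findings.append(f"{db}: no local source, local accounts unresolvable "
                            "when the directory is unreachable")
    return findings


# Constructed samples modelled on the thread's before/after configuration.
# The "groups:" line in BROKEN and "comapt" in TYPO are deliberate mistakes.
BROKEN = """\
passwd: compat winbind
shadow: compat
groups: compat winbind
"""

FIXED = """\
passwd: compat winbind files [NOTFOUND=return]
shadow: compat files [NOTFOUND=return]
group:  compat winbind files [NOTFOUND=return]
hosts:  files dns wins
"""

TYPO = "passwd: compat winbind\nshadow: comapt\ngroup: winbind\n"

if __name__ == "__main__":
    for name, sample in (("broken", BROKEN), ("fixed", FIXED), ("typo", TYPO)):
        print(name, check_auth_databases(parse_nsswitch(sample)) or ["ok"])
```

Run it against the real file with `check_auth_databases(parse_nsswitch(open("/etc/nsswitch.conf").read()))` before logging out of the session you used to edit it; keeping that session open is the cheap alternative to the rescue CD mentioned earlier in the thread.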