LinuxQuestions.org
Old 12-02-2018, 02:02 PM   #1
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 1,486

Cannot log into Samba4 AD/DC with domain user credentials


I have Samba4 running as an Active Directory / Domain Controller on Slackware64 14.2. This has actually been running for several years and has replaced our office SBS server for AD/DC. Domain members, including Windows, Linux/Slackware and Apple Mac can all get logged into by users with domain credentials. The Linux/Slackware workstations have Ivandi's PAM installed.

Domain users cannot log into the AD/DC [hostname mail]:
Code:
# From domain member:
$ labmac:~ mark$ ssh mark@mail pwd
mark@mail's password: 
Permission denied, please try again.

# from AD/DC, as non-root user:
$ ssh mark@mail
mark@mail's password: 
Permission denied, please try again.

$ su - mark
Password: 
su: Authentication failure
I suspect this is because PAM is not installed on the AD/DC. I've tried enabling the following options for sshd:
Code:
# Kerberos options
KerberosAuthentication yes
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
but that gave me the /var/log/messages errors:
Code:
Dec  1 06:09:19 mail sshd[8645]: rexec line 89: Unsupported option GSSAPIAuthentication
Dec  1 06:09:19 mail sshd[8645]: reprocess config line 89: Unsupported option GSSAPIAuthentication
Dec  1 06:09:22 mail sshd[8645]: Failed password for mark from 192.168.0.61 port 55802 ssh2
Dec  1 06:09:24 mail sshd[8645]: Connection closed by 192.168.0.61 port 55802 [preauth]

Dec  1 06:16:54 mail sshd[21898]: rexec line 83: Unsupported option KerberosAuthentication
Dec  1 06:16:54 mail sshd[21898]: reprocess config line 83: Unsupported option KerberosAuthentication
Dec  1 06:16:57 mail sshd[21898]: Failed password for mark from 192.168.0.61 port 55809 ssh2
Dec  1 06:17:00 mail sshd[21898]: Connection closed by 192.168.0.61 port 55809 [preauth]
I'm thinking I can rebuild sshd to enable these options and then the ssh bit might work. I do have Dovecot running on this AD/DC with GSSAPI authentication enabled and that works, so I'm thinking the same might be true for sshd.

Any thoughts?

Also, if I try this, I have no idea how to proceed. Is there a package somewhere with the sshd source? Someone please point me in the right direction.

Last edited by mfoley; 12-02-2018 at 02:03 PM.
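
The log excerpt in the post above shows sshd rejecting the Kerberos and GSSAPI keywords as unsupported, followed by failed password logins in the same sshd process. As an added example (not part of the original post), this shell function pulls the rejected keywords out of syslog text and counts the failed password logins logged by the same sshd PID; the function name and output format are this example's own, and the sample input is constructed from the lines quoted above.

```shell
#!/bin/sh
# Constructed sample input: the sshd lines quoted in the post above.
SAMPLE_LOG='Dec  1 06:09:19 mail sshd[8645]: rexec line 89: Unsupported option GSSAPIAuthentication
Dec  1 06:09:19 mail sshd[8645]: reprocess config line 89: Unsupported option GSSAPIAuthentication
Dec  1 06:09:22 mail sshd[8645]: Failed password for mark from 192.168.0.61 port 55802 ssh2
Dec  1 06:09:24 mail sshd[8645]: Connection closed by 192.168.0.61 port 55802 [preauth]
Dec  1 06:16:54 mail sshd[21898]: rexec line 83: Unsupported option KerberosAuthentication
Dec  1 06:16:54 mail sshd[21898]: reprocess config line 83: Unsupported option KerberosAuthentication
Dec  1 06:16:57 mail sshd[21898]: Failed password for mark from 192.168.0.61 port 55809 ssh2
Dec  1 06:17:00 mail sshd[21898]: Connection closed by 192.168.0.61 port 55809 [preauth]'

# unsupported_sshd_options (hypothetical helper): read syslog text on stdin and
# print, per distinct rejected keyword, the sshd_config line number it was found
# on and how many password failures the same sshd process went on to log.
unsupported_sshd_options() {
    awk '
        $5 ~ /^sshd\[[0-9]+\]:$/ {
            pid = $5
            if ($0 ~ /Unsupported option/) {
                opt = $NF                      # keyword is the last field
                cfg = "?"
                for (i = 6; i < NF; i++)       # number follows the word "line"
                    if ($i == "line") { cfg = $(i + 1); sub(/:$/, "", cfg) }
                if (!(opt in line_of)) { line_of[opt] = cfg; order[++n] = opt }
                opt_of[pid] = opt
            } else if ($0 ~ /Failed password for/ && (pid in opt_of)) {
                fails[opt_of[pid]]++
            }
        }
        END {
            for (i = 1; i <= n; i++)
                printf "%s line=%s failed_logins=%d\n",
                       order[i], line_of[order[i]], fails[order[i]]
        }
    '
}

# Stand-alone run on the sample; on a live host, feed it /var/log/messages instead.
printf '%s\n' "$SAMPLE_LOG" | unsupported_sshd_options
```
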
 
Old 12-02-2018, 07:05 PM   #2
dc.901
Member
 
Registered: Aug 2018
Location: Atlanta, GA - USA
Distribution: CentOS 6-7; SuSE 8-12
Posts: 123

I do not use Slackware, so I am asking...
Is there an sssd package for Slackware? If yes, why not use that instead of going with the drastic step of rebuilding sshd?
Maybe I am not understanding your question?

Reference:
https://help.ubuntu.com/lts/serverguide/sssd-ad.html.en
https://access.redhat.com/documentat..._guide/sssd-ad
 
Old 12-02-2018, 07:17 PM   #3
bassmadrigal
LQ Guru
 
Registered: Nov 2003
Location: West Jordan, UT, USA
Distribution: Slackware
Posts: 5,522

Quote:
Originally Posted by mfoley
Also, if I try this, I have no idea how to proceed. Is there a package somewhere with the sshd source? Someone please point me in the right direction.
I have no clue on the overall issue, but the "sshd" program is part of openssh, which is available under the source/n/openssh/ folder on your install media or favorite mirror.

https://mirror.slackbuilds.org/slack...rce/n/openssh/

But, since openssh has had patches since the release of 14.2, you should probably grab the source from the patches/source/openssh/ directory of your favorite mirror and use that to rebuild openssh.

https://mirror.slackbuilds.org/slack...ource/openssh/
 
Old 12-02-2018, 09:09 PM   #4
ehartman
Member
 
Registered: Jul 2007
Location: Delft, The Netherlands
Distribution: Slackware
Posts: 69

Quote:
Originally Posted by bassmadrigal
But, since openssh has had patches since the release of 14.2, you should probably grab the source from the patches/source/openssh/ directory of your favorite mirror and use that to rebuild openssh.

https://mirror.slackbuilds.org/slack...ource/openssh/
Or even get the more recent 7.9 sources from -current and rebuild those with the 14.2 SlackBuild as the 14.2 version of openssh still is the rather old 7.4:
http://mirrors.slackware.com/slackwa...urce/n/openssh
 
Old 12-02-2018, 09:17 PM   #5
Richard Cranium
Senior Member
 
Registered: Apr 2009
Location: Carrollton, Texas
Distribution: Slackware64 14.2
Posts: 3,094

In /etc/ssh/sshd_config, do you have

Code:
UsePAM yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
The last two default to yes, so if they aren't present in the file, that's OK.
 
Old 12-02-2018, 09:36 PM   #6
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 1,486

Original Poster
dc.901: No, Slackware does not have sss[d] that I can find either in the official repository or in SlackBuilds.

bassmadrigal/ehartman: Thanks for that. I've downloaded the 7.9 package per ehartman's recommendation.

Next ... I've installed packages a-plenty, but never customized one. The openssh.SlackBuild config has a section:
Code:
# Compile package:
CFLAGS="$SLKCFLAGS" \
./configure \
  --prefix=/usr \
  --mandir=/usr/man \
  --sysconfdir=/etc/ssh \
  --without-pam \
  --with-md5-passwords \
  --with-tcp-wrappers \
  --with-default-path=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin \
  --with-privsep-path=/var/empty \
  --with-privsep-user=sshd \
  --build=$ARCH-slackware-linux || exit 1
I'll be wanting the options to enable KerberosAuthentication and GSSAPIAuthentication. Is there some way of determining what other options are available so I can modify this config? I could just take a guess and do e.g. '--with-GSSAPIAuthentication', but I'd rather be a bit more systematic about it.

Last edited by mfoley; 12-02-2018 at 09:37 PM.
 
Old 12-02-2018, 09:41 PM   #7
Richard Cranium
Senior Member
 
Registered: Apr 2009
Location: Carrollton, Texas
Distribution: Slackware64 14.2
Posts: 3,094

Maybe just try

Code:
CFLAGS="$SLKCFLAGS" \
./configure \
  --prefix=/usr \
  --mandir=/usr/man \
  --sysconfdir=/etc/ssh \
  --with-md5-passwords \
  --with-tcp-wrappers \
  --with-default-path=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin \
  --with-privsep-path=/var/empty \
  --with-privsep-user=sshd \
  --build=$ARCH-slackware-linux || exit 1
Assuming that you're building on a PAM enabled system.
 
Old 12-03-2018, 01:24 AM   #8
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 1,486

Original Poster
Quote:
Originally Posted by Richard Cranium
In /etc/ssh/sshd_config, do you have

Code:
UsePAM yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
The last two default to yes, so if they aren't present in the file, that's OK.
Unfortunately, Slackware is not PAM enabled. Ivandi does have a PAM package for Slackware which does work on domain members (workstations), but I hesitate to put that on the AD/DC for a number of reasons: Ivandi's PAM updates 57 different programs, 19 of which I install to make Active Directory work on the Slackware workstation. These include important modules like samba (of which I am running a newer version on the AD/DC), and krb5. I don't know to what extent that krb5 interferes with the kerberos built into Samba4. If something went badly wrong, it would be an effort to back these 19 packages out (along with their modified configs). The simplest expedient would be to restore the OS to the pre-update state, being careful not to destroy user data like email.

I'm hoping that the simplest fix is to just kerberos enable openssh. That can be rather easily reversed by re-installing the 14.2 package, which is something I've done before (with Firefox).

To that end, I've looked at the configure script in the downloaded openssh-7.9p1.tar.gz file and found a test for --with-kerberos5. I see no --with for GSSAPI. I do see things like GSSCFLAGS="`$KRB5CONF --cflags gssapi`", but that's almost 20,000 lines into the script, so not sure how that gets set. I guess I can try setting the kerberos option and see what happens.

I have a couple of slackpkg related questions. I've downloaded:
Code:
-rw-rw---- 1 root root     578 2018-12-02 21:21 doinst.sh.gz
-rw-rw---- 1 root root 1565384 2018-12-02 21:21 openssh-7.9p1.tar.gz
-rw-rw---- 1 root root     683 2018-12-02 21:22 openssh-7.9p1.tar.gz.asc
-rw-rw---- 1 root root    5655 2018-12-02 21:22 openssh.SlackBuild
-rw-rw---- 1 root root      77 2018-01-29 17:05 opensshStuff
-rw-rw---- 1 root root    1814 2018-12-02 21:22 rc.sshd
-rw-rw---- 1 root root    1127 2018-12-02 21:22 slack-desc
-rw-rw---- 1 root root     318 2018-12-02 21:22 sshd.default
I assume I first have to turn this into a package using 'makepkg openssh-7.9.tgz', right? Or, can I just untar openssh-7.9p1.tar.gz and do the usual ./configure, make? This is unknown territory for me!

LATER ...

Tried makepkg and untarring and doing ./configure. Neither worked. Sorry for the newbieness. Guidance appreciated.

EVEN LATER ...

Ah ha! found a package version in: https://mirrors.slackware.com/slackw...1-x86_64-1.txz. So, last question for now, how do I modify this package to include the --with-kerberos5 option?

Last edited by mfoley; 12-03-2018 at 01:53 AM.
 
Old 12-03-2018, 02:11 AM   #9
bassmadrigal
LQ Guru
 
Registered: Nov 2003
Location: West Jordan, UT, USA
Distribution: Slackware
Posts: 5,522

Quote:
Originally Posted by mfoley
I'll be wanting the options to enable KerberosAuthentication and GSSAPIAuthentication. Is there some way of determining what other options are available so I can modify this config? I could just take a guess and do e.g. '--with-GSSAPIAuthentication', but I'd rather be a bit more systematic about it.
Unpack the source tarball and run ./configure --help and it will print out a list of various available options.
 
Old 12-03-2018, 04:40 AM   #10
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 1,486

Original Poster
Quote:
Originally Posted by bassmadrigal
Unpack the source tarball and run ./configure --help and it will print out a list of various available options.
I thought I did that with the openssh-7.9p1.tar.gz, but I got errors running ./configure with the options (I didn't do --help). BUT, that will have to remain an exercise for the future! So, I apologize in advance for when I revisit this question with another package.

Meanwhile, it appears my theory was correct. I downloaded the source openssh-7.9p1.tar.gz from https://www.openssh.com, did ./configure as shown below adding the --with-kerberos5 to the list of options used by Slackware (I don't know why this worked here but not with the tarball from the Slackware mirror), then make.
Code:
./configure \
  --prefix=/usr \
  --mandir=/usr/man \
  --sysconfdir=/etc/ssh \
  --without-pam \
  --with-kerberos5 \
  --with-md5-passwords \
  --with-tcp-wrappers \
  --with-default-path=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin \
  --with-privsep-path=/var/empty \
  --with-privsep-user=sshd \
  --build=$ARCH-slackware-linux

(unfortunately, due to rebooting, the $ARCH env variable was empty. Maybe I'll redo it later, ARCH should be `uname -m`)
I manually ran the created sshd with my existing sshd_config with the first setting changed:
Code:
KerberosAuthentication yes
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
GSSAPI Authentication is still not enabled. I don't know what the commented out options do, but they're 'yes' by default (except for KerberosGetAFSToken -- don't know what that does either). I'll have to research these options.

Anyway, just enabling KerberosAuthentication did the trick! I was able to use the domain login credentials to ssh from a Linux domain member to the AD/DC. Mission accomplished!

Thanks to all for help on this.

Last edited by mfoley; 12-03-2018 at 04:52 AM.
 
Old 12-06-2018, 01:02 AM   #11
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 1,486

Original Poster
Well, maybe not solved yet. Now when I do the host command I get the following error:
Code:
> host mpress
06-Dec-2018 00:56:57.208 ENGINE_by_id failed (crypto failure)
06-Dec-2018 00:56:57.208 error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:
06-Dec-2018 00:56:57.208 error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:467:
06-Dec-2018 00:56:57.208 error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:390:id=gost
host: dst_lib_init: crypto failure
Furthermore, after rebooting, the AD/DC cannot resolve ANY domains.

My theory here is that maybe I should have used the openssl from the Slackware 14.2 sources and not downloaded from https://www.openssh.com. If anyone concurs with this theory, I'll redo this procedure using the Slackware source.

If there's something else I should look at instead, please advise.

Last edited by mfoley; 12-06-2018 at 01:33 AM.
 
Old 12-06-2018, 01:55 PM   #12
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 1,486

Original Poster
I downloaded the Slackware 14.2 tarball for openssh 7.4p1 recommended by bassmadrigal in post #3 and re-built that using the --with-kerberos5 configure option (although out of an abundance of fear I did not apply the patches). That seems to have fixed the problem with 'host' and 'bind'. Obviously, there are some library issues using the 7.9p1 openssh and Slackware 14.2.

The patches deal with [optional?] TCP wrappers, and a security patch to sftp-server -- which is not used on this host, so I suppose not doing the patches isn't a big deal. I may get brave and try that later, though patching is another thing I've not done manually. The openssh.SlackBuild file shows how to do that ... I think.
 
Old 12-06-2018, 03:19 PM   #13
bassmadrigal
LQ Guru
 
Registered: Nov 2003
Location: West Jordan, UT, USA
Distribution: Slackware
Posts: 5,522

If you just used the source, extracted it, and manually ran ./configure, make and make install, you can just modify the SlackBuild to add --with-kerberos5 to the configure options. It just needs to have a backslash at the end of it to continue the command.

Code:
# Compile package:
CFLAGS="$SLKCFLAGS" \
./configure \
  --prefix=/usr \
  --mandir=/usr/man \
  --sysconfdir=/etc/ssh \
  --with-kerberos5 \
  --without-pam \
  --with-md5-passwords \
  --with-tcp-wrappers \
  --with-default-path=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin \
  --with-privsep-path=/var/empty \
  --with-privsep-user=sshd \
  --build=$ARCH-slackware-linux || exit 1
This would allow all the patches and anything else Pat does to the package to still be present and stored in a Slackware package that you can then install/update.

NOTE: If you do want to do this and you manually ran it and didn't make a Slackware package, you would want to run make uninstall inside the source directory to remove your own version so it won't conflict with the Slackware package.
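
The SlackBuild edit described in the post above can be made repeatable and checked for the missing-backslash mistake it warns about. This is an added example, not part of the original post or of the Slackware build scripts: `add_configure_flag` and `broken_continuations` are hypothetical helper names, and the sample stanza is constructed from the configure block quoted earlier in the thread.

```shell
#!/bin/sh
# Constructed sample: the configure stanza quoted earlier in this thread.
sample_slackbuild() {
cat <<'EOF'
# Compile package:
CFLAGS="$SLKCFLAGS" \
./configure \
  --prefix=/usr \
  --mandir=/usr/man \
  --sysconfdir=/etc/ssh \
  --without-pam \
  --with-md5-passwords \
  --with-tcp-wrappers \
  --with-default-path=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin \
  --with-privsep-path=/var/empty \
  --with-privsep-user=sshd \
  --build=$ARCH-slackware-linux || exit 1
EOF
}

# add_configure_flag FLAG: copy a SlackBuild from stdin to stdout, inserting
# "  FLAG \" directly after the "./configure \" line. If FLAG (or FLAG=value)
# is already an option line, the input is passed through unchanged.
add_configure_flag() {
    awk -v flag="$1" '
        { lines[NR] = $0
          if ($1 == flag || index($1, flag "=") == 1) present = 1 }
        END {
            for (i = 1; i <= NR; i++) {
                print lines[i]
                if (!present && lines[i] ~ /^[ \t]*\.\/configure[ \t]*\\$/)
                    printf "  %s \\\n", flag
            }
        }
    '
}

# broken_continuations: print the line number of every "--option" line that has
# no trailing backslash although another "--option" line follows it. The shell
# would end the configure command there and drop the remaining options.
broken_continuations() {
    awk '
        prev_open && $1 ~ /^--/ { print prev_nr }
        { prev_open = ($1 ~ /^--/ && $0 !~ /\\[ \t]*$/); prev_nr = NR }
    '
}

# Stand-alone run: show the patched stanza.
sample_slackbuild | add_configure_flag --with-kerberos5
```

Run `broken_continuations < openssh.SlackBuild` after any hand edit; empty output means every option line continues correctly.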
 
Old 12-07-2018, 01:51 AM   #14
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 1,486

Original Poster
Yeah, this is where I get confused. I did download all the package component files as shown in post #8: doinst.sh.gz, openssh-7.9p1.tar.gz, openssh-7.9p1.tar.gz.asc, openssh.SlackBuild, rc.sshd, slack-desc, sshd.default; and I can modify openssh.SlackBuild as you describe. But I'm not sure what to do next. Is it as simple as:
Code:
makepkg ../openssh.tgz
installpkg ../openssh.tgz
 
Old 12-07-2018, 11:03 AM   #15
bassmadrigal
LQ Guru
 
Registered: Nov 2003
Location: West Jordan, UT, USA
Distribution: Slackware
Posts: 5,522

Quote:
Originally Posted by mfoley
Yeah, this is where I get confused. I did download all the package component files as shown in post #8: doinst.sh.gz, openssh-7.9p1.tar.gz, openssh-7.9p1.tar.gz.asc, openssh.SlackBuild, rc.sshd, slack-desc, sshd.default; and I can modify openssh.SlackBuild as you describe. But I'm not sure what to do next. Is it as simple as:
Code:
makepkg ../openssh.tgz
installpkg ../openssh.tgz
No, you just run the SlackBuild script as root and install the resulting package in /tmp/.

Code:
sh ./openssh.SlackBuild
upgradepkg --reinstall --install-new /tmp/openssh-7.9p1-x86_64-2_slack14.2
Make sure you uninstall the other version first by going into the source directory you built it in and running make uninstall as root.
 
  

