# PAM,SSHD,WINBIND + AD

## coley

Hi,

I've read through some of the posts and can't see an answer to my query so I'm throwing it here.

GOAL: To use Winbind to authenticate users against the directory, for console login, GDM, SSH etc.

While this has been somewhat successful, there are a few errors that I would like to remove (if possible).

Firstly:

When I ssh with an AD user all appears to log in ok, except the ssh client in Windows throws up 'Enter your Authentication Response', and in the syslog there are 2 entries:

```
pam_winbind[12657]: user 'bill' granted access
pam_winbind[12657]: user 'bill' granted access
sshd[12714]: Accepted keyboard-interactive/pam for bill from xx.xx.xx.xx port 1423 ssh2
sshd(pam_unix)[12720]: session opened for user bill by (uid=0)
```

Shouldn't there just be one pam_winbind entry?

Secondly:

When I ssh with a non-AD user, such as root, Windows still throws up 'Enter your Authentication Response', and in the syslog, the following:

```
pam_winbind[12682]: request failed: No such user, PAM error was 10, NT error was NT_STATUS_NO_SUCH_USER
pam_winbind[12682]: user 'root' granted access
sshd[12677]: Accepted keyboard-interactive/pam for root from xx.xx.xx.xx port 1413 ssh2
sshd(pam_unix)[12683]: session opened for user root by root(uid=0)
```

Now, although it did indeed log my root user in, I'm baffled as to why winbind even attempted to look in the AD. In the nsswitch.conf (below) it clearly states COMPAT WINBIND, which I took to mean that it would look in files first (e.g. passwd/group) and then winbind would query the AD, but clearly this error states otherwise.

```
# /etc/nsswitch.conf:
passwd:      compat winbind
shadow:      compat
group:       compat winbind
```

```
# /etc/pam/sshd
#%PAM-1.0
auth       required     pam_stack.so service=system-auth-winbind
auth       required     pam_shells.so
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth-winbind
password   required     pam_stack.so service=system-auth-winbind
session    required     pam_stack.so service=system-auth-winbind
```

```
# /etc/pam/system-auth-winbind
#%PAM-1.0
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_winbind.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok use_first_pass
auth        required      /lib/security/pam_deny.so
account     sufficient    /lib/security/pam_winbind.so
account     required      /lib/security/pam_unix.so
password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so
#session     required      /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
```

Any pointers or direct help would be gratefully received.

Thanks

Mike

----------

## oizone

I recommend that you check out pam_krb5 instead of winbind. It's much more usable for ssh/gdm etc. usage since the users have static UIDs (local users must exist).

Winbind takes random UIDs and GIDs each time it starts and that messes up users' rights.

----------

## coley

*oizone wrote:*

> I recommend that you check out pam_krb5 instead of winbind. It's much more usable for ssh/gdm etc. usage since the users have static UIDs (local users must exist).
>
> Winbind takes random UIDs and GIDs each time it starts and that messes up users' rights.

oizone, thanks for your input, but I believe this defeats the object, i.e. I already have a fully implemented Active Directory with users, and I do not wish to create any local accounts on the Gentoo box, referring to your comment '(local users must exist)'. I simply wish to authenticate services via PAM against the AD.

----------

## geta

oizone might have a point about the user IDs, however there is a way to "set" the UID as provided by winbind (once an AD user has logged in). This is no problem if all your users authenticate against one single server or computer, or against several computers without need for synchronisation. It gets messy if UIDs have to be synchronised between several PCs (thus I have never done such a thing).

About your other problem: I remember a configuration option for the "first try log in" in PAM. I can only provide further information on Monday if you're interested in some configuration data.

Cheers,

geta

----------

## coley

*geta wrote:*

> oizone might have a point about the user IDs, however there is a way to "set" the UID as provided by winbind (once an AD user has logged in). This is no problem if all your users authenticate against one single server or computer, or against several computers without need for synchronisation. It gets messy if UIDs have to be synchronised between several PCs (thus I have never done such a thing).
>
> About your other problem: I remember a configuration option for the "first try log in" in PAM. I can only provide further information on Monday if you're interested in some configuration data.
>
> Cheers,
> ...

Geta,

As stated, winbind is actually authenticating against my AD, it's just doing a couple of odd things in the syslog (these are PAM issues, I believe, but I am happy to be proved wrong). Within my AD I have 6,000+ users (another reason I do not wish to implement local accounts, i.e. pam_krb5) as only a very small subset may require access to sshd/gdm/console login/samba shares etc.

I am happy to investigate pam_krb5 if anyone has any good (noddy docs if poss) info/sites/configs for Gentoo.

Look forward to your information re: 'first try log in'.

Thanks

----------

## geta

Hello again,

I do realise I wasn't quite precise in expressing myself: I did not suggest you use something other than winbind. I'm quite happy with winbind myself.

The PAM thingy I was talking about is to be found in /etc/pam.d/system-auth. Here is my configuration:

```
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_winbind.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok use_first_pass
auth        required      /lib/security/pam_deny.so
account     sufficient    /lib/security/pam_winbind.so
account     required      /lib/security/pam_unix.so
password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so
session     required      /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
```

Basically, PAM goes through all methods of authentication from top to bottom. Putting pam_winbind.so first, PAM will try winbind first; if that fails it will try pam_unix.so (/etc/passwd, /etc/shadow). "use_first_pass" is to tell pam_unix.so not to validate if pam_winbind was successful, thus letting a user in without having to enter a password the second time. One thing that's not so nice about this configuration, however, is the fact that the "login" prompt in Unix will always try winbind first and, if that fails, present a second password prompt, which always authenticates against pam_unix. So misspelling the password the first time has the consequence that you have to skip the second password prompt and try again with the third password prompt. I hope you understood what I was trying to tell you; if not, just try it out or ask me to rephrase.

Cheers,

geta
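As an added example, not part of either poster's configuration, the small model below walks the `auth` stack that both coley's system-auth-winbind and geta's system-auth use (`pam_winbind` sufficient, `pam_unix` sufficient with `use_first_pass`, `pam_deny` required) with Linux-PAM's sufficient/required semantics. It shows why a local user such as root still causes a winbind lookup (module order in the PAM stack decides that, not the `compat winbind` order in nsswitch.conf, which only governs NSS lookups) and why `use_first_pass` stops pam_unix from prompting again; the user names, passwords and log wording are constructed.

```python
# Added example (not from the thread): a small model of how Linux-PAM
# evaluates the "sufficient"/"required" auth stack quoted above.
SUFFICIENT, REQUIRED = "sufficient", "required"
AD_USERS = {"bill": "ad-secret"}        # constructed: known only to winbind/AD
LOCAL_USERS = {"root": "local-secret"}  # constructed: known only to /etc/shadow

class Conv:
    """Stand-in for the PAM conversation: counts prompts, caches the password."""
    def __init__(self, typed):
        self.typed, self.first_pass, self.prompts = typed, None, 0

    def ask(self):
        self.prompts += 1
        self.first_pass = self.typed
        return self.typed

def pam_winbind(user, conv, log):
    pw = conv.ask()  # first module in the stack, so it always prompts
    if user not in AD_USERS:  # NSS order is irrelevant: PAM calls winbind directly
        log.append(f"pam_winbind: request failed: No such user ({user})")
        return False
    ok = AD_USERS[user] == pw
    log.append(f"pam_winbind: user '{user}' {'granted access' if ok else 'denied'}")
    return ok

def pam_unix(user, conv, log):
    # use_first_pass: reuse the password an earlier module collected, never re-prompt
    pw = conv.first_pass if conv.first_pass is not None else conv.ask()
    ok = LOCAL_USERS.get(user) == pw
    log.append(f"pam_unix: user '{user}' {'ok' if ok else 'failed'}")
    return ok

def pam_deny(user, conv, log):
    return False  # catch-all so an all-failed stack cannot end in success

AUTH_STACK = [(SUFFICIENT, pam_winbind), (SUFFICIENT, pam_unix), (REQUIRED, pam_deny)]

def run_stack(stack, user, typed_password):
    """Return (granted, prompt_count, log) for one phase of the stack."""
    conv, log, failed, succeeded = Conv(typed_password), [], False, False
    for flag, module in stack:
        ok = module(user, conv, log)
        if ok:
            succeeded = True
            if flag == SUFFICIENT and not failed:
                break  # sufficient success ends the stack; pam_deny is never reached
        elif flag == REQUIRED:
            failed = True  # the stack keeps running but the result is already failure
    return succeeded and not failed, conv.prompts, log
```

Running `run_stack(AUTH_STACK, "root", "local-secret")` yields one prompt and a log that starts with the winbind "No such user" entry before pam_unix grants access, which is the pattern in coley's second syslog excerpt.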

----------

