
I set up an Ubuntu server which is authenticating against the Active Directory of our W2k8 domain. Everything went well and I see all the users in getent passwd and wbinfo.

I want to be able to use Kerberos and winbind auth on the machine, and so far everything works.

But when I log in with an AD user onto the server, I just see the motd and, instead of getting a prompt, I get logged out again.

auth.log:

    Feb 28 15:34:48 server sshd[12635]: Postponed keyboard-interactive for micha from 10.10.10.121 port 36519 ssh2 [preauth]
    Feb 28 15:34:50 server sshd[12637]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ub64-it.city.domain.org  user=micha
    Feb 28 15:34:50 server sshd[12637]: pam_krb5(sshd:auth): pam_sm_authenticate: entry (nonull)
    Feb 28 15:34:50 server sshd[12637]: pam_krb5(sshd:auth): (user micha) attempting authentication as micha@CITY.DOMAIN.ORG
    Feb 28 15:34:50 server sshd[12637]: pam_krb5(sshd:auth): user micha authenticated as micha@CITY.DOMAIN.ORG
    Feb 28 15:34:50 server sshd[12637]: pam_krb5(sshd:auth): pam_sm_authenticate: exit (success)
    Feb 28 15:34:50 server sshd[12637]: pam_winbind(sshd:account): user 'micha' granted access
    Feb 28 15:34:50 server sshd[12635]: Postponed keyboard-interactive/pam for micha from 10.10.10.121 port 36519 ssh2 [preauth]
    Feb 28 15:34:50 server sshd[12635]: Accepted keyboard-interactive/pam for micha from 10.10.10.121 port 36519 ssh2
    Feb 28 15:34:50 server sshd[12635]: pam_krb5(sshd:session): pam_sm_open_session: entry
    Feb 28 15:34:50 server sshd[12635]: pam_krb5(sshd:session): no context found, creating one
    Feb 28 15:34:50 server sshd[12635]: pam_krb5(sshd:session): (user micha) found initial ticket cache at /tmp/krb5cc_pam_e12637
    Feb 28 15:34:50 server sshd[12635]: pam_krb5(sshd:session): (user micha) initializing ticket cache FILE:/tmp/krb5cc_72208_e12635
    Feb 28 15:34:50 server sshd[12635]: pam_krb5(sshd:session): pam_sm_open_session: exit (success)
    Feb 28 15:34:50 server sshd[12635]: pam_unix(sshd:session): session opened for user micha by (uid=0)
    Feb 28 15:34:50 server sshd[12771]: Received disconnect from 10.10.10.121: 11: disconnected by user
    Feb 28 15:34:50 server sshd[12635]: pam_krb5(sshd:session): pam_sm_close_session: entry (silent)
    Feb 28 15:34:50 server sshd[12635]: pam_krb5(sshd:session): pam_sm_close_session: exit (success)
    Feb 28 15:34:50 server sshd[12635]: pam_unix(sshd:session): session closed for user micha

The SSH client just tells me it's closed:

    Last login: Thu Feb 28 15:25:26 2013 from ub64-it.city.domain.org
    Connection to server closed

And with -vv I see:

    debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
    debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
    debug2: channel 0: rcvd eow
    debug2: channel 0: close_read
    debug2: channel 0: input open -> closed
    debug2: channel 0: rcvd eof
    debug2: channel 0: output open -> drain
    debug2: channel 0: rcvd close
    Welcome to Ubuntu 12.04.2 LTS (GNU/Linux 3.2.0-37-virtual x86_64)

     * Documentation:  https://help.ubuntu.com/

      System information as of Thu Feb 28 15:40:36 EAT 2013

      System load:  0.0                Users logged in:     1
      Usage of /:   16.7% of 18.21GB   IP address for eth0: 10.10.11.9
      Memory usage: 48%                IP address for tap0: 10.10.14.1
      Swap usage:   0%                 IP address for tap1: 10.10.12.1
      Processes:    94                 IP address for tun0: 10.10.13.1

      Graph this data and manage this system at https://landscape.canonical.com/


    The programs included with the Ubuntu system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.

    Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
    applicable law.

    Last login: Thu Feb 28 15:34:50 2013 from ub64-it.city.domain.org
    debug2: channel 0: obuf empty
    debug2: channel 0: close_write
    debug2: channel 0: output drain -> closed
    debug2: channel 0: almost dead
    debug2: channel 0: gc: notify user
    debug2: channel 0: gc: user detached
    debug2: channel 0: send close
    debug2: channel 0: is dead
    debug2: channel 0: garbage collecting
    debug1: channel 0: free: client-session, nchannels 1
    Connection to server closed.

Any ideas?

Best regards, Michael

Meiko Watu
  • For pam.d I added: `auth sufficient pam_unix.so nullok_secure`, `auth sufficient pam_krb5.so use_first_pass forwardable debug`, `auth sufficient pam_winbind.so krb5_auth krb5_ccache_type=FILE require_membership_of=S-1-5-21-1837334489-2033666451-622096382-512 use_first_pass` on top of the files – Meiko Watu Feb 28 '13 at 12:47
  • I was just searching for the same thing! Care to add the solution as an answer, so you may close the question? – fboaventura Feb 28 '13 at 14:15
  • Actually I would, but I need some votes / credibility to do so when it's my own question and less than 48 hours :-). Maybe I can do it now – Meiko Watu Mar 01 '13 at 19:45

1 Answer

OK, it's resolved by checking the user details: super simple, they just didn't have a correct shell assigned from winbind. So therefore, it just went through the motd and then logged out. smb.conf: `template shell = /bin/bash`, that's it.

Meiko Watu
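A check for the condition this answer describes, as an added example that is not part of the original post: it reads passwd-format entries (for instance from `getent passwd`) and reports accounts whose login shell cannot start an interactive session. The sample entries, their group id and home paths are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: find accounts that authenticate fine but get logged out
# right after the motd because their login shell is unusable.

# Constructed sample in passwd(5) format (used when no user names are given).
SAMPLE='micha:*:72208:10000:Micha:/home/CITY/micha:/bin/false
root:x:0:0:root:/root:/bin/sh
ghost:*:72209:10000:Ghost:/home/CITY/ghost:/nonexistent/shell'

# classify_shell PATH: print a verdict; return 0 only for a usable shell.
classify_shell() {
    shell=$1
    # An empty shell field means the system default, /bin/sh.
    [ -n "$shell" ] || shell=/bin/sh
    case "$shell" in
        */false|*/nologin) echo "non-interactive"; return 1 ;;
    esac
    [ -x "$shell" ] || { echo "missing"; return 1; }
    echo "ok"
}

# audit_passwd: read passwd lines on stdin and print "user shell verdict"
# for every entry that cannot give the user a prompt.
audit_passwd() {
    while IFS=: read -r user _pw _uid _gid _gecos _home shell; do
        [ -n "$user" ] || continue
        verdict=$(classify_shell "$shell") || echo "$user ${shell:-<empty>} $verdict"
    done
}

# Usage: sh check_shell.sh micha   (looks the user up through NSS/winbind)
if [ $# -gt 0 ]; then
    getent passwd "$@" | audit_passwd
else
    printf '%s\n' "$SAMPLE" | audit_passwd
fi
```

After changing `template shell` in smb.conf, rerunning the script with the AD user name should print nothing for that user.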