
I'm trying to get the login with active directory users working for nearly a week now. First of all, I'm pretty new to pam, samba, kerberos and winbind. We worked with local users and sudo before, but decided to use active directory for user authentication so we don't have to maintain the AD and the local users on every machine. I googled and found a handful of quite similar documents on how to accomplish this.

First of all, I setup a testbox with Debian Jessie. The second step was to install these packages. In braces are the purposes as I understood them, correct me please, if I'm wrong:

• krb5-user (Kerberos client, for receiving a TGT and user authentication)
• samba (Samba for joining the AD with the Linux box)
• smbclient (mounting the home directory)
• winbind (second way of user authentication, if Kerberos fails for any reason)
• libpam-winbind (PAM module for winbind)
• libpam-mount (Not sure about this one)
• libpam-ccreds (Storing credentials, if the DC is not reachable)
• libpam-krb5 (PAM module for Kerberos)
• cifs-utils (Mounting CIFS shares)

I am able to join the domain with this command:

net ads join member -k -S DC1.DOMAIN.LOCAL -U {User_with_admin_rights} createcomputer=IT/BLA osName=Debian osVer=`cat /etc/debian_version` -d 1

After successfully joining the AD it's possible to get a Kerberos TGT:

kinit -V user@DOMAIN.LOCAL

And get a listing:

root@testbox / % klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@DOMAIN.LOCAL

Valid starting       Expires              Service principal
14.12.2015 09:47:01  14.12.2015 19:47:01 krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
renew until 15.12.2015 09:46:57

But when I try to login with an AD-user (username: username@DOMAIN.LOCAL) it won't work:

Dec 14 13:19:58 testbox login[2875]: pam_krb5(login:auth): user username@DOMAIN.LOCAL authenticated as username@DOMAIN.LOCAL
Dec 14 13:20:01 testbox login[2875]: FAILED LOGIN (1) on '/dev/pts/2' FOR 'UNKNOWN', User not known to the underlying authentication module

As far as I understand it, the username can be authenticated via Kerberos, but this information is not sent to the next module, am I right?

Regarding the pam configuration, I just did a pam-auth-update and activated everything:

[*] Kerberos authentication
[*] Ccreds credential caching - password saving
[*] Unix authentication
[*] Winbind NT/Active Directory authentication
[*] Mount volumes for user
[*] Ccreds credential caching - password checking

And restarted the services (smbd, winbind) afterwards.

The name resolution of the DCs is working in both ways on the Linux box.

Any help would be appreciated! Thanks in advance!

Here's my /etc/krb5.conf (I removed the comments):

[libdefaults]
default_realm = DOMAIN

krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

v4_instance_resolve = false
v4_name_convert = {
    host = {
        rcmd = host
        ftp = ftp
    }
    plain = {
        something = something-else
    }
}
fcc-mit-ticketflags = true

[realms]
DOMAIN.LOCAL = {
    kdc = DC1.domain.local
    kdc = DC2.domain.local
    kdc = DC.domain.local
    kdc = DC4.domain.local
    kdc = DC5.domain.local
    admin_server = DC1.domain.local
    default_domain = domain
}

[domain_realm]
    kerberos.server = DOMAIN.LOCAL

[login]
    krb4_convert = true
    krb4_get_tickets = false

[logging]
    kdc = FILE:/var/log/krb5.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON

This is my smb.conf:

#======================= Global Settings =======================
[global]
security = ADS
encrypt passwords = yes
realm = DOMAIN.LOCAL
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind refresh tickets = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 2
domain master = no
local master = no
preferred master = no
os level = 0

workgroup = DOMAIN

;   wins server = w.x.y.z
dns proxy = no
;   interfaces = 127.0.0.0/8 eth0
;   bind interfaces only = yes
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
#####
server role = standalone server
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
########
;   logon path = \\%N\profiles\%U
;   logon drive = H:
;   logon script = logon.cmd
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
; add machine script  = /usr/sbin/useradd -g machines -c "%u machineaccount" -d /var/lib/samba -s /bin/false %u
; add group script = /usr/sbin/addgroup --force-badname %g
##########
;   include = /home/samba/etc/smb.conf.%m
;   idmap uid = 10000-20000
;   idmap gid = 10000-20000
;   template shell = /bin/bash
;   usershare max shares = 100
usershare allow guests = yes
#======================= Share Definitions =======================
[homes]
comment = Home Directories
browseable = no
read only = yes
create mask = 0700
directory mask = 0700
valid users = %S

;[netlogon]
;   comment = Network Logon Service
;   path = /home/samba/netlogon
;   guest ok = yes
;   read only = yes

;[profiles]
;   comment = Users profiles
;   path = /home/samba/profiles
;   guest ok = no
;   browseable = no
;   create mask = 0600
;   directory mask = 0700

And last, but not least, the nsswitch.conf:

passwd:         compat winbind
group:          compat winbind
shadow:         compat winbind
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
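The two log lines in the question already separate the layers: pam_krb5 accepts the password, and the failure that follows ("User not known to the underlying authentication module") is the login program failing to resolve the account through NSS, which is the winbind side (nsswitch.conf and the idmap configuration that gives the account a UID), not Kerberos. The shell helpers below are an added example, not code from the question or from any project; they classify that failure from log lines and check that nsswitch.conf lists winbind for the databases that matter. The log patterns beyond the two lines quoted above, the sample nsswitch files and the function names are assumptions made here.

```shell
#!/bin/sh
# Added diagnostic helpers; not part of the original post. They inspect a
# copy of the auth log and of nsswitch.conf, so they run offline.

# Classify a PAM login failure from log lines read on stdin. Prints:
#   nss-lookup-failed  pam_krb5 accepted the password but the account could
#                      not be resolved through NSS (nsswitch.conf / winbind idmap)
#   auth-rejected      a PAM module reported "authentication failure"
#   unknown            no recognised pattern
# The first pattern is taken from the log lines in the question; the second is
# the generic text PAM modules such as pam_unix log on a bad password (assumption).
classify_login_failure() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -q 'pam_krb5([^)]*:auth): user .* authenticated as' &&
       printf '%s\n' "$log" | grep -q 'User not known to the underlying authentication module'; then
        echo nss-lookup-failed
    elif printf '%s\n' "$log" | grep -q 'authentication failure'; then
        echo auth-rejected
    else
        echo unknown
    fi
}

# Return 0 if every NSS database named after SRC lists SRC as a source in FILE.
# Usage: nss_has_source /etc/nsswitch.conf winbind passwd group shadow
nss_has_source() {
    file=$1; src=$2; shift 2
    for db in "$@"; do
        awk -v db="$db:" -v src="$src" '
            $1 == db { for (i = 2; i <= NF; i++) if ($i == src) found = 1 }
            END { exit !found }' "$file" || return 1
    done
}

# The two lines from the question, used as sample input.
sample_auth_log() {
    cat <<'EOF'
Dec 14 13:19:58 testbox login[2875]: pam_krb5(login:auth): user username@DOMAIN.LOCAL authenticated as username@DOMAIN.LOCAL
Dec 14 13:20:01 testbox login[2875]: FAILED LOGIN (1) on '/dev/pts/2' FOR 'UNKNOWN', User not known to the underlying authentication module
EOF
}

# Constructed nsswitch.conf samples: "with-winbind" mirrors the question's
# file, "files-only" is a stock file with winbind missing. Prints the path.
write_sample_nsswitch() {
    f=$(mktemp)
    if [ "$1" = with-winbind ]; then
        printf '%s\n' 'passwd:         compat winbind' \
                      'group:          compat winbind' \
                      'shadow:         compat winbind' \
                      'gshadow:        files' \
                      'hosts:          files dns' >"$f"
    else
        printf '%s\n' 'passwd:         compat' \
                      'group:          compat' \
                      'shadow:         compat' \
                      'hosts:          files dns' >"$f"
    fi
    echo "$f"
}

# Demo: classify the question's log and check both sample nsswitch files.
echo "question log: $(sample_auth_log | classify_login_failure)"
for mode in with-winbind files-only; do
    f=$(write_sample_nsswitch "$mode")
    if nss_has_source "$f" winbind passwd group shadow; then
        echo "$mode: winbind present for passwd/group/shadow"
    else
        echo "$mode: winbind missing, getent will not see AD users"
    fi
    rm -f "$f"
done
```

Run it on a real box by piping `grep login /var/log/auth.log` into `classify_login_failure` and pointing `nss_has_source` at `/etc/nsswitch.conf`; when the result is `nss-lookup-failed` and nsswitch already lists winbind, as in the question, the next thing to check is whether `getent passwd` can resolve the user at all, which depends on the idmap settings in smb.conf.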

2 Answers


Ok, I got it working by myself, at least the login. Tested the idmapping on two different boxes and uid & gid are the same on both. The only thing that's not working atm is the mounting of the home directory as set in the Unix tab of the user in the Active Directory settings. As a workaround a directory is created under /home/domainname/username. I'll post my configs here and, when I get the mounting of the "AD home directory" working, an update, of course.

smb.conf:

[global]

workgroup = DOMAIN
security = ADS
realm = DOMAIN.LOCAL
netbios name = HOSTNAME
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

idmap config DOMAIN : default = yes
idmap config DOMAIN : backend = ad
idmap config DOMAIN : schema_mode = rfc2307
idmap config DOMAIN : readonly = yes
idmap config DOMAIN : range = 10000-1999999
idmap cache time = 604800

template homedir = /home/%D/%U
template shell = /bin/bash

winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = no
winbind enum groups = no
winbind refresh tickets = yes
winbind expand groups = 4
winbind offline logon = true
winbind nss info = rfc2307

domain master = no
local master = no
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
client ldap sasl wrapping = sign
encrypt passwords = yes

client use spnego = yes
client ntlmv2 auth = yes
restrict anonymous = 2
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
server role = member server
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user

krb5.conf

[libdefaults]
    default_realm = DOMAIN.LOCAL
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    default_keytab_name = FILE:/etc/krb5.keytab

    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true

[realms]
    DOMAIN.LOCAL = {
        kdc = DC1.DOMAIN.local
        admin_server = DC1.DOMAIN.local
        default_domain = DOMAIN.local
    }

[domain_realm]
    .DOMAIN.local = DOMAIN.LOCAL
    DOMAIN.local = DOMAIN.LOCAL

[login]
    krb4_convert = true
    krb4_get_tickets = false

[logging]
        default = SYSLOG:DEBUG:DAEMON

The nsswitch hasn't changed. If there are any suggestions or hints on how to get the mounting of the other home directory working, I'll really appreciate it :)

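Two details in the working configuration above are worth linting on any box before relying on it. First, default_realm in krb5.conf must name a realm that also has a [realms] block: the question's file said DOMAIN while the block was DOMAIN.LOCAL, and the answer's file aligns them. Second, the idmap range handed to winbind should not overlap UIDs already used by local accounts; with backend = ad the numbers come from the uidNumber attributes in the directory, and a clash gives a domain account the same identity as a local one. The script below is an added example, not code from the answer or from Samba; the sample files it writes are constructed, and the passwd sample deliberately includes Debian's nobody account at UID 65534, which falls inside the 10000-1999999 range used above.

```shell
#!/bin/sh
# Added configuration lint; not from the original answer. It parses copies of
# krb5.conf, smb.conf and /etc/passwd, so it runs offline on any machine.

# Print default_realm from a krb5.conf (empty if unset).
krb5_default_realm() {
    awk -F= '/^[[:space:]]*default_realm[[:space:]]*=/ {
        v = $2; gsub(/[[:space:]]/, "", v); print v; exit }' "$1"
}

# Return 0 if REALM has a block in the [realms] section of FILE.
# Usage: krb5_realm_defined FILE REALM
krb5_realm_defined() {
    awk -v realm="$2" '
        /^[[:space:]]*\[/ { sect = $1 }
        sect == "[realms]" && $1 == realm && $2 == "=" { found = 1 }
        END { exit !found }' "$1"
}

# A krb5.conf is consistent when default_realm is set and defined under
# [realms]. The question's file has "default_realm = DOMAIN" but only a
# DOMAIN.LOCAL block; the answer's file sets default_realm = DOMAIN.LOCAL.
krb5_consistent() {
    realm=$(krb5_default_realm "$1")
    [ -n "$realm" ] && krb5_realm_defined "$1" "$realm"
}

# Print the "idmap config DOMAIN : range" value from smb.conf.
# Usage: idmap_range FILE DOMAIN
idmap_range() {
    awk -F= -v dom="$2" '{
        k = $1; gsub(/[[:space:]]+/, " ", k); sub(/^ /, "", k); sub(/ $/, "", k)
        if (k == "idmap config " dom " : range") {
            v = $2; gsub(/[[:space:]]/, "", v); print v; exit } }' "$1"
}

# Print local accounts from PASSWD whose UID lies inside RANGE (lo-hi).
# Returns 0 when at least one account overlaps, 1 when the range is clean.
# Usage: idmap_range_overlaps_local 10000-1999999 /etc/passwd
idmap_range_overlaps_local() {
    lo=${1%-*}; hi=${1#*-}
    awk -F: -v lo="$lo" -v hi="$hi" '
        $3 + 0 >= lo + 0 && $3 + 0 <= hi + 0 { print $1; bad = 1 }
        END { exit !bad }' "$2"
}

# Constructed samples (paths are printed). write_sample_krb5 takes "broken"
# (as in the question) or "fixed" (as in the answer).
write_sample_krb5() {
    f=$(mktemp)
    if [ "$1" = broken ]; then realm=DOMAIN; else realm=DOMAIN.LOCAL; fi
    printf '%s\n' '[libdefaults]' "default_realm = $realm" '' '[realms]' \
        'DOMAIN.LOCAL = {' '    kdc = DC1.domain.local' '}' >"$f"
    echo "$f"
}
write_sample_smb() {
    f=$(mktemp)
    printf '%s\n' '[global]' 'workgroup = DOMAIN' 'security = ADS' \
        'idmap config DOMAIN : backend = ad' \
        'idmap config DOMAIN : range = 10000-1999999' >"$f"
    echo "$f"
}
write_sample_passwd() {
    f=$(mktemp)
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'localadmin:x:1000:1000:Local Admin:/home/localadmin:/bin/bash' \
        'nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin' >"$f"
    echo "$f"
}

# Demo run over the samples.
for mode in broken fixed; do
    f=$(write_sample_krb5 "$mode")
    if krb5_consistent "$f"; then echo "krb5.conf ($mode): default_realm matches [realms]"
    else echo "krb5.conf ($mode): default_realm '$(krb5_default_realm "$f")' has no [realms] block"; fi
    rm -f "$f"
done
smb=$(write_sample_smb); pw=$(write_sample_passwd)
range=$(idmap_range "$smb" DOMAIN)
echo "idmap range for DOMAIN: $range"
if hits=$(idmap_range_overlaps_local "$range" "$pw"); then
    echo "local accounts inside the AD range: $hits"
fi
rm -f "$smb" "$pw"
```

On a real member server run `idmap_range_overlaps_local "$(idmap_range /etc/samba/smb.conf DOMAIN)" /etc/passwd`; any account it prints shares its UID space with the directory, so either move the range or make sure no uidNumber in AD is assigned there.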

Got the other thing working as well. You have to install libpam-mount. After that, add the following line to /etc/pam.d/common-session

session optional            pam_mount.so

There's a config file for the mounts: /etc/security/pam_mount.conf.xml

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">

<pam_mount>

    <debug enable="0" />

    <!--
    <mntoptions deny="suid,dev" />
    <mntoptions allow="*" />
    <mntoptions deny="*" />
    -->
    <mntoptions require="nosuid,nodev" />

    <logout wait="100000" hup="yes" term="yes" kill="no" />

    <volume options="username=%(USER)"  fstype="cifs"  server="server.domain.local"  path="User/%(USER)" mountpoint="/home/domain/%(USER)/Shares/%(DOMAIN_USER)" />

    <volume options="username=%(USER)"  fstype="cifs"  server="server.domain.local"  path="Data" mountpoint="/home/domain/%(USER)/Shares/Data" />

    <umount>umount %(MNTPT)</umount>

    <mkmountpoint enable="1" remove="false" />

</pam_mount>
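The pam_mount file above is mostly the stock template, and the three mntoptions lines near the top normally sit inside an XML comment; if they become active, deny="*" refuses any mount option a volume specifies, while the require="nosuid,nodev" line is the setting that keeps a CIFS share from delivering setuid binaries or device nodes into a user's session. The script below is an added example, not code from the answer or from the pam_mount project: it strips XML comments and then reports which of those directives are actually in effect. The constructed sample in both its commented and uncommented form, and the helper names, are assumptions made here.

```shell
#!/bin/sh
# Added check for pam_mount.conf.xml; not from the original answer. It uses a
# small comment stripper so that directives inside <!-- --> are ignored, then
# inspects the active <mntoptions> and <volume> elements of a copy of the file.

# Remove <!-- ... --> comments (including multi-line ones) from FILE.
strip_xml_comments() {
    awk '
    { line = $0; out = ""
      while (length(line) > 0) {
          if (inc) {
              e = index(line, "-->")
              if (e == 0) { line = ""; break }
              line = substr(line, e + 3); inc = 0
          } else {
              s = index(line, "<!--")
              if (s == 0) { out = out line; line = ""; break }
              out = out substr(line, 1, s - 1)
              line = substr(line, s + 4); inc = 1
          }
      }
      print out }' "$1"
}

# Return 0 if the active <mntoptions require="..."> list contains OPT.
# Usage: pam_mount_require_has FILE nosuid
pam_mount_require_has() {
    strip_xml_comments "$1" |
        sed -n 's/.*<mntoptions[[:space:]][[:space:]]*require="\([^"]*\)".*/\1/p' |
        head -n 1 | tr ',' '\n' | grep -qx "$2"
}

# Return 0 if an uncommented <mntoptions deny="*" /> is present; that would
# refuse the username=%(USER) option every CIFS volume above relies on.
pam_mount_active_deny_all() {
    strip_xml_comments "$1" | grep -q '<mntoptions[[:space:]][[:space:]]*deny="\*"'
}

# Print the mountpoint of every active <volume> element, one per line.
pam_mount_mountpoints() {
    strip_xml_comments "$1" |
        sed -n 's/.*<volume .*mountpoint="\([^"]*\)".*/\1/p'
}

# Constructed sample (path is printed): "commented" is the stock layout with
# the three experimental mntoptions lines inside a comment; "stray" is the
# same file with the opening <!-- missing, so those lines become active.
write_sample_pam_mount() {
    f=$(mktemp)
    {
        echo '<?xml version="1.0" encoding="utf-8" ?>'
        echo '<pam_mount>'
        echo '    <debug enable="0" />'
        if [ "$1" = commented ]; then echo '    <!--'; fi
        echo '    <mntoptions deny="suid,dev" />'
        echo '    <mntoptions allow="*" />'
        echo '    <mntoptions deny="*" />'
        echo '    -->'
        echo '    <mntoptions require="nosuid,nodev" />'
        echo '    <volume options="username=%(USER)" fstype="cifs" server="server.domain.local" path="Data" mountpoint="/home/domain/%(USER)/Shares/Data" />'
        echo '    <mkmountpoint enable="1" remove="false" />'
        echo '</pam_mount>'
    } >"$f"
    echo "$f"
}

# Demo over both samples.
for mode in commented stray; do
    f=$(write_sample_pam_mount "$mode")
    if pam_mount_active_deny_all "$f"; then
        echo "$mode: deny=\"*\" is active, volumes with options will be refused"
    else
        echo "$mode: no blanket deny"
    fi
    if pam_mount_require_has "$f" nosuid; then echo "$mode: nosuid is required on every mount"; fi
    echo "$mode: mountpoints: $(pam_mount_mountpoints "$f")"
    rm -f "$f"
done
```

Pointed at /etc/security/pam_mount.conf.xml on the box, the same three calls tell you whether the options block is really commented out, whether nosuid and nodev are enforced, and which paths pam_mount will create and mount at login.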