JR Gonzalez
Explorer
- Joined
- Aug 29, 2014
- Messages
- 64
I am having problems authenticating sshd in a jail against the FreeNAS AD. From what I can tell the AD is working just fine. I was able to join and browse shares and authenticate on a Win7 laptop.
My problem is using the AD to authenticate the users in a FreeBSD jail for sshd so they can use shells and I can just use my AD for setting up accounts. Right now sshd is just a start and I plan on using pam modules in a couple of jails for shells, email, and contact/calendar information.
What I have tried so far:
Installed samba36 from ports:
# cd /usr/ports/net/samba36
# make config
OPTIONS: ACL_SUPPORT ADS AIO_SUPPORT CUPS DNSUPDATE DOCS EXAMPLES EXP_MODULES FAM IPV6 LDAP PAM_SMBPASS POPT PTHREADPOOL SYSLOG UTMP WINBIND
After the gentooesque build session I did the following:
/etc/rc.conf
# Samba
samba_enable="YES"
nmbd_enable="YES"
smbd_enable="YES"
winbindd_enable="YES"
kerberos5_server_enable="YES"
kadmind5_server_enable="YES"
/usr/local/etc/smb.conf
[global]
workgroup = DOMAIN
server string = FreeBSD Client %v
load printers = no
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
smb ports = 139
security = ADS
realm = DOMAIN.ORG
;winbind separator = \
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
template shell = /usr/local/bin/bash
client ntlmv2 auth = yes
winbind use default domain = yes
restrict anonymous = 2
domain master = no
local master = no
preferred master = no
disable netbios = no
dos charset = ASCII
unix charset = UTF8
display charset = UTF8
/etc/krb5.conf
[logging]
default = SYSLOG:INFO
[libdefaults]
ticket_lifetime = 24000
clock_skew = 300
default_realm = DOMAIN.ORG
[realms]
domain.LOCAL = {
kdc = servername.domain.org:88
admin_server = servername.domain.org:464
default_domain = scientiam.org
}
[domain_realm]
.domain.local = DOMAIN.ORG
domain.local = DOMAIN.ORG
(Please note... Even tho these are example domain and server names I triple checked. These entries are correct in krb5.conf.)
[RESTART JAIL]
Then I attempted to see if I can join the DOMAIN...
# kinit administrator
administrator@DOMAIN.ORG's Password:
# /usr/local/bin/net ads join -U server.domain.org -U administrator
Enter administrator's password:
Using short domain name -- DOMAIN
Joined 'LEGACY' to dns domain 'domain.org'
No DNS domain configured for localhost. Unable to perform DNS Update.
DNS update failed!
From what I can tell the localhost DNS thing is not an issue. Am I wrong?
# wbinfo -u
administrator
jrg
krbtgt
guest
/etc/nsswitch.conf
group: files winbind
group_compat: nis
hosts: files dns
networks: files
passwd: files winbind
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
Installed pam_mkhomedir
# cd /usr/ports/security/pam_mkhomedir && make install clean
Then....
/etc/pam.d/sshd
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_winbind.so
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so want_agent
session required /usr/local/lib/pam_mkhomedir.so
session required pam_permit.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
Then I try it...
shell% ssh jrg@legacy.domain.org
Password:
Wrong Password
The user is there. It works on a Win7 box. What on Earth am I missing here?
I'm positive the password is correct for the user I am trying to use. I also don't get much in way of logs..
Mar 26 15:23:13 legacy sshd[26383]: pam_winbind(sshd): user 'jrg' denied access (incorrect password or invalid membership)
Mar 26 15:24:10 legacy sshd[26390]: pam_winbind(sshd): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (9), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
Can someone please let me know if I missed steps. This seemed rather similar to straight openldap but for whatever reason the authentication doesn't seem to want to send the password properly.
Also...
# getent passwd
administrator:*:10001:10000:Administrator:/home/administrator:/usr/local/bin/bash
jrg:*:10000:10000:JR Gonzalez:/home/jrg:/usr/local/bin/bash
krbtgt:*:10002:10000:krbtgt:/home/krbtgt:/usr/local/bin/bash
guest:*:10003:10001:Guest:/home/guest:/usr/local/bin/bash
So it seems to be able to grab the users/groups.
The computer can also be seen in RSAT meaning it had a successful join to the domain.
The computer is properly placed in the DC's internal DNS and can be resolved.
Please help.
My problem is using the AD to authenticate the users in a FreeBSD jail for sshd so they can use shells and I can just use my AD for setting up accounts. Right now sshd is just a start and I plan on using pam modules in a couple of jails for shells, email, and contact/calendar information.
What I have tried so far:
Installed samba36 from ports:
# cd /usr/ports/net/samba36
# make config
OPTIONS: ACL_SUPPORT ADS AIO_SUPPORT CUPS DNSUPDATE DOCS EXAMPLES EXP_MODULES FAM IPV6 LDAP PAM_SMBPASS POPT PTHREADPOOL SYSLOG UTMP WINBIND
After the gentooesque build session I did the following:
/etc/rc.conf
# Samba
samba_enable="YES"
nmbd_enable="YES"
smbd_enable="YES"
winbindd_enable="YES"
kerberos5_server_enable="YES"
kadmind5_server_enable="YES"
/usr/local/etc/smb.conf
[global]
workgroup = DOMAIN
server string = FreeBSD Client %v
load printers = no
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
smb ports = 139
security = ADS
realm = DOMAIN.ORG
;winbind separator = \
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
template shell = /usr/local/bin/bash
client ntlmv2 auth = yes
winbind use default domain = yes
restrict anonymous = 2
domain master = no
local master = no
preferred master = no
disable netbios = no
dos charset = ASCII
unix charset = UTF8
display charset = UTF8
/etc/krb5.conf
[logging]
default = SYSLOG:INFO
[libdefaults]
ticket_lifetime = 24000
clock_skew = 300
default_realm = DOMAIN.ORG
[realms]
domain.LOCAL = {
kdc = servername.domain.org:88
admin_server = servername.domain.org:464
default_domain = scientiam.org
}
[domain_realm]
.domain.local = DOMAIN.ORG
domain.local = DOMAIN.ORG
(Please note... Even tho these are example domain and server names I triple checked. These entries are correct in krb5.conf.)
[RESTART JAIL]
Then I attempted to see if I can join the DOMAIN...
# kinit administrator
administrator@DOMAIN.ORG's Password:
# /usr/local/bin/net ads join -U server.domain.org -U administrator
Enter administrator's password:
Using short domain name -- DOMAIN
Joined 'LEGACY' to dns domain 'domain.org'
No DNS domain configured for localhost. Unable to perform DNS Update.
DNS update failed!
From what I can tell the localhost DNS thing is not an issue. Am I wrong?
# wbinfo -u
administrator
jrg
krbtgt
guest
/etc/nsswitch.conf
group: files winbind
group_compat: nis
hosts: files dns
networks: files
passwd: files winbind
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
Installed pam_mkhomedir
# cd /usr/ports/security/pam_mkhomedir && make install clean
Then....
/etc/pam.d/sshd
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_winbind.so
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so want_agent
session required /usr/local/lib/pam_mkhomedir.so
session required pam_permit.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
Then I try it...
shell% ssh jrg@legacy.domain.org
Password:
Wrong Password
The user is there. It works on a Win7 box. What on Earth am I missing here?
I'm positive the password is correct for the user I am trying to use. I also don't get much in way of logs..
Mar 26 15:23:13 legacy sshd[26383]: pam_winbind(sshd): user 'jrg' denied access (incorrect password or invalid membership)
Mar 26 15:24:10 legacy sshd[26390]: pam_winbind(sshd): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (9), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
Can someone please let me know if I missed steps. This seemed rather similar to straight openldap but for whatever reason the authentication doesn't seem to want to send the password properly.
Also...
# getent passwd
administrator:*:10001:10000:Administrator:/home/administrator:/usr/local/bin/bash
jrg:*:10000:10000:JR Gonzalez:/home/jrg:/usr/local/bin/bash
krbtgt:*:10002:10000:krbtgt:/home/krbtgt:/usr/local/bin/bash
guest:*:10003:10001:Guest:/home/guest:/usr/local/bin/bash
So it seems to be able to grab the users/groups.
The computer can also be seen in RSAT meaning it had a successful join to the domain.
The computer is properly placed in the DC's internal DNS and can be resolved.
Please help.
