ssh not connecting to Active Directory in Fedora 25 workstation, wbinfo -u works; child_read_request: read_data failed: NT_STATUS_CONNECTION_RESET


ssh not connecting to Active Directory in Fedora 25 workstation, wbinfo -u works; child_read_request: read_data failed: NT_STATUS_CONNECTION_RESET

Samba - General mailing list
Running Fedora 25 workstation we're able to register the computer in AD but I can't get SSH to authenticate properly.  wbinfo -u brings back all the users. Just getting "Permission denied, please try again." Below are key settings in related conf files.

rpm -q samba
samba-4.5.8-1.fc25.x86_64

winbindd -V
Version 4.5.8

/etc/nsswitch.conf:
passwd:     files winbind
shadow:     files
group:      files winbind
hosts:      files dns

/etc/samba/smb.conf:
[global]
        workgroup = DSDEV
        realm = DSDEV.LOCAL
        security = ads
        idmap.config *:backend = tdb
        idmap.config *:range = 100000-199999
        idmap.config DSDEV: backend = rid
        idmap.config DSDEV: range = 1000000-4999999
        winbind enum users = yes
        winbind enum groups = yes
        winbind separator = +
        template homedir = /home/%D/%U
        template shell = /bin/bash
# winbind use default domain = true
        winbind offline logon = true
        passdb backend = tdbsam
        printing = cups
        printcap name = cups
        load printers = yes
        cups options = raw
# ldap ssl ads = yes
# ldap ssl = start tls
        client use spnego = yes
        client ntlmv2 auth = yes
        encrypt passwords = yes
        winbind use default domain = yes
        restrict anonymous = 2
        log level = 3

/etc/krb5.conf:
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 default_realm = DSDEV.LOCAL
 dns_lookup_realm = true
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}
[domain_realm]
.dsdev = DSDEV.LOCAL
dsdev = DSDEV.LOCAL
dsdev.local = DSDEV.LOCAL
.dsdev.local = DSDEV.LOCAL

/etc/ssh/sshd_config:
ChallengeResponseAuthentication no
KerberosAuthentication yes
KerberosTicketCleanup yes
KerberosGetAFSToken yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

/etc/resolv.conf:
search dsdev.local ourdomain
nameserver y.y.y.y.
nameserver x.x.x.x

/etc/pam.d/password-auth-ac:
auth        required  pam_env.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        sufficient    pam_winbind.so cached_login use_first_pass
auth        required  pam_deny.so

account     required  pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
account     required  pam_permit.so

Some logs from log.wb-DSDEV:
[2017/05/09 10:05:36.038999,  3] ../source3/winbindd/winbindd_ads.c:412(query_user_list)
  ads query_user_list gave 43369 entries
[2017/05/09 10:06:09.770858,  3] ../source3/winbindd/winbindd_dual.c:60(child_read_request)
  child_read_request: read_data failed: NT_STATUS_CONNECTION_RESET
[2017/05/09 10:09:40.556738,  3] ../source3/winbindd/winbindd_ads.c:1495(sequence_number)
  ads: fetch sequence_number for DSDEV
[2017/05/09 10:09:40.557560,  3] ../source3/libsmb/namequery.c:3117(get_dc_list)
  get_dc_list: preferred server list: ", *"
[2017/05/09 10:09:40.560753,  3] ../source3/libads/ldap.c:618(ads_connect)
  Successfully contacted LDAP server 172.17.132.28

I've scanned the previous thread here:
https://groups.google.com/forum/#!topic/linux.samba/XhVnPg-HMF8

And I didn't compile; I'm using the packages via DNF, so no need for the symlinks. I have log level set to 3 but I didn't want to overwhelm my post any more.
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: ssh not connecting to Active Directory in Fedora 25 workstation, wbinfo -u works; child_read_request: read_data failed: NT_STATUS_CONNECTION_RESET

On Tue, 9 May 2017 11:00:09 -0400
Robert Kudyba via samba <[hidden email]> wrote:

> Running Fedora 25 workstation we're able to register the computer in
> AD but I can't get SSH to authenticate properly.  wbinfo -u brings
> back all the users. Just getting "Permission denied, please try
> again." Below are key settings in related conf files.
> [...]

is sssd installed ?

If so, try removing it; sssd has its own version of a winbind lib and
this can conflict with winbind.

You also only need this in /etc/krb5.conf for Samba:

[libdefaults]
 default_realm = DSDEV.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = true

The first two lines in yours have been known to confuse Samba.

Rowland


Re: ssh not connecting to Active Directory in Fedora 25 workstation, wbinfo -u works; child_read_request: read_data failed: NT_STATUS_CONNECTION_RESET


> On May 9, 2017, at 11:15 AM, Rowland Penny via samba <[hidden email]> wrote:
>
> On Tue, 9 May 2017 11:00:09 -0400
> Robert Kudyba via samba <[hidden email]> wrote:
>
>> Running Fedora 25 workstation we're able to register the computer in
>> AD but I can't get SSH to authenticate properly.  wbinfo -u brings
>> back all the users. Just getting "Permission denied, please try
>> again." Below are key settings in related conf files.
>> [...]
>
> is sssd installed ?
>
> If so, try removing it; sssd has its own version of a winbind lib and
> this can conflict with winbind.

OK I stopped it and disabled it.


> You also only need this in /etc/krb5/conf for Samba:
>
> [libdefaults]
> default_realm = DSDEV.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = true

OK I had dns_lookup_kdc = true just changed dns_lookup_realm = false. Restarted smb and winbind.


> The first two lines in yours have been known to confuse Samba.

Do you mean the include lines? Should I comment them out?

Still getting:
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
Permission denied, please try again.

May  9 11:32:30 our sshd[32423]: input_userauth_request: invalid user myuser [preauth]
May  9 11:32:40 our sshd[32423]: Failed password for invalid user myuser from x.x.x.x port 63258 ssh2




Re: ssh not connecting to Active Directory in Fedora 25 workstation, wbinfo -u works; child_read_request: read_data failed: NT_STATUS_CONNECTION_RESET

On Tue, 9 May 2017 11:34:27 -0400
Robert Kudyba <[hidden email]> wrote:


> > You also only need this in /etc/krb5/conf for Samba:
> >
> > [libdefaults]
> > default_realm = DSDEV.LOCAL
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
>
> OK I had dns_lookup_kdc = true just changed dns_lookup_realm = false.
> Restarted smb and winbind.
>
>
> > The first two lines in yours have been known to confuse Samba.
>
> Do you mean the include lines? Should I comment them out?

Er no, when I said you only need what I posted, I meant that
your /etc/krb5.conf should only contain the 4 lines I posted.

>
> Still getting:
> debug2: we sent a password packet, wait for reply
> debug1: Authentications that can continue:
> publickey,gssapi-keyex,gssapi-with-mic,password Permission denied,
> please try again.
>
> May  9 11:32:30 our sshd[32423]: input_userauth_request: invalid user
> myuser [preauth] May  9 11:32:40 our sshd[32423]: Failed password for
> invalid user myuser from x.x.x.x port 63258 ssh2
>

If you run 'getent passwd myuser' on the machine you are trying to
connect to, do you get any output ?

Rowland



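An added example, not from the thread and not Samba's own code: a small offline triage script in Python that walks the same chain Rowland does. Two facts it encodes are worth having in front of you while reading the rest of the thread. First, sshd logs "invalid user" when getpwnam() returns nothing, so that line is an NSS lookup failure rather than a wrong password, and it is emitted before PAM is consulted at all. Second, `wbinfo -u` only enumerates names, whereas `getent passwd` needs a SID-to-UID mapping from the idmap backend, so the two disagreeing points at idmap or at the NSS module rather than at the domain join. The script also checks the idmap keys in the posted smb.conf against the spelling in smb.conf(5), which is `idmap config DOMAIN : backend` with a space; Samba ignores parameters it does not recognise and `testparm -s` warns about them. Whether the dotted `idmap.config` in the original post is the real file or a paste artifact is not settled in the thread, so the check reports it rather than asserting it is the cause. The sample sshd lines, nsswitch.conf and smb.conf excerpt below are constructed from the posts above; the user name `myuser` and the wbinfo/getent results are passed in as arguments instead of being queried live, so the script runs anywhere.

```python
import re

# Constructed inputs, copied from the posts in this thread (not live data).
SSHD_LOG = """\
May  9 11:32:30 our sshd[32423]: input_userauth_request: invalid user myuser [preauth]
May  9 11:32:40 our sshd[32423]: Failed password for invalid user myuser from x.x.x.x port 63258 ssh2
"""

NSSWITCH = """\
passwd:     files winbind
shadow:     files
group:      files winbind
hosts:      files dns
"""

SMB_CONF = """\
[global]
        workgroup = DSDEV
        realm = DSDEV.LOCAL
        security = ads
        idmap.config *:backend = tdb
        idmap.config *:range = 100000-199999
        idmap.config DSDEV: backend = rid
        idmap.config DSDEV: range = 1000000-4999999
        winbind use default domain = yes
"""

# smb.conf(5) spelling: "idmap config DOMAIN : backend|range" (space, not dot).
IDMAP_KEY = re.compile(r"^idmap config\s+(\S+?)\s*:\s*(backend|range)$", re.I)


def sshd_invalid_users(log):
    """Names sshd rejected before any password check.

    'invalid user X' is logged when getpwnam(X) fails, i.e. NSS does not know
    the account; PAM is never consulted for such a login attempt."""
    return sorted(set(re.findall(r"invalid user (\S+)", log)))


def nss_winbind_databases(nsswitch):
    """Databases in nsswitch.conf that fall through to the winbind module."""
    sources = {}
    for line in nsswitch.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, srcs = line.split(":", 1)
        sources[db.strip()] = srcs.split()
    return {db for db in ("passwd", "group") if "winbind" in sources.get(db, [])}


def check_idmap_params(smb_conf):
    """Split idmap* keys into recognised and unrecognised spellings.

    Samba ignores parameters it does not recognise (testparm -s warns about
    them), so a misspelt key silently leaves the domain without an idmap range."""
    ok, suspect = [], []
    for line in smb_conf.splitlines():
        line = line.strip()
        if "=" not in line or line.startswith(("#", ";", "[")):
            continue
        key = line.split("=", 1)[0].strip()
        if key.lower().startswith("idmap"):
            (ok if IDMAP_KEY.match(key) else suspect).append(key)
    return ok, suspect


def classify(user, wbinfo_users, getent_ok, log, nsswitch, smb_conf):
    """Localise the failing layer in the order the thread checks it.

    wbinfo_users: names from `wbinfo -u`; getent_ok: whether
    `getent passwd user` printed a line. Returns a one-line verdict."""
    if user not in wbinfo_users:
        return "winbind cannot enumerate the user: check the join and DC reachability"
    if user in sshd_invalid_users(log) or not getent_ok:
        reasons = ["wbinfo -u sees the user but NSS cannot resolve it (sshd: invalid user)"]
        missing = {"passwd", "group"} - nss_winbind_databases(nsswitch)
        if missing:
            reasons.append("nsswitch.conf lacks winbind for " + ", ".join(sorted(missing)))
        _, suspect = check_idmap_params(smb_conf)
        if suspect:
            reasons.append("unrecognised idmap keys, so no usable range: " + ", ".join(suspect))
        return "; ".join(reasons)
    return "NSS resolves the user; the failure is in PAM or Kerberos, raise pam_winbind debug"


if __name__ == "__main__":
    # The wbinfo/getent values are what the thread reports, not live lookups.
    print(classify("myuser", {"myuser"}, False, SSHD_LOG, NSSWITCH, SMB_CONF))
```

On the real host the inputs come from `wbinfo -u`, `getent passwd myuser` and the sshd log. If getent stays empty with the NSS libraries in place, as the last post in the thread shows, the next things to run are `wbinfo -i myuser` (winbind's own passwd lookup, bypassing libnss_winbind) and `wbinfo -n myuser` followed by `wbinfo -S <SID>` (the SID-to-UID step the idmap backend has to answer); `testparm -s` will list any smb.conf parameters Samba is ignoring.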

Re: ssh not connecting to Active Directory in Fedora 25 workstation, wbinfo -u works; child_read_request: read_data failed: NT_STATUS_CONNECTION_RESET


> On May 9, 2017, at 11:48 AM, Rowland Penny via samba <[hidden email]> wrote:
>
> On Tue, 9 May 2017 11:34:27 -0400
> Robert Kudyba <[hidden email]> wrote:
>
>
>>> You also only need this in /etc/krb5.conf for Samba:
>>>
>>> [libdefaults]
>>> default_realm = DSDEV.LOCAL
>>> dns_lookup_realm = false
>>> dns_lookup_kdc = true
>>
>> OK I had dns_lookup_kdc = true just changed dns_lookup_realm = false.
>> Restarted smb and winbind.
>>
>>
>>> The first two lines in yours have been known to confuse Samba.
>>
>> Do you mean the include lines? Should I comment them out?
>
> Er no, when I said you only need what I posted, I meant that
> your /etc/krb5.conf should only contain the 4 lines I posted.

OK I wasn't sure if you were referencing the "Connections to a Samba Domain Member Fail After Adding a includedir Statement to the /etc/krb5.conf File" at https://wiki.samba.org/index.php/Troubleshooting_Samba_Domain_Members

> If you run 'getent passwd myuser' on the machine you are trying to
> connect to, do you get any output ?

None, blank line. Are there any other services to restart other than smb, winbind and sshd?

Re: ssh not connecting to Active Directory in Fedora 25 workstation, wbinfo -u works; child_read_request: read_data failed: NT_STATUS_CONNECTION_RESET

On Tue, 9 May 2017 11:55:11 -0400
Robert Kudyba <[hidden email]> wrote:

> > If you run 'getent passwd myuser' on the machine you are trying to
> > connect to, do you get any output ?
>
> None, blank line. Are there any other services to restart other than
> smb, winbind and sshd?

That's your problem then, if you aren't getting output, then the OS
doesn't know who your user is.

Does 'wbinfo -u | grep myuser' show the user ?

Are you sure the libnss-winbind links are correct ?

Rowland


Re: ssh not connecting to Active Directory in Fedora 25 workstation, wbinfo -u works; child_read_request: read_data failed: NT_STATUS_CONNECTION_RESET


> On May 9, 2017, at 12:11 PM, Rowland Penny via samba <[hidden email]> wrote:
>
> On Tue, 9 May 2017 11:55:11 -0400
> Robert Kudyba <[hidden email]> wrote:
>
>>> If you run 'getent passwd myuser' on the machine you are trying to
>>> connect to, do you get any output ?
>>
>> None, blank line. Are there any other services to restart other than
>> smb, winbind and sshd?
>
> That's your problem then, if you aren't getting output, then the OS
> doesn't know who your user is.
>
> Does 'wbinfo -u | grep myuser' show the user ?

yes

> Are you sure the libnss-winbind links are correct ?

I think so; here's what it looks like. Note they aren't symlinks but the actual file:
smbd -b | grep LIBDIR
   LIBDIR: /usr/lib64

locate libnss_winbind.so.2
/usr/lib64/libnss_winbind.so.2

ls -l /lib64/libnss_winbind.so.2
-rwxr-xr-x 1 root root 15120 Apr  6 11:30 /lib64/libnss_winbind.so.2

ls -l /usr/lib64/libnss_winbind.so.2
-rwxr-xr-x 1 root root 15120 Apr  6 11:30 /usr/lib64/libnss_winbind.so.2

