Operating System - HP-UX

sshd+pam kerberos+winbind

 
Court Campbell
Honored Contributor

sshd+pam kerberos+winbind

This is so much easier in Linux. Anyway, I have an 11.23 box. I installed the kerberos client, CIFS server, and pam kerberos. I set up the krb5.conf and did a kinit and klist - works fine. I then set up winbind and wbinfo is working correctly. I then set the pam.conf. Here is what is there.

#
#
# Authentication management
#
login auth required libpam_hpsec.so.1
login auth sufficient libpam_krb5.so.1
login auth required libpam_unix.so.1 try_first_pass
su auth required libpam_hpsec.so.1
su auth sufficient libpam_krb5.so.1
su auth required libpam_unix.so.1 try_first_pass
dtlogin auth required libpam_hpsec.so.1
dtlogin auth sufficient libpam_krb5.so.1
dtlogin auth required libpam_unix.so.1 try_first_pass
dtaction auth required libpam_hpsec.so.1
dtaction auth sufficient libpam_krb5.so.1
dtaction auth required libpam_unix.so.1 try_first_pass
ftp auth required libpam_hpsec.so.1
ftp auth sufficient libpam_krb5.so.1
ftp auth required libpam_unix.so.1 try_first_pass
sshd auth required libpam_hpsec.so.1
sshd auth required libpam_krb5.so.1
sshd auth required libpam_unix.so.1 try_first_pass
OTHER auth required libpam_unix.so.1
#
# Account management
#
login account required libpam_hpsec.so.1
login account sufficient libpam_krb5.so.1
login account required libpam_unix.so.1
su account required libpam_hpsec.so.1
su account sufficient libpam_krb5.so.1
su account required libpam_unix.so.1
dtlogin account required libpam_hpsec.so.1
dtlogin account sufficient libpam_krb5.so.1
dtlogin account required libpam_unix.so.1
dtaction account required libpam_hpsec.so.1
dtaction account sufficient libpam_krb5.so.1
dtaction account required libpam_unix.so.1
ftp account required libpam_hpsec.so.1
ftp account sufficient libpam_krb5.so.1
ftp account required libpam_unix.so.1
sshd account required libpam_hpsec.so.1
sshd account sufficient libpam_krb5.so.1
sshd account required libpam_unix.so.1
OTHER account required libpam_unix.so.1
#
# Session management
#
login session required libpam_hpsec.so.1
login session required libpam_krb5.so.1
login session required libpam_unix.so.1
dtlogin session required libpam_hpsec.so.1
dtlogin session sufficient libpam_krb5.so.1
dtlogin session required libpam_unix.so.1
dtaction session required libpam_hpsec.so.1
dtaction session sufficient libpam_krb5.so.1
dtaction session required libpam_unix.so.1
sshd account required libpam_hpsec.so.1
sshd account sufficient libpam_krb5.so.1
sshd account required libpam_unix.so.1
OTHER session required libpam_unix.so.1
#
# Password management
#
login password required libpam_hpsec.so.1
login password sufficient libpam_krb5.so.1
login password required libpam_unix.so.1
passwd password required libpam_hpsec.so.1
passwd password sufficient libpam_krb5.so.1
passwd password required libpam_unix.so.1
dtlogin password required libpam_hpsec.so.1
dtlogin password sufficient libpam_krb5.so.1
dtlogin password required libpam_unix.so.1
dtaction password required libpam_hpsec.so.1
dtaction password sufficient libpam_krb5.so.1
dtaction password required libpam_unix.so.1
sshd account required libpam_hpsec.so.1
sshd account sufficient libpam_krb5.so.1
sshd account required libpam_unix.so.1
OTHER password required libpam_unix.so.1

It's probably overkill, but I was trying anything at this point. When I try to login via ssh to the box I get the following errors:

Dec 6 12:04:12 mihp0093 sshd[2276]: Invalid user cwcamp from 172.20.16.214
Dec 6 12:04:12 mihp0093 sshd[2276]: Failed none for invalid user cwcamp from 172.20.16.214 port 65278 ssh2
Dec 6 12:04:16 mihp0093 sshd[2276]: [Authentication failed] Password not valid
Dec 6 12:04:18 mihp0093 sshd[2276]: error: PAM: No account present for user for illegal user cwcamp from siisysman.corp.smith.com
Dec 6 12:04:18 mihp0093 sshd[2276]: Failed keyboard-interactive/pam for invalid user cwcamp from 172.20.16.214 port 65278 ssh2

Any ideas? Has anyone got this to work? I see a couple of posts, but nothing stating they got ssh to work. I am also including a link to a powerpoint that I found, but it hasn't helped with this issue.

http://www.sambaxp.com/files/SambaXP2007-PDF/McCall-SambaXP%20presentation-4.7.2007.ppt
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"
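One way to see what the stacks above actually decide, as an added example that is not part of the original post: the script below parses an HP-UX-style pam.conf (service, type, control flag, module, options per line), evaluates each stack with libpam's required/requisite/sufficient rules, and flags entries whose type does not match the section they are filed under. `PAM_CONF` is a constructed copy of the login and sshd lines posted above; the module outcomes (libpam_krb5 succeeds, libpam_unix fails, libpam_hpsec assumed to pass) are assumptions that model an account that exists only in AD. It models only the PAM half of a login: OpenSSH resolves the user with getpwnam() before it calls PAM at all, so the `Invalid user` lines in the log are outside what this script explains.

```python
"""Evaluate pam.conf stacks with libpam's control-flag rules.

Added example, not code from the thread. PAM_CONF is a constructed copy of
the login and sshd lines posted above (including the sshd entries that say
"account" under the session and password sections). Module outcomes are
assumptions, not measured behaviour of the real modules.
"""
import re
from collections import defaultdict

PAM_CONF = """\
# Authentication management
login auth required libpam_hpsec.so.1
login auth sufficient libpam_krb5.so.1
login auth required libpam_unix.so.1 try_first_pass
sshd auth required libpam_hpsec.so.1
sshd auth required libpam_krb5.so.1
sshd auth required libpam_unix.so.1 try_first_pass
OTHER auth required libpam_unix.so.1
# Account management
login account required libpam_hpsec.so.1
login account sufficient libpam_krb5.so.1
login account required libpam_unix.so.1
sshd account required libpam_hpsec.so.1
sshd account sufficient libpam_krb5.so.1
sshd account required libpam_unix.so.1
OTHER account required libpam_unix.so.1
# Session management
login session required libpam_hpsec.so.1
login session required libpam_krb5.so.1
login session required libpam_unix.so.1
sshd account required libpam_hpsec.so.1
sshd account sufficient libpam_krb5.so.1
sshd account required libpam_unix.so.1
OTHER session required libpam_unix.so.1
# Password management
login password required libpam_hpsec.so.1
login password sufficient libpam_krb5.so.1
login password required libpam_unix.so.1
sshd account required libpam_hpsec.so.1
sshd account sufficient libpam_krb5.so.1
sshd account required libpam_unix.so.1
OTHER password required libpam_unix.so.1
"""

TYPES = ("auth", "account", "session", "password")
SECTION_RE = re.compile(r"^#\s*(Authentication|Account|Session|Password) management", re.I)
SECTION_TYPE = {"authentication": "auth", "account": "account",
                "session": "session", "password": "password"}

# Assumed outcomes for a user that exists only in AD and typed a good password:
# Kerberos succeeds, the /etc/passwd-backed module fails, hpsec is assumed to pass.
AD_ONLY_USER = {"libpam_hpsec.so.1": True, "libpam_krb5.so.1": True, "libpam_unix.so.1": False}


def parse(text):
    """Return ({(service, type): [(control, module), ...]}, [lint findings])."""
    stacks, findings, section = defaultdict(list), [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:                      # remember which "# ... management" block we are in
            section = SECTION_TYPE[m.group(1).lower()]
            continue
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4 or fields[1] not in TYPES:
            findings.append(f"line {n}: malformed entry: {line!r}")
            continue
        service, mtype, control, module = fields[:4]
        if section and mtype != section:
            findings.append(f"line {n}: '{service} {mtype}' entry under the {section} section (copy/paste error?)")
        stacks[(service, mtype)].append((control, module))
    return stacks, findings


def evaluate(stack, outcomes):
    """Apply control flags in order. required: failure remembered, rest still runs;
    requisite: failure ends the stack; sufficient: success ends the stack with
    PAM_SUCCESS unless a required module already failed, its failure is ignored;
    optional: ignored here. An empty stack counts as failure."""
    required_failed = False
    for control, module in stack:
        ok = outcomes.get(module, False)
        if control == "requisite" and not ok:
            return False
        if control == "required" and not ok:
            required_failed = True
        elif control == "sufficient" and ok and not required_failed:
            return True
    return bool(stack) and not required_failed


def resolve(stacks, service, mtype):
    """The stack libpam uses: the service's own lines, else the OTHER lines."""
    own = (service, mtype) in stacks
    return (stacks[(service, mtype)] if own else stacks.get(("OTHER", mtype), [])), own


def report(text=PAM_CONF, outcomes=AD_ONLY_USER, services=("login", "sshd")):
    """Map (service, type) -> (passes?, has its own stack?) plus lint findings."""
    stacks, findings = parse(text)
    results = {}
    for service in services:
        for mtype in TYPES:
            stack, own = resolve(stacks, service, mtype)
            results[(service, mtype)] = (evaluate(stack, outcomes), own)
    return results, findings


if __name__ == "__main__":
    results, findings = report()
    for (svc, mtype), (ok, own) in sorted(results.items()):
        print(f"{svc:6} {mtype:9} {'PASS' if ok else 'FAIL'}  ({'own stack' if own else 'OTHER'})")
    for f in findings:
        print("lint:", f)
```

Run as-is to print PASS/FAIL per (service, type) plus the lint findings. The point to watch is the difference between `sshd auth required libpam_krb5.so.1` and `login auth sufficient libpam_krb5.so.1`: with `required`, a Kerberos success does not end the stack, so the following `required libpam_unix.so.1` still decides the result; with `sufficient`, the Kerberos success returns immediately and libpam_unix is never consulted. The linter also shows that the sshd lines filed under the session and password sections are typed `account`, so sshd has no session or password stack of its own and falls back to OTHER for those.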
9 REPLIES
Court Campbell
Honored Contributor

Re: sshd+pam kerberos+winbind

I find it funny that I am able to help people on ITRC but all my threads seem to come to the forum and die. I guess I need to ask more trivial questions like, "how do I reset roots password on a trusted system?" How many times do we see that?
skt_skt
Honored Contributor

Re: sshd+pam kerberos+winbind



"Dec 6 12:04:12 mihp0093 sshd[2276]: Invalid user cwcamp from 172.20.16.214"

Check if you have the same user on both sides.


"Dec 6 12:04:12 mihp0093 sshd[2276]: Failed none for invalid user cwcamp from 172.20.16.214 port 65278 ssh2"

Check if you have the same user on both sides.


"Dec 6 12:04:16 mihp0093 sshd[2276]: [Authentication failed] Password not valid
Dec 6 12:04:18 mihp0093 sshd[2276]: error: PAM: No account present for user for illegal user cwcamp from siisysman.corp.smith.com"

If the account is there, check if you have the ssh relation set up.

Dec 6 12:04:18 mihp0093 sshd[2276]: Failed keyboard-interactive/pam for invalid user cwcamp from 172.20.16.214 port 65278 ssh2

You are implementing something which is NOT that widely done. My wild guess is that kerberos is doing the auth only and ssh still restricts to its own rules.
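A small triage routine over the log lines quoted in this reply, as an added example that is not part of the thread: it groups sshd log lines by process id, tags each line with the stage that emitted it, and reports the earliest real failure per session. OpenSSH logs `Invalid user X from ...` when its getpwnam() lookup of the user fails, which happens before any PAM module runs, so that line points at the name service (the passwd line in nsswitch.conf, and whatever winbind returns) rather than at pam.conf; `Failed none` is the client's initial method probe and fails whenever authentication is required at all. The sample log is a constructed copy of the excerpt above, the stage names are this example's own labels, and the `[Authentication failed] Password not valid` line is deliberately left unclassified because its origin is not shown on the page.

```python
"""Triage sshd authentication-failure log lines by the stage that emitted them.

Added example, not code from the thread. SAMPLE_LOG is a constructed copy of
the five lines quoted above; the stage labels (nss/none/pam) are this example's.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Dec 6 12:04:12 mihp0093 sshd[2276]: Invalid user cwcamp from 172.20.16.214
Dec 6 12:04:12 mihp0093 sshd[2276]: Failed none for invalid user cwcamp from 172.20.16.214 port 65278 ssh2
Dec 6 12:04:16 mihp0093 sshd[2276]: [Authentication failed] Password not valid
Dec 6 12:04:18 mihp0093 sshd[2276]: error: PAM: No account present for user for illegal user cwcamp from siisysman.corp.smith.com
Dec 6 12:04:18 mihp0093 sshd[2276]: Failed keyboard-interactive/pam for invalid user cwcamp from 172.20.16.214 port 65278 ssh2
"""

# syslog prefix: "Mon  D HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# Ordered rules, first match wins.
#   nss  - sshd's getpwnam() lookup failed before any PAM module ran (OpenSSH: "Invalid user").
#   none - the client's initial "none" method; rejected whenever authentication is required.
#   pam  - a PAM module or the keyboard-interactive/pam method reported failure.
#          "No account present for user" is the pam_strerror() text for PAM_USER_UNKNOWN
#          in Solaris-lineage libpam, which HP-UX ships.
RULES = [
    (re.compile(r"^Invalid user (?P<user>\S+) from"), "nss"),
    (re.compile(r"^Failed none for (?:invalid user )?(?P<user>\S+) from"), "none"),
    (re.compile(r"^error: PAM: (?P<reason>.+?) for (?:illegal user )?(?P<user>\S+) ?from"), "pam"),
    (re.compile(r"^Failed keyboard-interactive/pam for (?:invalid user )?(?P<user>\S+) from"), "pam"),
]


def classify(msg):
    """Return (stage, captured fields) for one sshd message."""
    for rx, stage in RULES:
        m = rx.match(msg)
        if m:
            return stage, m.groupdict()
    return "unclassified", {}


def triage(log=SAMPLE_LOG):
    """Return {pid: {"user", "stages", "unclassified", "first_failure"}} per sshd session."""
    sessions = defaultdict(lambda: {"user": None, "stages": [], "unclassified": []})
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        stage, info = classify(m.group("msg"))
        s = sessions[m.group("pid")]
        if info.get("user"):
            s["user"] = s["user"] or info["user"]
        if stage == "unclassified":
            s["unclassified"].append(m.group("msg"))
        else:
            s["stages"].append(stage)
    for s in sessions.values():
        # "none" is never a real failure; the earliest remaining stage is where to start.
        real = [st for st in s["stages"] if st != "none"]
        s["first_failure"] = real[0] if real else None
    return dict(sessions)


def where_to_look(session):
    """Translate the first failing stage into the configuration to inspect."""
    return {"nss": "name service: nsswitch.conf passwd line and winbind lookups",
            "pam": "pam.conf stack for sshd",
            None: "no classified failure"}[session["first_failure"]]


if __name__ == "__main__":
    for pid, s in triage().items():
        print(pid, s["user"], s["stages"], "->", where_to_look(s))
```

For the sample session the first real failure is `nss`, so the PAM lines that follow are reported for a user sshd already considers invalid; the check to run first is whether the box can resolve the account outside of ssh at all (whatever name-service query tool your HP-UX release provides, or a short program calling getpwnam()), and only then the pam.conf stacks.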
Court Campbell
Honored Contributor

Re: sshd+pam kerberos+winbind

The user account only exists in windows AD. I wish that were the issue. Kerberos works if I use kinit, etc. I actually think it is more of a winbind resolution issue. I don't think that winbind is returning the user info.
Sameer_Nirmal
Honored Contributor

Re: sshd+pam kerberos+winbind

Maybe the problem is during keytab validation?

I would run "pamkrbval" tool to test the basic setup and use "-c" argument for CIFS.
Court Campbell
Honored Contributor

Re: sshd+pam kerberos+winbind

I don't have a keytab setup. In the documentation I was reading, it doesn't state that I have to have that. But that could be an issue.
Sameer_Nirmal
Honored Contributor

Re: sshd+pam kerberos+winbind

/etc/krb5.keytab should be setup. The sshd does verify/validate the file for the authentication.

I hope you have checked the user credentials using klist?

http://www.docs.hp.com/en/T1417-90006/index.html
Maurice Skubski_1
Valued Contributor

Re: sshd+pam kerberos+winbind

Hi,

have the same issue. Do you have a solution?

thank you
regards
Maurice
Court Campbell
Honored Contributor

Re: sshd+pam kerberos+winbind

No. I gave up on the idea. The extra time it was taking to get it to work wasn't worth the effort. Plus with HPUX's issues with using user names of only 8 characters -- I could foresee other issues. My recommendation would be not to use it, at this time.
Court Campbell
Honored Contributor

Re: sshd+pam kerberos+winbind

---