My AD (Debian) is functioning and I am able to ssh into another Debian domain member, but I can't seem to get the settings right for Fedora. The Fedora server is able to join the domain, but it doesn't allow an AD user to log on locally or via ssh. Here are the settings that work on the Debian domain member and are currently in place on my Fedora domain member.
cat /etc/samba/smb.conf
[global]
workgroup = HOME
security = ADS
realm = HOME.TEST-SERVER.LAN
winbind refresh tickets = Yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind use default domain = yes
idmap config * : backend = autorid
idmap config * : range = 10000-24999999
template shell = /bin/bash
template homedir = /home/HOME/%U
username map = /etc/samba/user.map
cat /etc/krb5.conf
[libdefaults]
default_realm = HOME.TEST-SERVER.LAN
dns_lookup_realm = false
dns_lookup_kdc = false
renew_lifetime = 7d
[realms]
HOME.TEST-SERVER.LAN = {
auth_to_local = RULE:[1:HOME\$1]
admin_server = DC01.HOME.TEST-SERVER.LAN
kdc = DC01.HOME.TEST-SERVER.LAN
}
[domain_realm]
.home.test-server.lan = HOME.TEST-SERVER.LAN
cat /etc/ssh/sshd_config | egrep -v '^#|^$'
Include /etc/ssh/sshd_config.d/*.conf
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# It's best to limit this option to only trusted hosts:
# It's best to limit this option to only trusted hosts:
cat /etc/ssh/ssh_config | egrep -v '^#|^$'
Include /etc/ssh/ssh_config.d/*.conf
Host *
PasswordAuthentication yes
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPITrustDNS yes
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIRenewalForcesRekey yes
GSSAPITrustDns yes
Host *.home.test-server.lan
# It's best to limit this option to only trusted hosts:
GSSAPIDelegateCredentials yes
cat /etc/nsswitch.conf | egrep -v '^#|^$'
passwd: sss files winbind systemd
group: sss files winbind systemd
netgroup: sss files
automount: sss files
services: sss files
shadow: files
hosts: files myhostname mdns4_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] dns
aliases: files
ethers: files
gshadow: files
networks: files dns
protocols: files
publickey: files
rpc: files
audit.log from Debian domain member
Oct 30 12:30:01 dm01 CRON[2665]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Oct 30 12:30:01 dm01 CRON[2665]: pam_unix(cron:session): session closed for user root
Oct 30 13:09:54 dm01 sshd[2729]: pam_krb5(sshd:auth): (user redhat) krb5_kuserok for user redhat failed
Oct 30 13:09:54 dm01 sshd[2729]: pam_krb5(sshd:auth): failed authorization check; logname=redhat uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.19
Oct 30 13:09:54 dm01 sshd[2729]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.19 user=redhat
Oct 30 13:09:54 dm01 sshd[2729]: pam_winbind(sshd:auth): getting password (0x00000388)
Oct 30 13:09:54 dm01 sshd[2729]: pam_winbind(sshd:auth): pam_get_item returned a password
Oct 30 13:09:59 dm01 sshd[2729]: pam_winbind(sshd:auth): user 'redhat' granted access
Oct 30 13:10:02 dm01 sshd[2729]: Accepted password for redhat from 10.0.0.19 port 35748 ssh2
Oct 30 13:10:02 dm01 sshd[2729]: pam_unix(sshd:session): session opened for user redhat(uid=111104) by (uid=0)
Oct 30 13:10:02 dm01 systemd-logind[725]: New session 9 of user redhat.
Oct 30 13:10:02 dm01 systemd: pam_unix(systemd-user:session): session opened for user redhat(uid=111104) by (uid=0)
Oct 30 13:10:02 dm01 gnome-keyring-daemon[2829]: couldn't access control socket: /run/user/111104/keyring/control: No such file or directory
audit.log from Fedora domain member
type=CRYPTO_KEY_USER msg=audit(1635613921.401:2379): pid=37135 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA… direction=? spid=37135 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset" SUID="root"
type=CRYPTO_SESSION msg=audit(1635613921.404:2380): pid=37134 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=chacha20-poly1305@openssh.com ksize=512 mac= pfs=curve25519-sha256 spid=37135 suid=74 rport=35032 laddr=10.0.0.17 lport=22 exe="/usr/sbin/sshd" hostname=? addr=10.0.0.19 terminal=? res=success'UID="root" AUID="unset" SUID="sshd"
type=CRYPTO_SESSION msg=audit(1635613921.406:2381): pid=37134 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=chacha20-poly1305@openssh.com ksize=512 mac= pfs=curve25519-sha256 spid=37135 suid=74 rport=35032 laddr=10.0.0.17 lport=22 exe="/usr/sbin/sshd" hostname=? addr=10.0.0.19 terminal=? res=success'UID="root" AUID="unset" SUID="sshd"
type=USER_AUTH msg=audit(1635613930.491:2382): pid=37134 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="redhat" exe="/usr/sbin/sshd" hostname=10.0.0.19 addr=10.0.0.19 terminal=ssh res=failed'UID="root" AUID="unset"