Home / server / Questions / 93194
In Process
royco
Asked: 2009-12-11 14:11:01 +0800 CST

Enable ssh for CentOS system bound to Active Directory?

  • 772

I have a CentOS 5.4 system successfully bound to Active Directory. "net ads testjoin" says it's OK. I can run "id username" for AD users and see their accounts. However, I cannot log in remotely via SSH. /var/log/secure says the password is incorrect, but I know it's correct.

I suspect my /etc/pam.d/sshd is incorrect. What should it look like?

Does anything in /etc/security need to be changed?

active-directory

3 Answers

  1. Can I throw in $0.02 for Likewise Open? It's available for free at http://www.powerbrokeropen.org/ and since I've implemented it, I swear, it has saved me more time than anything I've ever used. I can't tell enough people about it.

    You basically download the package, install it, and then run the command

    domainjoin-cli join mydomain.com adminusername

    You can edit the configuration in /etc/likewise-open/ and setup things like "use default domain", and change the home directory and default shell to whatever you want at your site, and it's over. All authentication works perfectly. PAM works fine. Samba and Apache auth are both easy. It's really like butter.

    If you're having problems getting your Linux machines on the domain, I can't recommend this highly enough.

    • 1

  2. I believe this depends on how you connect to the domain (winbind or ldap). Given the "net ads testjoin" I'm going to assume that you're using winbind. In that case you would want

    auth    sufficient  pam_winbind.so

    in your /etc/pam.d/sshd.

    You also need

    passwd:         files winbind
group:          files winbind

    in /etc/nsswitch.conf

    Can you logon locally with Domain Accounts?

    • 0

  3. Does getent passwd return a listing of AD accounts?

    Check your /etc/pam.d/system-auth:

    auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     required      /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=0077
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

    Also verify that winbind is added to passwd, shadow, and group in /etc/nsswitch.conf.

    • 0