I'm trying to create a Windows user local account from Linux bash.
I use the following command from Linux server in order to create "foo" windows local account on Windows server:
net rpc user add foo password -SWindowsHostname -UwindowsAdminUser%windowsAdminPassword
After executing the command, "foo" was correctly created on WindowsHostname server as local account but it is set as "Disabled".
I opened the "Foo" account properties (from lusrmgr window) and the options in the General tab are:
User must change password at next logon (selected)
User cannot change password (disabled - not select-able)
Password never expires (disabled - not select-able)
Account is disabled (selected)
Account is locked out (disabled - not select-able)
Is there any way to enable account using Linux server with net rpc command or create account already enabled?
In the documentation of net rpc user add command I saw -F option:
(net [<method>] user ADD <name> [password] [-c container] [-F user flags] [misc. options] [targets])
But there isn't any explanation of this "user flag" and how to use the -F option.
Related
I've setup Cygwin and want to ssh with domain user account on windows server 2012 R2. It works fine if I start the sshd service with "Local system account" but if I start the service with a cygserver local account or domain\cygserver then the service starts fine but when I try to ssh I see the message sshd: PID 1944: fatal: seteuid 1801: No such device or address.
ssh in verbose mode on the client shows the following:
debug1: Authentication succeeded (publickey).
Connection to 10.10.10.10 closed by remote host.
Connection to 10.10.10.10 closed.
debug1: Exit status -1
Some articles like https://blog.peterwurst.com/2016/09/15/ssh-server-on-windows-with-cygwin/ suggest to enable the following GPO with cygserver account in it. I tried them still the same error.
Act as part of the operating system
Create a token object
Log on as a service
Replace a process level token
I've verified .ssh and authorized_keys permission and the user home directory exists and also passwd file has the /bin/bash shell for the user.
Any suggestion on how to resolve this issue?
I had this issue, and the solution was to start the CYGWIN ntsec servicem, before starting the CYGWIN OpenSSH service.
Verify the subject user and SSHD account are not locked / disabled.
Confirm that password login works. PKI and password login take different paths to create a process token.
I also had this issue in the log
seteuid XXXXXXXX: No such device or address
and this made the trick
passwd -R
I am running Jupyter-Hub with default authenticator and default spawner. Logged in to Jupyter-Hub with system username (admin). I added a new user called user1 in JupyterHub web console. The user got created in both the machine and Jupyter-Hub server as I added c.Authenticator.create_system_users = True in the config file. When I checked the machine users, user1 is added because of the above property added in the config file. Can anyone tell me what is the password for user1 as there is no password option to be given in Jupyter-Hub? I tried with empty, user1, 12345 and 123456.
I was trying to switch user by using su command. i.e su user1. It asks for the password.
when i cat /etc/shadow this is what i got,
user1:*:121212:0:99999:7:::
As stated in the docs (https://github.com/jupyterhub/jupyterhub/blob/master/docs/source/getting-started/authenticators-users-basics.md#use-localauthenticator-to-create-system-users), this option essentially acts like the adduser command. Even on command line this just creates the user, you cannot login to this user before you set a password via the passwd command.
Also, like the docs said, it is not recommended when JupyterHub users are directly mapped onto UNIX users, probably in part because of this password limitation...
I have Linux red-hat machine version 6.x
This machine is a server machine that serve many users ( 2000 diff users that login to this machine )
Login/password
Login – root
Password – Pass123
But on Some users I want to disable the login access
And all other users I want to enable the login access to the machine
As the following way
I want to create file - /etc/logins_users.txt
#Users disable/enable
Uhdwe 0
Hdec 0
Tfsge 1
Okdejb 0
Wfdxdswh 1
.
.
.
.
.
.
remark - User name is Uniq Name
So if user get value 0 then the access to the server is denied
but if value is 1 then users will login to the server
So the Question is how to disable/enable users login according to the file /etc/logins_users.txt ?
If you are using PAM to authenticate, you may use the pam_listfile.so module to achieve this: http://linux.die.net/man/8/pam_listfile
Basically you create a file here e.g. /etc/logins_users.txt with content
user1
user2
user3
and in your PAM configuration for e.g. /etc/pam.d/sshd you need to add:
auth required pam_listfile.so item=user onerr=fail sense=allow file=/etc/logins_user.txt
Doing so allows all users specified in your file to login via SSH.
nano /etc/ssh/sshd_config
Append following names (directives):
DenyUsers User1 User2 WhatEverYouLike
DenyGroups root finadmin WhatEverYouLike
Save, restart sshd
I am trying to connect to a new user account I created via SSH with the command
useradd -s /bin/false -d /home/username james
I added/edited the password via SSH with the command
passwd james
When trying to connect to my server using this user and pass via FileZilla I get the following error messages.
Response: 331 User James OK. Password required
Command: PASS *****
Response: 530 Login authentication failed
Error: Critical error
Error: Could not connect to server
When I try to login with this user/pass through SFTP I get the following error messages
Status: Connected to domain.com
Error: Connection closed by server with exitcode 1
Error: Could not connect to server
Either way it seems it doesn't allow me to use this newuser anywhere.
My server details
Linux 2.6.18-308.11.1.el5 GNU/Linux
(Red Hat 4.1.2-52)
Centos
Regarding FTP, the FTP server commonly used on Linux systems requires users to have a shell that's listed in the file /etc/shells. For example, this online ftpd man page says that, among other things, "The user must have a standard shell returned by getusershell(3).". The page for getusershell() shows that it reads shells from /etc/shells.
You could probably make FTP work adding /bin/false to /etc/shells. Your Linux system might have a more suitable shell available, like /usr/sbin/nologin.
Regarding SFTP, the ssh server normally provides SFTP service by by invoking a program called sftp-server. If you examine the server's sshd_config file, you'll probably find a line like this:
Subsystem sftp /usr/lib/openssh/sftp-server
sshd runs the subsystem program as a shell command, using the user's shell. If you set the user's shell to /bin/false, then sshd ends up running the command:
/bin/false -c /usr/lib/openssh/sftp-server
/bin/false ignores its command-line arguments and exits with code 1, so the SFTP client's session drops immediately after it starts.
sshd has an internal SFTP server component that can be used instead of the external program. The usual way of limiting SSH access to SFTP for some users is to set up a Match group within sshd_config, forcing the internal-sftp command for certain classes of users. Here are a couple examples of that:
http://en.wikibooks.org/wiki/OpenSSH/Cookbook/SFTP#SFTP-only_Accounts
https://serverfault.com/questions/354615/allow-sftp-but-disallow-ssh
Dont use "-s /bin/false". Use "-s /sbin/nologin" instead and it should be fine.
Make sure your account password hasn't expired. Mine did, and Filezilla exited with error code 1.
After logging onto the server and updating the account password (prompted immediately after connecting), I am now able to connect with SFTP & Filezilla.
Probably is a password related issue, check account
chage -l <user>
account must not be expired.
FTP doesn't allow /usr/sbin/nologin user
Response: 220 Welcome to the Scent Library's File Service.
Command: USER ftpuser
Response: 331 Please specify the password.
Command: PASS ******
Response: 530 Login incorrect.
filezilla 530 error - but password is correct
vsftpd: 530 Login incorrect
530 Login or password incorrect!
How can I connect via FTP using FileZilla? I get a 530 error.
Response: 220 Welcome to Test FTP service.
Command: USER ftpuser
Response: 331 Please specify the password.
Command: PASS ******
Response: 530 Login incorrect.
Error: Critical error
Error: Could not connect to server
Change user's shell
usermod -s /usr/sbin/nologin username
Then edit "/etc/shells" file and add this line
/usr/sbin/nologin
In order to connect to the server using ftp, you also need to run a ftp server / service or daemon.
An example of such ftp server is "vsftpd"
After installing it, you will also need to configure it and allow anonymous ftp access or ftp access to existing users
You will find the configuration file in the path "/etc/vsftpd/vsftpd.conf"
The below link might be useful for you --
https://www.digitalocean.com/community/tutorials/how-to-set-up-vsftpd-on-centos-6--2
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 4 years ago.
Improve this question
Please if you could give me some advice of what I'm doing wrong you would make me very happy. I've been struggling with this with no luck and I'm kinda desperate.
I've got a virtual machine with an LDAP Server installed on Windows Xp. It's Apache Directory Studio.
Then I've got another virtual machine with Xubuntu on it. I want it to authenticate to Apache Directory Studio.
The two machines can see each other and do ping correctly.
Server part (Windows XP with Apache Directory Studio LDAP Server):
The server is working great, I did a domain on it dc=mydomain,dc=com with two ou's on it, ou=People and ou=Groups.
Did some posixAccounts and some posixGroup. Chose high uid numbers (2000 onwards) to avoid conflict.
All ok on server side.
Client part (Xubuntu):
Entered as root.
Did:
apt-get install libnss-ldap
Configured ip of my LDAP server (checked it, it's "pingable").
Then entered my domain, for example: dc=mydomain,dc=com.
Then chose the LDAP version my server is running:
Then chose "yes" to "make local root database admin".
Chose "no" to "does the LDAP database require login?".
Then chose the login of the admin of the LDAP Server and it's password. This is 100% confirmed to be true and the actual login, checked it in Apache Directory Studio and verified it many times.
Set the password encryption system to "clear".
Ok, I know that Apache Directory Studio is listening 10389 instead of 389, so I go to /etc/ldap.conf and change manually the port from 389 to 10389 (389 is the default and the GUI doesn't let change you).
Then IT WORKS, but only via terminal, if I do
su testuser
It works, because I got that user ONLY in LDAP server, when I test with other users it doesn't work. The same goes for getent passwd testuser.
Then I want to do graphical login, I close the session, enter credentials and it doesn't work. It works in the terminal, but with GUI don't, oh God, WHY?
PS: Did apt-get install nscd (as worked for someone) but didn't work out for me.
PS2: Thanks in advance for your time and patience, and for considering this question (it is not strict programming question).
PS3: I created the /home/testuser directory, it's not failing because of this, because it still fails to login to LDAP via GUI (but works via terminal).
Your problem is GDM Try following
Automatically create home folders
Just edit /etc/pam.d/common-session by hand and adding the following line before any pam_ldap and pam_krb5 settings:
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
make sure you have gdm entry in /etc/security/group.conf
and following line in /etc/pam.d/gdm
auth optional pam_group.so
For users who login using X /etc/pam.d/gdm has to be modified so GDM will use LDAP.
Something like:
auth sufficient pam_ldap.so
auth required pam_nologin.so
auth required pam_env.so
auth required pam_unix_auth.so
account sufficient pam_ldap.so
account required pam_unix_acct.so
password required pam_ldap.so
session sufficient pam_ldap.so
session required pam_unix_session.so
You should be able to perform a
getent passwd
Form the command line and display if the users are being returned from the LDAP server.
All the users from the /etc/passwd and the users from LDAP should be displayed.
Too late answer but might help others as i got through this.
In the terminal use
sudo nano /etc/pam.d/common-auth
add these lines at the bottom auth required pam_access.so
and in this file sudo nano /etc/security/access.conf
add this line -:ALL EXCEPT root (admin):ALL EXCEPT LOCAL at the bottom
For more info: Authenticate Client Computers Using LDAP
Thanks.
I had a same issue and none of above answers solved it .This are config done by me on Ubuntu 18.04 and on kali as well
Steps we need to follow are as follows
Install libpam-ldap / libnss-ldap
Ubuntu:
apt-get install libpam-ldap
kali Linux:
apt-get install libpam-ldap libnss-ldapd
Configure ldap settings
dpkg-reconfigure libpam-ldap
do all setting as yes and local database creation : yes
base : ou-People,dc=sqtk,dc=team
root dn : dc=admin,dc=sqtk,dc=team
every option asked should be yes (store database on local yes and specify ldap admin username and password )
for database stuff use admin user only
Change /etc/nsswitch.conf to let passwd , group , shadow to use ldap and netgroup to nis
/etc/nsswitch.conf
passwd: files ldap
group: files ldap
shadow: files ldap
gshadow: files
hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
NOTE : Change netgroup to nis(network information system) this signifies that the groups are also
fetched from netgroup from nis so in below step we do group mapping (My assumption , dont question it, it worked)
Now we can verify whether we can connect to ldap server by using below command
ldapsearch -x -W -D 'cn=ldaptest,ou=People,dc=sqtk,dc=team' -b "" -s base
3.We need to set to create a home dir as soon as users logs in this is achieved by using pam_mkhomedir.so (verify if it is present by doing a find find / -name pam_mkhomedir.so if not present then install it should be present by default)
3.1 Currently when we run command
pam-auth-config
we dont see a option for mkhomedir (make home directory which is neccessary as user logs in)
3.2 to get this option we need to create a file /usr/share/pam-configs/mkhomedir if not present with following content
content :
Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
required pam_mkhomedir.so umask=0022 skel=/etc/skel
3.3 Now if we run command
pam-auth-config
we see option for mkhomedir so we need to select it as well (we select option by using a space on keyboard )
3.4 To verify whether mkhomedir is set we can cat /etc/pam.d/common-session file and see a entry as below (dont edit the file manually try and use pam-auth-update only ) It will have a entry as below
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
ldap domain to group mapping
4.1 we need to do a domain mapping with the ldap group tehnical this mapping is nothing but we mapping ldap group name to group id of ldap in local .
I faced a issue where in i used to get the group id i.e > 500 of ldap group on local system but somehow system was not able to fetch the group name for the given id so i did below config
4.2 To assign local groups to a domain (ldap) user do the following edit /etc/security/group.conf and add something like the following to it
*;*;*;Al0000-2400;audio,cdrom,dialout,floppy
4.3 In order to get the pam_group module working you could create a file like /usr/share/pam-configs/my_groups:
Name: activate /etc/security/group.conf
Default: yes
Priority: 900
Auth-Type: Primary
Auth:
required pam_group.so use_first_pass
Now we activate it by running
pam-auth-update
This roughly equals editing /etc/pam.d/common-auth by hand and adding the following line before any pam_ldap and pam_krb5 settings:
auth required pam_group.so use_first_pass
IMPORTANT # You should now have local groups showing up for users logging in via gdm and ssh and can
# verify this by # executing id or groups.
4.4 Now we need to verify whether we get just the group name and id use below command
getent group
If command doent work or display verify whether you can connect to ldap server
you can also verify whether we can fetch user from ldap by firing below command
getent passwd
id <username in ldap>
Again if anyone of the above commands doesnt perform as accepted then verify whether we can connect to ldap successfully use below command
ldapsearch -x -W -D 'cn=bumbum,ou=People,dc=sqtk,dc=team' -b "" -s base
-W == prompt for password
-D == User to validate
Ldap Group to be given sudo access
Give sudo access to the group that are present on ldap and are make sure user are part of the same group with whom you are login
visudo
% ALL=(ALL) ALL
if group name is ldaptest then below line needs to be added
%ldaptest ALL=(ALL) ALL
You should be able to login from desktop as well as terminal
(Note : for above things to works install libnss-ldapd package for kali Linux only then it works )