[Samba] pam_winbind fails to authenticate domain users on my debian wheezy domain member servers
Georg Vorlaufer
georg.vorlaufer at gmail.com
Thu Jan 2 12:54:25 MST 2014
Ok, here are the smb confs
Active Directory domain controller (hostname: raspberrypi.bivoro.lan, file:
/usr/local/samba/etc/smb.conf)
[global]
log level = 3
workgroup = BIVORO
realm = BIVORO.LAN
netbios name = RASPBERRYPI
server role = active directory domain controller
allow dns updates = disabled
dns forwarder = 192.168.0.1
idmap_ldb:use rfc2307 = yes
kerberos method = secrets and keytab
tls enabled = yes
tls keyfile = tls/raspberrypi.key
tls certfile = tls/raspberrypi.crt
tls cafile = tls/ca.crt
[netlogon]
path = /usr/local/samba/var/locks/sysvol/bivoro.lan/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
Domain member (which does not allow me to log on via ssh, hostname:
websrv.bivoro.lan, file: /etc/samba/smb.conf)
[global]
workgroup = BIVORO
realm = BIVORO.LAN
security = ADS
kerberos method = secrets and keytab
create krb5 conf = no
idmap config *:backend = tdb
idmap config *:range = 100000-199999
idmap config BIVORO:backend = ad
idmap config BIVORO:range = 2000-99999
idmap config BIVORO:schema_mode = rfc2307
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind expand groups = 3
winbind nss info = rfc2307
winbind refresh tickets = yes
client max protocol = SMB3
winbind offline logon = yes
Georg
2014/1/2 Rowland Penny <rowlandpenny at googlemail.com>
> On 02/01/14 17:53, Georg Vorlaufer wrote:
>
>> Dear Rowland,
>>
>> thank you for your quick reply.
>>
>> I tried again using the "cached_login" option as you pointed out (also
>> changed "winbind offline logon = yes" in my smb.conf), but that did not
>> change anything.
>>
>> I also checked for apparmor and selinux, none of which seem to be active
>> (not even installed on my debian systems)
>>
>> Here is my (latest) stack of pam configs for ssh:
>>
>> /etc/pam.d/sshd:
>>
>> # PAM configuration for the Secure Shell service
>>
>> # Read environment variables from /etc/environment and
>> # /etc/security/pam_env.conf.
>> auth required pam_env.so # [1]
>> # In Debian 4.0 (etch), locale-related environment variables were moved to
>> # /etc/default/locale, so read that as well.
>> auth required pam_env.so envfile=/etc/default/locale
>>
>> # Standard Un*x authentication.
>> @include common-auth
>>
>> # Disallow non-root logins when /etc/nologin exists.
>> account required pam_nologin.so
>>
>> # Uncomment and edit /etc/security/access.conf if you need to set complex
>> # access limits that are hard to express in sshd_config.
>> # account required pam_access.so
>>
>> # Standard Un*x authorization.
>> @include common-account
>>
>> # Standard Un*x session setup and teardown.
>> @include common-session
>>
>> # Print the message of the day upon successful login.
>> # This includes a dynamically generated part from /run/motd.dynamic
>> # and a static (admin-editable) part from /etc/motd.
>> session optional pam_motd.so motd=/run/motd.dynamic noupdate
>> session optional pam_motd.so # [1]
>>
>> # Print the status of the user's mailbox upon successful login.
>> session optional pam_mail.so standard noenv # [1]
>>
>> # Set up user limits from /etc/security/limits.conf.
>> session required pam_limits.so
>>
>> # Set up SELinux capabilities (need modified pam)
>> # session required pam_selinux.so multiple
>>
>> # Standard Un*x password updating.
>> @include common-password
>>
>> /etc/pam.d/common-auth
>>
>> #
>> # /etc/pam.d/common-auth - authentication settings common to all services
>> #
>> # This file is included from other service-specific PAM config files,
>> # and should contain a list of the authentication modules that define
>> # the central authentication scheme for use on the system
>> # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
>> # traditional Unix authentication mechanisms.
>> #
>> # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
>> # To take advantage of this, it is recommended that you configure any
>> # local modules either before or after the default block, and use
>> # pam-auth-update to manage selection of other modules. See
>> # pam-auth-update(8) for details.
>>
>> # here are the per-package modules (the "Primary" block)
>> auth [success=2 default=ignore] pam_unix.so nullok_secure
>> auth [success=1 default=ignore] pam_winbind.so krb5_auth
>> krb5_ccache_type=FILE cached_login try_first_pass
>> # here's the fallback if no module succeeds
>> auth requisite pam_deny.so
>> # prime the stack with a positive return value if there isn't one already;
>> # this avoids us returning an error just because nothing sets a success
>> code
>> # since the modules above will each just jump around
>> auth required pam_permit.so
>> # and here are more per-package modules (the "Additional" block)
>> # end of pam-auth-update config
>>
>> /etc/pam.d/common-account
>>
>> #
>> # /etc/pam.d/common-account - authorization settings common to all
>> services
>> #
>> # This file is included from other service-specific PAM config files,
>> # and should contain a list of the authorization modules that define
>> # the central access policy for use on the system. The default is to
>> # only deny service to users whose accounts are expired in /etc/shadow.
>> #
>> # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
>> # To take advantage of this, it is recommended that you configure any
>> # local modules either before or after the default block, and use
>> # pam-auth-update to manage selection of other modules. See
>> # pam-auth-update(8) for details.
>> #
>>
>> # here are the per-package modules (the "Primary" block)
>> account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
>> account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
>> # here's the fallback if no module succeeds
>> account requisite pam_deny.so
>> # prime the stack with a positive return value if there isn't one already;
>> # this avoids us returning an error just because nothing sets a success
>> code
>> # since the modules above will each just jump around
>> account required pam_permit.so
>> # and here are more per-package modules (the "Additional" block)
>> # end of pam-auth-update config
>>
>> /etc/pam.d/common-session
>>
>> #
>> # /etc/pam.d/common-session - session-related modules common to all
>> services
>> #
>> # This file is included from other service-specific PAM config files,
>> # and should contain a list of modules that define tasks to be performed
>> # at the start and end of sessions of *any* kind (both interactive and
>> # non-interactive).
>> #
>> # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
>> # To take advantage of this, it is recommended that you configure any
>> # local modules either before or after the default block, and use
>> # pam-auth-update to manage selection of other modules. See
>> # pam-auth-update(8) for details.
>>
>> # here are the per-package modules (the "Primary" block)
>> session [default=1] pam_permit.so
>> # here's the fallback if no module succeeds
>> session requisite pam_deny.so
>> # prime the stack with a positive return value if there isn't one already;
>> # this avoids us returning an error just because nothing sets a success
>> code
>> # since the modules above will each just jump around
>> session required pam_permit.so
>> # and here are more per-package modules (the "Additional" block)
>> session required pam_unix.so
>> session optional pam_winbind.so
>> # end of pam-auth-update config
>>
>> /etc/common-password
>>
>> #
>> # /etc/pam.d/common-password - password-related modules common to all
>> services
>> #
>> # This file is included from other service-specific PAM config files,
>> # and should contain a list of modules that define the services to be
>> # used to change user passwords. The default is pam_unix.
>>
>> # Explanation of pam_unix options:
>> #
>> # The "sha512" option enables salted SHA512 passwords. Without this
>> option,
>> # the default is Unix crypt. Prior releases used the option "md5".
>> #
>> # The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
>> # login.defs.
>> #
>> # See the pam_unix manpage for other options.
>>
>> # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
>> # To take advantage of this, it is recommended that you configure any
>> # local modules either before or after the default block, and use
>> # pam-auth-update to manage selection of other modules. See
>> # pam-auth-update(8) for details.
>>
>> # here are the per-package modules (the "Primary" block)
>> password [success=2 default=ignore] pam_unix.so obscure sha512
>> password [success=1 default=ignore] pam_winbind.so use_authtok
>> try_first_pass
>> # here's the fallback if no module succeeds
>> password requisite pam_deny.so
>> # prime the stack with a positive return value if there isn't one already;
>> # this avoids us returning an error just because nothing sets a success
>> code
>> # since the modules above will each just jump around
>> password required pam_permit.so
>> # and here are more per-package modules (the "Additional" block)
>> # end of pam-auth-update config
>>
>> I don't have pam_mkhomedir.so because the user home directories for my
>> domain users are already existing
>> I also don't have pam_cap.so -- actually don't know what it is good for
>>
>> I also checked the authentication logs again and compared them to the
>> logs generated on the opensuse domain member (where pam_winbind works
>> nicely). The lines which seem to be the most suspicious on the debian
>> wheezy machines are:
>>
>> Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): request
>> wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4),
>> NTSTATUS: NT_STATUS_CONNECTION_DISCONNECTED, Error message was:
>> NT_STATUS_CONNECTION_DISCONNECTED
>> Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): internal
>> module error (retval = PAM_SYSTEM_ERR(4), user = 'georg')
>> Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth):
>> [pamh:0x7f1d54cb2030] LEAVE: pam_sm_authenticate returning 4
>> (PAM_SYSTEM_ERR)
>>
>> on OpenSuSE the request wbcLogonUser reports ok (or success, don't
>> remember exactly)
>>
>> So, if I interpret the logs correctly, already the AUTH module of
>> pam_winbind fails, and the other sections of pam sshd are not even processed
>>
>> With kind regards,
>>
>> Georg
>>
>> There doesn't really seem to be that much difference in my pam stack and
> yours and what differences there are shouldn't stop ssh working.
> I have a feeling it may be kerberos related, could you post a sanitized
> version of your smb.conf, both from the client & server.
>
> Rowland
>
>
More information about the samba
mailing list