[Samba] account locks not working ssh/winbind?
Rowland Penny
rpenny at samba.org
Thu Apr 26 09:02:50 UTC 2018
On Thu, 26 Apr 2018 09:53:33 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> Hai.
>
> Config.
> Debian Stretch, samba 4.7.7. member server AD backend.
> Network setup like in the howtos here:
> https://github.com/thctlo/samba4/tree/master/howtos
>
> Today I discovered that somehow a disabled user was able to login
> after a few retries.
> I run a SSH/SFTP server for data exchange with the customer of the
> company here.
> The SSH/SFTP server is restricted by groups, this includes a windows
> (AD) group and linux groups, with a GID assigned.
Hi Louis, I think you are going to have to put the sshd server into
debug mode to sort this.
I have examined your logs, sorted and shortened them to what I believe
are the relevant parts:
Apr 25 07:00:04 hostname1 sshd[27490]: reverse mapping checking getaddrinfo for unknown.domain.tld [1.2.3.4] failed.
Apr 25 07:00:04 hostname1 sshd[27490]: pam_krb5(sshd:auth): authentication failure; logname=username uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4
Apr 25 07:00:04 hostname1 sshd[27490]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4 user=username
Apr 25 07:00:04 hostname1 sshd[27490]: pam_winbind(sshd:auth): getting password (0x00000388)
Apr 25 07:00:04 hostname1 sshd[27490]: pam_winbind(sshd:auth): pam_get_item returned a password
Apr 25 07:00:04 hostname1 sshd[27490]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11), NTSTATUS: NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested.
Apr 25 07:00:04 hostname1 sshd[27490]: pam_winbind(sshd:auth): internal module error (retval = PAM_MAXTRIES(11), user = 'username')
The above seems to show that pam_krb5, pam_unix and pam_winbind are rejecting the user.
Apr 25 07:00:04 hostname1 sshd[27490]: Accepted password for username from 1.2.3.4 port 10500 ssh2
Apr 25 07:00:04 hostname1 sshd[27490]: pam_unix(sshd:session): session opened for user username by (uid=0)
Apr 25 07:00:04 hostname1 systemd-logind[25400]: New session 4873 of user username.
Apr 25 07:00:04 hostname1 systemd: pam_unix(systemd-user:session): session opened for user username by (uid=0)
Something in the above 4 lines is allowing access.
From my SFTP server log. And this should not be possible.
2018-04-25 07:00:05 [27504][username][1.2.3.4][10500]Start download file '/folder1/file1.csv'
2018-04-25 07:00:05 [27504][username][1.2.3.4][10500]End download file '/folder1/file1.csv' (82 bytes) : 100%
2018-04-25 07:00:05 [27504][username][1.2.3.4][10500]Start download file '/folder1/file1.csv'
2018-04-25 07:00:06 [27504][username][1.2.3.4][10500]End download file '/folder1/file1.csv' (82 bytes) : 100%
2018-04-25 07:00:06 [27504][username][1.2.3.4][10500]Try to remove file '/folder1/file1.csv' : success
Apr 25 07:00:07 hostname1 sshd[27490]: pam_unix(sshd:session): session closed for user username
Apr 25 07:00:07 hostname1 sshd[27490]: pam_winbind(sshd:setcred): user 'username' OK
Apr 25 07:00:07 hostname1 systemd-logind[25400]: Removed session 4873.
Apr 25 07:00:07 hostname1 systemd: pam_unix(systemd-user:session): session closed for user username
I believe this is all coming from /etc/pam.d/sshd
Rowland
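
A check for the contradiction visible in the logs above, where one sshd process records a locked-out status from pam_winbind and then an accepted login. This is an added example, not part of the original message: the log sample is constructed on the pattern of the quoted lines, and the set of "blocking" NTSTATUS values and the function name are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the sshd/PAM lines quoted in the message above.
SAMPLE_LOG = """\
Apr 25 07:00:04 hostname1 sshd[27490]: pam_krb5(sshd:auth): authentication failure; logname=username uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4
Apr 25 07:00:04 hostname1 sshd[27490]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11), NTSTATUS: NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: locked
Apr 25 07:00:04 hostname1 sshd[27490]: Accepted password for username from 1.2.3.4 port 10500 ssh2
Apr 25 07:05:10 hostname1 sshd[27600]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: wrong password
Apr 25 07:05:12 hostname1 sshd[27600]: Failed password for otheruser from 5.6.7.8 port 10501 ssh2
Apr 25 07:06:00 hostname1 sshd[27700]: Accepted password for gooduser from 5.6.7.9 port 10502 ssh2
"""

SSHD = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
NTSTATUS = re.compile(r"pam_winbind\(sshd:auth\): .*NTSTATUS: (?P<status>NT_STATUS_\w+)")
ACCEPT = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
# Assumption: the statuses that should always end in a refused login.
BLOCKING = {"NT_STATUS_ACCOUNT_LOCKED_OUT", "NT_STATUS_ACCOUNT_DISABLED"}


def find_contradictions(log_text):
    """Return accepted logins whose sshd process first logged a blocking NTSTATUS."""
    blocked = defaultdict(list)  # sshd PID -> blocking statuses seen for that connection
    findings = []
    for line in log_text.splitlines():
        m = SSHD.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        status = NTSTATUS.search(msg)
        if status and status["status"] in BLOCKING:
            blocked[pid].append(status["status"])
            continue
        accepted = ACCEPT.match(msg)
        if accepted and pid in blocked:
            findings.append({"pid": pid, "user": accepted["user"],
                             "ip": accepted["ip"], "method": accepted["method"],
                             "statuses": list(blocked[pid])})
    return findings


if __name__ == "__main__":
    for f in find_contradictions(SAMPLE_LOG):
        print(f"sshd[{f['pid']}]: {f['method']} login accepted for {f['user']} "
              f"from {f['ip']} after {', '.join(f['statuses'])}")
```

Matching is keyed on the sshd PID, which the system reuses over time, so run it over a bounded log window such as a single day's file.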