[Samba] authentication issue moving from Samba 4.11.x to 4.13.14

Gaiseric Vandal gaiseric.vandal at gmail.com
Tue Mar 22 17:22:15 UTC 2022


On 3/22/2022 12:58 PM, Patrick Goetz via samba wrote:
>
>
> On 3/22/22 11:34, Rowland Penny via samba wrote:
>> On Tue, 2022-03-22 at 11:24 -0500, Patrick Goetz via samba wrote:
>>>
>>> On 3/21/22 21:52, Gaiseric Vandal via samba wrote:
>>>> On 3/21/2022 3:19 PM, Rowland Penny via samba wrote:
>>>>> On Mon, 2022-03-21 at 15:08 -0400, Gaiseric Vandal via samba
>>>>> wrote:
>>>>>> On 3/21/22 13:38, Rowland Penny via samba wrote:
>>>>>>> On Mon, 2022-03-21 at 13:17 -0400, Gaiseric Vandal via samba
>>>>>>> wrote:
>>>>>>>> LDAP is used for user and group lookups at the Unix/Linux level.
>>>>>>>> This includes nfs and ssh.  The authentication itself is typically
>>>>>>>> kerberos.   Presumably if nsswitch.conf pointed to winbind but not
>>>>>>>> ldap, everything would continue to work.
>>>>>>> Got to ask this, why are you using ldap for Unix user & group
>>>>>>> lookups ?
>>>>>>> I presume that the ldap lookups are searching for RFC2307 attributes,
>>>>>>> if so, ldap is a bit redundant, your 'ad' backend will use the same
>>>>>>> IDs
>>>>>>>
>>>>>>> While there are numerous superfluous lines in your smb.conf, it is
>>>>>>> basically sound.
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>>
>>>>>> A lot of the engineering/scientific software we use runs on Linux.
>>>>>> A lot of the software development we do is also on Linux, so the
>>>>>> focus of services on Solaris machines was to support Linux clients
>>>>>> first, and Windows clients 2nd.    I am fairly confident that if I
>>>>>> configure /etc/nsswitch.conf to use winbind (not ldap) network users
>>>>>> and groups that ssh login would still work.
>>>>> I am absolutely positive it will work, it is how I run Samba on
>>>>> Linux.
>>>>>
>>>>>>     but I don't know about NFS (which is dependent on kerberos
>>>>>> security.)
>>>>> This should also work, I do not use NFS, but kerberos works well on
>>>>> Linux, not sure about Solaris. If this was Debian, I would advise
>>>>> installing the libnss-winbind, libpam-winbind and libpam-krb5 packages,
>>>>> does Solaris have similar packages ?
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>> With /etc/nsswitch.conf set to use
>>>>
>>>>
>>>>       passwd: files winbind
>>>>       group:  files winbind
>>>>
>>>>
>>>> Ssh logins fail, and the log shows the following
>>>>
>>>>
>>>>          Mar 21 20:41:00 server1 sshd[28725]: [ID 800047 auth.error]
>>>>          error: PAM: Authentication failed for myname from 192.x.x.x
>>>>
>>>>          Mar 21 20:41:06 server1 sshd[28725]: [ID 720393 auth.error]
>>>>          PAM-KRB5 (setcred): pam_setcred failed for myname (Failure
>>>>          setting user credentials).
>>>>
>>>>          Mar 21 20:43:43 server1 sshd[29042]: [ID 800047 auth.error]
>>>>          error: PAM: User account has expired for myname from 192.x.x.x
>>>>
>>>>          Mar 21 20:43:51 server1 sshd[29046]: [ID 800047 auth.error]
>>>>          error: PAM: User account has expired for myname from 192.x.x.x
>>>>
>>>>
>>>
>>> For ssh to authenticate against AD, you will need to have
>>> /etc/pam.d/sssd configured to use pam_winbind.so.
>>
>> No you don't, I do not use sssd anywhere and I can ssh into any of my
>> Linux machines.
>>
>
> Um, that was a typo:  I meant to say /etc/pam.d/sshd
>
> The reference to pam_winbind.so should have given this away.
>
>
>> /var/log/auth.log
>>
>> Mar 22 16:32:09 rpidc2 sshd[31208]: Authorized to rowland, krb5 principal rowland at SAMDOM.EXAMPLE.COM (krb5_kuserok)
>> Mar 22 16:32:09 rpidc2 sshd[31208]: Accepted gssapi-with-mic for rowland from 192.168.0.49 port 45704 ssh2: rowland at SAMDOM.EXAMPLE.COM
>> Mar 22 16:32:10 rpidc2 sshd[31208]: pam_unix(sshd:session): session opened for user rowland by (uid=0)
>> Mar 22 16:32:10 rpidc2 systemd-logind[404]: New session 1190 of user SAMDOM\rowland.
>> Mar 22 16:32:10 rpidc2 systemd: pam_unix(systemd-user:session): session opened for user SAMDOM\rowland by (uid=0)
>>>
>>
>>

Yes, Solaris has PAM. The ssh module (assuming password authentication is
needed) should call the pam_unix module, which in turn looks at
/etc/nsswitch.conf. I am guessing the issue is that somewhere in the stack
something is looking for a shadow entry to see if the account has expired.
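A small check script for the wiring discussed in this thread, added here as an example and not code from any of the posters: it reports whether each nsswitch.conf database lists winbind and whether a PAM service's auth/account stacks reach pam_winbind.so. It assumes Linux-style nsswitch.conf and pam.d files (Debian "@include" lines are followed one level deep); the sample files it writes are constructed.

```shell
# nss_uses_winbind FILE DATABASE -> prints yes|no
nss_uses_winbind() {
    awk -v db="$2" '
        /^[[:space:]]*#/ { next }
        $0 ~ ("^[[:space:]]*" db "[[:space:]]*:") {
            sub(/^[^:]*:/, "")          # drop the "database:" prefix
            for (i = 1; i <= NF; i++) if ($i == "winbind") found = 1
        }
        END { print (found ? "yes" : "no") }' "$1"
}

# pam_uses_winbind DIR SERVICE TYPE -> prints yes|no
# TYPE is auth|account|session|password. If "account" never reaches
# pam_winbind.so, account validity is left to pam_unix and its shadow
# checks, the kind of fallback this thread suspects.
pam_uses_winbind() {
    dir=$1; svc=$2; type=$3
    [ -f "$dir/$svc" ] || { echo no; return; }
    {
        cat "$dir/$svc"
        awk '$1 == "@include" { print $2 }' "$dir/$svc" |
            while read -r inc; do
                if [ -f "$dir/$inc" ]; then cat "$dir/$inc"; fi
            done
    } | awk -v t="$type" '
        /^[[:space:]]*#/ { next }
        $1 == t && $0 ~ /pam_winbind\.so/ { found = 1 }
        END { print (found ? "yes" : "no") }'
}

# Constructed sample configuration mirroring the nsswitch lines above:
# winbind for passwd/group, nothing but files for shadow, and an sshd
# PAM service whose account stack is pam_unix only.
demo_dir=$(mktemp -d); trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/pam.d"
printf 'passwd: files winbind\ngroup:  files winbind\nshadow: files\n' \
    > "$demo_dir/nsswitch.conf"
printf '@include common-auth\n@include common-account\n' > "$demo_dir/pam.d/sshd"
printf 'auth sufficient pam_winbind.so krb5_auth\nauth required pam_unix.so\n' \
    > "$demo_dir/pam.d/common-auth"
printf 'account required pam_unix.so\n' > "$demo_dir/pam.d/common-account"

for db in passwd group shadow; do
    echo "nsswitch $db via winbind: $(nss_uses_winbind "$demo_dir/nsswitch.conf" "$db")"
done
for t in auth account; do
    echo "pam sshd $t via winbind: $(pam_uses_winbind "$demo_dir/pam.d" sshd "$t")"
done
```

Point the functions at /etc/nsswitch.conf and /etc/pam.d on a real host to see which stack still falls back to local files.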
