[Samba] SSH - Winbind and Keybased Auth

Nathan Frankish nfrankish at qldmotorways.com.au
Sun Dec 8 20:16:28 MST 2013


Sorry, not verbatim. I did a find-and-replace that might have introduced spaces. I am happy to send you the configuration directly if you want to see the original config.

This is an old configuration that has migrated forward a few times. It originally would have been system-generated by one of the Red Hat system tools; however, it has been handcrafted since.

I'm trying to understand what you mean by making this directive illegal. Do you mean that the require_membership directive won't restrict users anymore in the account section, thereby not fixing the issue I've raised about SSH keys and winbind?

Nathan Frankish  |  Network & Systems Team Lead

Queensland Motorways Pty Limited

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Friday, 6 December 2013 6:20 AM
To: Nathan Frankish
Cc: 'samba at lists.samba.org'
Subject: Re: [Samba] SSH - Winbind and Keybased Auth

On Thu, 2013-11-28 at 07:50 +0000, Nathan Frankish wrote:
> Hi Team,
> We have a weird issue that we are trying to understand. We have winbind set up and working successfully for user authentication with passwords via ssh. We have pam.d/system-auth-ac and password-auth-ac (symlinked) set to require membership of a group, which works great via password authentication.
> However, if the user has an SSH key set up, they seem to bypass the group membership requirement. The user isn't defined on the box in either shadow or passwd, they are only defined in AD, but they are successfully able to authenticate as shown in the log below.
> Some logs below:
> ]: Accepted publickey for nathan from port 61767 ssh2
> System-auth-ac:
> [root at testbox01 pam.d]# cat system-auth-ac
> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> auth sufficient /lib/security/$ISA/pam_winbind.so debug debug_state use_first_pass require_membership_of=testbox02_access_sg, testbox02_2_access_sg
> auth required /lib/security/$ISA/pam_deny.so
> account required /lib/security/$ISA/pam_unix.so
> account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> account required /lib/security/$ISA/pam_winbind.so debug debug_state require_membership_of= testbox_access_sg,testbox02_2_access_sg
> account required /lib/security/$ISA/pam_permit.so

> Not sure where to go next, or what else to provide.

Can you confirm the above text is verbatim, or have extra spaces been inserted?

The other issues remain as I described, but I noticed the extra spaces when re-examining the issue and wanted to confirm before I proceeded.
(They would make the configuration invalid, I hope). 

Also, did some tool generate this configuration, or did you just do it based on the manpage?  I'm trying to evaluate the possible impact of making this directive illegal for the account module. 


Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
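The two points this thread turns on can be checked mechanically: whitespace inside a require_membership_of= list (PAM splits module arguments on whitespace, so the list ends at the first space after the '=' and the remaining group names reach pam_winbind as separate, meaningless arguments), and where in the stack the directive sits (sshd with UsePAM runs only the account and session phases for a public-key login and never calls pam_authenticate, which is why an auth-phase group check is not seen by key-based logins, while the account-phase use is the one Andrew is considering making illegal). The following Python linter is an added example, not code from the thread or from Samba; SAMPLE_STACK is constructed from the quoted system-auth-ac with its spaces left exactly as posted, and the group names are the thread's hypothetical ones.

```python
"""Lint a pam.d stack for the problems discussed in the thread.

Assumptions (example code, not Samba's or the poster's):
  * PAM splits a module's argument string on whitespace, so a
    require_membership_of= value ends at the first space after '='.
  * sshd with UsePAM=yes runs only the PAM account and session phases
    for a public-key login; pam_authenticate is never called, so an
    auth-phase group check does not see key-based logins.
"""
import re

DIRECTIVE = "require_membership_of="

# Constructed sample: the system-auth-ac stack quoted in the thread, with the
# whitespace exactly as it appears in the e-mail (hypothetical group names).
SAMPLE_STACK = """\
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_winbind.so debug debug_state use_first_pass require_membership_of=testbox02_access_sg, testbox02_2_access_sg
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account required /lib/security/$ISA/pam_winbind.so debug debug_state require_membership_of= testbox_access_sg,testbox02_2_access_sg
account required /lib/security/$ISA/pam_permit.so
"""

# type  control  module-path  [arguments]; control may be the bracketed form.
_LINE_RE = re.compile(
    r"^\s*(?P<type>-?\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)"
    r"(?:\s+(?P<args>.*))?$"
)


def parse_stack(text):
    """Return [(lineno, type, control, module, args)] for each real entry."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not line:
            continue
        m = _LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {n}: not a PAM entry: {line!r}")
        entries.append((n, m["type"].lstrip("-"), m["control"],
                        m["module"], m["args"] or ""))
    return entries


def membership_groups(args):
    """Split a require_membership_of= argument the way the module receives it.

    Returns (groups, orphans): groups is the list pam_winbind actually gets,
    orphans are tokens the author meant as part of the list but which PAM
    delivers as separate arguments because of a space after '=' or ','.
    Returns None when the directive is absent.
    """
    i = args.find(DIRECTIVE)
    if i < 0:
        return None
    rest = args[i + len(DIRECTIVE):]
    tokens = rest.split()
    if tokens and not rest[:1].isspace():
        value, tail = tokens[0], tokens[1:]
    else:                       # "require_membership_of= grp": empty value
        value, tail = "", tokens
    orphans = []
    need_more = value == "" or value.endswith(",")
    while need_more and tail:   # a trailing comma means the list continues
        orphans.append(tail.pop(0))
        need_more = orphans[-1].endswith(",")
    groups = [g for g in value.split(",") if g]
    return groups, orphans


def lint_stack(text):
    """Return [(lineno, code, message)] findings for a pam.d stack."""
    findings = []
    for n, typ, _ctrl, module, args in parse_stack(text):
        parsed = membership_groups(args)
        if parsed is None:
            continue
        groups, orphans = parsed
        if orphans:
            findings.append((n, "whitespace",
                f"{module} receives groups {groups}; {orphans} arrive as "
                "separate arguments because of whitespace in the list"))
        if typ == "account":
            findings.append((n, "account_phase",
                "require_membership_of on an account line: the Samba reply in "
                "this thread is evaluating making this illegal for the account "
                "module, so check that the gate still holds without it"))
        elif typ == "auth":
            findings.append((n, "pubkey_bypass",
                "sshd public-key logins never call pam_authenticate, so this "
                "auth-phase group check does not apply to them"))
    return findings


if __name__ == "__main__":
    for lineno, code, msg in lint_stack(SAMPLE_STACK):
        print(f"line {lineno} [{code}]: {msg}")
```

Run against the quoted stack it reports four findings: on the auth pam_winbind line the list is cut at the space after the comma (only testbox02_access_sg reaches the module) and the whole check is skipped for key logins anyway; on the account pam_winbind line the value after "= " is empty, so no group at all reaches the module, independent of whether the directive is honoured in that phase.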
