[Samba] SSH - Winbind and Keybased Auth

Nathan Frankish nfrankish at qldmotorways.com.au
Thu Nov 28 22:53:37 MST 2013 

Hi david,

As a follow up, I can confirm that method you recommended works. However we had to go back and add Unix attributes to a lot of groups. Whilst this is achievable, its certainly not the preferred group. As some of our users will show up as having over 200 groups.

Im still keen to understand why samba is the module approving key access when it shouldn't.

Thanks
NF



Nathan Frankish  |  Network & Systems Team Lead


Queensland Motorways Pty Limited
7 Brandl St, Eight Mile Plains Qld 4113
PO Box 2125, Mansfield Qld 4122

Telephone: +61 7 3323 0266  |  Mobile: 0418 723 492
Facsimile: +61 7 3423 0867
qldmotorways.com.au  |  govia.com.au



The information contained in this email and any of the files transmitted with it are confidential and intended for the sole use of the recipient. Opinions contained in this email do not necessarily reflect the opinions of Queensland Motorways Pty Limited. If you have received this email in error, please notify the sender, and destroy any electronic or printed copies of it, immediately.


-----Original Message-----
From: David Keegel [mailto:djk-samba at cyber.com.au] 
Sent: Thursday, 28 November 2013 9:17 PM
To: Nathan Frankish
Cc: Samba List
Subject: Re: [Samba] SSH - Winbind and Keybased Auth

Nathan,

Could you do the restriction of ssh to group members by putting 
	AllowGroups testbox02_access_sg testbox02_2_access_sg in /etc/ssh/sshd_config, instead of reconfiguring pam?

On Thu, Nov 28, 2013 at 07:50:20AM +0000, Nathan Frankish wrote:
> Hi Team,
> 
> We have a weird issue that we are trying to understand. We have winbind set up and working successfully for user authentication with passwords via ssh. We have pam.d/system-auth-ac and password-auth-ac (symlinked) set to require membership of a group which works great via password authentication.
> 
> However, if the user has a ssh key set up, they seem to bypass the group membership requirement. The user isnt defined on the box in either shadow or passwd, they are only defined in AD, but are successfully able to authenticate as shown in the log below.
> 
> Some logs below:
> 
> /var/log/secure
> Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): 
> [pamh: 0x7f6b82683650] ENTER: pam_sm_acct_mgmt (flags: 0x0000) Nov 28 
> 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 
> 0x7f6b82683650] STATE: ITEM(PAM_SERVICE) = "sshd" (0x7f6b826837d0) Nov 
> 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 
> 0x7f6b82683650] STATE: ITEM(PAM_USER) = "nathan" (0x7f6b826837f0) Nov 
> 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 
> 0x7f6b82683650] STATE: ITEM(PAM_TTY) = "ssh" (0x7f6b8268dbd0) Nov 28 
> 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 
> 0x7f6b82683650] STATE: ITEM(PAM_RHOST) = "mycomputer.domain.local" 
> (0x7f6b82684610) Nov 28 17:34:58 testbox01 sshd[26078]: 
> pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: 
> ITEM(PAM_CONV) = 0x7f6b82683810 Nov 28 17:34:58 testbox01 sshd[26078]: 
> pam_winbind(sshd:account): user 'nathan' granted access Nov 28 
> 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 
> 0x7f6b82683650] LEAVE: pam_sm_acct_mgmt returning 0 (PAM_SUCCESS) Nov 
> 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 
> 0x7f6b82683650] STATE: ITEM(PAM_SERVICE) = "sshd" (0x7f6b826837d0) Nov 
> 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 
> 0x7f6b82683650] STATE: ITEM(PAM_USER) = "nathan" (0x7f6b826837f0) Nov 
> 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 
> 0x7f6b82683650] STATE: ITEM(PAM_TTY) = "ssh" (0x7f6b8268dbd0) Nov 28 
> 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 
> 0x7f6b82683650] STATE: ITEM(PAM_RHOST) = "mycomputer.domain.local" 
> (0x7f6b82684610) Nov 28 17:34:58 testbox01 sshd[26078]: 
> pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: 
> ITEM(PAM_CONV) = 0x7f6b82683810 Nov 28 17:34:58 testbox01 sshd[26078]: 
> Accepted publickey for nathan from 1.2.3.4 port 61767 ssh2
> 
> System-auth-ac:
> [root at testbox01 pam.d]# cat system-auth-ac auth required 
> /lib/security/$ISA/pam_env.so auth sufficient 
> /lib/security/$ISA/pam_unix.so likeauth nullok auth sufficient 
> /lib/security/$ISA/pam_winbind.so debug debug_state use_first_pass 
> require_membership_of=testbox02_access_sg, testbox02_2_access_sg auth 
> required /lib/security/$ISA/pam_deny.so
> 
> account required /lib/security/$ISA/pam_unix.so account sufficient 
> /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet account required 
> /lib/security/$ISA/pam_winbind.so debug debug_state 
> require_membership_of= testbox_access_sg,testbox02_2_access_sg
> account required /lib/security/$ISA/pam_permit.so
> 
> password requisite /lib/security/$ISA/pam_cracklib.so retry=3 type= 
> password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok 
> md5 shadow password sufficient /lib/security/$ISA/pam_winbind.so 
> use_first_pass password required /lib/security/$ISA/pam_deny.so
> 
> session required /lib/security/$ISA/pam_limits.so session required 
> /lib/security/$ISA/pam_unix.so session required pam_mkhomedir.so 
> skel=/etc/skel umask=0022 session required 
> /lib/security/$ISA/pam_winbind.so
> 
> /etc/pam.d/sshd: #%PAM-1.0
> auth       required     pam_sepermit.so
> auth       include      password-auth
> account    required     pam_nologin.so
> account    include      password-auth
> password   include      password-auth
> # pam_selinux.so close should be the first session rule
> session    required     pam_selinux.so close
> session    required     pam_loginuid.so
> # pam_selinux.so open should only be followed by sessions to be executed in the user context
> session    required     pam_selinux.so open env_params
> session    optional     pam_keyinit.so force revoke
> session    include      password-auth
> 
> 
> System information:
> Linux testbox01 2.6.32-431.el6.x86_64 #1 SMP Sun Nov 10 22:19:54 EST 
> 2013 x86_64 x86_64 x86_64 GNU/Linux Red Hat Enterprise Linux Server 
> release 6.5 (Santiago) Samba packages: 3.6.9-164.el6
> 
> Not sure where to go next, or what else to provide.
> 
> 
> Nathan Frankish  |  Network & Systems Team Lead
> 
> 
> Queensland Motorways Pty Limited

--
___________________________________________________________________________
  David Keegel <djk-samba at cyber.com.au>      Cyber IT Solutions Pty. Ltd.   
   http://www.cyber.com.au/~djk/     Linux & Unix Systems Administration

More information about the samba mailing list