[Samba] pam_winbind fails to authenticate domain users on my debian wheezy domain member servers

Rowland Penny rowlandpenny at googlemail.com
Thu Jan 2 12:20:17 MST 2014 

On 02/01/14 17:53, Georg Vorlaufer wrote:
> Dear Rowland,
>
> thank you for your quick reply.
>
> I tried again using the "cached_login" option as you pointed out (also 
> changed "winbind offline logon = yes" in my smb.conf), but that did 
> not change anything.
>
> I also checked for apparmor and selinux, none of which seem to be 
> active (not even installed on my debian systems)
>
> Here is my (latest) stack of pam configs for ssh:
>
> /etc/pam.d/sshd:
>
> # PAM configuration for the Secure Shell service
>
> # Read environment variables from /etc/environment and
> # /etc/security/pam_env.conf.
> auth       required     pam_env.so # [1]
> # In Debian 4.0 (etch), locale-related environment variables were moved to
> # /etc/default/locale, so read that as well.
> auth       required     pam_env.so envfile=/etc/default/locale
>
> # Standard Un*x authentication.
> @include common-auth
>
> # Disallow non-root logins when /etc/nologin exists.
> account    required     pam_nologin.so
>
> # Uncomment and edit /etc/security/access.conf if you need to set complex
> # access limits that are hard to express in sshd_config.
> # account  required     pam_access.so
>
> # Standard Un*x authorization.
> @include common-account
>
> # Standard Un*x session setup and teardown.
> @include common-session
>
> # Print the message of the day upon successful login.
> # This includes a dynamically generated part from /run/motd.dynamic
> # and a static (admin-editable) part from /etc/motd.
> session    optional     pam_motd.so  motd=/run/motd.dynamic noupdate
> session    optional     pam_motd.so # [1]
>
> # Print the status of the user's mailbox upon successful login.
> session    optional     pam_mail.so standard noenv # [1]
>
> # Set up user limits from /etc/security/limits.conf.
> session    required     pam_limits.so
>
> # Set up SELinux capabilities (need modified pam)
> # session  required     pam_selinux.so multiple
>
> # Standard Un*x password updating.
> @include common-password
>
> /etc/pam.d/common-auth
>
> #
> # /etc/pam.d/common-auth - authentication settings common to all services
> #
> # This file is included from other service-specific PAM config files,
> # and should contain a list of the authentication modules that define
> # the central authentication scheme for use on the system
> # (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
> # traditional Unix authentication mechanisms.
> #
> # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
> # To take advantage of this, it is recommended that you configure any
> # local modules either before or after the default block, and use
> # pam-auth-update to manage selection of other modules.  See
> # pam-auth-update(8) for details.
>
> # here are the per-package modules (the "Primary" block)
> auth    [success=2 default=ignore]    pam_unix.so nullok_secure
> auth    [success=1 default=ignore]    pam_winbind.so krb5_auth 
> krb5_ccache_type=FILE cached_login try_first_pass
> # here's the fallback if no module succeeds
> auth    requisite            pam_deny.so
> # prime the stack with a positive return value if there isn't one already;
> # this avoids us returning an error just because nothing sets a 
> success code
> # since the modules above will each just jump around
> auth    required            pam_permit.so
> # and here are more per-package modules (the "Additional" block)
> # end of pam-auth-update config
>
> /etc/pam.d/common-account
>
> #
> # /etc/pam.d/common-account - authorization settings common to all 
> services
> #
> # This file is included from other service-specific PAM config files,
> # and should contain a list of the authorization modules that define
> # the central access policy for use on the system.  The default is to
> # only deny service to users whose accounts are expired in /etc/shadow.
> #
> # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
> # To take advantage of this, it is recommended that you configure any
> # local modules either before or after the default block, and use
> # pam-auth-update to manage selection of other modules.  See
> # pam-auth-update(8) for details.
> #
>
> # here are the per-package modules (the "Primary" block)
> account    [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
> account    [success=1 new_authtok_reqd=done default=ignore] 
> pam_winbind.so
> # here's the fallback if no module succeeds
> account    requisite            pam_deny.so
> # prime the stack with a positive return value if there isn't one already;
> # this avoids us returning an error just because nothing sets a 
> success code
> # since the modules above will each just jump around
> account    required            pam_permit.so
> # and here are more per-package modules (the "Additional" block)
> # end of pam-auth-update config
>
> /etc/pam.d/common-session
>
> #
> # /etc/pam.d/common-session - session-related modules common to all 
> services
> #
> # This file is included from other service-specific PAM config files,
> # and should contain a list of modules that define tasks to be performed
> # at the start and end of sessions of *any* kind (both interactive and
> # non-interactive).
> #
> # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
> # To take advantage of this, it is recommended that you configure any
> # local modules either before or after the default block, and use
> # pam-auth-update to manage selection of other modules.  See
> # pam-auth-update(8) for details.
>
> # here are the per-package modules (the "Primary" block)
> session    [default=1]            pam_permit.so
> # here's the fallback if no module succeeds
> session    requisite            pam_deny.so
> # prime the stack with a positive return value if there isn't one already;
> # this avoids us returning an error just because nothing sets a 
> success code
> # since the modules above will each just jump around
> session    required            pam_permit.so
> # and here are more per-package modules (the "Additional" block)
> session    required    pam_unix.so
> session    optional            pam_winbind.so
> # end of pam-auth-update config
>
> /etc/common-password
>
> #
> # /etc/pam.d/common-password - password-related modules common to all 
> services
> #
> # This file is included from other service-specific PAM config files,
> # and should contain a list of modules that define the services to be
> # used to change user passwords.  The default is pam_unix.
>
> # Explanation of pam_unix options:
> #
> # The "sha512" option enables salted SHA512 passwords. Without this 
> option,
> # the default is Unix crypt.  Prior releases used the option "md5".
> #
> # The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
> # login.defs.
> #
> # See the pam_unix manpage for other options.
>
> # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
> # To take advantage of this, it is recommended that you configure any
> # local modules either before or after the default block, and use
> # pam-auth-update to manage selection of other modules.  See
> # pam-auth-update(8) for details.
>
> # here are the per-package modules (the "Primary" block)
> password    [success=2 default=ignore]    pam_unix.so obscure sha512
> password    [success=1 default=ignore]    pam_winbind.so use_authtok 
> try_first_pass
> # here's the fallback if no module succeeds
> password    requisite            pam_deny.so
> # prime the stack with a positive return value if there isn't one already;
> # this avoids us returning an error just because nothing sets a 
> success code
> # since the modules above will each just jump around
> password    required            pam_permit.so
> # and here are more per-package modules (the "Additional" block)
> # end of pam-auth-update config
>
> I don't have pam_mkhomedir.so because the user home directories for my 
> domain users are already existing
> I also don't have pam_cap.so -- actually don't know what it is good for
>
> I also checked the authentication logs again and compared them to the 
> logs generated on the opensuse domain member (where pam_winbind works 
> nicely). The lines which seem to be the most suspicious on the debian 
> wheezy machines are:
>
> Jan  2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): request 
> wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR 
> (4), NTSTATUS: NT_STATUS_CONNECTION_DISCONNECTED, Error message was: 
> NT_STATUS_CONNECTION_DISCONNECTED
> Jan  2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): internal 
> module error (retval = PAM_SYSTEM_ERR(4), user = 'georg')
> Jan  2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): 
> [pamh:0x7f1d54cb2030] LEAVE: pam_sm_authenticate returning 4 
> (PAM_SYSTEM_ERR)
>
> on OpenSuSE the request wbcLogonUser reports ok (or success, don't 
> remember exactly)
>
> So, if I interpret the logs correctly, already the AUTH module of 
> pam_winbind fails, and the other sections of pam sshd are not even 
> processed
>
> With kind regards,
>
> Georg
>
There doesn't really seem to be that much difference in my pam stack and 
yours and what differences there are shouldn't stop ssh working.
I have a feeling it may be kerberos related, could you post a sanitized 
version of your smb.conf, both from the client & server.

Rowland

More information about the samba mailing list