[Samba] pam_winbind fails to authenticate domain users on my debian wheezy domain member servers

Georg Vorlaufer georg.vorlaufer at gmail.com
Thu Jan 2 12:54:25 MST 2014


Ok, here are the smb confs

Active Directory domain controller (hostname: raspberrypi.bivoro.lan, file:
/usr/local/samba/etc/smb.conf)

[global]
    log level = 3

    workgroup = BIVORO
    realm = BIVORO.LAN
    netbios name = RASPBERRYPI
    server role = active directory domain controller
    allow dns updates = disabled
    dns forwarder = 192.168.0.1

    idmap_ldb:use rfc2307 = yes

    kerberos method = secrets and keytab

    tls enabled = yes
    tls keyfile = tls/raspberrypi.key
    tls certfile = tls/raspberrypi.crt
    tls cafile = tls/ca.crt

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/bivoro.lan/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No

Domain member (which does not allow me to log on via ssh, hostname:
websrv.bivoro.lan, file: /etc/samba/smb.conf)

[global]
    workgroup = BIVORO
    realm = BIVORO.LAN
    security = ADS
    kerberos method = secrets and keytab
    create krb5 conf = no

    idmap config *:backend = tdb
    idmap config *:range = 100000-199999
    idmap config BIVORO:backend = ad
    idmap config BIVORO:range = 2000-99999
    idmap config BIVORO:schema_mode = rfc2307
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind expand groups = 3
    winbind nss info = rfc2307
    winbind refresh tickets = yes

    client max protocol = SMB3

    winbind offline logon = yes


Georg


2014/1/2 Rowland Penny <rowlandpenny at googlemail.com>

> On 02/01/14 17:53, Georg Vorlaufer wrote:
>
>> Dear Rowland,
>>
>> thank you for your quick reply.
>>
>> I tried again using the "cached_login" option as you pointed out (also
>> changed "winbind offline logon = yes" in my smb.conf), but that did not
>> change anything.
>>
>> I also checked for apparmor and selinux, none of which seem to be active
>> (not even installed on my debian systems)
>>
>> Here is my (latest) stack of pam configs for ssh:
>>
>> /etc/pam.d/sshd:
>>
>> # PAM configuration for the Secure Shell service
>>
>> # Read environment variables from /etc/environment and
>> # /etc/security/pam_env.conf.
>> auth       required     pam_env.so # [1]
>> # In Debian 4.0 (etch), locale-related environment variables were moved to
>> # /etc/default/locale, so read that as well.
>> auth       required     pam_env.so envfile=/etc/default/locale
>>
>> # Standard Un*x authentication.
>> @include common-auth
>>
>> # Disallow non-root logins when /etc/nologin exists.
>> account    required     pam_nologin.so
>>
>> # Uncomment and edit /etc/security/access.conf if you need to set complex
>> # access limits that are hard to express in sshd_config.
>> # account  required     pam_access.so
>>
>> # Standard Un*x authorization.
>> @include common-account
>>
>> # Standard Un*x session setup and teardown.
>> @include common-session
>>
>> # Print the message of the day upon successful login.
>> # This includes a dynamically generated part from /run/motd.dynamic
>> # and a static (admin-editable) part from /etc/motd.
>> session    optional     pam_motd.so  motd=/run/motd.dynamic noupdate
>> session    optional     pam_motd.so # [1]
>>
>> # Print the status of the user's mailbox upon successful login.
>> session    optional     pam_mail.so standard noenv # [1]
>>
>> # Set up user limits from /etc/security/limits.conf.
>> session    required     pam_limits.so
>>
>> # Set up SELinux capabilities (need modified pam)
>> # session  required     pam_selinux.so multiple
>>
>> # Standard Un*x password updating.
>> @include common-password
>>
>> /etc/pam.d/common-auth
>>
>> #
>> # /etc/pam.d/common-auth - authentication settings common to all services
>> #
>> # This file is included from other service-specific PAM config files,
>> # and should contain a list of the authentication modules that define
>> # the central authentication scheme for use on the system
>> # (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
>> # traditional Unix authentication mechanisms.
>> #
>> # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
>> # To take advantage of this, it is recommended that you configure any
>> # local modules either before or after the default block, and use
>> # pam-auth-update to manage selection of other modules.  See
>> # pam-auth-update(8) for details.
>>
>> # here are the per-package modules (the "Primary" block)
>> auth    [success=2 default=ignore]    pam_unix.so nullok_secure
>> auth    [success=1 default=ignore]    pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
>> # here's the fallback if no module succeeds
>> auth    requisite            pam_deny.so
>> # prime the stack with a positive return value if there isn't one already;
>> # this avoids us returning an error just because nothing sets a success code
>> # since the modules above will each just jump around
>> auth    required            pam_permit.so
>> # and here are more per-package modules (the "Additional" block)
>> # end of pam-auth-update config
>>
>> /etc/pam.d/common-account
>>
>> #
>> # /etc/pam.d/common-account - authorization settings common to all services
>> #
>> # This file is included from other service-specific PAM config files,
>> # and should contain a list of the authorization modules that define
>> # the central access policy for use on the system.  The default is to
>> # only deny service to users whose accounts are expired in /etc/shadow.
>> #
>> # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
>> # To take advantage of this, it is recommended that you configure any
>> # local modules either before or after the default block, and use
>> # pam-auth-update to manage selection of other modules.  See
>> # pam-auth-update(8) for details.
>> #
>>
>> # here are the per-package modules (the "Primary" block)
>> account    [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
>> account    [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
>> # here's the fallback if no module succeeds
>> account    requisite            pam_deny.so
>> # prime the stack with a positive return value if there isn't one already;
>> # this avoids us returning an error just because nothing sets a success code
>> # since the modules above will each just jump around
>> account    required            pam_permit.so
>> # and here are more per-package modules (the "Additional" block)
>> # end of pam-auth-update config
>>
>> /etc/pam.d/common-session
>>
>> #
>> # /etc/pam.d/common-session - session-related modules common to all services
>> #
>> # This file is included from other service-specific PAM config files,
>> # and should contain a list of modules that define tasks to be performed
>> # at the start and end of sessions of *any* kind (both interactive and
>> # non-interactive).
>> #
>> # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
>> # To take advantage of this, it is recommended that you configure any
>> # local modules either before or after the default block, and use
>> # pam-auth-update to manage selection of other modules.  See
>> # pam-auth-update(8) for details.
>>
>> # here are the per-package modules (the "Primary" block)
>> session    [default=1]            pam_permit.so
>> # here's the fallback if no module succeeds
>> session    requisite            pam_deny.so
>> # prime the stack with a positive return value if there isn't one already;
>> # this avoids us returning an error just because nothing sets a success code
>> # since the modules above will each just jump around
>> session    required            pam_permit.so
>> # and here are more per-package modules (the "Additional" block)
>> session    required    pam_unix.so
>> session    optional            pam_winbind.so
>> # end of pam-auth-update config
>>
>> /etc/pam.d/common-password
>>
>> #
>> # /etc/pam.d/common-password - password-related modules common to all services
>> #
>> # This file is included from other service-specific PAM config files,
>> # and should contain a list of modules that define the services to be
>> # used to change user passwords.  The default is pam_unix.
>>
>> # Explanation of pam_unix options:
>> #
>> # The "sha512" option enables salted SHA512 passwords. Without this option,
>> # the default is Unix crypt.  Prior releases used the option "md5".
>> #
>> # The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
>> # login.defs.
>> #
>> # See the pam_unix manpage for other options.
>>
>> # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
>> # To take advantage of this, it is recommended that you configure any
>> # local modules either before or after the default block, and use
>> # pam-auth-update to manage selection of other modules.  See
>> # pam-auth-update(8) for details.
>>
>> # here are the per-package modules (the "Primary" block)
>> password    [success=2 default=ignore]    pam_unix.so obscure sha512
>> password    [success=1 default=ignore]    pam_winbind.so use_authtok try_first_pass
>> # here's the fallback if no module succeeds
>> password    requisite            pam_deny.so
>> # prime the stack with a positive return value if there isn't one already;
>> # this avoids us returning an error just because nothing sets a success code
>> # since the modules above will each just jump around
>> password    required            pam_permit.so
>> # and here are more per-package modules (the "Additional" block)
>> # end of pam-auth-update config
>>
>> I don't have pam_mkhomedir.so because the home directories for my
>> domain users already exist.
>> I also don't have pam_cap.so -- actually, I don't know what it is good for.
>>
>> I also checked the authentication logs again and compared them to the
>> logs generated on the opensuse domain member (where pam_winbind works
>> nicely). The lines which seem to be the most suspicious on the debian
>> wheezy machines are:
>>
>> Jan  2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_CONNECTION_DISCONNECTED, Error message was: NT_STATUS_CONNECTION_DISCONNECTED
>> Jan  2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'georg')
>> Jan  2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh:0x7f1d54cb2030] LEAVE: pam_sm_authenticate returning 4 (PAM_SYSTEM_ERR)
>>
>> On openSUSE the wbcLogonUser request reports ok (or success, I don't
>> remember exactly).
>>
>> So, if I interpret the logs correctly, the AUTH module of pam_winbind
>> already fails, and the other sections of pam sshd are not even processed.
>>
>> With kind regards,
>>
>> Georg
>>
> There doesn't really seem to be that much difference in my pam stack and
> yours and what differences there are shouldn't stop ssh working.
> I have a feeling it may be kerberos related, could you post a sanitized
> version of your smb.conf, both from the client & server.
>
> Rowland
>
>
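As an added example (my own code, not from this thread or from the Samba project), a small Python check for the kind of domain-member [global] settings posted above: it parses the smb.conf text, confirms that security = ADS and a realm are set, and flags idmap ranges that are inverted or overlap another domain's range, plus an ad backend with no schema_mode. The sample below is constructed from the websrv smb.conf in the message; the function and file names are my own.

```python
import re

# Constructed sample: the domain member's [global] section posted in the thread.
SAMPLE_SMB_CONF = """
[global]
    realm = BIVORO.LAN
    security = ADS
    idmap config *:backend = tdb
    idmap config *:range = 100000-199999
    idmap config BIVORO:backend = ad
    idmap config BIVORO:range = 2000-99999
    idmap config BIVORO:schema_mode = rfc2307
"""

def parse_smb_conf(text):
    """Return {section: {key: value}}; smb.conf parameter names are case-insensitive."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections

def lint_member_global(conf):
    """Return a list of problems found in [global]; an empty list means it passed."""
    g, problems, ranges = conf.get("global", {}), [], {}
    if g.get("security", "").upper() != "ADS" or "realm" not in g:
        problems.append("domain member needs 'security = ADS' and a 'realm'")
    for key, value in g.items():
        m = re.fullmatch(r"idmap config (\S+):(backend|range)", key)
        if not m:
            continue
        dom, what = m.groups()
        if what == "backend":
            if value == "ad" and f"idmap config {dom}:schema_mode" not in g:
                problems.append(f"'ad' backend for {dom} should set schema_mode")
            continue
        lo, hi = (int(x) for x in value.split("-"))
        if lo >= hi:
            problems.append(f"idmap range for {dom} is inverted: {value}")
        for other, (olo, ohi) in ranges.items():  # any intersection is an error
            if lo <= ohi and olo <= hi:
                problems.append(f"idmap ranges of {dom} and {other} overlap")
        ranges[dom] = (lo, hi)
    return problems
```

The posted config passes (the * and BIVORO ranges do not touch); shrinking the * range so it reaches below 99999 makes the overlap check fire, which is the classic idmap misconfiguration this lint exists to catch.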

