[Samba] pam_winbind fails to authenticate domain users on my debian wheezy domain member servers

Rowland Penny rowlandpenny at googlemail.com
Thu Jan 2 13:31:18 MST 2014


On 02/01/14 19:54, Georg Vorlaufer wrote:
> Ok, here are the smb confs
>
> Active Directory domain controller (hostname: raspberrypi.bivoro.lan, 
> file: /usr/local/samba/etc/smb.conf)
>
> [global]
>     log level = 3
>
>     workgroup = BIVORO
>     realm = BIVORO.LAN
>     netbios name = RASPBERRYPI
>     server role = active directory domain controller
>     allow dns updates = disabled
>     dns forwarder = 192.168.0.1
>
Just in passing, I take it that 192.168.0.1 is running a dns server?

>     idmap_ldb:use rfc2307 = yes
>
>     kerberos method = secrets and keytab
>
Try adding here:
        template shell = /bin/bash


>     tls enabled = yes
>     tls keyfile = tls/raspberrypi.key
>     tls certfile = tls/raspberrypi.crt
>     tls cafile = tls/ca.crt
If adding the line above doesn't work, comment out the four lines above. 
I do not use tls and ssh works, so it may be failing here.

Rowland

>
> [netlogon]
>     path = /usr/local/samba/var/locks/sysvol/bivoro.lan/scripts
>     read only = No
>
> [sysvol]
>     path = /usr/local/samba/var/locks/sysvol
>     read only = No
>
> Domain member (which does not allow me to log on via ssh, hostname: 
> websrv.bivoro.lan, file: /etc/samba/smb.conf)
>
> [global]
>     workgroup = BIVORO
>     realm = BIVORO.LAN
>     security = ADS
>     kerberos method = secrets and keytab
>     create krb5 conf = no
>
>     idmap config *:backend = tdb
>     idmap config *:range = 100000-199999
>     idmap config BIVORO:backend = ad
>     idmap config BIVORO:range = 2000-99999
>     idmap config BIVORO:schema_mode = rfc2307
>     winbind use default domain = yes
>     winbind enum users = yes
>     winbind enum groups = yes
>     winbind expand groups = 3
>     winbind nss info = rfc2307
>     winbind refresh tickets = yes
>
>     client max protocol = SMB3
>
>     winbind offline logon = yes
>
>
> Georg
>
>
> 2014/1/2 Rowland Penny <rowlandpenny at googlemail.com>
>
>     On 02/01/14 17:53, Georg Vorlaufer wrote:
>
>         Dear Rowland,
>
>         thank you for your quick reply.
>
>         I tried again using the "cached_login" option as you pointed
>         out (also changed "winbind offline logon = yes" in my
>         smb.conf), but that did not change anything.
>
>         I also checked for apparmor and selinux, none of which seem to
>         be active (not even installed on my debian systems)
>
>         Here is my (latest) stack of pam configs for ssh:
>
>         /etc/pam.d/sshd:
>
>         # PAM configuration for the Secure Shell service
>
>         # Read environment variables from /etc/environment and
>         # /etc/security/pam_env.conf.
>         auth       required     pam_env.so # [1]
>         # In Debian 4.0 (etch), locale-related environment variables were moved to
>         # /etc/default/locale, so read that as well.
>         auth       required     pam_env.so envfile=/etc/default/locale
>
>         # Standard Un*x authentication.
>         @include common-auth
>
>         # Disallow non-root logins when /etc/nologin exists.
>         account    required     pam_nologin.so
>
>         # Uncomment and edit /etc/security/access.conf if you need to set complex
>         # access limits that are hard to express in sshd_config.
>         # account  required     pam_access.so
>
>         # Standard Un*x authorization.
>         @include common-account
>
>         # Standard Un*x session setup and teardown.
>         @include common-session
>
>         # Print the message of the day upon successful login.
>         # This includes a dynamically generated part from /run/motd.dynamic
>         # and a static (admin-editable) part from /etc/motd.
>         session    optional     pam_motd.so  motd=/run/motd.dynamic noupdate
>         session    optional     pam_motd.so # [1]
>
>         # Print the status of the user's mailbox upon successful login.
>         session    optional     pam_mail.so standard noenv # [1]
>
>         # Set up user limits from /etc/security/limits.conf.
>         session    required     pam_limits.so
>
>         # Set up SELinux capabilities (need modified pam)
>         # session  required     pam_selinux.so multiple
>
>         # Standard Un*x password updating.
>         @include common-password
>
>         /etc/pam.d/common-auth
>
>         #
>         # /etc/pam.d/common-auth - authentication settings common to all services
>         #
>         # This file is included from other service-specific PAM config files,
>         # and should contain a list of the authentication modules that define
>         # the central authentication scheme for use on the system
>         # (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
>         # traditional Unix authentication mechanisms.
>         #
>         # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
>         # To take advantage of this, it is recommended that you configure any
>         # local modules either before or after the default block, and use
>         # pam-auth-update to manage selection of other modules.  See
>         # pam-auth-update(8) for details.
>
>         # here are the per-package modules (the "Primary" block)
>         auth    [success=2 default=ignore]    pam_unix.so nullok_secure
>         auth    [success=1 default=ignore]    pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
>         # here's the fallback if no module succeeds
>         auth    requisite            pam_deny.so
>         # prime the stack with a positive return value if there isn't one already;
>         # this avoids us returning an error just because nothing sets a success code
>         # since the modules above will each just jump around
>         auth    required            pam_permit.so
>         # and here are more per-package modules (the "Additional" block)
>         # end of pam-auth-update config
>
>         /etc/pam.d/common-account
>
>         #
>         # /etc/pam.d/common-account - authorization settings common to all services
>         #
>         # This file is included from other service-specific PAM config files,
>         # and should contain a list of the authorization modules that define
>         # the central access policy for use on the system.  The default is to
>         # only deny service to users whose accounts are expired in /etc/shadow.
>         #
>         # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
>         # To take advantage of this, it is recommended that you configure any
>         # local modules either before or after the default block, and use
>         # pam-auth-update to manage selection of other modules.  See
>         # pam-auth-update(8) for details.
>         #
>
>         # here are the per-package modules (the "Primary" block)
>         account    [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
>         account    [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
>         # here's the fallback if no module succeeds
>         account    requisite            pam_deny.so
>         # prime the stack with a positive return value if there isn't one already;
>         # this avoids us returning an error just because nothing sets a success code
>         # since the modules above will each just jump around
>         account    required            pam_permit.so
>         # and here are more per-package modules (the "Additional" block)
>         # end of pam-auth-update config
>
>         /etc/pam.d/common-session
>
>         #
>         # /etc/pam.d/common-session - session-related modules common to all services
>         #
>         # This file is included from other service-specific PAM config files,
>         # and should contain a list of modules that define tasks to be performed
>         # at the start and end of sessions of *any* kind (both interactive and
>         # non-interactive).
>         #
>         # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
>         # To take advantage of this, it is recommended that you configure any
>         # local modules either before or after the default block, and use
>         # pam-auth-update to manage selection of other modules.  See
>         # pam-auth-update(8) for details.
>
>         # here are the per-package modules (the "Primary" block)
>         session    [default=1]            pam_permit.so
>         # here's the fallback if no module succeeds
>         session    requisite            pam_deny.so
>         # prime the stack with a positive return value if there isn't one already;
>         # this avoids us returning an error just because nothing sets a success code
>         # since the modules above will each just jump around
>         session    required            pam_permit.so
>         # and here are more per-package modules (the "Additional" block)
>         session    required    pam_unix.so
>         session    optional            pam_winbind.so
>         # end of pam-auth-update config
>
>         /etc/common-password
>
>         #
>         # /etc/pam.d/common-password - password-related modules common to all services
>         #
>         # This file is included from other service-specific PAM config files,
>         # and should contain a list of modules that define the services to be
>         # used to change user passwords.  The default is pam_unix.
>
>         # Explanation of pam_unix options:
>         #
>         # The "sha512" option enables salted SHA512 passwords. Without this option,
>         # the default is Unix crypt.  Prior releases used the option "md5".
>         #
>         # The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
>         # login.defs.
>         #
>         # See the pam_unix manpage for other options.
>
>         # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
>         # To take advantage of this, it is recommended that you configure any
>         # local modules either before or after the default block, and use
>         # pam-auth-update to manage selection of other modules.  See
>         # pam-auth-update(8) for details.
>
>         # here are the per-package modules (the "Primary" block)
>         password    [success=2 default=ignore]  pam_unix.so obscure sha512
>         password    [success=1 default=ignore]  pam_winbind.so use_authtok try_first_pass
>         # here's the fallback if no module succeeds
>         password    requisite            pam_deny.so
>         # prime the stack with a positive return value if there isn't one already;
>         # this avoids us returning an error just because nothing sets a success code
>         # since the modules above will each just jump around
>         password    required            pam_permit.so
>         # and here are more per-package modules (the "Additional" block)
>         # end of pam-auth-update config
>
>         I don't have pam_mkhomedir.so because the user home
>         directories for my domain users are already existing
>         I also don't have pam_cap.so -- actually don't know what it is
>         good for
>
>         I also checked the authentication logs again and compared them
>         to the logs generated on the opensuse domain member (where
>         pam_winbind works nicely). The lines which seem to be the most
>         suspicious on the debian wheezy machines are:
>
>         Jan  2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth):
>         request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error:
>         PAM_SYSTEM_ERR (4), NTSTATUS:
>         NT_STATUS_CONNECTION_DISCONNECTED, Error message was:
>         NT_STATUS_CONNECTION_DISCONNECTED
>         Jan  2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth):
>         internal module error (retval = PAM_SYSTEM_ERR(4), user = 'georg')
>         Jan  2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth):
>         [pamh:0x7f1d54cb2030] LEAVE: pam_sm_authenticate returning 4
>         (PAM_SYSTEM_ERR)
>
>         on OpenSuSE the request wbcLogonUser reports ok (or success,
>         don't remember exactly)
>
>         So, if I interpret the logs correctly, already the AUTH module
>         of pam_winbind fails, and the other sections of pam sshd are
>         not even processed
>
>         With kind regards,
>
>         Georg
>
>     There doesn't really seem to be that much difference in my pam
>     stack and yours and what differences there are shouldn't stop ssh
>     working.
>     I have a feeling it may be kerberos related, could you post a
>     sanitized version of your smb.conf, both from the client & server.
>
>     Rowland
>
>
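The `[success=N default=ignore]` controls in the quoted common-auth explain why a pam_winbind PAM_SYSTEM_ERR ends in a denial: the error is not "success", so it is ignored, and the stack falls through to pam_deny. The Python below is an added example, not code from the thread or from Samba or Linux-PAM; it is a simplified model of Linux-PAM dispatch (first failure sticks, success=N jumps over N modules) applied to Georg's stack, and the per-module return values it is fed are constructed.

```python
import re
# Constructed copy of the "Primary" block of the Debian common-auth quoted in the
# thread, with the wrapped pam_winbind line re-joined onto a single line.
COMMON_AUTH = """\
auth    [success=2 default=ignore]    pam_unix.so nullok_secure
auth    [success=1 default=ignore]    pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth    requisite            pam_deny.so
auth    required            pam_permit.so
"""
# Keyword controls written as the [...] tables they are shorthand for (pam.conf(5)).
KEYWORDS = {"required": {"success": "ok", "default": "bad"},
            "requisite": {"success": "ok", "default": "die"},
            "sufficient": {"success": "done", "default": "ignore"},
            "optional": {"success": "ok", "default": "ignore"}}
FIXED = {"pam_deny.so": "auth_err", "pam_permit.so": "success"}  # user-independent
LINE_RE = re.compile(r"^auth\s+(\[[^\]]+\]|\w+)\s+(\S+)")

def parse_stack(text):
    """Return [(action table, module name)] for every 'auth' line in text."""
    stack = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ctl, module = m.groups()
            actions = (dict(kv.split("=", 1) for kv in ctl[1:-1].split())
                       if ctl.startswith("[") else KEYWORDS[ctl])
            stack.append((actions, module))
    return stack

def run_stack(stack, results):
    """Simplified Linux-PAM dispatch: walk the stack with the given per-module
    return values ("success", "auth_err", "system_err", ...) and report the result."""
    status, i = None, 0
    while i < len(stack):
        actions, module = stack[i]
        ret = FIXED.get(module) or results.get(module, "success")
        action = actions.get(ret, actions.get("default", "bad"))  # unlisted -> bad
        i += 1
        if action == "ignore":               # return value does not count at all
            continue
        if status in (None, "success"):      # first failure sticks
            status = ret
        if action in ("die", "done"):        # terminate the stack now
            break
        if action.isdigit():                 # success=N: skip the next N modules
            i += int(action)
    return status or "perm_denied"           # nothing contributed: PAM_PERM_DENIED

def verdict(results):
    return run_stack(parse_stack(COMMON_AUTH), results)
```

Feeding it `{"pam_unix.so": "auth_err", "pam_winbind.so": "system_err"}` reproduces the logged case: the system error is swallowed by `default=ignore` and pam_deny supplies the final failure.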


