[Samba] pam_winbind fails to authenticate domain users on my debian wheezy domain member servers
Rowland Penny
rowlandpenny at googlemail.com
Thu Jan 2 13:31:18 MST 2014
On 02/01/14 19:54, Georg Vorlaufer wrote:
> Ok, here are the smb confs
>
> Active Directory domain controller (hostname: raspberrypi.bivoro.lan,
> file: /usr/local/samba/etc/smb.conf)
>
> [global]
> log level = 3
>
> workgroup = BIVORO
> realm = BIVORO.LAN
> netbios name = RASPBERRYPI
> server role = active directory domain controller
> allow dns updates = disabled
> dns forwarder = 192.168.0.1
>
Just in passing, I take it that 192.168.0.1 is running a dns server?
> idmap_ldb:use rfc2307 = yes
>
> kerberos method = secrets and keytab
>
Try adding here:
template shell = /bin/bash
> tls enabled = yes
> tls keyfile = tls/raspberrypi.key
> tls certfile = tls/raspberrypi.crt
> tls cafile = tls/ca.crt
If adding the line above doesn't work, comment out the four lines above.
I do not use tls and ssh works, so it may be failing here.
Rowland
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/bivoro.lan/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
> Domain member (which does not allow me to log on via ssh, hostname:
> websrv.bivoro.lan, file: /etc/samba/smb.conf)
>
> [global]
> workgroup = BIVORO
> realm = BIVORO.LAN
> security = ADS
> kerberos method = secrets and keytab
> create krb5 conf = no
>
> idmap config *:backend = tdb
> idmap config *:range = 100000-199999
> idmap config BIVORO:backend = ad
> idmap config BIVORO:range = 2000-99999
> idmap config BIVORO:schema_mode = rfc2307
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind expand groups = 3
> winbind nss info = rfc2307
> winbind refresh tickets = yes
>
> client max protocol = SMB3
>
> winbind offline logon = yes
>
>
> Georg
>
>
> 2014/1/2 Rowland Penny <rowlandpenny at googlemail.com>
>
> On 02/01/14 17:53, Georg Vorlaufer wrote:
>
> Dear Rowland,
>
> thank you for your quick reply.
>
> I tried again using the "cached_login" option as you pointed
> out (also changed "winbind offline logon = yes" in my
> smb.conf), but that did not change anything.
>
> I also checked for apparmor and selinux, none of which seem to
> be active (not even installed on my debian systems)
>
> Here is my (latest) stack of pam configs for ssh:
>
> /etc/pam.d/sshd:
>
> # PAM configuration for the Secure Shell service
>
> # Read environment variables from /etc/environment and
> # /etc/security/pam_env.conf.
> auth required pam_env.so # [1]
> # In Debian 4.0 (etch), locale-related environment variables were moved to
> # /etc/default/locale, so read that as well.
> auth required pam_env.so envfile=/etc/default/locale
>
> # Standard Un*x authentication.
> @include common-auth
>
> # Disallow non-root logins when /etc/nologin exists.
> account required pam_nologin.so
>
> # Uncomment and edit /etc/security/access.conf if you need to set complex
> # access limits that are hard to express in sshd_config.
> # account required pam_access.so
>
> # Standard Un*x authorization.
> @include common-account
>
> # Standard Un*x session setup and teardown.
> @include common-session
>
> # Print the message of the day upon successful login.
> # This includes a dynamically generated part from /run/motd.dynamic
> # and a static (admin-editable) part from /etc/motd.
> session optional pam_motd.so motd=/run/motd.dynamic noupdate
> session optional pam_motd.so # [1]
>
> # Print the status of the user's mailbox upon successful login.
> session optional pam_mail.so standard noenv # [1]
>
> # Set up user limits from /etc/security/limits.conf.
> session required pam_limits.so
>
> # Set up SELinux capabilities (need modified pam)
> # session required pam_selinux.so multiple
>
> # Standard Un*x password updating.
> @include common-password
>
> /etc/pam.d/common-auth
>
> #
> # /etc/pam.d/common-auth - authentication settings common to all services
> #
> # This file is included from other service-specific PAM config files,
> # and should contain a list of the authentication modules that define
> # the central authentication scheme for use on the system
> # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
> # traditional Unix authentication mechanisms.
> #
> # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
> # To take advantage of this, it is recommended that you configure any
> # local modules either before or after the default block, and use
> # pam-auth-update to manage selection of other modules. See
> # pam-auth-update(8) for details.
>
> # here are the per-package modules (the "Primary" block)
> auth [success=2 default=ignore] pam_unix.so nullok_secure
> auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
> # here's the fallback if no module succeeds
> auth requisite pam_deny.so
> # prime the stack with a positive return value if there isn't one already;
> # this avoids us returning an error just because nothing sets a success code
> # since the modules above will each just jump around
> auth required pam_permit.so
> # and here are more per-package modules (the "Additional" block)
> # end of pam-auth-update config
>
> /etc/pam.d/common-account
>
> #
> # /etc/pam.d/common-account - authorization settings common to all services
> #
> # This file is included from other service-specific PAM config files,
> # and should contain a list of the authorization modules that define
> # the central access policy for use on the system. The default is to
> # only deny service to users whose accounts are expired in /etc/shadow.
> #
> # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
> # To take advantage of this, it is recommended that you configure any
> # local modules either before or after the default block, and use
> # pam-auth-update to manage selection of other modules. See
> # pam-auth-update(8) for details.
> #
>
> # here are the per-package modules (the "Primary" block)
> account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
> account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
> # here's the fallback if no module succeeds
> account requisite pam_deny.so
> # prime the stack with a positive return value if there isn't one already;
> # this avoids us returning an error just because nothing sets a success code
> # since the modules above will each just jump around
> account required pam_permit.so
> # and here are more per-package modules (the "Additional" block)
> # end of pam-auth-update config
>
> /etc/pam.d/common-session
>
> #
> # /etc/pam.d/common-session - session-related modules common to all services
> #
> # This file is included from other service-specific PAM config files,
> # and should contain a list of modules that define tasks to be performed
> # at the start and end of sessions of *any* kind (both interactive and
> # non-interactive).
> #
> # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
> # To take advantage of this, it is recommended that you configure any
> # local modules either before or after the default block, and use
> # pam-auth-update to manage selection of other modules. See
> # pam-auth-update(8) for details.
>
> # here are the per-package modules (the "Primary" block)
> session [default=1] pam_permit.so
> # here's the fallback if no module succeeds
> session requisite pam_deny.so
> # prime the stack with a positive return value if there isn't one already;
> # this avoids us returning an error just because nothing sets a success code
> # since the modules above will each just jump around
> session required pam_permit.so
> # and here are more per-package modules (the "Additional" block)
> session required pam_unix.so
> session optional pam_winbind.so
> # end of pam-auth-update config
>
> /etc/pam.d/common-password
>
> #
> # /etc/pam.d/common-password - password-related modules common to all services
> #
> # This file is included from other service-specific PAM config files,
> # and should contain a list of modules that define the services to be
> # used to change user passwords. The default is pam_unix.
>
> # Explanation of pam_unix options:
> #
> # The "sha512" option enables salted SHA512 passwords. Without this option,
> # the default is Unix crypt. Prior releases used the option "md5".
> #
> # The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
> # login.defs.
> #
> # See the pam_unix manpage for other options.
>
> # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
> # To take advantage of this, it is recommended that you configure any
> # local modules either before or after the default block, and use
> # pam-auth-update to manage selection of other modules. See
> # pam-auth-update(8) for details.
>
> # here are the per-package modules (the "Primary" block)
> password [success=2 default=ignore] pam_unix.so obscure sha512
> password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass
> # here's the fallback if no module succeeds
> password requisite pam_deny.so
> # prime the stack with a positive return value if there isn't one already;
> # this avoids us returning an error just because nothing sets a success code
> # since the modules above will each just jump around
> password required pam_permit.so
> # and here are more per-package modules (the "Additional" block)
> # end of pam-auth-update config
>
> I don't have pam_mkhomedir.so because the user home
> directories for my domain users are already existing
> I also don't have pam_cap.so -- actually don't know what it is
> good for
>
> I also checked the authentication logs again and compared them
> to the logs generated on the opensuse domain member (where
> pam_winbind works nicely). The lines which seem to be the most
> suspicious on the debian wheezy machines are:
>
> Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_CONNECTION_DISCONNECTED, Error message was: NT_STATUS_CONNECTION_DISCONNECTED
> Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'georg')
> Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh:0x7f1d54cb2030] LEAVE: pam_sm_authenticate returning 4 (PAM_SYSTEM_ERR)
>
> on OpenSuSE the request wbcLogonUser reports ok (or success,
> don't remember exactly)
>
> So, if I interpret the logs correctly, already the AUTH module
> of pam_winbind fails, and the other sections of pam sshd are
> not even processed
>
> With kind regards,
>
> Georg
>
> There doesn't really seem to be that much difference in my pam
> stack and yours and what differences there are shouldn't stop ssh
> working.
> I have a feeling it may be kerberos related, could you post a
> sanitized version of your smb.conf, both from the client & server.
>
> Rowland
>
>
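Added illustration (not code from this thread or from Linux-PAM): a simplified Python model of how Linux-PAM walks the common-auth stack quoted above, following the ok/bad/die/done/jump actions of pam.conf(5) in reduced form. It shows why a pam_winbind return of PAM_SYSTEM_ERR, as in Georg's log, is ignored by "[success=1 default=ignore]" and lets the stack fall through to the requisite pam_deny, so sshd is refused before account or session are consulted; the module return codes fed in are constructed for the scenarios.

```python
# Simplified model of Linux-PAM stack evaluation (added example, not PAM's code).
PAM_SUCCESS, PAM_SYSTEM_ERR, PAM_PERM_DENIED, PAM_AUTH_ERR = 0, 4, 6, 7
RC_NAME = {PAM_SUCCESS: "success", PAM_SYSTEM_ERR: "system_err",
           PAM_AUTH_ERR: "auth_err", 12: "new_authtok_reqd"}

# The classic keywords written as [value=action ...] tables, per pam.conf(5).
KEYWORDS = {
    "required":  {"success": "ok", "new_authtok_reqd": "ok", "default": "bad"},
    "requisite": {"success": "ok", "new_authtok_reqd": "ok", "default": "die"},
    "optional":  {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# The common-auth "Primary" block from the thread, as (control, module).
COMMON_AUTH = [
    ("[success=2 default=ignore]", "pam_unix.so"),
    ("[success=1 default=ignore]", "pam_winbind.so"),
    ("requisite", "pam_deny.so"),
    ("required", "pam_permit.so"),
]
# What these two modules always return from pam_sm_authenticate.
FIXED_RC = {"pam_deny.so": PAM_AUTH_ERR, "pam_permit.so": PAM_SUCCESS}

def parse_control(control):
    if control.startswith("["):
        return dict(kv.split("=") for kv in control.strip("[]").split())
    return KEYWORDS[control]

def run_stack(stack, results):
    """Walk the stack; results maps module -> return code. Returns final status."""
    status, failed, i = None, False, 0
    while i < len(stack):
        control, module = stack[i]
        rc = results.get(module, FIXED_RC.get(module, PAM_SUCCESS))
        actions = parse_control(control)
        action = actions.get(RC_NAME.get(rc, ""), actions.get("default", "bad"))
        if action == "ok" and not failed:
            status = rc
        elif action == "bad" and not failed:
            status, failed = rc, True          # keep first failure, keep walking
        elif action in ("die", "done"):        # stop the stack right here
            return status if failed else rc
        elif action.isdigit():                 # "success=N": ok, then skip N
            if not failed:
                status = rc
            i += int(action)
        i += 1
    return PAM_PERM_DENIED if status is None else status   # nothing set a status

def sshd_auth(unix_rc, winbind_rc):
    return run_stack(COMMON_AUTH, {"pam_unix.so": unix_rc, "pam_winbind.so": winbind_rc})
```

sshd_auth(PAM_AUTH_ERR, PAM_SYSTEM_ERR) reproduces the failing case from the log: a domain user unknown to pam_unix plus a winbind that cannot reach the domain controller yields PAM_AUTH_ERR from pam_deny.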