[Samba] pam_winbind with trusted domain
James Dingwall
james-samba at dingwall.me.uk
Mon Mar 13 09:54:40 UTC 2017
Hi,
I am having problems using pam_winbind to log in as a user in a trusted domain. The arrangement is that Samba is joined to a local domain DOMLOCAL, which has a trust set up with DOMREMOTE. getent passwd/group correctly enumerates users and groups from DOMLOCAL.
If I try getent passwd for the DOMREMOTE account, no result is returned. pam_winbind has a requirement that the user is a member of a group in DOMREMOTE, configured in /etc/security/pam_winbind.conf:
require_membership_of=DOMREMOTE\linux-admin
DOMREMOTE is mapped using the idmap rid module:
idmap config DOMREMOTE : backend = rid
idmap config DOMREMOTE : range = 4000000001-4010000000
winbind options in smb.conf are:
winbind cache time = 10
winbind enum groups = yes
winbind enum users = yes
winbind nested groups = yes
winbind refresh tickets = yes
winbind rpc only = yes
kinit for testuser@DOMREMOTE.LOCAL works correctly.
This is on Ubuntu 14.04 with winbind 4.3.11+dfsg-0ubuntu0.14.04.4.
Enabling debug and debug_state for the pam_winbind auth configuration results in these log messages for an ssh login attempt; I get a similar trace if I try a local logon.
sshd[9567]: Invalid user DOMREMOTE\\testuser from 192.168.1.1
sshd[9567]: input_userauth_request: invalid user DOMREMOTE\\\\testuser [preauth]
sshd[9567]: Postponed keyboard-interactive for invalid user DOMREMOTE\\\\testuser from 192.168.1.1 port 44848 ssh2 [preauth]
sshd[9569]: pam_unix(sshd:auth): check pass; user unknown
sshd[9569]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.1
sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] ENTER: pam_sm_authenticate (flags: 0x0001)
sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_SERVICE) = "sshd" (0x7fc74c2c9380)
sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_USER) = "DOMREMOTE\testuser" (0x7fc74c2c9fe0)
sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_TTY) = "ssh" (0x7fc74c2e15f0)
sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_RHOST) = "192.168.1.1" (0x7fc74c2e15d0)
sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_AUTHTOK) = 0x7fc74c2caec0
sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_CONV) = 0x7fc74c2e0cf0
sshd[9569]: pam_winbind(sshd:auth): getting password (0x00001389)
sshd[9569]: pam_winbind(sshd:auth): pam_get_item returned a password
sshd[9569]: pam_winbind(sshd:auth): Verify user 'DOMREMOTE\testuser'
sshd[9569]: pam_winbind(sshd:auth): PAM config: krb5_ccache_type 'FILE'
sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] LEAVE: pam_sm_authenticate returning 10 (PAM_USER_UNKNOWN)
sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_SERVICE) = "sshd" (0x7fc74c2c9380)
sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_USER) = "DOMREMOTE\testuser" (0x7fc74c2c9fe0)
sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_TTY) = "ssh" (0x7fc74c2e15f0)
sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_RHOST) = "192.168.1.1" (0x7fc74c2e15d0)
sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_AUTHTOK) = 0x7fc74c2caec0
sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_CONV) = 0x7fc74c2e0cf0
sshd[9567]: error: PAM: Authentication failure for illegal user DOMREMOTE\\testuser from 192.168.1.1
sshd[9567]: Failed keyboard-interactive/pam for invalid user DOMREMOTE\\testuser from 192.168.1.1 port 44848 ssh2
sshd[9567]: error: maximum authentication attempts exceeded for invalid user DOMREMOTE\\\\testuser from 192.168.1.1 port 44848 ssh2 [preauth]
sshd[9567]: Disconnecting: Too many authentication failures for DOMREMOTE\\\\testuser [preauth]
After I execute wbinfo -a testuser@DOMREMOTE.LOCAL%password, this does something which allows the ssh connection to start working, but I would rather pam_winbind did whatever needs to be done behind the scenes :)
Thanks,
James
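The post maps DOMREMOTE with the idmap rid backend, and the log shows pam_winbind returning PAM_USER_UNKNOWN rather than an authentication error, i.e. winbind never produced a Unix identity for the account. The script below is an added example, not code from the post or from Samba: it parses "idmap config" lines into per-domain ranges, applies the idmap_rid formula documented in idmap_rid(8) (ID = RID - BASE_RID + LOW_RANGE_ID, with base_rid defaulting to 0), reports a RID that falls outside its domain's range (which winbind would refuse to map), and sanity-checks the ranges for overlap between domains and for exceeding the 32-bit uid_t limit. The DOMREMOTE values come from the post; the DOMLOCAL and "*" ranges, the SID, and the RID are constructed for the example. The post's DOMREMOTE range passes these checks, so this is a way to rule out the mapping configuration, not a diagnosis of the reported failure.

```python
import re

# Constructed smb.conf fragment. The DOMREMOTE lines are those quoted in the
# post; the "*" and DOMLOCAL entries are hypothetical and only exist so the
# overlap check has several ranges to compare.
SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config DOMLOCAL : backend = rid
idmap config DOMLOCAL : range = 10000-999999
idmap config DOMREMOTE : backend = rid
idmap config DOMREMOTE : range = 4000000001-4010000000
"""

UID_MAX = 2**32 - 1  # uid_t/gid_t on Linux are unsigned 32-bit

IDMAP_LINE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap_config(text):
    """Return {DOMAIN: {"backend": str, "range": (low, high)}} from smb.conf text."""
    cfg = {}
    for line in text.splitlines():
        m = IDMAP_LINE.match(line)
        if not m:
            continue  # not an idmap line; other smb.conf options are ignored
        domain, key, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = cfg.setdefault(domain, {})
        if key == "range":
            low, high = (int(x) for x in value.split("-"))
            if low > high:
                raise ValueError(f"{domain}: inverted range {value}")
            entry["range"] = (low, high)
        else:
            entry[key] = value
    return cfg


def sid_rid(sid):
    """The RID is the last sub-authority of a SID such as S-1-5-21-...-1105."""
    return int(sid.rsplit("-", 1)[1])


def split_winbind_name(name, separator="\\"):
    """Split DOMAIN<sep>user as winbind does with the default separator."""
    domain, _, user = name.partition(separator)
    return domain.upper(), user


def rid_to_unix_id(cfg, domain, rid, base_rid=0):
    """idmap_rid mapping: ID = RID - BASE_RID + LOW_RANGE_ID.

    Returns None when the result lies outside the configured range, which is
    the case winbind cannot map (and therefore reports the user as unknown).
    """
    entry = cfg.get(domain.upper())
    if entry is None or entry.get("backend") != "rid" or "range" not in entry:
        raise ValueError(f"{domain}: no idmap rid configuration with a range")
    low, high = entry["range"]
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


def check_ranges(cfg):
    """Return a list of problems: ranges beyond uid_t, and overlapping ranges.

    Overlaps are the important one: two domains sharing Unix IDs means two
    different accounts resolve to the same uid/gid on this host.
    """
    problems = []
    domains = sorted(d for d in cfg if "range" in cfg[d])
    for d in domains:
        low, high = cfg[d]["range"]
        if high > UID_MAX:
            problems.append(f"{d}: range {low}-{high} exceeds uid_t maximum {UID_MAX}")
    for i, a in enumerate(domains):
        for b in domains[i + 1:]:
            al, ah = cfg[a]["range"]
            bl, bh = cfg[b]["range"]
            if al <= bh and bl <= ah:
                problems.append(f"{a} and {b}: ranges {al}-{ah} and {bl}-{bh} overlap")
    return problems


if __name__ == "__main__":
    cfg = parse_idmap_config(SMB_CONF)
    domain, user = split_winbind_name("DOMREMOTE\\testuser")
    rid = sid_rid("S-1-5-21-111-222-333-1105")  # constructed SID for testuser
    print(f"{domain}\\{user} RID {rid} -> uid {rid_to_unix_id(cfg, domain, rid)}")
    print("range problems:", check_ranges(cfg) or "none")
```

In practice the SID comes from "wbinfo -n DOMREMOTE\\testuser" and the actual mapping from "wbinfo -S <sid>"; if the computed uid and wbinfo disagree, or wbinfo fails while the RID is inside the range, the problem is in the trust or RPC path rather than in the idmap configuration.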