[Samba] pam_winbind with trusted domain

James Dingwall james-samba at dingwall.me.uk
Fri Mar 17 12:25:40 UTC 2017 

On Mon, Mar 13, 2017 at 09:54:40AM +0000, James Dingwall wrote:
> Hi,
> 
> I am having problems using pam_winbind to log in as a user in a trusted domain.  The arrangement is that Samba is joined to a local domain DOMLOCAL which has a trust setup with DOMREMOTE.  getent passwd/group correctly enumerates users and groups from DOMLOCAL.  
> If I try getent passwd for the DOMREMOTE account no result is returned.  pam_winbind has a requirement that the user is a member of a group in DOMREMOTE configured in /etc/security/pam_winbind.conf:
> 
> require_membership_of=DOMREMOTE\linux-admin
> 
> DOMREMOTE is mapped using the idmap rid module:
> 
>   idmap config DOMREMOTE : backend = rid
>   idmap config DOMREMOTE : range = 4000000001-4010000000
> 
> winbind options in smb.conf are:
> 
>   winbind cache time = 10
>   winbind enum groups = yes
>   winbind enum users = yes
>   winbind nested groups = yes
>   winbind refresh tickets = yes
>   winbind rpc only = yes
> 
> kinit for the testuser at DOMREMOTE.LOCAL works correctly.
> 
> This is on Ubuntu 14.04 with winbind 4.3.11+dfsg-0ubuntu0.14.04.4.
> 
> Enabling debug debug_state for pam_winbind auth configuration results in these log messages for an ssh login attempt, I get a similar trace if I try a local logon.
> 
> sshd[9567]: Invalid user DOMREMOTE\\testuser from 192.168.1.1
> sshd[9567]: input_userauth_request: invalid user DOMREMOTE\\\\testuser [preauth]
> sshd[9567]: Postponed keyboard-interactive for invalid user DOMREMOTE\\\\testuser from 192.168.1.1 port 44848 ssh2 [preauth]
> sshd[9569]: pam_unix(sshd:auth): check pass; user unknown
> sshd[9569]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.1 
> sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] ENTER: pam_sm_authenticate (flags: 0x0001)
> sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_SERVICE) = "sshd" (0x7fc74c2c9380)
> sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_USER) = "DOMREMOTE\testuser" (0x7fc74c2c9fe0)
> sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_TTY) = "ssh" (0x7fc74c2e15f0)
> sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_RHOST) = "192.168.1.1" (0x7fc74c2e15d0)
> sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_AUTHTOK) = 0x7fc74c2caec0
> sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_CONV) = 0x7fc74c2e0cf0
> sshd[9569]: pam_winbind(sshd:auth): getting password (0x00001389)
> sshd[9569]: pam_winbind(sshd:auth): pam_get_item returned a password
> sshd[9569]: pam_winbind(sshd:auth): Verify user 'DOMREMOTE\testuser'
> sshd[9569]: pam_winbind(sshd:auth): PAM config: krb5_ccache_type 'FILE'
> sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] LEAVE: pam_sm_authenticate returning 10 (PAM_USER_UNKNOWN)
> sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_SERVICE) = "sshd" (0x7fc74c2c9380)
> sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_USER) = "DOMREMOTE\testuser" (0x7fc74c2c9fe0)
> sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_TTY) = "ssh" (0x7fc74c2e15f0)
> sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_RHOST) = "192.168.1.1" (0x7fc74c2e15d0)
> sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_AUTHTOK) = 0x7fc74c2caec0
> sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_CONV) = 0x7fc74c2e0cf0
> sshd[9567]: error: PAM: Authentication failure for illegal user DOMREMOTE\\testuser from 192.168.1.1
> sshd[9567]: Failed keyboard-interactive/pam for invalid user DOMREMOTE\\testuser from 192.168.1.1 port 44848 ssh2
> sshd[9567]: error: maximum authentication attempts exceeded for invalid user DOMREMOTE\\\\testuser from 192.168.1.1 port 44848 ssh2 [preauth]
> sshd[9567]: Disconnecting: Too many authentication failures for DOMREMOTE\\\\testuser [preauth]
> 
> After I execute wbinfo -a testuser at DOMREMOTE.LOCAL%password this does something which allows the ssh connection to start working but I would rather pam_winbind does whatever needs to be done behind the scenes:)
> 

If I make the trust between forests two way then winbind will authenticate the user in the remote forest but unfortunately this is not an acceptable solution.  I have also tested winbind 4.4.5+dfsg-2ubuntu5.2 with the same behaviour.  I'm running short of hair to 
pull out now:)

Thanks,
James

More information about the samba mailing list