[Samba] account locks not working ssh/winbind?
L.P.H. van Belle
belle at bazuin.nl
Thu Apr 26 07:53:33 UTC 2018
Hai.
Config.
Debian Stretch, samba 4.7.7. member server AD backend.
Network setup like in the howtos here. : https://github.com/thctlo/samba4/tree/master/howtos
Today i discovered that somehow a disabled user was able to login after a few retries.
I run a SSH/SFTP server for data exchange with the customer of the company here.
The SSH/SFTP server is restricted by groups, this includes a windows (AD) group and linux groups, with an GID assigned.
Other important settings are these these from sshd_config
UsePAM yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck yes
GSSAPIKeyExchange yes
GSSAPIStoreCredentialsOnRekey yes
/etc/pam.d had the following. ( all settings are done with pam-auth-update )
samba
@include common-auth
@include common-account
@include common-session-noninteractive
common-auth
auth [success=5 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=4 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=3 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth [success=2 default=ignore] pam_ccreds.so minimum_uid=1000 action=validate use_first_pass
auth [default=ignore] pam_ccreds.so minimum_uid=1000 action=update
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_ccreds.so minimum_uid=1000 action=store
auth optional pam_cap.so
common-account
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
account requisite pam_deny.so
account required pam_permit.so
account required pam_krb5.so minimum_uid=1000
common-session-noninteractive
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_krb5.so minimum_uid=1000
session required pam_unix.so
session optional pam_winbind.so
common-password
password [success=3 default=ignore] pam_krb5.so minimum_uid=1000
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass
password requisite pam_deny.so
password required pam_permit.so
On Begin feb 2018, i disabled an account in the AD. Just checked again and yes its still set to "Account disabled"
Today i noticed the following.
From my SFTP server log. and this should not be possible.
2018-04-25 07:00:05 [27504][username][1.2.3.4][10500]Start download file '/folder1/file1.csv'
2018-04-25 07:00:05 [27504][username][1.2.3.4][10500]End download file '/folder1/file1.csv' (82 bytes) : 100%
2018-04-25 07:00:05 [27504][username][1.2.3.4][10500]Start download file '/folder1/file1.csv'
2018-04-25 07:00:06 [27504][username][1.2.3.4][10500]End download file '/folder1/file1.csv' (82 bytes) : 100%
2018-04-25 07:00:06 [27504][username][1.2.3.4][10500]Try to remove file '/folder1/file1.csv' : success
Now the strange thing is the follow from my auth logs.
Apr 25 07:00:02 hostname1 sshd[27413]: reverse mapping checking getaddrinfo for unknown.domain.tld [1.2.3.4] failed.
Apr 25 07:00:02 hostname1 sshd[27413]: pam_krb5(sshd:auth): authentication failure; logname=username uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4
Apr 25 07:00:02 hostname1 sshd[27413]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4 user=username
Apr 25 07:00:02 hostname1 sshd[27413]: pam_winbind(sshd:auth): getting password (0x00000388)
Apr 25 07:00:02 hostname1 sshd[27413]: pam_winbind(sshd:auth): pam_get_item returned a password
Apr 25 07:00:02 hostname1 sshd[27413]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11), NTSTATUS: NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested.
Apr 25 07:00:02 hostname1 sshd[27413]: pam_winbind(sshd:auth): internal module error (retval = PAM_MAXTRIES(11), user = 'username')
Apr 25 07:00:02 hostname1 sshd[27413]: Accepted password for username from 1.2.3.4 port 10400 ssh2
Apr 25 07:00:02 hostname1 sshd[27413]: pam_unix(sshd:session): session opened for user username by (uid=0)
Apr 25 07:00:02 hostname1 systemd-logind[25400]: New session 4871 of user username.
Apr 25 07:00:02 hostname1 systemd: pam_unix(systemd-user:session): session opened for user username by (uid=0)
Apr 25 07:00:02 hostname1 CRON[27410]: pam_unix(cron:session): session closed for user nobody
Apr 25 07:00:03 hostname1 sshd[27413]: pam_unix(sshd:session): session closed for user username
Apr 25 07:00:03 hostname1 sshd[27413]: pam_winbind(sshd:setcred): user 'username' OK
Apr 25 07:00:03 hostname1 systemd-logind[25400]: Removed session 4871.
Apr 25 07:00:04 hostname1 sshd[27490]: reverse mapping checking getaddrinfo for unknown.domain.tld [1.2.3.4] failed.
Apr 25 07:00:04 hostname1 sshd[27490]: pam_krb5(sshd:auth): authentication failure; logname=username uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4
Apr 25 07:00:04 hostname1 sshd[27490]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4 user=username
Apr 25 07:00:04 hostname1 sshd[27490]: pam_winbind(sshd:auth): getting password (0x00000388)
Apr 25 07:00:04 hostname1 sshd[27490]: pam_winbind(sshd:auth): pam_get_item returned a password
Apr 25 07:00:04 hostname1 sshd[27490]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11), NTSTATUS: NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested.
Apr 25 07:00:04 hostname1 sshd[27490]: pam_winbind(sshd:auth): internal module error (retval = PAM_MAXTRIES(11), user = 'username')
Apr 25 07:00:04 hostname1 sshd[27490]: Accepted password for username from 1.2.3.4 port 10500 ssh2
Apr 25 07:00:04 hostname1 sshd[27490]: pam_unix(sshd:session): session opened for user username by (uid=0)
Apr 25 07:00:04 hostname1 systemd-logind[25400]: New session 4873 of user username.
Apr 25 07:00:04 hostname1 systemd: pam_unix(systemd-user:session): session opened for user username by (uid=0)
Apr 25 07:00:07 hostname1 sshd[27490]: pam_unix(sshd:session): session closed for user username
Apr 25 07:00:07 hostname1 sshd[27490]: pam_winbind(sshd:setcred): user 'username' OK
Apr 25 07:00:07 hostname1 systemd-logind[25400]: Removed session 4873.
Apr 25 07:00:07 hostname1 systemd: pam_unix(systemd-user:session): session closed for user username
Apr 25 07:00:10 hostname1 sshd[27625]: reverse mapping checking getaddrinfo for unknown.domain.tld [1.2.3.4] failed.
Apr 25 07:00:10 hostname1 sshd[27625]: pam_krb5(sshd:auth): authentication failure; logname=username uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4
Apr 25 07:00:10 hostname1 sshd[27625]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4 user=username
Apr 25 07:00:10 hostname1 sshd[27625]: pam_winbind(sshd:auth): getting password (0x00000388)
Apr 25 07:00:10 hostname1 sshd[27625]: pam_winbind(sshd:auth): pam_get_item returned a password
Apr 25 07:00:10 hostname1 sshd[27625]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11), NTSTATUS: NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested.
Apr 25 07:00:10 hostname1 sshd[27625]: pam_winbind(sshd:auth): internal module error (retval = PAM_MAXTRIES(11), user = 'username')
Apr 25 07:00:10 hostname1 sshd[27625]: Accepted password for username from 1.2.3.4 port 10600 ssh2
Apr 25 07:00:10 hostname1 sshd[27625]: pam_unix(sshd:session): session opened for user username by (uid=0)
Apr 25 07:00:10 hostname1 systemd-logind[25400]: New session 4875 of user username.
Apr 25 07:00:10 hostname1 systemd: pam_unix(systemd-user:session): session opened for user username by (uid=0)
Apr 25 07:00:10 hostname1 sshd[27625]: pam_unix(sshd:session): session closed for user username
Apr 25 07:00:10 hostname1 sshd[27625]: pam_winbind(sshd:setcred): user 'username' OK
Apr 25 07:00:10 hostname1 systemd-logind[25400]: Removed session 4875.
Apr 25 07:00:10 hostname1 systemd: pam_unix(systemd-user:session): session closed for user username
I suspect that : Ccreds credential caching - password saving part in pam is the cause or did i misconfigure something here, can happen, nobody is perfect.. :-(
I cannot disabled ccreds right now, i use the caching also for my logins from lan.
So if anyone has ideas please tell me.
Greetz,
Louis
More information about the samba
mailing list