[Samba] account locks not working ssh/winbind?
L.P.H. van Belle
belle at bazuin.nl
Thu Apr 26 09:18:10 UTC 2018
Hai Rowland,
Thanks for the reply. Ok so we suspect a buggy pam module.
The pam.d/sshd is the default:
@include common-auth
account required pam_nologin.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
@include common-session
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
session required pam_limits.so
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
@include common-password
But what I don't understand is this line:
> Apr 25 07:00:07 hostname1 sshd[27490]: pam_winbind(sshd:setcred): user 'username' OK
pam_winbind(sshd:setcred)
I'll go search for this a bit, and start with the build of 4.8.1 while doing that.
I forgot the pam winbind config; this one is also used.
/usr/share/pam-configs/winbind
Name: Winbind NT/Active Directory authentication
Default: yes
Priority: 192
Auth-Type: Primary
Auth:
[success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
Auth-Initial:
[success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login
Account-Type: Primary
Account:
[success=end new_authtok_reqd=done default=ignore] pam_winbind.so
Password-Type: Primary
Password:
[success=end default=ignore] pam_winbind.so use_authtok try_first_pass
Password-Initial:
[success=end default=ignore] pam_winbind.so
Session-Type: Additional
Session:
optional pam_winbind.so
If anyone has ideas or suggestions on where to look, please add them.
Because this should never happen... to be able to log in with a locked account.
Greetz,
Louis
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Thursday 26 April 2018 11:03
> To: samba at lists.samba.org
> Subject: Re: [Samba] account locks not working ssh/winbind?
>
> On Thu, 26 Apr 2018 09:53:33 +0200
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
> > Hai.
> >
> > Config.
> > Debian Stretch, samba 4.7.7, member server with AD backend.
> > Network setup like in the howtos here:
> > https://github.com/thctlo/samba4/tree/master/howtos
> >
> > Today I discovered that somehow a disabled user was able to log in
> > after a few retries.
> > I run a SSH/SFTP server for data exchange with the customer of the
> > company here.
> > The SSH/SFTP server is restricted by groups, this includes a windows
> > (AD) group and linux groups, with a GID assigned.
>
> Hi Louis, I think you are going to have to put the sshd server into
> debug mode to sort this.
>
> I have examined your logs, sorted and shortened them to what I believe
> are the relevant parts:
>
> Apr 25 07:00:04 hostname1 sshd[27490]: reverse mapping
> checking getaddrinfo for unknown.domain.tld [1.2.3.4] failed.
> Apr 25 07:00:04 hostname1 sshd[27490]: pam_krb5(sshd:auth):
> authentication failure; logname=username uid=0 euid=0 tty=ssh
> ruser= rhost=1.2.3.4
> Apr 25 07:00:04 hostname1 sshd[27490]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=1.2.3.4 user=username
> Apr 25 07:00:04 hostname1 sshd[27490]:
> pam_winbind(sshd:auth): getting password (0x00000388)
> Apr 25 07:00:04 hostname1 sshd[27490]:
> pam_winbind(sshd:auth): pam_get_item returned a password
> Apr 25 07:00:04 hostname1 sshd[27490]:
> pam_winbind(sshd:auth): request wbcLogonUser failed:
> WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11), NTSTATUS:
> NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: The user
> account has been automatically locked because too many
> invalid logon attempts or password change attempts have been
> requested.
> Apr 25 07:00:04 hostname1 sshd[27490]:
> pam_winbind(sshd:auth): internal module error (retval =
> PAM_MAXTRIES(11), user = 'username')
>
> The above seems to show that pam_krb5, pam_unix and
> pam_winbind are rejecting the user.
>
> Apr 25 07:00:04 hostname1 sshd[27490]: Accepted password for
> username from 1.2.3.4 port 10500 ssh2
> Apr 25 07:00:04 hostname1 sshd[27490]:
> pam_unix(sshd:session): session opened for user username by (uid=0)
> Apr 25 07:00:04 hostname1 systemd-logind[25400]: New session
> 4873 of user username.
> Apr 25 07:00:04 hostname1 systemd:
> pam_unix(systemd-user:session): session opened for user
> username by (uid=0)
>
> Something in the above 4 lines is allowing access.
>
> From my SFTP server log, and this should not be possible.
> 2018-04-25 07:00:05 [27504][username][1.2.3.4][10500]Start
> download file '/folder1/file1.csv'
> 2018-04-25 07:00:05 [27504][username][1.2.3.4][10500]End
> download file '/folder1/file1.csv' (82 bytes) : 100%
> 2018-04-25 07:00:05 [27504][username][1.2.3.4][10500]Start
> download file '/folder1/file1.csv'
> 2018-04-25 07:00:06 [27504][username][1.2.3.4][10500]End
> download file '/folder1/file1.csv' (82 bytes) : 100%
> 2018-04-25 07:00:06 [27504][username][1.2.3.4][10500]Try to
> remove file '/folder1/file1.csv' : success
>
>
> Apr 25 07:00:07 hostname1 sshd[27490]:
> pam_unix(sshd:session): session closed for user username
> Apr 25 07:00:07 hostname1 sshd[27490]: pam_winbind(sshd:setcred): user 'username' OK
> Apr 25 07:00:07 hostname1 systemd-logind[25400]: Removed session 4873.
> Apr 25 07:00:07 hostname1 systemd: pam_unix(systemd-user:session):
> session closed for user username
>
> I believe this is all coming from /etc/pam.d/sshd
>
> Rowland
>
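One defender-side check this thread points at, as an added example that is not from either list post: for each sshd process, remember the NTSTATUS that pam_winbind reported during auth, and flag any "Accepted" line the same PID logs afterwards. The log lines below are constructed after the excerpt Rowland quoted; the second and third sessions are invented to show non-matching cases.

```python
import re

# Constructed sample lines modelled on the excerpt quoted in this thread.
# Session 27490 mirrors the reported case; 27600 and 27700 are made-up controls.
SAMPLE_LOG = """\
Apr 25 07:00:04 hostname1 sshd[27490]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4 user=username
Apr 25 07:00:04 hostname1 sshd[27490]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11), NTSTATUS: NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested.
Apr 25 07:00:04 hostname1 sshd[27490]: Accepted password for username from 1.2.3.4 port 10500 ssh2
Apr 25 07:00:04 hostname1 systemd-logind[25400]: New session 4873 of user username.
Apr 25 07:05:00 hostname1 sshd[27600]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: constructed text
Apr 25 07:05:01 hostname1 sshd[27600]: Failed password for otheruser from 5.6.7.8 port 40000 ssh2
Apr 25 07:10:00 hostname1 sshd[27700]: Accepted publickey for alice from 9.9.9.9 port 50000 ssh2
"""

# Only sshd's own lines carry the per-connection PID we correlate on.
PID_RE = re.compile(r"sshd\[(\d+)\]: (.*)$")
REJECT_RE = re.compile(r"pam_winbind\(sshd:auth\): .*NTSTATUS: (NT_STATUS_\w+)")
ACCEPT_RE = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port (\d+)")


def find_accepted_after_winbind_reject(lines):
    """Return (pid, user, rhost, ntstatus) for every sshd process that logged
    an 'Accepted ...' line after pam_winbind had already reported a failure.
    A non-empty result means the PAM stack let a session through that the
    AD backend had refused, which is exactly the condition in this thread."""
    rejected = {}  # sshd pid -> last NTSTATUS reported by pam_winbind
    findings = []
    for line in lines:
        m = PID_RE.search(line)
        if not m:
            continue
        pid, msg = m.group(1), m.group(2)
        r = REJECT_RE.search(msg)
        if r:
            rejected[pid] = r.group(1)
            continue
        a = ACCEPT_RE.search(msg)
        if a and pid in rejected:
            findings.append((pid, a.group(2), a.group(3), rejected[pid]))
    return findings


if __name__ == "__main__":
    for pid, user, rhost, status in find_accepted_after_winbind_reject(SAMPLE_LOG.splitlines()):
        print(f"sshd[{pid}]: '{user}' from {rhost} accepted after winbind reported {status}")
```

Run it against /var/log/auth.log on the member server; a hit on NT_STATUS_ACCOUNT_LOCKED_OUT followed by an Accepted line is the event to alert on while the PAM stack is being debugged.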