[Samba] account locks not working ssh/winbind?

L.P.H. van Belle belle at bazuin.nl
Thu Apr 26 09:18:10 UTC 2018 

Hai Rowland, 

Thanks for the reply. Ok so we suspect and buggie pam module

The pam.d/ssh is the default

@include common-auth
account    required     pam_nologin.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_keyinit.so force revoke
@include common-session
session    optional     pam_motd.so  motd=/run/motd.dynamic
session    optional     pam_motd.so noupdate
session    required     pam_limits.so
session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
@include common-password

But what i dont understand is this line:
> Apr 25 07:00:07 hostname1 sshd[27490]: pam_winbind(sshd:setcred): user 'username' OK

pam_winbind(sshd:setcred) 
I'll go search for this a bit, and start with the build of 4.8.1  while doing that.

I forgot the pam winbind config, this one is used also. 

/usr/share/pam-configs/winbind
Name: Winbind NT/Active Directory authentication
Default: yes
Priority: 192
Auth-Type: Primary
Auth:
        [success=end default=ignore]    pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
Auth-Initial:
        [success=end default=ignore]    pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login
Account-Type: Primary
Account:
        [success=end new_authtok_reqd=done default=ignore]      pam_winbind.so
Password-Type: Primary
Password:
        [success=end default=ignore]    pam_winbind.so use_authtok try_first_pass
Password-Initial:
        [success=end default=ignore]    pam_winbind.so
Session-Type: Additional
Session:
        optional                        pam_winbind.so


If anyone has ideas or suggestion where to look, please add them.
Because this should never happen.. To be able to login with an locked account. 



Greetz, 

Louis




> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Rowland Penny via samba
> Verzonden: donderdag 26 april 2018 11:03
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] account locks not working ssh/winbind?
> 
> On Thu, 26 Apr 2018 09:53:33 +0200
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> 
> > Hai. 
> >  
> > Config. 
> > Debian Stretch, samba 4.7.7. member server AD backend. 
> > Network setup like in the howtos here. :
> > https://github.com/thctlo/samba4/tree/master/howtos 
> >  
> > Today i discovered that somehow a disabled user was able to login
> > after a few retries. 
> > I run a SSH/SFTP server for data exchange with the customer of the
> > company here. 
> > The SSH/SFTP server is restricted by groups, this includes a windows
> > (AD) group and linux groups, with an GID assigned. 
> 
> Hi Louis, I think you are going to have to put the sshd server into
> debug mode to sort this.
> 
> I have examined your logs, sorted and shortened them to what I believe
> are the relevant parts:
> 
> Apr 25 07:00:04 hostname1 sshd[27490]: reverse mapping 
> checking getaddrinfo for unknown.domain.tld [1.2.3.4] failed.
> Apr 25 07:00:04 hostname1 sshd[27490]: pam_krb5(sshd:auth): 
> authentication failure; logname=username uid=0 euid=0 tty=ssh 
> ruser= rhost=1.2.3.4
> Apr 25 07:00:04 hostname1 sshd[27490]: pam_unix(sshd:auth): 
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
> rhost=1.2.3.4  user=username
> Apr 25 07:00:04 hostname1 sshd[27490]: 
> pam_winbind(sshd:auth): getting password (0x00000388)
> Apr 25 07:00:04 hostname1 sshd[27490]: 
> pam_winbind(sshd:auth): pam_get_item returned a password
> Apr 25 07:00:04 hostname1 sshd[27490]: 
> pam_winbind(sshd:auth): request wbcLogonUser failed: 
> WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11), NTSTATUS: 
> NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: The user 
> account has been automatically locked because too many 
> invalid logon attempts or password change attempts have been 
> requested.
> Apr 25 07:00:04 hostname1 sshd[27490]: 
> pam_winbind(sshd:auth): internal module error (retval = 
> PAM_MAXTRIES(11), user = 'username')
> 
> The above seems to show that pam_krb5, pam_unix and 
> pam_winbind are rejecting the user
> 
> Apr 25 07:00:04 hostname1 sshd[27490]: Accepted password for 
> username from 1.2.3.4 port 10500 ssh2
> Apr 25 07:00:04 hostname1 sshd[27490]: 
> pam_unix(sshd:session): session opened for user username by (uid=0)
> Apr 25 07:00:04 hostname1 systemd-logind[25400]: New session 
> 4873 of user username.
> Apr 25 07:00:04 hostname1 systemd: 
> pam_unix(systemd-user:session): session opened for user 
> username by (uid=0)
> 
> Something in the above 4 lines is allowing access.
> 
> From my SFTP server log.  and this should not be possible. 
> 2018-04-25 07:00:05 [27504][username][1.2.3.4][10500]Start 
> download file '/folder1/file1.csv'
> 2018-04-25 07:00:05 [27504][username][1.2.3.4][10500]End 
> download file '/folder1/file1.csv' (82 bytes) : 100%
> 2018-04-25 07:00:05 [27504][username][1.2.3.4][10500]Start 
> download file '/folder1/file1.csv'
> 2018-04-25 07:00:06 [27504][username][1.2.3.4][10500]End 
> download file '/folder1/file1.csv' (82 bytes) : 100%
> 2018-04-25 07:00:06 [27504][username][1.2.3.4][10500]Try to 
> remove file '/folder1/file1.csv' : success
> 
> 
> Apr 25 07:00:07 hostname1 sshd[27490]: 
> pam_unix(sshd:session): session closed for user username
> Apr 25 07:00:07 hostname1 sshd[27490]: pam_winbind(sshd:setcred): user 'username' OK
> Apr 25 07:00:07 hostname1 systemd-logind[25400]: Removed session 4873.
> Apr 25 07:00:07 hostname1 systemd: pam_unix(systemd-user:session):
> session closed for user username
> 
> I believe this is all coming from /etc/pam.d/sshd
> 
> Rowland
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>

More information about the samba mailing list