[Samba] SSH with User in Member Domain

Bjoern Trimborn samba at bjoern-trimborn.de
Tue Jan 16 21:10:55 UTC 2018 

Am 16.01.2018 um 21:31 schrieb Carlos via samba:
> Uhum, i tested with ssh:
> 
>  ssh XXX at FILESERVER
> 
>  journalctl -f
> 
> Jan 16 18:28:42 HOSTNAME  sshd[2250]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=IP-SOURCE  user=XXXXX
> Jan 16 18:28:43 HOSTNAME  sshd[2250]: Failed password for XXXX from
> IP-SOURCE  port 39896 ssh2
> 
> Regards;

I see no attempt here that pam_winbind is asked for the password:

My log on a failed login:
--------------
Jan 16 22:05:24 files sshd[9978]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xxx.xxx
user=some_user
Jan 16 22:05:24 files sshd[9978]: pam_winbind(sshd:auth): getting
password (0x00000048)
Jan 16 22:05:24 files sshd[9978]: pam_winbind(sshd:auth): pam_get_item
returned a password
Jan 16 22:05:24 files sshd[9978]: pam_winbind(sshd:auth): request
wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7),
NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: When trying to
update a password, this return status indicates that the value provided
as the current password is not correct.
--------------

my logs on a successful attempt:
--------------
Jan 16 21:49:51 files sshd[9923]: Connection closed by 172.16.0.2 [preauth]
Jan 16 21:50:34 files sshd[9925]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xxx.xxx
user=some_user
Jan 16 21:50:34 files sshd[9925]: pam_winbind(sshd:auth): getting
password (0x00000048)
Jan 16 21:50:34 files sshd[9925]: pam_winbind(sshd:auth): pam_get_item
returned a password
Jan 16 21:50:34 files sshd[9925]: pam_winbind(sshd:auth): user
'some_user' granted access
Jan 16 21:50:34 files sshd[9925]: Accepted password for some_user from
172.16.0.1 port 43499 ssh2
Jan 16 21:50:34 files sshd[9925]: pam_unix(sshd:session): session opened
for user some_user by (uid=0)



On my system (debian) the configurations looks like this:

--------------
cat /etc/pam.d/common-account
# here are the per-package modules (the "Primary" block)
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
...
--------------
--------------
cat /etc/pam.d/common-auth
# here are the per-package modules (the "Primary" block)
auth [success=3 default=ignore] pam_unix.so nullok_secure
auth [success=2 default=ignore] pam_winbind.so try_first_pass
[require_membership_of=File Server SSH Access Control Group]
auth [success=1 default=ignore] pam_winbind.so try_first_pass
[require_membership_of=File Server SFTP Access Control Group]
...
--------------
--------------
cat /etc/pam.d/common-password
# here are the per-package modules (the "Primary" block)
password [success=2 default=ignore] pam_unix.so obscure sha512
password [success=1 default=ignore] pam_winbind.so use_authtok
try_first_pass
...
--------------
--------------
cat /etc/pam.d/common-session
...
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session required pam_mkhomedir.so umask=0077 skel=/etc/skel/
session optional pam_winbind.so
...
--------------
--------------
cat
# Global parameters
[global]
    security = ADS
    realm = XXX.XXX.XXX

    disable netbios = yes

    username map = /etc/samba/user.map

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    idmap config * : backend = tdb
    idmap config * : range = 1000000-2000000

    # idmap config for the SAMDOM domain
    idmap config XXX:backend = rid
    idmap config XXX:range = 3000000-4000000
    idmap config XXX:unix_nss_info = no

    # Template settings for login shell and home directory
    template shell = /bin/bash
    template homedir = /home/profiles_linux/%U

    winbind use default domain = yes
    winbind refresh tickets = yes

    vfs objects = dfs_samba4,acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

    # network
    interfaces = lo eth0
    bind interfaces only = yes
    smb ports = 445

    # Logging
    log level = 1
    max log size = 512000
    log file = /var/log/samba/samba.log

    # Auditing
    full_audit:prefix = %u|%I|%S
    full_audit:facility = local5
    full_audit:priority = notice
    full_audit:success = mkdir rename unlink rmdir pwrite
    full_audit:failure = none
...
--------------
--------------
cat /etc/ssh/sshd_config

Port 22
ListenAddress 172.16.0.3
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

KexAlgorithms
curve25519-sha256 at libssh.org,diffie-hellman-group-exchange-sha256
Ciphers
chacha20-poly1305 at openssh.com,aes256-gcm at openssh.com,aes128-gcm at openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs
hmac-sha2-512-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-ripemd160-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128 at openssh.com

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile     %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for
RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding no
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes

Match Group "file server sftp access"
    ChrootDirectory /var/cache/virtual_home
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

More information about the samba mailing list