[Samba] [OT?] Kerberos, PAM, NSS: if user does not exist, pam_krb5 try login?
L.P.H. van Belle
belle at bazuin.nl
Thu Feb 28 09:17:30 UTC 2019
Hmm, Marco,
logname=admin uid=0 euid=0 << no no... uid=0? That's not good, root = uid 0
User setup example.
Linux: Root uid 0
LinuxAdmin uid does not matter as long as it is within the range of (see /etc/adduser.conf)
FIRST_UID=1000 LAST_UID=59999
Administrator is mapped through /etc/samba/smb.conf ( usermapping)
And that Admin of yours is probably migrated from ldap to AD, except now it's not allowed to have uid 0.
Remove it and re-create it, or set up a new UID/GID, something like that, and search for other "double" users and/or UIDs.
This also depends on what you need.
About this : In these box normally i don't need user access.
Why create users when you already have them? Just simplify your maintenance.
For example I use: AllowGroups group1 group2-users group2-admins in /etc/ssh/sshd_config
group1 is a linux group, needed for my linux admin user. ( more a backup user/group if ad breaks, only has 2 users in my case. )
Group2-users is a windows group in AD, with GID assigned, containing AD users that are allowed to login the linux servers.
Group2-admins is a windows group in AD, with GID assigned, containing admin users that are allowed to login the linux servers.
Do note, ssh users must have a UID and you are disallowing root (uid=0), so your example admin (uid=0) can't log in either.
Optional, but imo a must for internet connected servers.
Read : https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-16-04
And the debian instructions.
https://www.vultr.com/docs/how-to-setup-two-factor-authentication-2fa-for-ssh-on-debian-9-using-google-authenticator
;-)
Works great.
More questions, ask.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Marco Gaiarin via samba
> Sent: Thursday 28 February 2019 9:36
> To: samba at lists.samba.org
> Subject: [Samba] [OT?] Kerberos, PAM, NSS: if user does not exist, pam_krb5 try login?
>
>
> A bit more than a curiosity.
>
> Moving from Samba/NT to Samba/AD I'm now switching some 'one-purpose'
> boxes (mostly containers) from libpam-ldaps to libpam-krb5.
> In these boxes normally I don't need user access, so I create 'manually'
> (eg, in /etc/passwd) only the admin users, and I add only the PAM layer
> to do external auth.
> Still I use ssh keys for direct root access, but as an alternative ssh
> access I keep the ability to enter with domain password (and sudo).
>
>
> Some of these boxes are internet-facing. So looking at logs with the previous
> setup, for a non-existent user I get:
>
> Feb 3 04:45:47 tank sshd[18545]: Invalid user admin from 216.127.174.116
> Feb 3 04:45:47 tank sshd[18545]: input_userauth_request: invalid user admin [preauth]
> Feb 3 04:45:49 tank sshd[18545]: Failed password for invalid user admin from 216.127.174.116 port 2333 ssh2
>
> while now I get:
>
> Feb 28 07:23:16 tank sshd[28440]: Invalid user admin from 123.21.91.111
> Feb 28 07:23:16 tank sshd[28440]: input_userauth_request: invalid user admin [preauth]
> Feb 28 07:23:16 tank sshd[28440]: pam_krb5(sshd:auth): authentication failure; logname=admin uid=0 euid=0 tty=ssh ruser= rhost=123.21.91.111
> Feb 28 07:23:18 tank sshd[28440]: Failed password for invalid user admin from 123.21.91.111 port 51911 ssh2
>
> (clearly 'admin' is not in /etc/passwd).
>
>
> So it seems to me that libpam-ldaps doesn't even try to do a login if the user
> does not exist, while libpam-krb5 does.
>
>
> Is there something to fear here? Thanks.
>
> --
> dott. Marco Gaiarin GNUPG Key ID: 240A3D66
> Associazione ``La Nostra Famiglia''
> http://www.lanostrafamiglia.it/
> Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
> marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797
>
> Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
> http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
> (tax code 00307430132, category ONLUS or RICERCA SANITARIA)
>
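A small detector for the pattern in Marco's logs, added here as an example and not code from either poster: it pairs sshd's "Invalid user" line with a later pam_krb5 failure from the same sshd PID, which shows that a login name sshd already rejected was still handed to the Kerberos layer. SAMPLE_LOG is constructed from the lines quoted above; the function names are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample, built from the auth.log lines quoted in the thread
# (one session with the old libpam-ldaps setup, one with libpam-krb5).
SAMPLE_LOG = """\
Feb 3 04:45:47 tank sshd[18545]: Invalid user admin from 216.127.174.116
Feb 3 04:45:47 tank sshd[18545]: input_userauth_request: invalid user admin [preauth]
Feb 3 04:45:49 tank sshd[18545]: Failed password for invalid user admin from 216.127.174.116 port 2333 ssh2
Feb 28 07:23:16 tank sshd[28440]: Invalid user admin from 123.21.91.111
Feb 28 07:23:16 tank sshd[28440]: input_userauth_request: invalid user admin [preauth]
Feb 28 07:23:16 tank sshd[28440]: pam_krb5(sshd:auth): authentication failure; logname=admin uid=0 euid=0 tty=ssh ruser= rhost=123.21.91.111
Feb 28 07:23:18 tank sshd[28440]: Failed password for invalid user admin from 123.21.91.111 port 51911 ssh2
"""

# sshd marks a name that is not in NSS/passwd as "Invalid user".
INVALID_RE = re.compile(r"sshd\[(\d+)\]: Invalid user (\S+) from (\S+)")
# pam_krb5 reporting a failed authentication for the same sshd child (PID).
KRB5_FAIL_RE = re.compile(
    r"sshd\[(\d+)\]: pam_krb5\(sshd:auth\): authentication failure;.*\brhost=(\S*)"
)


def find_krb5_probes(log_text):
    """Return (pid, user, rhost) for every sshd session in which a login
    name that does not exist locally still reached pam_krb5, i.e. a
    Kerberos authentication was attempted on behalf of an unknown name."""
    invalid = {}   # pid -> (user, rhost) seen on an "Invalid user" line
    probes = []
    for line in log_text.splitlines():
        m = INVALID_RE.search(line)
        if m:
            pid, user, rhost = m.groups()
            invalid[pid] = (user, rhost)
            continue
        m = KRB5_FAIL_RE.search(line)
        if m and m.group(1) in invalid:
            user, rhost = invalid[m.group(1)]
            probes.append((m.group(1), user, rhost))
    return probes


def probes_by_host(log_text):
    """Count such probes per remote host, e.g. as input for a block list
    or to confirm that the sshd user check alone is not stopping them."""
    return Counter(rhost for _, _, rhost in find_krb5_probes(log_text))
```

The first session (PID 18545) never produces a pam_krb5 line, so only the libpam-krb5 session is reported.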