[Samba] [OT?] Kerberos, PAM, NSS: if user does not exist, pam_krb5 try login?

L.P.H. van Belle belle at bazuin.nl
Thu Feb 28 09:17:30 UTC 2019 

Hmm, marco, 

logname=admin uid=0 euid=0  << no no.. Uid=0 ? Thats not good, root = uid 0

User setup example. 
Linux: Root uid 0
LinuxAdmin uid doest not matter as long within range of (see /etc/adduser.conf) 
FIRST_UID=1000 LAST_UID=59999

Administrator is mapped through /etc/samba/smb.conf ( usermapping)

And that Admin of you, is probley migrated of ldap to AD, execpt now its not allowed to have uid 0. 
Remove it and re-recreated it or setup new UID/GID, something like that, and search for other "double" users and/or UID's. 
This depends also on what you needs. 

About this : In these box normally i don't need user access. 

Why creating users when you already have them?  Just simplify you maintainance. 
For example i use :  AllowGroups group1 group2-users  group2-admins  in /etc/ssh/sshd_config 

group1 is a linux group, needed for my linux admin user. ( more a backup user/group if ad breaks, only has 2 users in my case. ) 
Group2-users is a windows group in AD, with GID assigned, containing AD users that are allowed to login the linux servers.
Group2-admins is a windows group in AD, with GID assigned, containing admin users that are allowed to login the linux servers. 
Do note, ssh users must have UID and your are disallowing root(uid=)0) so you example admin(uid=0) can't login also.

Optional, but imo a must for internet connected servers. 
Read : https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-16-04
And the debian instructions.
https://www.vultr.com/docs/how-to-setup-two-factor-authentication-2fa-for-ssh-on-debian-9-using-google-authenticator 
;-) 
 
Works great. 
More questions, ask. 


Greetz, 

Louis




> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Marco Gaiarin via samba
> Verzonden: donderdag 28 februari 2019 9:36
> Aan: samba at lists.samba.org
> Onderwerp: [Samba] [OT?] Kerberos, PAM, NSS: if user does not 
> exist, pam_krb5 try login?
> 
> 
> A bit more then a curiosity.
> 
> Mobing from Samba/NT to Samba/AD i'm now switching some 'one-purpose'
> (mostly containers) from libpam-ldaps to libpam-krb5.
> In these box normally i don't need user access, so i create 'manually'
> (eg, in /etc/passwd) only the admin users, and i add only the 
> PAM layer
> to do external auth.
> Still i use ssh keys for direct root access, but as an alternative ssh
> access i keep the ability to enter with domain password (and sudo).
> 
> 
> Some of these box are internet-facing. So looking at logs 
> with previous
> setup, for non-existant user i get:
> 
> 	Feb  3 04:45:47 tank sshd[18545]: Invalid user admin 
> from 216.127.174.116
> 	Feb  3 04:45:47 tank sshd[18545]: 
> input_userauth_request: invalid user admin [preauth]
> 	Feb  3 04:45:49 tank sshd[18545]: Failed password for 
> invalid user admin from 216.127.174.116 port 2333 ssh2
> 
> while now i get:
> 
> 	Feb 28 07:23:16 tank sshd[28440]: Invalid user admin 
> from 123.21.91.111
> 	Feb 28 07:23:16 tank sshd[28440]: 
> input_userauth_request: invalid user admin [preauth]
> 	Feb 28 07:23:16 tank sshd[28440]: pam_krb5(sshd:auth): 
> authentication failure; logname=admin uid=0 euid=0 tty=ssh 
> ruser= rhost=123.21.91.111
> 	Feb 28 07:23:18 tank sshd[28440]: Failed password for 
> invalid user admin from 123.21.91.111 port 51911 ssh2
> 
> (clearly 'admin' is not in /etc/passwd).
> 
> 
> So seems to me that libpam-ldaps dopn't even try to do a login if user
> does not exist, while libpam-krb5 do.
> 
> 
> There's something to fear about? Thanks.
> 
> -- 
> dott. Marco Gaiarin				        GNUPG 
> Key ID: 240A3D66
>   Associazione ``La Nostra Famiglia''          
> http://www.lanostrafamiglia.it/
>   Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al 
> Tagliamento (PN)
>   marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   
> f +39-0434-842797
> 
> 		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
>       http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
> 	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>

More information about the samba mailing list