[Samba] [OT?] Kerberos, PAM, NSS: if user does not exist, pam_krb5 try login?

Rowland Penny rpenny at samba.org
Thu Feb 28 16:45:29 UTC 2019 

On Thu, 28 Feb 2019 09:35:31 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> 
> A bit more then a curiosity.
> 
> Mobing from Samba/NT to Samba/AD i'm now switching some 'one-purpose'
> (mostly containers) from libpam-ldaps to libpam-krb5.
> In these box normally i don't need user access, so i create 'manually'
> (eg, in /etc/passwd) only the admin users, and i add only the PAM
> layer to do external auth.
> Still i use ssh keys for direct root access, but as an alternative ssh
> access i keep the ability to enter with domain password (and sudo).
> 
> 
> Some of these box are internet-facing. So looking at logs with
> previous setup, for non-existant user i get:
> 
> 	Feb  3 04:45:47 tank sshd[18545]: Invalid user admin from
> 216.127.174.116 Feb  3 04:45:47 tank sshd[18545]:
> input_userauth_request: invalid user admin [preauth] Feb  3 04:45:49
> tank sshd[18545]: Failed password for invalid user admin from
> 216.127.174.116 port 2333 ssh2
> 
> while now i get:
> 
> 	Feb 28 07:23:16 tank sshd[28440]: Invalid user admin from
> 123.21.91.111 Feb 28 07:23:16 tank sshd[28440]:
> input_userauth_request: invalid user admin [preauth] Feb 28 07:23:16
> tank sshd[28440]: pam_krb5(sshd:auth): authentication failure;
> logname=admin uid=0 euid=0 tty=ssh ruser= rhost=123.21.91.111 Feb 28
> 07:23:18 tank sshd[28440]: Failed password for invalid user admin
> from 123.21.91.111 port 51911 ssh2
> 
> (clearly 'admin' is not in /etc/passwd).
> 
> 
> So seems to me that libpam-ldaps dopn't even try to do a login if user
> does not exist, while libpam-krb5 do.
> 
> 
> There's something to fear about? Thanks.
> 

So you want to turn this:

Feb 28 16:19:36 testkar sshd[3003]: pam_krb5(sshd:auth): authentication failure; logname=adminuser uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.88
Feb 28 16:19:36 testkar sshd[3003]: Accepted password for adminuser from 192.168.0.88 port 39297 ssh2
Feb 28 16:19:36 testkar sshd[3003]: pam_unix(sshd:session): session opened for user adminuser by (uid=0)

into this:

Feb 28 16:32:56 testkar sshd[3459]: Accepted password for adminuser from 192.168.0.88 port 39399 ssh2
Feb 28 16:32:56 testkar sshd[3459]: pam_unix(sshd:session): session opened for user adminuser by (uid=0)

for non domain users ?

Open /etc/pam.c/common-auth and find this line:

auth    [success=2 default=ignore]      pam_krb5.so minimum_uid=1000

Change the number '1000' to the lower range number you set in smb.conf.

Example:
You have 'idmap config SAMDOM : range = 10000-99999999' in smb.conf
Change the line to this:

auth    [success=2 default=ignore]      pam_krb5.so minimum_uid=10000

Rowland

More information about the samba mailing list