[Samba] pam doesn't work.

Edson Wolf edsonwolf at vivaldi.net
Mon Mar 2 09:54:26 UTC 2020


pam doesn't work.

Samba Version 4.12.0rc4

openSUSE Leap 15.2

./configure --with-ads --systemd-install-services --with-shared-modules=idmap_ad --enable-debug --enable-selftest --with-systemd

# Global parameters
[global]
        dns forwarder = 172.16.0.1
        netbios name = WNETIN
        realm = WNETINFO.LAN
        server role = active directory domain controller
        workgroup = WNETINFO
        idmap_ldb:use rfc2307 = yes

###Winbind
        template shell = /bin/bash
        template homedir = /home/%U
        winbind use default domain = true
        winbind offline logon = false
        winbind nss info = rfc2307
        winbind enum users = yes
        winbind enum groups = yes

[sysvol]
        path = /opt/samba4/var/locks/sysvol
        read only = No

[netlogon]
        path = /opt/samba4/var/locks/sysvol/wnetinfo.lan/scripts
        read only = No

https://wiki.samba.org/index.php/Pam_winbind_Link
https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC

/etc/nsswitch.conf
passwd: compat winbind
group:  compat winbind
shadow: compat
hosts:          files mdns_minimal [NOTFOUND=return] dns
#hosts:         files dns wins
networks:       files dns

/etc/pam.d/common-session
session optional        pam_systemd.so
session required        pam_limits.so
session required        pam_unix.so     try_first_pass
session optional        pam_umask.so
session optional        pam_env.so
session required        pam_winbind.so      try_first_pass
session required        pam_mkhomedir.so

/etc/pam.d/common-password
password        required        pam_unix.so     use_authtok nullok shadow try_first_pass
password        requisite       pam_cracklib.so
password        [success=1 default=ignore]      pam_winbind.so  try_first_pass

ln -s /op/samba/lib/libnss_winbind.so.2 /lib64/
ln -s /lib64/libnss_winbind.so.2 /lib64/libnss_winbind.so
ldconfig

Tests
wnetin:~ # wbinfo --ping-dc
checking the NETLOGON for domain[WNETINFO] dc connection to "wnetin.wnetinfo.lan" succeeded

wnetin:~ # getent passwd WNETINFO\user
wnetin:~ # 

wnetin:~ # getent group "WNETINFO\\Domain Users"
wnetin:~ # getent passwd "WNETINFO\\user"
wnetin:~ # getent passwd 
root:x:0:0:root:/root:/bin/bash
messagebus:x:499:499:User for D-Bus:/run/dbus:/usr/bin/false
nobody:x:65534:65534:nobody:/var/lib/nobody:/bin/bash
man:x:13:62:Manual pages viewer:/var/lib/empty:/sbin/nologin
mail:x:498:498:Mailer daemon:/var/spool/clientmqueue:/sbin/nologin
daemon:x:2:2:Daemon:/sbin:/sbin/nologin
tftp:x:497:484:TFTP account:/srv/tftpboot:/bin/false
dnsmasq:x:496:65533:dnsmasq:/var/lib/empty:/bin/false
bin:x:1:1:bin:/bin:/sbin/nologin
lp:x:495:487:Printing daemon:/var/spool/lpd:/sbin/nologin
systemd-timesync:x:480:480:systemd Time Synchronization:/:/sbin/nologin
systemd-network:x:482:482:systemd Network Management:/:/sbin/nologin
systemd-coredump:x:481:481:systemd Core Dumper:/:/sbin/nologin
polkitd:x:479:479:User for polkitd:/var/lib/polkit:/sbin/nologin
rpc:x:478:65534:user for rpcbind:/var/lib/empty:/sbin/nologin
postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
nscd:x:477:478:User for nscd:/run/nscd:/sbin/nologin
statd:x:476:65533:NFS statd daemon:/var/lib/nfs:/sbin/nologin
chrony:x:475:477:Chrony Daemon:/var/lib/chrony:/bin/false
sshd:x:474:476:SSH daemon:/var/lib/sshd:/bin/false
avahi:x:473:475:User for Avahi:/run/avahi-daemon:/bin/false
scard:x:472:474:Smart Card Reader:/var/run/pcscd:/usr/sbin/nologin
ldap:x:76:70:User for OpenLDAP:/var/lib/ldap:/bin/false
ntp:x:74:473:NTP daemon:/var/lib/ntp:/bin/false
WNETINFO\administrator:*:0:100::/home/administrator:/bin/bash
WNETINFO\guest:*:3000012:100::/home/guest:/bin/bash
WNETINFO\krbtgt:*:3000018:100::/home/krbtgt:/bin/bash
WNETINFO\jose:*:3000019:100::/home/jose:/bin/bash
WNETINFO\user:*:3000021:100::/home/user:/bin/bash
wnetin:~ # getent group 
root:x:0:
shadow:x:15:
trusted:x:42:
users:x:100:
messagebus:x:499:
nogroup:x:65533:nobody
nobody:x:65534:
man:x:62:
mail:!:498:postfix
daemon:x:2:
wheel:x:497:
kmem:x:496:
lock:x:495:
tty:x:5:
utmp:x:494:
audio:x:493:
cdrom:x:492:
dialout:x:491:
disk:x:490:
input:x:489:
kvm:x:488:
lp:x:487:
tape:x:486:
video:x:485:
tftp:x:484:tftp,dnsmasq
bin:x:1:daemon
systemd-timesync:x:480:
systemd-journal:x:483:
systemd-network:x:482:
systemd-coredump:x:481:
polkitd:x:479:
postfix:x:51:
maildrop:x:59:postfix
nscd:x:478:
chrony:x:477:
ntadmin:x:71:
sshd:x:476:
avahi:x:475:
scard:x:474:
ldap:x:70:
ntp:x:473:
BUILTIN\administrators:x:3000000:
BUILTIN\users:x:3000009:
BUILTIN\guests:x:3000011:
BUILTIN\account operators:x:3000022:
BUILTIN\server operators:x:3000001:
BUILTIN\print operators:x:3000023:
BUILTIN\backup operators:x:3000024:
BUILTIN\replicator:x:3000025:
BUILTIN\pre-windows 2000 compatible access:x:3000017:
BUILTIN\remote desktop users:x:3000026:
BUILTIN\network configuration operators:x:3000027:
BUILTIN\incoming forest trust builders:x:3000028:
BUILTIN\performance monitor users:x:3000029:
BUILTIN\performance log users:x:3000030:
BUILTIN\windows authorization access group:x:3000031:
BUILTIN\terminal server license servers:x:3000032:
BUILTIN\distributed com users:x:3000033:
BUILTIN\iis_iusrs:x:3000034:
BUILTIN\cryptographic operators:x:3000035:
BUILTIN\event log readers:x:3000036:
BUILTIN\certificate service dcom access:x:3000037:
WNETINFO\cert publishers:x:3000038:
WNETINFO\ras and ias servers:x:3000039:
WNETINFO\allowed rodc password replication group:x:3000040:
WNETINFO\denied rodc password replication group:x:3000005:
WNETINFO\dnsadmins:x:3000041:
WNETINFO\enterprise read-only domain controllers:x:3000042:
WNETINFO\domain admins:x:3000004:
WNETINFO\domain users:x:100:
WNETINFO\domain guests:x:3000013:
WNETINFO\domain computers:x:3000043:
WNETINFO\domain controllers:x:3000044:
WNETINFO\schema admins:x:3000006:
WNETINFO\enterprise admins:x:3000007:
WNETINFO\group policy creator owners:x:3000008:
WNETINFO\read-only domain controllers:x:3000045:
WNETINFO\dnsupdateproxy:x:3000046:
WNETINFO\ti:x:3000047:
wnetin:~ # 

wnetin:~ # getent passwd | grep WNETINFO
WNETINFO\administrator:*:0:100::/home/administrator:/bin/bash
WNETINFO\guest:*:3000012:100::/home/guest:/bin/bash
WNETINFO\krbtgt:*:3000018:100::/home/krbtgt:/bin/bash
WNETINFO\user:*:3000021:100::/home/user:/bin/bash
wnetin:~ # 

wnetin:~ # getent group | grep WNETINFO
WNETINFO\cert publishers:x:3000038:
WNETINFO\ras and ias servers:x:3000039:
WNETINFO\allowed rodc password replication group:x:3000040:
WNETINFO\denied rodc password replication group:x:3000005:
WNETINFO\dnsadmins:x:3000041:
WNETINFO\enterprise read-only domain controllers:x:3000042:
WNETINFO\domain admins:x:3000004:
WNETINFO\domain users:x:100:
WNETINFO\domain guests:x:3000013:
WNETINFO\domain computers:x:3000043:
WNETINFO\domain controllers:x:3000044:
WNETINFO\schema admins:x:3000006:
WNETINFO\enterprise admins:x:3000007:
WNETINFO\group policy creator owners:x:3000008:
WNETINFO\read-only domain controllers:x:3000045:
WNETINFO\dnsupdateproxy:x:3000046:
WNETINFO\ti:x:3000047:
wnetin:~ #

wnetin:~ # su - user
su: user "user" does not exist

wnetin:~ # id user
id: "user": no such user

wnetin:~ # id root
uid=0(root) gid=0(root) groups=0(root)
wnetin:~ # 

SSH logon:
2020-03-02T03:49:22.167299-04:00 wnetin sshd[3723]: pam_winbind(sshd:auth): getting password (0x00000010)
2020-03-02T03:49:22.167601-04:00 wnetin sshd[3723]: pam_winbind(sshd:auth): pam_get_item returned a password
2020-03-02T03:49:22.182994-04:00 wnetin sshd[3723]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: The specified account does not exist.
2020-03-02T03:49:22.186560-04:00 wnetin sshd[3721]: Accepted keyboard-interactive/pam for root from 192.168.0.100 port 45720 ssh2
2020-03-02T03:49:22.193139-04:00 wnetin systemd[1]: Started Session 2 of user root.
2020-03-02T03:49:22.193344-04:00 wnetin systemd-logind[1170]: New session 2 of user root.
2020-03-02T03:49:22.195122-04:00 wnetin sshd[3721]: pam_unix(sshd:session): session opened for user root by (uid=0)

-- 
Persistence is the path to success.
Charles Chaplin
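As an added example (not code from the original post or from Samba), the following Python script audits the NSS entries winbind returns, fed with the WNETINFO lines from the getent output above (copied into the script as constructed sample data together with the local root, sshd and users entries they sit next to). It flags what a practitioner would want to see before wiring pam_winbind into sshd on a DC: the domain administrator is exposed as uid 0 alongside local root, "WNETINFO\domain users" shares gid 100 with the local "users" group, and krbtgt and guest inherit "template shell = /bin/bash". It also shows that the only name NSS knows for the account is "WNETINFO\user", which is consistent with "id user" reporting no such user. The NON_INTERACTIVE set is an assumed local policy, not a Samba setting.

```python
"""Audit the passwd/group entries winbind exposes through NSS on a Samba AD DC.

Added example, not from the original post or from Samba. It parses
`getent passwd` / `getent group` output and reports mappings worth reviewing
before pam_winbind is enabled for interactive logins.
"""

# Constructed sample: the WNETINFO entries from the post's getent output, plus
# the local entries they collide with.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
sshd:x:474:476:SSH daemon:/var/lib/sshd:/bin/false
WNETINFO\\administrator:*:0:100::/home/administrator:/bin/bash
WNETINFO\\guest:*:3000012:100::/home/guest:/bin/bash
WNETINFO\\krbtgt:*:3000018:100::/home/krbtgt:/bin/bash
WNETINFO\\jose:*:3000019:100::/home/jose:/bin/bash
WNETINFO\\user:*:3000021:100::/home/user:/bin/bash
"""

SAMPLE_GROUP = """\
root:x:0:
users:x:100:
wheel:x:497:
WNETINFO\\domain admins:x:3000004:
WNETINFO\\domain users:x:100:
"""

# Assumed local policy (not a Samba setting): well-known AD accounts that must
# never get an interactive shell on the DC.
NON_INTERACTIVE = {"krbtgt", "guest"}
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh"}


def parse_nss(text, db):
    """Parse getent output; db is "passwd" (7 fields) or "group" (4 fields).

    Names of the form DOMAIN\\name are split so callers can tell domain
    accounts from local ones.
    """
    nfields = 7 if db == "passwd" else 4
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":", nfields - 1)
        name = fields[0]
        domain, sep, short = name.rpartition("\\")
        entry = {
            "name": name,
            "domain": domain if sep else None,
            "short": short,
            "id": int(fields[2]),
        }
        if db == "passwd":
            entry["gid"] = int(fields[3])
            entry["home"] = fields[5]
            entry["shell"] = fields[6]
        entries.append(entry)
    return entries


def lookup(entries, name):
    """Exact-name lookup, the same matching NSS does for `id` and `su`."""
    for e in entries:
        if e["name"] == name:
            return e
    return None


def id_collisions(entries):
    """Map each uid/gid that is claimed by more than one name to those names."""
    by_id = {}
    for e in entries:
        by_id.setdefault(e["id"], []).append(e["name"])
    return {i: sorted(names) for i, names in by_id.items() if len(names) > 1}


def audit_passwd(entries):
    """Return findings about domain accounts: root-equivalent uids and
    service accounts that received an interactive shell."""
    findings = []
    for e in entries:
        if e["domain"] is None:
            continue
        if e["id"] == 0:
            findings.append(("domain_account_is_root", e["name"]))
        if e["short"].lower() in NON_INTERACTIVE and e["shell"] in INTERACTIVE_SHELLS:
            findings.append(("service_account_has_shell", e["name"], e["shell"]))
    return findings


if __name__ == "__main__":
    users = parse_nss(SAMPLE_PASSWD, "passwd")
    groups = parse_nss(SAMPLE_GROUP, "group")
    print("uid collisions:", id_collisions(users))
    print("gid collisions:", id_collisions(groups))
    for finding in audit_passwd(users):
        print("finding:", finding)
    print("lookup 'user':", lookup(users, "user"))
    print("lookup 'WNETINFO\\user':", lookup(users, "WNETINFO\\user"))
```

On a live system replace the sample strings with the output of `getent passwd` and `getent group`; the parser takes the same format.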


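The sshd log excerpt above, also as an added example (not the post's or Samba's code): a triage script that pairs each "Accepted" line with the most recent pam_winbind failure inside a short window. In the posted lines the NT_STATUS_NO_SUCH_USER failure is logged by sshd[3723] and the login accepted by sshd[3721] is for root, so winbind rejected the name and a module other than pam_winbind let root in; the excerpt therefore does not show an attempt by the domain user. Failures that no accept follows are listed separately, as those are the candidates for a real domain-user problem. The 500 ms window, the rsyslog-style line format and the assumption that the PAM conversation runs in a separate sshd process (hence correlation by time rather than PID) are this example's own.

```python
"""Triage sshd/pam_winbind log lines: which logins were accepted, and was a
pam_winbind failure the last thing winbind said just before each one?

Added example, not code from the original post or from Samba. It assumes the
rsyslog-style format shown in the thread ("ISO-timestamp host prog[pid]: msg")
and an arbitrary 500 ms correlation window.
"""
import re
from datetime import datetime

# Constructed sample: the sshd lines from the post, each joined onto one line.
SAMPLE_LOG = """\
2020-03-02T03:49:22.167299-04:00 wnetin sshd[3723]: pam_winbind(sshd:auth): getting password (0x00000010)
2020-03-02T03:49:22.167601-04:00 wnetin sshd[3723]: pam_winbind(sshd:auth): pam_get_item returned a password
2020-03-02T03:49:22.182994-04:00 wnetin sshd[3723]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: The specified account does not exist.
2020-03-02T03:49:22.186560-04:00 wnetin sshd[3721]: Accepted keyboard-interactive/pam for root from 192.168.0.100 port 45720 ssh2
2020-03-02T03:49:22.195122-04:00 wnetin sshd[3721]: pam_unix(sshd:session): session opened for user root by (uid=0)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
WINBIND_FAIL_RE = re.compile(
    r"pam_winbind\(sshd:auth\): request wbcLogonUser failed: (?P<wbc>\w+), "
    r"PAM error: (?P<pam>\w+) \(\d+\), NTSTATUS: (?P<nt>\w+)"
)
ACCEPT_RE = re.compile(
    r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_sshd(log_text):
    """Yield (timestamp, pid, message) for every sshd line in syslog shape."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("prog") == "sshd":
            yield datetime.fromisoformat(m.group("ts")), int(m.group("pid")), m.group("msg")


def classify_logins(log_text, window_ms=500):
    """Return (logins, unmatched_failures).

    logins: one dict per "Accepted" line with the NTSTATUS of the latest
    pam_winbind failure inside the window (None if there was none).
    unmatched_failures: (timestamp, pid, ntstatus) for pam_winbind failures
    that no accept followed, i.e. candidates for a genuine winbind problem.
    Correlation is by time because the failure and the accept are logged
    under different sshd PIDs (assumption: privsep child vs. parent).
    """
    failures = []  # [timestamp, pid, ntstatus, matched]
    logins = []
    for ts, pid, msg in parse_sshd(log_text):
        fail = WINBIND_FAIL_RE.search(msg)
        if fail:
            failures.append([ts, pid, fail.group("nt"), False])
            continue
        acc = ACCEPT_RE.match(msg)
        if not acc:
            continue
        recent = None
        for entry in reversed(failures):
            delta_ms = (ts - entry[0]).total_seconds() * 1000.0
            if 0 <= delta_ms <= window_ms:
                recent = entry
                break
        status = None
        if recent is not None:
            recent[3] = True
            status = recent[2]
        if status == "NT_STATUS_NO_SUCH_USER":
            verdict = "accepted_by_non_winbind_module"  # winbind did not know the name
        elif status is not None:
            verdict = "accepted_after_winbind_failure"
        else:
            verdict = "accepted"
        logins.append({
            "user": acc.group("user"),
            "pid": pid,
            "method": acc.group("method"),
            "winbind_status": status,
            "verdict": verdict,
        })
    unmatched = [(ts, pid, nt) for ts, pid, nt, matched in failures if not matched]
    return logins, unmatched


if __name__ == "__main__":
    accepted, pending = classify_logins(SAMPLE_LOG)
    for login in accepted:
        print(login)
    print("winbind failures with no accept:", pending)
```

To debug the domain user, look for an "Accepted" or "Failed" line naming that user; a NO_SUCH_USER from pam_winbind that precedes an accept for root is just winbind declining a local account.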