[Samba] authentication issue moving from Samba 4.11.x to 4.13.14
Patrick Goetz
pgoetz at math.utexas.edu
Thu Mar 24 17:30:28 UTC 2022
On 3/22/22 12:22, Gaiseric Vandal via samba wrote:
>
> Yes, Solaris has PAM. the ssh module (assuming password
> authentication is needed) should call the pam_unix module, with in turn
> looks at /etc/nsswitch.conf. I am guessing the issue is that
> somewhere in the stack something is looking for a shadow entry to see if
> the account has expired.
>
So, the PAM/NSS thing is rather confusing. pam_unix does use
nsswitch.conf, so technically can do LDAP authentication, but I think
you also need to have the shadow entry referencing LDAP for this to
work? And Active Directory likely doesn't even have a schema for this?
Not sure, also not sure how pam_unix is written on Solaris. However, we
can certainly do an empirical test.
This is an Ubuntu 20.04 system using Louis van Belle's package repo.
"dhales" is an active directory test user.
Here is /etc/nsswitch.conf:
--------------------------------------------------------
passwd: files systemd winbind
group: files systemd winbind
shadow: files
gshadow: files
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
--------------------------------------------------------
The dhales user is able to successfully ssh to the domain-bound linux
client.
Here is how the Samba package installation sets up
/etc/pam.d/common-auth, which is imported at the very beginning of
/etc/pam.d/sshd:
---------------------------------------------------
auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=2 default=ignore] pam_unix.so nullok try_first_pass
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
---------------------------------------------------
If I comment out the first entry, as in
---------------------------------------------------
# auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=2 default=ignore] pam_unix.so nullok try_first_pass
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
---------------------------------------------------
The dhales user can still ssh to the host. If I comment out the
pam_winbind entry instead:
---------------------------------------------------
auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=2 default=ignore] pam_unix.so nullok try_first_pass
# auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
---------------------------------------------------
The dhales user can still ssh to the host. If I however comment out
both of them, leaving only pam_unix:
---------------------------------------------------
# auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=2 default=ignore] pam_unix.so nullok try_first_pass
# auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
---------------------------------------------------
Then dhales is no longer able to ssh to the host as the password isn't
recognized. Adding winbind to the shadow entry in /etc/nsswitch.conf
does not resolve this issue. You need either pam_krb5 or pam_winbind in
order to ssh to a Samba AD-bound linux client.
It's possible that the second test (3rd example) above only works
because the user credentials are cached on the Ubuntu linux client, but
I did not take the time to clear the cache and test again. If someone
tells me how to clear the winbind cache, I can test this as well, but
the point is you won't be able to authenticate an ssh connection
initiated by a domain user unless you have something other than pam_unix
in or imported into /etc/pam.d/sshd.
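The four tests in the post come down to how Linux-PAM walks an auth stack whose lines use `[success=N default=ignore]` controls. The following Python script, an added example that is not part of the post and not Samba's or Debian's code, simulates that walk over a constructed copy of the quoted common-auth stack and reproduces the post's outcomes. It assumes the stack ends with the `pam_deny.so` / `pam_permit.so` lines that Debian and Ubuntu's common-auth carries (not shown in the post; they are the target of the `success=N` jumps), and it models module outcomes as a constructed set of modules that would return PAM_SUCCESS for the user (pam_unix fails for a domain user with no shadow entry, pam_krb5 and pam_winbind succeed); no real PAM module is called.

```python
import re

# Constructed copy of the common-auth stack quoted in the post. The last two
# lines (pam_deny / pam_permit) are NOT in the post; Debian/Ubuntu's common-auth
# ends with them and they are what the success=N jumps land on, so they are
# assumed here.
COMMON_AUTH = """\
auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=2 default=ignore] pam_unix.so nullok try_first_pass
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""

# Linux-PAM's simple control keywords expressed in their bracketed equivalents.
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

LINE_RE = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")


def parse_stack(text):
    """Return [(actions, module)] for the active auth lines, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparsed line: " + line)
        control, module = m.groups()
        if control.startswith("["):
            actions = dict(tok.split("=", 1) for tok in control[1:-1].split())
        else:
            actions = KEYWORDS[control]
        entries.append((actions, module))
    return entries


def evaluate(entries, succeeding):
    """Walk the stack the way pam_authenticate() does.

    `succeeding` is the set of modules assumed to return PAM_SUCCESS for the
    user under test (a constructed model, no real module is invoked).
    Returns True if the stack as a whole grants authentication.
    """
    state = None   # None: undecided, True: success so far, False: failure recorded
    i = 0
    while i < len(entries):
        actions, module = entries[i]
        ok = module in succeeding
        action = actions.get("success" if ok else "default", actions.get("default", "bad"))
        i += 1
        if action.isdigit():        # success=N: count like "ok", then skip the next N lines
            if state is not False:
                state = ok
            i += int(action)
        elif action == "ok":        # result counts unless a failure was already recorded
            if state is not False:
                state = ok
        elif action == "done":      # like "ok", and stop here if nothing has failed
            if state is not False:
                state = ok
            if state:
                return True
        elif action == "bad":       # record a failure, keep walking
            state = False
        elif action == "die":       # record a failure and stop immediately
            return False
        # "ignore": the line does not affect the result
    return state is True            # an undecided stack is a failure


def comment_out(stack_text, module):
    """Comment out every active line that loads `module`, as the post's tests do."""
    out = []
    for line in stack_text.splitlines():
        if module in line and not line.lstrip().startswith("#"):
            line = "# " + line
        out.append(line)
    return "\n".join(out)


def ssh_allowed(stack_text, succeeding):
    return evaluate(parse_stack(stack_text), succeeding)


# Constructed outcome models: a domain user (no shadow entry, so pam_unix fails;
# Kerberos and winbind succeed) and a local user (only pam_unix succeeds).
DOMAIN_USER = {"pam_krb5.so", "pam_winbind.so", "pam_permit.so"}
LOCAL_USER = {"pam_unix.so", "pam_permit.so"}

if __name__ == "__main__":
    no_krb5 = comment_out(COMMON_AUTH, "pam_krb5.so")
    no_winbind = comment_out(COMMON_AUTH, "pam_winbind.so")
    unix_only = comment_out(no_krb5, "pam_winbind.so")
    for label, stack in [("full stack", COMMON_AUTH), ("pam_krb5 commented", no_krb5),
                         ("pam_winbind commented", no_winbind), ("pam_unix only", unix_only)]:
        print(f"{label:22s} domain user allowed: {ssh_allowed(stack, DOMAIN_USER)}")
```

With the full stack, pam_krb5 succeeds and `success=3` jumps straight over pam_unix, pam_winbind and pam_deny to pam_permit; with either of the two domain modules commented out the other one still jumps past pam_deny; with only pam_unix left, the domain user's failure is ignored and the stack falls through to the `requisite` pam_deny line, which is the "password isn't recognized" result in the post. A local user still authenticates in every variant because pam_unix's `success=2` skips the deny line.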