[Samba] Working through the PAM Offline Authentication Wiki page, but...

John R. Graham john at graham-family.org
Tue Nov 19 16:33:07 UTC 2024


...the tests for initial online login to my newly joined Linux domain 
member machine through ssh are failing. I ran:

     terra ~ # ssh HOME\\jgraham@localhost
     (HOME\jgraham@localhost) Password:
     (HOME\jgraham@localhost) Password:
     (HOME\jgraham@localhost) Password:
     HOME\jgraham@localhost's password:
     Permission denied, please try again.
     HOME\jgraham@localhost's password:
     Received disconnect from ::1 port 22:2: Too many authentication failures
     Disconnected from ::1 port 22

(Password was entered each time it was prompted for.) Log excerpts:

/var/log/messages:

     Nov 19 11:18:29 terra samba-dcerpcd[25488]: [2024/11/19 11:18:29.613623,  0] ../../source3/rpc_server/rpc_host.c:2843(main)
     Nov 19 11:18:29 terra samba-dcerpcd[25488]:   samba-dcerpcd version 4.19.7 started.
     Nov 19 11:18:29 terra samba-dcerpcd[25488]:   Copyright Andrew Tridgell and the Samba Team 1992-2023
     Nov 19 11:18:29 terra rpcd_lsad[25499]: [2024/11/19 11:18:29.696642,  0] ../../source3/rpc_server/rpc_worker.c:1127(rpc_worker_main)
     Nov 19 11:18:29 terra rpcd_lsad[25499]:   rpcd_lsad version 4.19.7 started.
     Nov 19 11:18:29 terra rpcd_lsad[25499]:   Copyright Andrew Tridgell and the Samba Team 1992-2023
     Nov 19 11:18:29 terra rpcd_lsad[25501]: [2024/11/19 11:18:29.739755,  0] ../../source3/rpc_server/rpc_worker.c:1127(rpc_worker_main)
     Nov 19 11:18:29 terra rpcd_lsad[25501]:   rpcd_lsad version 4.19.7 started.
     Nov 19 11:18:29 terra rpcd_lsad[25501]:   Copyright Andrew Tridgell and the Samba Team 1992-2023
     Nov 19 11:18:29 terra rpcd_lsad[25504]: [2024/11/19 11:18:29.790433,  0] ../../source3/rpc_server/rpc_worker.c:1127(rpc_worker_main)
     Nov 19 11:18:29 terra rpcd_lsad[25504]:   rpcd_lsad version 4.19.7 started.
     Nov 19 11:18:29 terra rpcd_lsad[25504]:   Copyright Andrew Tridgell and the Samba Team 1992-2023
     Nov 19 11:18:29 terra rpcd_lsad[25507]: [2024/11/19 11:18:29.822732,  0] ../../source3/rpc_server/rpc_worker.c:1127(rpc_worker_main)
     Nov 19 11:18:29 terra rpcd_lsad[25507]:   rpcd_lsad version 4.19.7 started.
     Nov 19 11:18:29 terra rpcd_lsad[25507]:   Copyright Andrew Tridgell and the Samba Team 1992-2023
     Nov 19 11:18:34 terra sshd-session[25516]: pam_unix(sshd:auth): authentication failure; logname=jgraham uid=0 euid=0 tty=ssh ruser= rhost=::1  user=HOME\jgraham
     Nov 19 11:18:36 terra sshd-session[25479]: error: PAM: Authentication failure for HOME\\jgraham from ::1
     Nov 19 11:18:40 terra sshd-session[25683]: pam_unix(sshd:auth): authentication failure; logname=jgraham uid=0 euid=0 tty=ssh ruser= rhost=::1  user=HOME\jgraham
     Nov 19 11:18:42 terra sshd-session[25479]: error: PAM: Authentication failure for HOME\\jgraham from ::1
     Nov 19 11:18:42 terra sshd-session[25479]: Postponed keyboard-interactive for HOME\\\\jgraham from ::1 port 34982 ssh2 [preauth]
     Nov 19 11:18:46 terra sshd-session[25859]: pam_unix(sshd:auth): authentication failure; logname=jgraham uid=0 euid=0 tty=ssh ruser= rhost=::1  user=HOME\jgraham
     Nov 19 11:18:46 terra sshd-session[25859]: pam_faillock(sshd:auth): Consecutive login failures for user HOME\jgraham account temporarily locked
     Nov 19 11:18:48 terra sshd-session[25479]: error: PAM: Authentication failure for HOME\\jgraham from ::1
     Nov 19 11:19:03 terra sshd-session[25479]: Failed password for HOME\\jgraham from ::1 port 34982 ssh2
     Nov 19 11:19:37 terra sshd-session[25479]: Failed password for HOME\\jgraham from ::1 port 34982 ssh2
     Nov 19 11:19:37 terra sshd-session[25479]: error: maximum authentication attempts exceeded for HOME\\\\jgraham from ::1 port 34982 ssh2 [preauth]
     Nov 19 11:19:37 terra sshd-session[25479]: Disconnecting authenticating user HOME\\\\jgraham ::1 port 34982: Too many authentication failures [preauth]

/var/log/samba/log.winbindd.idmap:

     [2024/11/19 10:28:48.321163,  1] ../../source3/winbindd/idmap_ad.c:289(idmap_ad_tldap_debug)
       idmap_ad_tldap: tldap_context_disconnect: TLDAP_SERVER_DOWN at ../../source3/lib/tldap.c:762
     [2024/11/19 10:28:48.326623,  1] ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
       ldb: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory
     [2024/11/19 10:28:48.326684,  1] ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
       ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with backend 'tdb': Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory

and indeed that file doesn't exist. However, 
"/var/lib/samba/private/secrets.tdb" does exist.

Does any of this suggest what might be going wrong with the ssh session?

Incidentally, the "wbinfo -K" test succeeds:

     terra ~ # wbinfo -K 'HOME\jgraham%redacted-password'
     plaintext kerberos password authentication for [HOME\jgraham] succeeded (requesting cctype: FILE)
     user_flgs: NETLOGON_CACHED_ACCOUNT
     credentials were put in: FILE:/tmp/krb5cc_0

and, maybe less surprisingly, su'ing into the domain user also works:

     terra ~ # sudo su HOME\\jgraham
     HOME\jgraham@terra /root $

My current /etc/samba/smb.conf is:

     [global]
        security = ADS
        workgroup = HOME
        realm = HOME.EXAMPLE.COM
        server string = "John's Terra Workstation"
        server role = member server

        log file = /var/log/samba/log.%m
        log level = 1
        max log size = 50

        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        username map = /etc/samba/user.map

        winbind refresh tickets = yes
        winbind offline logon = yes
        winbind request timeout = 10
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config HOME:backend = ad
        idmap config HOME:schema_mode = rfc2307
        idmap config HOME:range = 10000-9999999
        idmap config HOME:unix_nss_info = yes

        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes

        template shell = /bin/bash
        template homedir = /home/%U

- John
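Added example, not part of the post above and not Samba's or Linux-PAM's own code. The /var/log/messages excerpt shows only pam_unix and pam_faillock entries for the sshd auth stack, and pam_faillock reports the account temporarily locked after the third consecutive failure, while wbinfo -K (which talks to winbindd directly, bypassing PAM) succeeds. The script below models how libpam walks an `auth` stack for a user who exists only in AD, so that pam_unix can never succeed and only pam_winbind can. The two PAM stacks in it are constructed for the example and are not the poster's /etc/pam.d files; whether sshd's stack actually lacks pam_winbind is an assumption here, and is the first thing to verify on the real machine (`grep -r pam_winbind /etc/pam.d/`, following any `include`/`substack` lines; file names vary by distribution). The control-flag evaluation is simplified to `required`, `requisite`, `sufficient` and `[default=die]`.

```python
"""Simulate a Linux-PAM 'auth' stack for a domain user who exists only in AD
(so pam_unix can never succeed) to show how a stack without pam_winbind fails
every attempt and, after `deny` failures, is locked by pam_faillock.
Added example; the pam.d stacks below are constructed, not the poster's."""
from dataclasses import dataclass, field

# Constructed sshd-style auth stack WITHOUT pam_winbind.  Assumption for the
# example only: a stack like this yields only pam_unix/pam_faillock log lines.
STACK_WITHOUT_WINBIND = """\
auth    required      pam_env.so
auth    required      pam_faillock.so preauth silent deny=3 unlock_time=600
auth    sufficient    pam_unix.so try_first_pass nullok
auth    [default=die] pam_faillock.so authfail deny=3 unlock_time=600
auth    sufficient    pam_faillock.so authsucc deny=3 unlock_time=600
auth    required      pam_deny.so
"""

# The same stack with pam_winbind after pam_unix and before the authfail
# entry, so a winbind success ends the stack before faillock counts a failure.
STACK_WITH_WINBIND = STACK_WITHOUT_WINBIND.replace(
    "auth    [default=die] pam_faillock.so authfail",
    "auth    sufficient    pam_winbind.so use_first_pass krb5_auth\n"
    "auth    [default=die] pam_faillock.so authfail",
)


@dataclass
class Entry:
    control: str
    module: str
    args: list = field(default_factory=list)


def parse_auth_stack(text):
    """Return the 'auth' entries of a pam.d file (comments and other module
    types skipped; include/substack lines are not expanded here)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        mtype, control, module, *args = line.split()
        if mtype == "auth":
            entries.append(Entry(control, module, args))
    return entries


def has_winbind(entries):
    return any(e.module == "pam_winbind.so" for e in entries)


def _deny(entry, default=3):
    for a in entry.args:
        if a.startswith("deny="):
            return int(a.split("=", 1)[1])
    return default


def module_result(entry, state):
    """Simplified per-module outcome.  `state` carries faillock's tally across
    attempts and whether the password typed this time is correct."""
    m = entry.module
    if m == "pam_faillock.so":
        mode = entry.args[0]
        if mode == "preauth":             # refuse if already locked
            return state["failures"] < _deny(entry)
        if mode == "authfail":            # record the failure; never succeeds
            state["failures"] += 1
            return False
        if mode == "authsucc":            # reset the tally on success
            state["failures"] = 0
            return True
    if m == "pam_unix.so":
        return False                      # no /etc/passwd entry for an AD user
    if m == "pam_winbind.so":
        return state["password_ok"]
    if m == "pam_deny.so":
        return False
    return True                           # pam_env and friends


def run_auth(entries, state):
    """Walk the stack the way libpam does (simplified): a failed 'required'
    module is remembered but the walk continues; 'requisite' and
    [default=die] stop on failure; 'sufficient' stops on success only when no
    'required' module has failed so far."""
    required_failed = False
    for e in entries:
        ok = module_result(e, state)
        if e.control == "required":
            required_failed = required_failed or not ok
        elif e.control == "requisite" and not ok:
            return False
        elif e.control == "sufficient" and ok and not required_failed:
            return True
        elif e.control == "[default=die]" and not ok:
            return False
    return not required_failed


def login_attempts(stack_text, passwords_ok):
    """Run one login attempt per entry of passwords_ok against the given
    stack; return (per-attempt results, whether faillock now holds a lock)."""
    entries = parse_auth_stack(stack_text)
    deny = next((_deny(e) for e in entries if e.module == "pam_faillock.so"), 3)
    state = {"failures": 0, "password_ok": True}
    results = []
    for ok in passwords_ok:
        state["password_ok"] = ok
        results.append(run_auth(entries, state))
    return results, state["failures"] >= deny


if __name__ == "__main__":
    for name, stack in (("without", STACK_WITHOUT_WINBIND), ("with", STACK_WITH_WINBIND)):
        res, locked = login_attempts(stack, [True] * 4)
        print(f"{name} pam_winbind, correct password x4: {res}, locked={locked}")
    res, locked = login_attempts(STACK_WITH_WINBIND, [False, False, False, True])
    print(f"with pam_winbind, 3 wrong then correct: {res}, locked={locked}")
```

The third run is the caveat worth keeping in mind while testing: once pam_faillock has counted `deny` failures, the `preauth` entry (a `required` module) fails first, so a later correct password is refused even though pam_winbind accepts it, until `unlock_time` passes or the tally is cleared with `faillock --user NAME --reset`. Repeated test logins against a stack that cannot succeed therefore lock the account and mask the effect of any later PAM fix.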
