[Samba] Working through the PAM Offline Authentication Wiki page, but...
John R. Graham
john at graham-family.org
Tue Nov 19 16:33:07 UTC 2024
...the tests for initial online login to my newly joined Linux domain
member machine through ssh are failing. I ran:
terra ~ # ssh HOME\\jgraham@localhost
(HOME\jgraham@localhost) Password:
(HOME\jgraham@localhost) Password:
(HOME\jgraham@localhost) Password:
HOME\jgraham@localhost's password:
Permission denied, please try again.
HOME\jgraham@localhost's password:
Received disconnect from ::1 port 22:2: Too many authentication failures
Disconnected from ::1 port 22
(Password was entered each time it was prompted for.) Log excerpts:
/var/log/messages:
Nov 19 11:18:29 terra samba-dcerpcd[25488]: [2024/11/19 11:18:29.613623, 0] ../../source3/rpc_server/rpc_host.c:2843(main)
Nov 19 11:18:29 terra samba-dcerpcd[25488]: samba-dcerpcd version 4.19.7 started.
Nov 19 11:18:29 terra samba-dcerpcd[25488]: Copyright Andrew Tridgell and the Samba Team 1992-2023
Nov 19 11:18:29 terra rpcd_lsad[25499]: [2024/11/19 11:18:29.696642, 0] ../../source3/rpc_server/rpc_worker.c:1127(rpc_worker_main)
Nov 19 11:18:29 terra rpcd_lsad[25499]: rpcd_lsad version 4.19.7 started.
Nov 19 11:18:29 terra rpcd_lsad[25499]: Copyright Andrew Tridgell and the Samba Team 1992-2023
Nov 19 11:18:29 terra rpcd_lsad[25501]: [2024/11/19 11:18:29.739755, 0] ../../source3/rpc_server/rpc_worker.c:1127(rpc_worker_main)
Nov 19 11:18:29 terra rpcd_lsad[25501]: rpcd_lsad version 4.19.7 started.
Nov 19 11:18:29 terra rpcd_lsad[25501]: Copyright Andrew Tridgell and the Samba Team 1992-2023
Nov 19 11:18:29 terra rpcd_lsad[25504]: [2024/11/19 11:18:29.790433, 0] ../../source3/rpc_server/rpc_worker.c:1127(rpc_worker_main)
Nov 19 11:18:29 terra rpcd_lsad[25504]: rpcd_lsad version 4.19.7 started.
Nov 19 11:18:29 terra rpcd_lsad[25504]: Copyright Andrew Tridgell and the Samba Team 1992-2023
Nov 19 11:18:29 terra rpcd_lsad[25507]: [2024/11/19 11:18:29.822732, 0] ../../source3/rpc_server/rpc_worker.c:1127(rpc_worker_main)
Nov 19 11:18:29 terra rpcd_lsad[25507]: rpcd_lsad version 4.19.7 started.
Nov 19 11:18:29 terra rpcd_lsad[25507]: Copyright Andrew Tridgell and the Samba Team 1992-2023
Nov 19 11:18:34 terra sshd-session[25516]: pam_unix(sshd:auth): authentication failure; logname=jgraham uid=0 euid=0 tty=ssh ruser= rhost=::1 user=HOME\jgraham
Nov 19 11:18:36 terra sshd-session[25479]: error: PAM: Authentication failure for HOME\\jgraham from ::1
Nov 19 11:18:40 terra sshd-session[25683]: pam_unix(sshd:auth): authentication failure; logname=jgraham uid=0 euid=0 tty=ssh ruser= rhost=::1 user=HOME\jgraham
Nov 19 11:18:42 terra sshd-session[25479]: error: PAM: Authentication failure for HOME\\jgraham from ::1
Nov 19 11:18:42 terra sshd-session[25479]: Postponed keyboard-interactive for HOME\\\\jgraham from ::1 port 34982 ssh2 [preauth]
Nov 19 11:18:46 terra sshd-session[25859]: pam_unix(sshd:auth): authentication failure; logname=jgraham uid=0 euid=0 tty=ssh ruser= rhost=::1 user=HOME\jgraham
Nov 19 11:18:46 terra sshd-session[25859]: pam_faillock(sshd:auth): Consecutive login failures for user HOME\jgraham account temporarily locked
Nov 19 11:18:48 terra sshd-session[25479]: error: PAM: Authentication failure for HOME\\jgraham from ::1
Nov 19 11:19:03 terra sshd-session[25479]: Failed password for HOME\\jgraham from ::1 port 34982 ssh2
Nov 19 11:19:37 terra sshd-session[25479]: Failed password for HOME\\jgraham from ::1 port 34982 ssh2
Nov 19 11:19:37 terra sshd-session[25479]: error: maximum authentication attempts exceeded for HOME\\\\jgraham from ::1 port 34982 ssh2 [preauth]
Nov 19 11:19:37 terra sshd-session[25479]: Disconnecting authenticating user HOME\\\\jgraham ::1 port 34982: Too many authentication failures [preauth]
/var/log/samba/log.winbindd.idmap:
[2024/11/19 10:28:48.321163, 1] ../../source3/winbindd/idmap_ad.c:289(idmap_ad_tldap_debug)
  idmap_ad_tldap: tldap_context_disconnect: TLDAP_SERVER_DOWN at ../../source3/lib/tldap.c:762
[2024/11/19 10:28:48.326623, 1] ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
  ldb: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory
[2024/11/19 10:28:48.326684, 1] ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
  ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with backend 'tdb': Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory
and indeed that file doesn't exist. However,
"/var/lib/samba/private/secrets.tdb" does exist.
Does any of this suggest what might be going wrong with the ssh session?
Incidentally, the "wbinfo -K" test succeeds:
terra ~ # wbinfo -K 'HOME\jgraham%redacted-password'
plaintext kerberos password authentication for [HOME\jgraham] succeeded (requesting cctype: FILE)
user_flgs: NETLOGON_CACHED_ACCOUNT
credentials were put in: FILE:/tmp/krb5cc_0
and, maybe less surprisingly, su'ing into the domain user also works:
terra ~ # sudo su HOME\\jgraham
HOME\jgraham@terra /root $
My current /etc/samba/smb.conf is:
[global]
security = ADS
workgroup = HOME
realm = HOME.EXAMPLE.COM
server string = "John's Terra Workstation"
server role = member server
log file = /var/log/samba/log.%m
log level = 1
max log size = 50
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
username map = /etc/samba/user.map
winbind refresh tickets = yes
winbind offline logon = yes
winbind request timeout = 10
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config HOME:backend = ad
idmap config HOME:schema_mode = rfc2307
idmap config HOME:range = 10000-9999999
idmap config HOME:unix_nss_info = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
template shell = /bin/bash
template homedir = /home/%U
- John
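
Added example, not part of the original post: a small triage script that lists which PAM modules actually wrote sshd entries in the /var/log/messages excerpt above, flags an expected module that never logged, and flags a pam_faillock lockout. The function names are hypothetical, and treating pam_winbind as the expected module is an assumption (a module can also run without logging, so its absence is a hint rather than proof).

```python
import re
from collections import defaultdict

# Constructed sample: sshd lines from the /var/log/messages excerpt above,
# with the e-mail line wrapping undone.
SAMPLE = r"""
Nov 19 11:18:34 terra sshd-session[25516]: pam_unix(sshd:auth): authentication failure; logname=jgraham uid=0 euid=0 tty=ssh ruser= rhost=::1 user=HOME\jgraham
Nov 19 11:18:36 terra sshd-session[25479]: error: PAM: Authentication failure for HOME\\jgraham from ::1
Nov 19 11:18:40 terra sshd-session[25683]: pam_unix(sshd:auth): authentication failure; logname=jgraham uid=0 euid=0 tty=ssh ruser= rhost=::1 user=HOME\jgraham
Nov 19 11:18:46 terra sshd-session[25859]: pam_unix(sshd:auth): authentication failure; logname=jgraham uid=0 euid=0 tty=ssh ruser= rhost=::1 user=HOME\jgraham
Nov 19 11:18:46 terra sshd-session[25859]: pam_faillock(sshd:auth): Consecutive login failures for user HOME\jgraham account temporarily locked
Nov 19 11:19:03 terra sshd-session[25479]: Failed password for HOME\\jgraham from ::1 port 34982 ssh2
"""

# Matches the "pam_module(service:phase): message" prefix PAM modules write to syslog.
PAM_RE = re.compile(
    r"\b(?P<module>pam_\w+)\((?P<service>[\w-]+):(?P<phase>\w+)\): (?P<msg>.*)"
)


def pam_modules_seen(log_text, service="sshd"):
    """Return {module: [messages]} for every PAM module that logged for `service`."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = PAM_RE.search(line)
        if m and m["service"] == service:
            seen[m["module"]].append(m["msg"])
    return dict(seen)


def triage(log_text, expected=("pam_winbind",), service="sshd"):
    """Return human-readable findings about the PAM stack as seen in the log."""
    seen = pam_modules_seen(log_text, service)
    findings = []
    for module in expected:  # assumption: these modules should handle the login
        if module not in seen:
            findings.append(
                f"{module} never logged for {service}; "
                f"check that it is in the {service} PAM auth stack"
            )
    if any("locked" in msg for msg in seen.get("pam_faillock", [])):
        findings.append(
            "pam_faillock reports the account locked; "
            "later attempts fail even with the right password"
        )
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
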