winbind pam security problem

Kim Olsen Kim.Olsen at groupgti.com
Tue Jun 12 05:22:11 MDT 2012


Hi,

I have recently implemented winbind to authenticate our users using our domain AD and in order to control access by group I am using the "require-membership-of" argument to pam_winbind.so.  There appears to be a security issue that I came across due to a typo in the membership argument.  If the group does not exist in the domain, the fallback behaviour is to bypass the rest of the pam authentication stack and to allow the user in immediately.  This would seem to be at odds with positive authentication to gain access.  I will post the debug at the end.  Here are my system details:

[root at srv-lon-ftp ~]# cat /etc/issue
CentOS release 6.2 (Final)

[root at srv-lon-ftp ~]# uname -a
Linux srv-lon-ftp 2.6.32-220.7.1.el6.centos.plus.x86_64 #1 SMP Wed Mar 7 11:06:23 GMT 2012 x86_64 x86_64 x86_64 GNU/Linux

[root at srv-lon-ftp ~]# yum list installed | grep winb
samba-winbind.x86_64   3.5.10-116.el6_2 @updates
samba-winbind-clients.x86_64



Here's the line I use in /etc/pam.d/system-auth-ac
auth        sufficient    pam_winbind.so use_first_pass require_membership_of=Linux-Admins

This works fine.  Now I will add a typo to the group name:

auth        sufficient    pam_winbind.so use_first_pass require_membership_of=Linux-AdminsTYPO


tail -f /var/log/secure:

Jun 12 12:11:54 SRV-LON-FTP sshd[6310]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=lt-wall-783.groupgti.net  user=kim.olsen
Jun 12 12:11:54 SRV-LON-FTP sshd[6310]: pam_winbind(sshd:auth): [pamh: 0x7f086602faf0] ENTER: pam_sm_authenticate (flags: 0x0001)
Jun 12 12:11:54 SRV-LON-FTP sshd[6310]: pam_winbind(sshd:auth): [pamh: 0x7f086602faf0] STATE: ITEM(PAM_SERVICE) = "sshd" (0x7f086602fc70)
Jun 12 12:11:54 SRV-LON-FTP sshd[6310]: pam_winbind(sshd:auth): [pamh: 0x7f086602faf0] STATE: ITEM(PAM_USER) = "kim.olsen" (0x7f086602fc90)
Jun 12 12:11:54 SRV-LON-FTP sshd[6310]: pam_winbind(sshd:auth): [pamh: 0x7f086602faf0] STATE: ITEM(PAM_TTY) = "ssh" (0x7f086603afb0)
Jun 12 12:11:54 SRV-LON-FTP sshd[6310]: pam_winbind(sshd:auth): [pamh: 0x7f086602faf0] STATE: ITEM(PAM_RHOST) = "lt-wall-783.groupgti.net" (0x7f0866027d70)
Jun 12 12:11:54 SRV-LON-FTP sshd[6310]: pam_winbind(sshd:auth): [pamh: 0x7f086602faf0] STATE: ITEM(PAM_AUTHTOK) = 0x7f086603df60
Jun 12 12:11:54 SRV-LON-FTP sshd[6310]: pam_winbind(sshd:auth): [pamh: 0x7f086602faf0] STATE: ITEM(PAM_CONV) = 0x7f086603e5f0
Jun 12 12:11:54 SRV-LON-FTP sshd[6310]: pam_winbind(sshd:auth): getting password (0x00001251)
Jun 12 12:11:54 SRV-LON-FTP sshd[6310]: pam_winbind(sshd:auth): pam_get_item returned a password
Jun 12 12:11:54 SRV-LON-FTP sshd[6310]: pam_winbind(sshd:auth): Verify user 'kim.olsen'
Jun 12 12:11:54 SRV-LON-FTP sshd[6310]: pam_winbind(sshd:auth): PAM config: require_membership_of 'Linux-AdminsTYPO'
Jun 12 12:11:54 SRV-LON-FTP sshd[6310]: pam_winbind(sshd:auth): enabling cached login flag
Jun 12 12:11:54 SRV-LON-FTP sshd[6310]: pam_winbind(sshd:auth): no sid given, looking up: Linux-AdminsTYPO
Jun 12 12:11:54 SRV-LON-FTP sshd[6310]: pam_winbind(sshd:auth): could not lookup name: Linux-AdminsTYPO
Jun 12 12:11:54 SRV-LON-FTP sshd[6310]: pam_winbind(sshd:auth): cannot convert group Linux-AdminsTYPO to sid, check if group Linux-AdminsTYPO is valid group.
Jun 12 12:11:54 SRV-LON-FTP sshd[6310]: pam_winbind(sshd:auth): request wbcLogonUser succeeded
Jun 12 12:11:54 SRV-LON-FTP sshd[6310]: pam_winbind(sshd:auth): user 'kim.olsen' granted access

Jun 12 12:11:54 SRV-LON-FTP sshd[6310]: pam_winbind(sshd:auth): Returned user was 'kim.olsen'
Jun 12 12:11:54 SRV-LON-FTP sshd[6310]: pam_winbind(sshd:auth): [pamh: 0x7f086602faf0] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
Jun 12 12:11:54 SRV-LON-FTP sshd[6310]: pam_winbind(sshd:auth): [pamh: 0x7f086602faf0] STATE: ITEM(PAM_SERVICE) = "sshd" (0x7f086602fc70)
Jun 12 12:11:54 SRV-LON-FTP sshd[6310]: pam_winbind(sshd:auth): [pamh: 0x7f086602faf0] STATE: ITEM(PAM_USER) = "kim.olsen" (0x7f086603e200)
Jun 12 12:11:54 SRV-LON-FTP sshd[6310]: pam_winbind(sshd:auth): [pamh: 0x7f086602faf0] STATE: ITEM(PAM_TTY) = "ssh" (0x7f086603afb0)
Jun 12 12:11:54 SRV-LON-FTP sshd[6310]: pam_winbind(sshd:auth): [pamh: 0x7f086602faf0] STATE: ITEM(PAM_RHOST) = "lt-wall-783.groupgti.net" (0x7f0866027d70)
Jun 12 12:11:54 SRV-LON-FTP sshd[6310]: pam_winbind(sshd:auth): [pamh: 0x7f086602faf0] STATE: ITEM(PAM_AUTHTOK) = 0x7f086603df60
Jun 12 12:11:54 SRV-LON-FTP sshd[6310]: pam_winbind(sshd:auth): [pamh: 0x7f086602faf0] STATE: ITEM(PAM_CONV) = 0x7f086603e5f0
Jun 12 12:11:54 SRV-LON-FTP sshd[6310]: pam_winbind(sshd:auth): [pamh: 0x7f086602faf0] STATE: DATA(PAM_WINBIND_LOGONSERVER) = "SRV-LON-DCADDC1" (0x7f0866042040)



This seems to be the problem.  I'm sure winbind should deny the user if the group name is not present.

Hope this helps.

Regards,

Kim Olsen



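A detection check for the behaviour described in the post above, added here as an example and not part of the original message or of Samba itself: it scans pam_winbind debug output for a PAM session in which the require_membership_of group could not be converted to a SID and the user was still granted access. The sample log lines are constructed from the format shown in the post, and the script assumes pam_winbind debug logging is enabled so those messages reach the log.

```python
import re

# Constructed sample, modelled on the pam_winbind debug lines quoted in the post.
# Session 6310 has an unresolvable group and is granted access; session 6402
# resolves its group normally.
SAMPLE_LOG = """\
Jun 12 12:11:54 SRV-LON-FTP sshd[6310]: pam_winbind(sshd:auth): Verify user 'kim.olsen'
Jun 12 12:11:54 SRV-LON-FTP sshd[6310]: pam_winbind(sshd:auth): PAM config: require_membership_of 'Linux-AdminsTYPO'
Jun 12 12:11:54 SRV-LON-FTP sshd[6310]: pam_winbind(sshd:auth): could not lookup name: Linux-AdminsTYPO
Jun 12 12:11:54 SRV-LON-FTP sshd[6310]: pam_winbind(sshd:auth): cannot convert group Linux-AdminsTYPO to sid, check if group Linux-AdminsTYPO is valid group.
Jun 12 12:11:54 SRV-LON-FTP sshd[6310]: pam_winbind(sshd:auth): user 'kim.olsen' granted access
Jun 12 12:15:02 SRV-LON-FTP sshd[6402]: pam_winbind(sshd:auth): Verify user 'jane.doe'
Jun 12 12:15:02 SRV-LON-FTP sshd[6402]: pam_winbind(sshd:auth): PAM config: require_membership_of 'Linux-Admins'
Jun 12 12:15:02 SRV-LON-FTP sshd[6402]: pam_winbind(sshd:auth): user 'jane.doe' granted access
"""

# syslog prefix: timestamp, host, service[pid], then the pam_winbind message body
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ (?P<svc>\w+)\[(?P<pid>\d+)\]: "
    r"pam_winbind\([^)]*\): (?P<msg>.*)$"
)
GROUP_FAIL_RE = re.compile(r"cannot convert group (?P<group>\S+) to sid")
GRANT_RE = re.compile(r"user '(?P<user>[^']+)' granted access")


def find_unverified_grants(log_text):
    """Return (pid, user, group) for every PAM session in which the
    require_membership_of group failed to resolve to a SID and the user
    was nevertheless granted access. Sessions are correlated by PID."""
    failed_group = {}  # pid -> group name that could not be converted
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # pam_unix and other modules are not of interest here
        pid, msg = m.group("pid"), m.group("msg")
        g = GROUP_FAIL_RE.search(msg)
        if g:
            failed_group[pid] = g.group("group")
            continue
        a = GRANT_RE.search(msg)
        if a and pid in failed_group:
            findings.append((pid, a.group("user"), failed_group.pop(pid)))
    return findings


if __name__ == "__main__":
    for pid, user, group in find_unverified_grants(SAMPLE_LOG):
        print(f"sshd[{pid}]: '{user}' granted access although group '{group}' did not resolve")
```

Pointed at /var/log/secure instead of the sample, the same function surfaces any host whose require_membership_of value no longer resolves, which is the condition the post shows leading to an unintended grant.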
