• [Samba] pam_winbind with trusted domain

    From James Dingwall via samba@21:1/5 to All on Mon Mar 13 11:20:01 2017
    Hi,

    I am having problems using pam_winbind to log in as a user in a trusted domain. The arrangement is that Samba is joined to a local domain DOMLOCAL which has a trust setup with DOMREMOTE. getent passwd/group correctly enumerates users and groups from DOMLOCAL.
    If I try getent passwd for the DOMREMOTE account, no result is returned. pam_winbind has a requirement that the user is a member of a group in DOMREMOTE, configured in /etc/security/pam_winbind.conf:

    require_membership_of=DOMREMOTE\linux-admin

    DOMREMOTE is mapped using the idmap rid module:

    idmap config DOMREMOTE : backend = rid
    idmap config DOMREMOTE : range = 4000000001-4010000000

    winbind options in smb.conf are:

    winbind cache time = 10
    winbind enum groups = yes
    winbind enum users = yes
    winbind nested groups = yes
    winbind refresh tickets = yes
    winbind rpc only = yes

    kinit for the testuser@DOMREMOTE.LOCAL works correctly.

    This is on Ubuntu 14.04 with winbind 4.3.11+dfsg-0ubuntu0.14.04.4.

    Enabling debug and debug_state in the pam_winbind auth configuration results in these log messages for an ssh login attempt; I get a similar trace if I try a local logon.

    sshd[9567]: Invalid user DOMREMOTE\\testuser from 192.168.1.1
    sshd[9567]: input_userauth_request: invalid user DOMREMOTE\\\\testuser [preauth]
    sshd[9567]: Postponed keyboard-interactive for invalid user DOMREMOTE\\\\testuser from 192.168.1.1 port 44848 ssh2 [preauth]
    sshd[9569]: pam_unix(sshd:auth): check pass; user unknown
    sshd[9569]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.1
    sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] ENTER: pam_sm_authenticate (flags: 0x0001)
    sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_SERVICE) = "sshd" (0x7fc74c2c9380)
    sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_USER) = "DOMREMOTE\testuser" (0x7fc74c2c9fe0)
    sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_TTY) = "ssh" (0x7fc74c2e15f0)
    sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_RHOST) = "192.168.1.1" (0x7fc74c2e15d0)
    sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_AUTHTOK) = 0x7fc74c2caec0
    sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_CONV) = 0x7fc74c2e0cf0
    sshd[9569]: pam_winbind(sshd:auth): getting password (0x00001389)
    sshd[9569]: pam_winbind(sshd:auth): pam_get_item returned a password
    sshd[9569]: pam_winbind(sshd:auth): Verify user 'DOMREMOTE\testuser'
    sshd[9569]: pam_winbind(sshd:auth): PAM config: krb5_ccache_type 'FILE'
    sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] LEAVE: pam_sm_authenticate returning 10 (PAM_USER_UNKNOWN)
    sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_SERVICE) = "sshd" (0x7fc74c2c9380)
    sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_USER) = "DOMREMOTE\testuser" (0x7fc74c2c9fe0)
    sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_TTY) = "ssh" (0x7fc74c2e15f0)
    sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_RHOST) = "192.168.1.1" (0x7fc74c2e15d0)
    sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_AUTHTOK) = 0x7fc74c2caec0
    sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_CONV) = 0x7fc74c2e0cf0
    sshd[9567]: error: PAM: Authentication failure for illegal user DOMREMOTE\\testuser from 192.168.1.1
    sshd[9567]: Failed keyboard-interactive/pam for invalid user DOMREMOTE\\testuser from 192.168.1.1 port 44848 ssh2
    sshd[9567]: error: maximum authentication attempts exceeded for invalid user DOMREMOTE\\\\testuser from 192.168.1.1 port 44848 ssh2 [preauth]
    sshd[9567]: Disconnecting: Too many authentication failures for DOMREMOTE\\\\testuser [preauth]

    After I execute wbinfo -a testuser@DOMREMOTE.LOCAL%password, this does something which allows the ssh connection to start working, but I would rather pam_winbind did whatever needs to be done behind the scenes :)

    Thanks,
    James

    --
    To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
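Reading the trace above as a defender: sshd logs "Invalid user ..." when its own user lookup fails before PAM authentication runs, and pam_winbind's return code 10 (PAM_USER_UNKNOWN) confirms the name was never resolved, so no credential was actually checked. That makes this a name-resolution problem (NSS/winbind/idmap for the trusted domain), not a rejected password. The Python below is an added example, not code from the post or the Samba project: it parses a trace of this shape and labels each pam_winbind call accordingly. The sample lines are constructed from the post's log; the pids, handle values and the second DOMLOCAL\alice attempt are invented for contrast.

```python
import re
# Constructed sample modelled on the post's sshd/pam_winbind trace (pids, handles and the
# DOMLOCAL\alice attempt are invented for illustration).
SAMPLE_LOG = r"""
sshd[9567]: Invalid user DOMREMOTE\\testuser from 192.168.1.1
sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_USER) = "DOMREMOTE\testuser" (0x7fc74c2c9fe0)
sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_RHOST) = "192.168.1.1" (0x7fc74c2e15d0)
sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] LEAVE: pam_sm_authenticate returning 10 (PAM_USER_UNKNOWN)
sshd[9571]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cbe00] STATE: ITEM(PAM_USER) = "DOMLOCAL\alice" (0x7fc74c2c9fe0)
sshd[9571]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cbe00] LEAVE: pam_sm_authenticate returning 7 (PAM_AUTH_ERR)
"""

LINE_RE = re.compile(r"^sshd\[(\d+)\]: (.*)$")
ITEM_RE = re.compile(r'pam_winbind\(.*ITEM\(PAM_(USER|RHOST)\) = "([^"]*)"')
LEAVE_RE = re.compile(r"pam_winbind\(.*LEAVE: pam_sm_authenticate returning \d+ \((PAM_\w+)\)")
INVALID_RE = re.compile(r"Invalid user (\S+) from \S+")

def norm_user(name):
    # sshd logs the domain separator as "\\": collapse runs of backslashes to one.
    return re.sub(r"\\+", r"\\", name)

def classify(status, user):
    # PAM_USER_UNKNOWN = name never resolved (NSS/winbind lookup); PAM_AUTH_ERR = user resolved, credential rejected.
    if status == "PAM_USER_UNKNOWN":
        qualified = "\\" in user or "@" in user
        return "lookup: " + ("domain-qualified user not resolvable by winbind" if qualified else "user unknown")
    if status == "PAM_AUTH_ERR":
        return "credential: user resolved, password rejected"
    return "other: " + status

def triage(log_text):
    # One record per pam_winbind authenticate call, keyed by the sshd pid that ran it.
    unresolved, calls = set(), {}
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m.groups()
        if inv := INVALID_RE.search(msg):          # sshd's own user lookup failed before PAM
            unresolved.add(norm_user(inv.group(1)))
        if item := ITEM_RE.search(msg):
            rec = calls.setdefault(pid, {"pid": pid, "user": "", "rhost": ""})
            rec[item.group(1).lower()] = norm_user(item.group(2))
        if leave := LEAVE_RE.search(msg):
            rec = calls.setdefault(pid, {"pid": pid, "user": "", "rhost": ""})
            rec["status"] = leave.group(1)
            rec["verdict"] = classify(rec["status"], rec["user"])
            rec["sshd_invalid_user"] = rec["user"] in unresolved
    return list(calls.values())
```

Run it on a real auth log by passing the file contents to triage(); a record with sshd_invalid_user set and a "lookup" verdict for a DOMAIN\user name points at getent/idmap for that domain rather than at the password.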
  • From James Dingwall via samba@21:1/5 to James Dingwall on Fri Mar 17 13:30:02 2017
    On Mon, Mar 13, 2017 at 09:54:40AM +0000, James Dingwall wrote:
    Hi,

    I am having problems using pam_winbind to log in as a user in a trusted domain. The arrangement is that Samba is joined to a local domain DOMLOCAL which has a trust setup with DOMREMOTE. getent passwd/group correctly enumerates users and groups from DOMLOCAL.
    If I try getent passwd for the DOMREMOTE account, no result is returned. pam_winbind has a requirement that the user is a member of a group in DOMREMOTE, configured in /etc/security/pam_winbind.conf:

    require_membership_of=DOMREMOTE\linux-admin

    DOMREMOTE is mapped using the idmap rid module:

    idmap config DOMREMOTE : backend = rid
    idmap config DOMREMOTE : range = 4000000001-4010000000

    winbind options in smb.conf are:

    winbind cache time = 10
    winbind enum groups = yes
    winbind enum users = yes
    winbind nested groups = yes
    winbind refresh tickets = yes
    winbind rpc only = yes

    kinit for the testuser@DOMREMOTE.LOCAL works correctly.

    This is on Ubuntu 14.04 with winbind 4.3.11+dfsg-0ubuntu0.14.04.4.

    Enabling debug and debug_state in the pam_winbind auth configuration results in these log messages for an ssh login attempt; I get a similar trace if I try a local logon.

    sshd[9567]: Invalid user DOMREMOTE\\testuser from 192.168.1.1
    sshd[9567]: input_userauth_request: invalid user DOMREMOTE\\\\testuser [preauth]
    sshd[9567]: Postponed keyboard-interactive for invalid user DOMREMOTE\\\\testuser from 192.168.1.1 port 44848 ssh2 [preauth]
    sshd[9569]: pam_unix(sshd:auth): check pass; user unknown
    sshd[9569]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.1
    sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] ENTER: pam_sm_authenticate (flags: 0x0001)
    sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_SERVICE) = "sshd" (0x7fc74c2c9380)
    sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_USER) = "DOMREMOTE\testuser" (0x7fc74c2c9fe0)
    sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_TTY) = "ssh" (0x7fc74c2e15f0)
    sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_RHOST) = "192.168.1.1" (0x7fc74c2e15d0)
    sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_AUTHTOK) = 0x7fc74c2caec0
    sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_CONV) = 0x7fc74c2e0cf0
    sshd[9569]: pam_winbind(sshd:auth): getting password (0x00001389)
    sshd[9569]: pam_winbind(sshd:auth): pam_get_item returned a password
    sshd[9569]: pam_winbind(sshd:auth): Verify user 'DOMREMOTE\testuser'
    sshd[9569]: pam_winbind(sshd:auth): PAM config: krb5_ccache_type 'FILE'
    sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] LEAVE: pam_sm_authenticate returning 10 (PAM_USER_UNKNOWN)
    sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_SERVICE) = "sshd" (0x7fc74c2c9380)
    sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_USER) = "DOMREMOTE\testuser" (0x7fc74c2c9fe0)
    sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_TTY) = "ssh" (0x7fc74c2e15f0)
    sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_RHOST) = "192.168.1.1" (0x7fc74c2e15d0)
    sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_AUTHTOK) = 0x7fc74c2caec0
    sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_CONV) = 0x7fc74c2e0cf0
    sshd[9567]: error: PAM: Authentication failure for illegal user DOMREMOTE\\testuser from 192.168.1.1
    sshd[9567]: Failed keyboard-interactive/pam for invalid user DOMREMOTE\\testuser from 192.168.1.1 port 44848 ssh2
    sshd[9567]: error: maximum authentication attempts exceeded for invalid user DOMREMOTE\\\\testuser from 192.168.1.1 port 44848 ssh2 [preauth]
    sshd[9567]: Disconnecting: Too many authentication failures for DOMREMOTE\\\\testuser [preauth]

    After I execute wbinfo -a testuser@DOMREMOTE.LOCAL%password, this does something which allows the ssh connection to start working, but I would rather pam_winbind did whatever needs to be done behind the scenes :)


    If I make the trust between forests two-way then winbind will authenticate the user in the remote forest, but unfortunately this is not an acceptable solution. I have also tested winbind 4.4.5+dfsg-2ubuntu5.2 with the same behaviour. I'm running short of hair to pull out now :)

    Thanks,
    James
