pam_winbind with trusted domain

pam_winbind with trusted domain

Samba - General mailing list
Hi,

I am having problems using pam_winbind to log in as a user in a trusted domain.  The arrangement is that Samba is joined to a local domain DOMLOCAL which has a trust set up with DOMREMOTE.  getent passwd/group correctly enumerates users and groups from DOMLOCAL.
If I try getent passwd for the DOMREMOTE account no result is returned.  pam_winbind has a requirement that the user is a member of a group in DOMREMOTE configured in /etc/security/pam_winbind.conf:

require_membership_of=DOMREMOTE\linux-admin

DOMREMOTE is mapped using the idmap rid module:

  idmap config DOMREMOTE : backend = rid
  idmap config DOMREMOTE : range = 4000000001-4010000000

winbind options in smb.conf are:

  winbind cache time = 10
  winbind enum groups = yes
  winbind enum users = yes
  winbind nested groups = yes
  winbind refresh tickets = yes
  winbind rpc only = yes

kinit for the [hidden email] works correctly.

This is on Ubuntu 14.04 with winbind 4.3.11+dfsg-0ubuntu0.14.04.4.

Enabling debug and debug_state for the pam_winbind auth configuration results in these log messages for an ssh login attempt; I get a similar trace if I try a local logon.

sshd[9567]: Invalid user DOMREMOTE\\testuser from 192.168.1.1
sshd[9567]: input_userauth_request: invalid user DOMREMOTE\\\\testuser [preauth]
sshd[9567]: Postponed keyboard-interactive for invalid user DOMREMOTE\\\\testuser from 192.168.1.1 port 44848 ssh2 [preauth]
sshd[9569]: pam_unix(sshd:auth): check pass; user unknown
sshd[9569]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.1
sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] ENTER: pam_sm_authenticate (flags: 0x0001)
sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_SERVICE) = "sshd" (0x7fc74c2c9380)
sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_USER) = "DOMREMOTE\testuser" (0x7fc74c2c9fe0)
sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_TTY) = "ssh" (0x7fc74c2e15f0)
sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_RHOST) = "192.168.1.1" (0x7fc74c2e15d0)
sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_AUTHTOK) = 0x7fc74c2caec0
sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_CONV) = 0x7fc74c2e0cf0
sshd[9569]: pam_winbind(sshd:auth): getting password (0x00001389)
sshd[9569]: pam_winbind(sshd:auth): pam_get_item returned a password
sshd[9569]: pam_winbind(sshd:auth): Verify user 'DOMREMOTE\testuser'
sshd[9569]: pam_winbind(sshd:auth): PAM config: krb5_ccache_type 'FILE'
sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] LEAVE: pam_sm_authenticate returning 10 (PAM_USER_UNKNOWN)
sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_SERVICE) = "sshd" (0x7fc74c2c9380)
sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_USER) = "DOMREMOTE\testuser" (0x7fc74c2c9fe0)
sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_TTY) = "ssh" (0x7fc74c2e15f0)
sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_RHOST) = "192.168.1.1" (0x7fc74c2e15d0)
sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_AUTHTOK) = 0x7fc74c2caec0
sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_CONV) = 0x7fc74c2e0cf0
sshd[9567]: error: PAM: Authentication failure for illegal user DOMREMOTE\\testuser from 192.168.1.1
sshd[9567]: Failed keyboard-interactive/pam for invalid user DOMREMOTE\\testuser from 192.168.1.1 port 44848 ssh2
sshd[9567]: error: maximum authentication attempts exceeded for invalid user DOMREMOTE\\\\testuser from 192.168.1.1 port 44848 ssh2 [preauth]
sshd[9567]: Disconnecting: Too many authentication failures for DOMREMOTE\\\\testuser [preauth]

After I execute wbinfo -a [hidden email]%password this does something which allows the ssh connection to start working, but I would rather pam_winbind does whatever needs to be done behind the scenes :)

Thanks,
James

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
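As an added example (not code from the post or from Samba), here is a small Python triage script that groups the pam_winbind debug lines above by sshd pid and separates a PAM_USER_UNKNOWN result for a trusted-domain user (winbind never resolved the account, so a trust or idmap problem) from an ordinary bad-password failure (PAM_AUTH_ERR), which is the distinction a log reviewer needs before treating the failures as credential guessing. The log sample is constructed from the trace above, and the local domain name DOMLOCAL and the `\` winbind separator are assumptions.

```python
import re

# Constructed sample modelled on the post's sshd/pam_winbind trace, plus a made-up DOMLOCAL attempt (pid 9571) for contrast.
SAMPLE_LOG = r"""
sshd[9569]: pam_unix(sshd:auth): check pass; user unknown
sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_USER) = "DOMREMOTE\testuser" (0x7fc74c2c9fe0)
sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_RHOST) = "192.168.1.1" (0x7fc74c2e15d0)
sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] LEAVE: pam_sm_authenticate returning 10 (PAM_USER_UNKNOWN)
sshd[9571]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cae00] STATE: ITEM(PAM_USER) = "DOMLOCAL\alice" (0x7fc74c2c9fe0)
sshd[9571]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cae00] STATE: ITEM(PAM_RHOST) = "192.168.1.2" (0x7fc74c2e15d0)
sshd[9571]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cae00] LEAVE: pam_sm_authenticate returning 7 (PAM_AUTH_ERR)
"""

LINE_RE = re.compile(r"sshd\[(\d+)\]: pam_winbind\(sshd:auth\): (.*)$")
USER_RE = re.compile(r'ITEM\(PAM_USER\) = "([^"]*)"')
RHOST_RE = re.compile(r'ITEM\(PAM_RHOST\) = "([^"]*)"')
LEAVE_RE = re.compile(r"LEAVE: pam_sm_authenticate returning (\d+) \((\w+)\)")


def classify(attempt, local_domain):
    """Map the pam_sm_authenticate result to a triage verdict.
    PAM_USER_UNKNOWN for a trusted-domain user means winbind never resolved the
    account (trust/idmap problem); that is not the same as a wrong password
    (PAM_AUTH_ERR) and must not be counted as a credential-guessing failure."""
    domain, sep, _ = attempt.get("user", "").rpartition("\\")  # winbind separator "\" assumed
    attempt["domain"] = domain if sep else local_domain
    rc = attempt.get("rc_name")
    foreign = attempt["domain"].upper() != local_domain.upper()
    if rc == "PAM_USER_UNKNOWN":
        attempt["verdict"] = "trusted-domain lookup failure" if foreign else "unknown user"
    else:
        names = {"PAM_AUTH_ERR": "bad credential", "PAM_SUCCESS": "success"}
        attempt["verdict"] = names.get(rc, "incomplete trace")
    return attempt


def parse_attempts(log_text, local_domain="DOMLOCAL"):
    """Group pam_winbind auth lines by sshd pid and classify each attempt."""
    attempts = {}  # pid -> attempt record, in first-seen order
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # pam_unix and sshd's own lines are not part of the winbind trace
        a = attempts.setdefault(m.group(1), {"pid": m.group(1)})
        if u := USER_RE.search(m.group(2)):
            a["user"] = u.group(1)
        elif h := RHOST_RE.search(m.group(2)):
            a["rhost"] = h.group(1)
        elif r := LEAVE_RE.search(m.group(2)):
            a["rc"], a["rc_name"] = int(r.group(1)), r.group(2)
    return [classify(a, local_domain) for a in attempts.values()]
```

Run `parse_attempts(SAMPLE_LOG)` to get one record per sshd child; on a real host, feed it the auth log filtered to `pam_winbind(sshd:auth)` lines.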
Re: pam_winbind with trusted domain

Samba - General mailing list
On Mon, Mar 13, 2017 at 09:54:40AM +0000, James Dingwall wrote:

> Hi,
>
> I am having problems using pam_winbind to log in as a user in a trusted domain.  The arrangement is that Samba is joined to a local domain DOMLOCAL which has a trust set up with DOMREMOTE.  getent passwd/group correctly enumerates users and groups from DOMLOCAL.
> If I try getent passwd for the DOMREMOTE account no result is returned.  pam_winbind has a requirement that the user is a member of a group in DOMREMOTE configured in /etc/security/pam_winbind.conf:
>
> require_membership_of=DOMREMOTE\linux-admin
>
> DOMREMOTE is mapped using the idmap rid module:
>
>   idmap config DOMREMOTE : backend = rid
>   idmap config DOMREMOTE : range = 4000000001-4010000000
>
> winbind options in smb.conf are:
>
>   winbind cache time = 10
>   winbind enum groups = yes
>   winbind enum users = yes
>   winbind nested groups = yes
>   winbind refresh tickets = yes
>   winbind rpc only = yes
>
> kinit for the [hidden email] works correctly.
>
> This is on Ubuntu 14.04 with winbind 4.3.11+dfsg-0ubuntu0.14.04.4.
>
> Enabling debug and debug_state for the pam_winbind auth configuration results in these log messages for an ssh login attempt; I get a similar trace if I try a local logon.
>
> sshd[9567]: Invalid user DOMREMOTE\\testuser from 192.168.1.1
> sshd[9567]: input_userauth_request: invalid user DOMREMOTE\\\\testuser [preauth]
> sshd[9567]: Postponed keyboard-interactive for invalid user DOMREMOTE\\\\testuser from 192.168.1.1 port 44848 ssh2 [preauth]
> sshd[9569]: pam_unix(sshd:auth): check pass; user unknown
> sshd[9569]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.1
> sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] ENTER: pam_sm_authenticate (flags: 0x0001)
> sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_SERVICE) = "sshd" (0x7fc74c2c9380)
> sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_USER) = "DOMREMOTE\testuser" (0x7fc74c2c9fe0)
> sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_TTY) = "ssh" (0x7fc74c2e15f0)
> sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_RHOST) = "192.168.1.1" (0x7fc74c2e15d0)
> sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_AUTHTOK) = 0x7fc74c2caec0
> sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_CONV) = 0x7fc74c2e0cf0
> sshd[9569]: pam_winbind(sshd:auth): getting password (0x00001389)
> sshd[9569]: pam_winbind(sshd:auth): pam_get_item returned a password
> sshd[9569]: pam_winbind(sshd:auth): Verify user 'DOMREMOTE\testuser'
> sshd[9569]: pam_winbind(sshd:auth): PAM config: krb5_ccache_type 'FILE'
> sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] LEAVE: pam_sm_authenticate returning 10 (PAM_USER_UNKNOWN)
> sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_SERVICE) = "sshd" (0x7fc74c2c9380)
> sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_USER) = "DOMREMOTE\testuser" (0x7fc74c2c9fe0)
> sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_TTY) = "ssh" (0x7fc74c2e15f0)
> sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_RHOST) = "192.168.1.1" (0x7fc74c2e15d0)
> sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_AUTHTOK) = 0x7fc74c2caec0
> sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_CONV) = 0x7fc74c2e0cf0
> sshd[9567]: error: PAM: Authentication failure for illegal user DOMREMOTE\\testuser from 192.168.1.1
> sshd[9567]: Failed keyboard-interactive/pam for invalid user DOMREMOTE\\testuser from 192.168.1.1 port 44848 ssh2
> sshd[9567]: error: maximum authentication attempts exceeded for invalid user DOMREMOTE\\\\testuser from 192.168.1.1 port 44848 ssh2 [preauth]
> sshd[9567]: Disconnecting: Too many authentication failures for DOMREMOTE\\\\testuser [preauth]
>
> After I execute wbinfo -a [hidden email]%password this does something which allows the ssh connection to start working, but I would rather pam_winbind does whatever needs to be done behind the scenes :)
>

If I make the trust between forests two way then winbind will authenticate the user in the remote forest, but unfortunately this is not an acceptable solution.  I have also tested winbind 4.4.5+dfsg-2ubuntu5.2 with the same behaviour.  I'm running short of hair to pull out now :)

Thanks,
James
