samba 4.5.8 @ debian 9 - wrong groups IDs for PAM authorization


Samba - General mailing list
Hello list.

I’m using samba4 authorization with debian 8 without any problems. But in debian 9 the very same config causes problems: unable to change GID. Here is my smb.conf:

[global]
        netbios name = testvm
        security = ADS
        workgroup = WRKGRP
        realm = EXAMPLE.COM
        password server = 172.24.0.253
        wins server = 172.24.0.253
        wins proxy = no
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%U
        template shell = /bin/zsh
        client use spnego = yes
        winbind use default domain = yes
        encrypt passwords = yes
        winbind nss info = rfc2307
        winbind refresh tickets = Yes
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        winbind nested groups = yes

        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes
        inherit acls = Yes
        acl group control = yes

        idmap config *:backend = tdb
        idmap config *:range = 70001-80000
        idmap config <win domain>:backend = ad
        idmap config <win domain>:schema_mode = rfc2307
        idmap config <win domain>:range = 3000000-4000000

        socket options = SO_RCVBUF=262144 SO_SNDBUF=262144 SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY

With this configuration on debian 8 the domain user logged in successfully. On debian 9 the domain user failed to log in. Relevant lines in auth.log:

Jul  6 18:58:58 testvm login[1230]: pam_winbind(login:auth): getting password (0x00000000)
Jul  6 18:59:02 testvm login[1230]: pam_winbind(login:auth): user ‘domainuser' granted access
Jul  6 18:59:02 testvm login[1230]: pam_winbind(login:account): user ‘domainuser' granted access
Jul  6 18:59:02 testvm login[1230]: pam_mail(login:session): pam_modutil_drop_priv: change_gid failed: Success
Jul  6 18:59:02 testvm login[1230]: pam_keyinit(login:session): Unable to change GID to 70005 temporarily
Jul  6 18:59:02 testvm login[1230]: pam_unix(login:session): session opened for user domainuser by LOGIN(uid=0)
Jul  6 18:59:02 testvm mkhomedir_helper: PAM unable to change perms on copy /home/domainuser/.profile: Invalid argument
Jul  6 18:59:02 testvm login[1230]: pam_systemd(login:session): Failed to create session: Seat has no VTs but VT number not 0
Jul  6 18:59:02 testvm login[1230]: Permission denied

GID 70005 is «domain admins» group.

AD DC is running samba 4.2.14 on Gentoo. Client OS is running within an LXC container, if it matters.

Any ideas?

--
With best regards,
Stanislav N. aka pztrn
Jabber: [hidden email]
E-Mail: [hidden email]
Blog: http://pztrn.name && http://en.pztrn.name
Telegram: @pztrn
Key ID: B3E1F07E


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Re: samba 4.5.8 @ debian 9 - wrong groups IDs for PAM authorization

Samba - General mailing list
On Fri, 7 Jul 2017 00:13:16 +0500
"Stanislav N. aka pztrn via samba" <[hidden email]> wrote:

> Hello list.
>
> I’m using samba4 authorization with debian 8 without any problems.
> But in debian 9 very same config causes problems - unable to change
> GID. Here is my smb.conf:
>
> [global]
>         netbios name = testvm
>         security = ADS
>         workgroup = WRKGRP
>         realm = EXAMPLE.COM
>         password server = 172.24.0.253
>         wins server = 172.24.0.253
>         wins proxy = no
>         winbind enum users = yes
>         winbind enum groups = yes
>         template homedir = /home/%U
>         template shell = /bin/zsh
>         client use spnego = yes
>         winbind use default domain = yes
>         encrypt passwords = yes
>         winbind nss info = rfc2307
>         winbind refresh tickets = Yes
>         dedicated keytab file = /etc/krb5.keytab
>         kerberos method = secrets and keytab
>         winbind nested groups = yes
>
>         vfs objects = acl_xattr
>         map acl inherit = yes
>         store dos attributes = yes
>         inherit acls = Yes
>         acl group control = yes
>
>         idmap config *:backend = tdb
>         idmap config *:range = 70001-80000
>         idmap config <win domain>:backend = ad
>         idmap config <win domain>:schema_mode = rfc2307
>         idmap config <win domain>:range = 3000000-4000000
>
>         socket options = SO_RCVBUF=262144 SO_SNDBUF=262144
> SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
>

OK, first, I would remove these lines:

        password server = 172.24.0.253
        wins server = 172.24.0.253
        wins proxy = no
        client use spnego = yes
        encrypt passwords = yes
        winbind nested groups = yes
        inherit acls = Yes
        acl group control = yes
        socket options = SO_RCVBUF=262144 SO_SNDBUF=262144 SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY

They are either default settings or shouldn't be set; 'password server',
for instance: you should allow Samba to find the DC (which, by the way,
you should really consider upgrading).

Why are you using the ranges '70001-80000' & '3000000-4000000'?
Is this because the '3000000' range is used on the DC?
Which leads us to the '<win domain>': is this 'WRKGRP' or
'EXAMPLE.COM'?
It should be 'WRKGRP'.

Have you given your users a uidNumber attribute containing a number
between '3000000-4000000'?
Have you also given 'Domain Users' a gidNumber attribute containing a
number in the same range?

Rowland

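An added diagnostic, not code from the thread, that makes Rowland's point concrete: with the two non-overlapping ranges in the config, an ID in 70001-80000 can only have been allocated by the '*' tdb backend, so the GID 70005 in the log was handed out locally and did not come from a gidNumber attribute read through the 'ad' backend. It assumes '<win domain>' is the workgroup 'WRKGRP' and that the ranges do not overlap; the live check at the end is optional and only runs where getent and /etc/samba/smb.conf exist.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): given the idmap ranges in smb.conf,
# report which idmap backend a uid/gid must have come from.
# Constructed smb.conf fragment mirroring the thread's idmap settings, with
# '<win domain>' filled in as the workgroup 'WRKGRP' (per Rowland's reply).
SMB_CONF_SAMPLE='[global]
        workgroup = WRKGRP
        idmap config *:backend = tdb
        idmap config *:range = 70001-80000
        idmap config WRKGRP:backend = ad
        idmap config WRKGRP:schema_mode = rfc2307
        idmap config WRKGRP:range = 3000000-4000000'

# idmap_domain_for_id ID [CONF_TEXT]: prints the idmap domain whose range
# contains ID ('*' = the default allocating backend) or 'none'. Ranges must not
# overlap, so the range an ID falls in identifies the backend that produced it.
idmap_domain_for_id() {
    printf '%s\n' "${2:-$SMB_CONF_SAMPLE}" | awk -v id="$1" '
        /^[ \t]*idmap config .*:range[ \t]*=/ {
            split($0, kv, "=")
            dom = kv[1]
            sub(/^[ \t]*idmap config /, "", dom)
            sub(/:range[ \t]*$/, "", dom)
            split(kv[2], r, "-")
            if (hit == "" && id + 0 >= r[1] + 0 && id + 0 <= r[2] + 0) hit = dom
        }
        END { print (hit == "" ? "none" : hit) }'
}

# idmap_backend_for_id ID [CONF_TEXT]: the backend (tdb, ad, ...) behind ID.
idmap_backend_for_id() {
    dom=$(idmap_domain_for_id "$1" "${2:-$SMB_CONF_SAMPLE}")
    [ "$dom" = none ] && { echo none; return 1; }
    printf '%s\n' "${2:-$SMB_CONF_SAMPLE}" | awk -v dom="$dom" '
        index($0, "idmap config " dom ":backend") {
            split($0, kv, "="); gsub(/[ \t]/, "", kv[2]); print kv[2]; exit
        }'
}

# check_group_mapping GROUP: live check through NSS (needs winbind in
# nsswitch.conf); returns 2 when getent or smb.conf is unavailable.
check_group_mapping() {
    conf=/etc/samba/smb.conf
    command -v getent >/dev/null 2>&1 && [ -r "$conf" ] || return 2
    gid=$(getent group "$1" | cut -d: -f3)
    [ -n "$gid" ] || { echo "group '$1' not resolvable via NSS"; return 1; }
    printf '%s -> gid %s, idmap domain %s, backend %s\n' "$1" "$gid" \
        "$(idmap_domain_for_id "$gid" "$(cat "$conf")")" \
        "$(idmap_backend_for_id "$gid" "$(cat "$conf")")"
}
```

Running `check_group_mapping 'domain admins'` on the affected client would print the tdb backend for GID 70005; a group whose gidNumber is set in AD and whose domain matches the 'ad' idmap block resolves into the 3000000-4000000 range instead.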