Rowland Penny
2024-Nov-19 17:56 UTC
[Samba] Working through the PAM Offline Authentication Wiki page, but...
On Tue, 19 Nov 2024 11:33:07 -0500 "John R. Graham via samba" <samba at lists.samba.org> wrote:

> ...the tests for initial online login to my newly joined Linux domain
> member the machine through ssh are failing. I ran:
>
>     terra ~ # ssh HOME\\jgraham at localhost
>     (HOME\jgraham at localhost) Password:
>     (HOME\jgraham at localhost) Password:
>     (HOME\jgraham at localhost) Password:
>     HOME\jgraham at localhost's password:
>     Permission denied, please try again.
>     HOME\jgraham at localhost's password:
>     Received disconnect from ::1 port 22:2: Too many authentication failures
>     Disconnected from ::1 port 22
>
> (Password was entered each time it was prompted for.) Log excerpts:
>
> /var/log/messages:
>
>     Nov 19 11:18:29 terra samba-dcerpcd[25488]: [2024/11/19 11:18:29.613623,  0] ../../source3/rpc_server/rpc_host.c:2843(main)
>     Nov 19 11:18:29 terra samba-dcerpcd[25488]:   samba-dcerpcd version 4.19.7 started.
>     Nov 19 11:18:29 terra samba-dcerpcd[25488]:   Copyright Andrew Tridgell and the Samba Team 1992-2023
>     Nov 19 11:18:29 terra rpcd_lsad[25499]: [2024/11/19 11:18:29.696642,  0] ../../source3/rpc_server/rpc_worker.c:1127(rpc_worker_main)
>     Nov 19 11:18:29 terra rpcd_lsad[25499]:   rpcd_lsad version 4.19.7 started.
>     Nov 19 11:18:29 terra rpcd_lsad[25499]:   Copyright Andrew Tridgell and the Samba Team 1992-2023
>     Nov 19 11:18:29 terra rpcd_lsad[25501]: [2024/11/19 11:18:29.739755,  0] ../../source3/rpc_server/rpc_worker.c:1127(rpc_worker_main)
>     Nov 19 11:18:29 terra rpcd_lsad[25501]:   rpcd_lsad version 4.19.7 started.
>     Nov 19 11:18:29 terra rpcd_lsad[25501]:   Copyright Andrew Tridgell and the Samba Team 1992-2023
>     Nov 19 11:18:29 terra rpcd_lsad[25504]: [2024/11/19 11:18:29.790433,  0] ../../source3/rpc_server/rpc_worker.c:1127(rpc_worker_main)
>     Nov 19 11:18:29 terra rpcd_lsad[25504]:   rpcd_lsad version 4.19.7 started.
>     Nov 19 11:18:29 terra rpcd_lsad[25504]:   Copyright Andrew Tridgell and the Samba Team 1992-2023
>     Nov 19 11:18:29 terra rpcd_lsad[25507]: [2024/11/19 11:18:29.822732,  0] ../../source3/rpc_server/rpc_worker.c:1127(rpc_worker_main)
>     Nov 19 11:18:29 terra rpcd_lsad[25507]:   rpcd_lsad version 4.19.7 started.
>     Nov 19 11:18:29 terra rpcd_lsad[25507]:   Copyright Andrew Tridgell and the Samba Team 1992-2023
>     Nov 19 11:18:34 terra sshd-session[25516]: pam_unix(sshd:auth): authentication failure; logname=jgraham uid=0 euid=0 tty=ssh ruser= rhost=::1  user=HOME\jgraham
>     Nov 19 11:18:36 terra sshd-session[25479]: error: PAM: Authentication failure for HOME\\jgraham from ::1
>     Nov 19 11:18:40 terra sshd-session[25683]: pam_unix(sshd:auth): authentication failure; logname=jgraham uid=0 euid=0 tty=ssh ruser= rhost=::1  user=HOME\jgraham

At a guess, your PAM stack is incorrect, it doesn't seem to be using winbind, I would expect to see lines like this:

2024-11-19T17:48:38.678440+00:00 devstation sshd[9437]: pam_winbind(sshd:auth): getting password (0x00000388)

Rowland
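The diagnostic Rowland describes (which PAM module is actually handling the sshd auth phase) turned into a script, as an added example that is not code from either poster or from the Samba project. It parses syslog-style `pam_<module>(service:type):` events to count which modules logged for `sshd:auth`, and parses a pam.d fragment to confirm that `pam_winbind.so` is in the auth stack. The log lines are constructed to match the ones quoted in this thread; the two pam.d fragments are hypothetical Debian-style `common-auth` stacks (the `cached_login` and `krb5_auth` options on pam_winbind are the standard ones used for cached/offline logon).

```python
"""Check whether sshd's PAM auth phase is going through pam_winbind.

Added example, not from the thread's posters or the Samba project.
Log samples are constructed to match the shape of the lines quoted
in the thread; the PAM fragments are hypothetical common-auth stacks.
"""
import re
from collections import Counter

# Matches PAM events such as:
#   ... sshd-session[25516]: pam_unix(sshd:auth): authentication failure; ...
#   ... sshd[9437]: pam_winbind(sshd:auth): getting password (0x00000388)
PAM_EVENT = re.compile(
    r"\b(?P<module>pam_\w+)\((?P<service>\w+):(?P<type>\w+)\):\s*(?P<msg>.*)$"
)

# One pam.d line: <type> <control> <module> [args...]; control may be bracketed.
PAM_LINE = re.compile(
    r"^\s*(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]+\]|\S+)\s+(?P<module>\S+)(?P<args>.*)$"
)


def pam_modules_seen(lines, service="sshd", mgmt_type="auth"):
    """Count PAM modules that logged for the given service and management group."""
    counts = Counter()
    for line in lines:
        m = PAM_EVENT.search(line)
        if m and m.group("service") == service and m.group("type") == mgmt_type:
            counts[m.group("module")] += 1
    return counts


def winbind_in_auth_path(lines, service="sshd"):
    """True if at least one pam_winbind auth event was logged for the service."""
    return pam_modules_seen(lines, service, "auth")["pam_winbind"] > 0


def pam_stack(config_text, mgmt_type="auth"):
    """Return [(control, module, args)] for one management group, ignoring comments."""
    stack = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PAM_LINE.match(line)
        if m and m.group("type") == mgmt_type:
            stack.append((m.group("control"), m.group("module"), m.group("args").split()))
    return stack


def stack_uses_winbind(config_text, mgmt_type="auth"):
    """True if pam_winbind.so appears anywhere in that management group's stack."""
    return any(mod.endswith("pam_winbind.so") for _, mod, _ in pam_stack(config_text, mgmt_type))


def diagnose(log_lines, auth_config):
    """Findings a domain-member admin would act on; an empty list means winbind is in the path."""
    findings = []
    if not stack_uses_winbind(auth_config, "auth"):
        findings.append("pam_winbind.so is not in the auth stack")
    seen = pam_modules_seen(log_lines, "sshd", "auth")
    if seen and seen["pam_winbind"] == 0:
        findings.append("sshd auth events logged only by: " + ", ".join(sorted(seen)))
    return findings


# Constructed log lines modelled on the failing login quoted in the thread.
FAILING_LOG = """\
Nov 19 11:18:34 terra sshd-session[25516]: pam_unix(sshd:auth): authentication failure; logname=jgraham uid=0 euid=0 tty=ssh ruser= rhost=::1 user=HOME\\jgraham
Nov 19 11:18:36 terra sshd-session[25479]: error: PAM: Authentication failure for HOME\\\\jgraham from ::1
Nov 19 11:18:40 terra sshd-session[25683]: pam_unix(sshd:auth): authentication failure; logname=jgraham uid=0 euid=0 tty=ssh ruser= rhost=::1 user=HOME\\jgraham
""".splitlines()

# Constructed line modelled on the healthy one Rowland expects to see.
HEALTHY_LOG = [
    "2024-11-19T17:48:38.678440+00:00 devstation sshd[9437]: pam_winbind(sshd:auth): getting password (0x00000388)",
]

# Hypothetical common-auth that never consults winbind.
UNIX_ONLY_AUTH = """\
auth    [success=1 default=ignore]   pam_unix.so nullok
auth    requisite                    pam_deny.so
auth    required                     pam_permit.so
"""

# Hypothetical common-auth with pam_winbind tried before pam_unix.
WINBIND_AUTH = """\
auth    [success=2 default=ignore]   pam_winbind.so krb5_auth cached_login try_first_pass
auth    [success=1 default=ignore]   pam_unix.so nullok try_first_pass
auth    requisite                    pam_deny.so
auth    required                     pam_permit.so
"""

if __name__ == "__main__":
    for label, log, cfg in (("broken", FAILING_LOG, UNIX_ONLY_AUTH),
                            ("working", HEALTHY_LOG, WINBIND_AUTH)):
        print(label, "->", diagnose(log, cfg) or ["winbind is in the sshd auth path"])
```

On a real host, feed it the `pam_` lines grepped from the auth log and the contents of the pam.d file sshd actually includes; a non-empty result from `diagnose` is the same symptom Rowland spotted by eye.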
John R. Graham
2024-Nov-25 14:57 UTC
[Samba] Working through the PAM Offline Authentication Wiki page, but...
On 11/19/24 12:56, Rowland Penny via samba wrote:

> At a guess, your PAM stack is incorrect, it doesn't seem to be using
> winbind, I would expect to see lines like this:
>
> 2024-11-19T17:48:38.678440+00:00 devstation sshd[9437]: pam_winbind(sshd:auth): getting password (0x00000388)
>
> Rowland

Yes, that was it. Thank you! That was a deeper rabbit hole than I had anticipated, requiring learning YASMCL (Yet Another State Machine Configuration Language).

I have a PAM configuration working except for a few corner cases and a few puzzling things. The first of the latter is that bringing the winbind daemon offline with

    smbcontrol winbind offline

doesn't appear to do anything. Commands like

    wbinfo --ping-dc

still show the DC as reachable. I ended up doing my testing with an unplugged network cable but encountered some rather long network timeouts as a result, by which I conclude that an explicit offline state is beneficial.

- John