Mark Cooke
2002-Feb-15 05:41 UTC
[Samba] Advice on: sshd[28182]: PAM pam_set_item: NULL pam handle passed
Hi,

I've got winbind and samba working great (version 2.2.3) on our RH 7.1 boxes.
But as we have about 200 users on our domain, we want to restrict ssh access on our linux boxes.
So I created a group on the NT PDC called: Winbind
In this group, I've only put our developers and us, the sys admins.

In the /etc/ssh/sshd_config, I entered the line: AllowGroups MMEBS+Winbind.

Thus allowing sshd to only allow access to the people in that particular group, whilst not affecting the users who browse the box via network neighborhood.

But this seemed to work fine for a few hrs and now no one in the Winbind group can login to ssh.

Looking through the /var/log/secure, I am getting the error:

Feb 15 10:21:27 yoda sshd[28182]: PAM pam_set_item: NULL pam handle passed
Feb 15 10:21:27 yoda sshd[28182]: PAM pam_set_item: NULL pam handle passed
Feb 15 10:21:27 yoda sshd[28182]: Failed password for illegal user MMEBS+mark from 192.168.*.* port 2166
Feb 15 10:21:29 yoda sshd[28182]: Connection closed by 192.168.*.*

If I comment out the AllowGroups line in the sshd_config, it works fine.
Also getent passwd or getent group reports back correct as well.

I've been looking through google for the past 3 hrs, and cannot seem to find out what exactly is causing the problem, i.e. wrong option in a pam config file?, pam, ssh or samba themselves.

I am running:
ssh: 2.9p2
pam: 0.75
samba: 2.2.3

If anyone could help, that would be appreciated greatly..

Regards
Mark

----- ----------
Mark Cooke
Internet Operations Technician
MM Group Ltd
Tel: 8141 (Internal)
Tel: (0117) 9168141 (External)
Email: mark@mmebs.co.uk
http://www.mmgroup.co.uk
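The /var/log/secure excerpt in the message above, run through a small triage script. This is an added example, not part of the original thread: it groups sshd lines by PID and flags connections where the "NULL pam handle passed" message appears together with an "illegal user" failure. The function names and the last sample line are constructed for illustration.

```python
import re
from collections import defaultdict

# First four lines are the /var/log/secure lines quoted in the post (source
# address masked as posted); the last line is constructed for contrast.
SAMPLE_LOG = """\
Feb 15 10:21:27 yoda sshd[28182]: PAM pam_set_item: NULL pam handle passed
Feb 15 10:21:27 yoda sshd[28182]: PAM pam_set_item: NULL pam handle passed
Feb 15 10:21:27 yoda sshd[28182]: Failed password for illegal user MMEBS+mark from 192.168.*.* port 2166
Feb 15 10:21:29 yoda sshd[28182]: Connection closed by 192.168.*.*
Feb 15 10:25:02 yoda sshd[28190]: Accepted password for localadmin from 192.0.2.10 port 2170
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) sshd\[(\d+)\]: (.*)$")
FAIL_RE = re.compile(r"^Failed password for (illegal user )?(\S+) from (\S+) port (\d+)")
ACCEPT_RE = re.compile(r"^Accepted \S+ for (\S+) from (\S+) port (\d+)")
PAM_NULL = "PAM pam_set_item: NULL pam handle passed"

def summarize(log_text):
    """Group sshd log lines by PID and return one record per connection."""
    sessions = defaultdict(lambda: {"pam_null": 0, "user": None, "src": None,
                                    "result": "unknown", "illegal": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd line in the expected syslog layout
        pid, msg = int(m.group(3)), m.group(4)
        s = sessions[pid]
        if msg == PAM_NULL:
            s["pam_null"] += 1
        elif (f := FAIL_RE.match(msg)):
            s.update(user=f.group(2), src=f.group(3), result="failed",
                     illegal=bool(f.group(1)))
        elif (a := ACCEPT_RE.match(msg)):
            s.update(user=a.group(1), src=a.group(2), result="accepted")
    return dict(sessions)

def illegal_user_with_pam_null(sessions):
    """PIDs that logged 'illegal user' alongside the NULL pam handle message."""
    return sorted(pid for pid, s in sessions.items()
                  if s["illegal"] and s["pam_null"])

if __name__ == "__main__":
    found = summarize(SAMPLE_LOG)
    for pid in illegal_user_with_pam_null(found):
        print(pid, found[pid])
```

Counting flagged PIDs per user before and after commenting out AllowGroups shows whether the failures track that setting or affect every login.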
Andrew Bartlett
2002-Feb-16 13:53 UTC
[Samba] Advice on: sshd[28182]: PAM pam_set_item: NULL pam handlepassed
Mark Cooke wrote:
>
> Hi,
>
> I've got winbind and samba working great (version 2.2.3) on our RH 7.1 boxes.
> But as we have about 200 users on our domain, we want to restrict ssh
> access on our linux boxes.
> So I created a group on the NT PDC called: Winbind
> In this group, I've only put our developers and us, the sys admins.
>
> In the /etc/ssh/sshd_config, I entered the line: AllowGroups MMEBS+Winbind.
>
> Thus allowing sshd to only allow access to the people in that
> particular group, whilst not affecting the users who browse the box via
> network neighborhood.
>
> But this seemed to work fine for a few hrs and now no one in the Winbind
> group can login to ssh.
>
> Looking through the /var/log/secure, I am getting the error:
>
> Feb 15 10:21:27 yoda sshd[28182]: PAM pam_set_item: NULL pam handle passed
> Feb 15 10:21:27 yoda sshd[28182]: PAM pam_set_item: NULL pam handle passed

This basic error has now been 'corrected' in OpenSSH (I'm still debating it a little however). As to weird behaviour with winbind users - I wouldn't be surprised if there is some bug in there somewhere, I'm getting odd behaviour with my LDAP users...

Andrew Bartlett

--
Andrew Bartlett abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet@samba.org
Student Network Administrator, Hawker College abartlet@hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
Mark Cooke
2002-Feb-18 02:12 UTC
[Samba] Advice on: sshd[28182]: PAM pam_set_item: NULL pam handlepassed
> > Looking through the /var/log/secure, I am getting the error:
> >
> > Feb 15 10:21:27 yoda sshd[28182]: PAM pam_set_item: NULL pam handle passed
> > Feb 15 10:21:27 yoda sshd[28182]: PAM pam_set_item: NULL pam handle passed
>
> This basic error has now been 'corrected' in OpenSSH (I'm still debating
> it a little however). As to weird behaviour with winbind users - I
> wouldn't be surprised if there is some bug in there somewhere, I'm
> getting odd behaviour with my LDAP users...
>
> Andrew Bartlett

Hi,

So am I correct in assuming that this is an SSH problem, rather than a winbind one?

As I am now running:
Openssh-3.0.2p1-2
And the error is still there, is the problem fixed in a newer version? Or could it be something else as you mentioned?

Mark

----- ----------
Mark Cooke
Internet Operations Technician
MM Group Ltd
Tel: 8141 (Internal)
Tel: (0117) 9168141 (External)
Email: mark@mmebs.co.uk
http://www.mmgroup.co.uk