I have a RHEL 6.3 machine successfully bound to AD using winbind, and commands like wbinfo -u and wbinfo -g output the users and groups. I can also log in as any AD user. The problem is, I can log on as any AD user. require_membership_of is being ignored. I can put in a valid group with no spaces in the name, a group by SID, and either way, everyone can log in. I've put this option in both /etc/pam.d/system-auth and /etc/security/pam_winbind.conf and any user can log in. Any suggestions, or advice on how I can better troubleshoot this? I'm not seeing anything in the logs that is helpful, but I may not be looking in the right place. I've asked a few other people who have told me "oh, that never works" but I can't imagine that is the case. Running 3.5.10-125.el6 by the way.. Thanks -John John Arends Senior Systems Engineer School of Communication Northwestern University 847-491-5789
John, When you say that you can log on as any AD user, do you mean using SSH? On our systems I use "pam_succeed_if.so user ingroup" in our /etc/pam.d/sshd files, see below: auth include system-auth account required pam_nologin.so #account include system-auth account sufficient pam_succeed_if.so user ingroup local_admin_group account sufficient pam_succeed_if.so user ingroup active_directory_group password include system-auth session optional pam_keyinit.so force revoke session include system-auth session required pam_loginuid.so Note that I comment out "account include system-auth " and add a local admin group so as not to lock out local users. Andrew -----Original Message----- From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of John P Arends Sent: Thursday, January 24, 2013 1:45 PM To: samba at lists.samba.org Subject: [Samba] require_membership_of is ignored I have a RHEL 6.3 machine successfully bound to AD using winbind, and commands like wbinfo -u and wbinfo -g output the users and groups. I can also log in as any AD user. The problem is, I can log on as any AD user. require_membership_of is being ignored. I can put in a valid group with no spaces in the name, a group by SID, and either way, everyone can log in. I've put this option in both /etc/pam.d/system-auth and /etc/security/pam_winbind.conf and any user can log in. Any suggestions, or advice on how I can better troubleshoot this? I'm not seeing anything in the logs that is helpful, but I may not be looking in the right place. I've asked a few other people who have told me "oh, that never works" but I can't imagine that is the case. Running 3.5.10-125.el6 by the way.. Thanks -John John Arends Senior Systems Engineer School of Communication Northwestern University 847-491-5789 -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
I want to make sure if someone also gets local console access somehow they still can't get in. That's my concern with just making changes to how sshd authenticates. (I know nearly nothing about PAM.) On Jan 24, 2013, at 4:21 PM, "Philipoff, Andrew" <aphilipoff at medicine.ucsf.edu> wrote:> John, > > When you say that you can log on as any AD user, do you mean using SSH? On our systems I use "pam_succeed_if.so user ingroup" in our /etc/pam.d/sshd files, see below: > > auth include system-auth > account required pam_nologin.so > #account include system-auth > account sufficient pam_succeed_if.so user ingroup local_admin_group > account sufficient pam_succeed_if.so user ingroup active_directory_group > password include system-auth > session optional pam_keyinit.so force revoke > session include system-auth > session required pam_loginuid.so > > Note that I comment out "account include system-auth " and add a local admin group so as not to lock out local users. > > Andrew > > -----Original Message----- > From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of John P Arends > Sent: Thursday, January 24, 2013 1:45 PM > To: samba at lists.samba.org > Subject: [Samba] require_membership_of is ignored > > I have a RHEL 6.3 machine successfully bound to AD using winbind, and commands like wbinfo -u and wbinfo -g output the users and groups. I can also log in as any AD user. > > The problem is, I can log on as any AD user. > > require_membership_of is being ignored. I can put in a valid group with no spaces in the name, a group by SID, and either way, everyone can log in. > > I've put this option in both /etc/pam.d/system-auth and /etc/security/pam_winbind.conf and any user can log in. > > Any suggestions, or advice on how I can better troubleshoot this? I'm not seeing anything in the logs that is helpful, but I may not be looking in the right place. > > I've asked a few other people who have told me "oh, that never works" but I can't imagine that is the case. > > Running 3.5.10-125.el6 by the way.. > > Thanks > > -John > > John Arends > Senior Systems Engineer > School of Communication > Northwestern University > 847-491-5789 > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
From: John P Arends <jarends at northwestern.edu> Date: Thu, 24 Jan 2013 21:45:13 +0000> The problem is, I can log on as any AD user. > > require_membership_of is being ignored. I can put in a valid group with > no spaces in the name, a group by SID, and either way, everyone can log > in.As far as I examined Samba 3.5.6 shipped with Debian Squeeze, it worked. I added these lines into my smb.conf: ----- obey pam restrictions = yes template shell = /bin/bash ----- Also I added these lines into /etc/pam.d/common_auth: ----- ... pam_winbind.so require-membership-of=W2K8R2AD1\samba01g debug ----- samba01g is a global security group. I tried to login as an user who does not belong to samba01g from other box via ssh and cannnot login with these logs: ----- Jan 27 00:57:06 squeeze64-1 sshd[6261]: pam_winbind(sshd:auth): request wbcLogon User failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_LOGON_FAILURE, Error message was: Logon failure Jan 27 00:57:06 squeeze64-1 sshd[6261]: pam_winbind(sshd:auth): user 'W2K8R2AD1\samba01' denied access (incorrect password or invalid membership) Jan 27 00:57:06 squeeze64-1 sshd[6261]: pam_winbind(sshd:auth): [pamh: 0x7f2a6c630f40] LEAVE: pam_sm_authenticate returning 7 (PAM_AUTH_ERR) ----- To join the user to samba01g, the user can login. --- TAKAHASHI Motonobu <monyo at monyo.com> / @damemonyo facebook.com/takahashi.motonobu