Jason Caylor
2013-Aug-22 11:49 UTC
[Samba] Not Obeying "require_membership_of" winbind.so when "User must change password at next logon"
Okay, so I have an Active Directory server running on Windows Server 2012
Standard
I have configured Samba/Kerberos/Winbind on Ubuntu 13.04 to bind to the DC
properly.
I am able to login with my Active Directory users credentials.
When I use the 'require_membership_of' option in pam.d/common-auth for
winbind.so using the SID of the group I want to restrict access to, it works
like a charm.
There is a drawback to using this it seems. When I go into my AD server and
check the box marked "User must change password at next logon" then
that user, regardless of being apart of the required group, is granted access on
my ubuntu client.
Has anyone ever experienced this before? Would anyone know of a fix?
When I first install winbind and samba I run this command with a ReadOnly
account:
/usr/bin/net ads join -U ${join_user}%${join_pass}
My files are listed below
Common-Account:
Code:
________________________________
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
account requisite pam_deny.so
account required pam_permit.so
________________________________
Common-Auth:
Code:
________________________________
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so
require_membership_of=S-1-5-21-5555555-5555555-5555555-5555 krb5_auth
krb5_ccache_type=FILE cached_login use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_mount.so
auth optional pam_cap.so
________________________________
Common-Password:
Code:
________________________________
password [success=2 default=ignore] pam_unix.so obscure sha512
password [success=1 default=ignore] pam_winbind.so
password requisite pam_deny.so
password required pam_permit.so
password optional pam_gnome_keyring.so
________________________________
Common-Session:
Code:
________________________________
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
session optional pam_winbind.so
session optional pam_mount.so
session optional pam_xdg_support.so
session optional pam_ck_connector.so nox11
________________________________
Common-Session-NonInteractive:
Code:
________________________________
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session optional pam_winbind.so
session optional pam_xdg_support.so
________________________________
/etc/krb5.conf
Code:
________________________________
[logging]
default = FILE:/var/log/krb5.log
[libdefaults]
default_realm = IN.MYCOMPANY.COM
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
[realms]
IN.MYCOMPANY.COM = {
kdc = in.mycompany.com
admin_server = in.mycompany.com
default_domain = in.mycompany.com
}
[domain_realm]
.in.mycompany.com = in.mycompany.com
in.mycompany.com = in.mycompany.com
________________________________
/etc/nsswitch.conf
Code:
________________________________
passwd: files compat ldap winbind
group: files compat ldap winbind
shadow: files compat ldap winbind
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
________________________________
/etc/samba/smb.conf:
Code:
________________________________
[global]
workgroup = inCOMPANY
server string = %h server (Samba, Ubuntu)
netbios name = %h
dns proxy = no
realm = IN.MYCOMPANY.COM
local master = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
wtmp directory = /var/log
utmp = yes
utmp directory = /var/run
security = ADS
client ntlmv2 auth = yes
ntlm auth = no
guest account = nobody
restrict anonymous = 2
idmap backend = tdb
idmap uid = 10000000-30000000
idmap gid = 10000000-30000000
idmap config inIS:backend = rid
idmap config inIS:range = 100000-999999
template shell = /bin/bash
template homedir = /home/%D/%U
winbind separator = +
winbind use default domain = yes
winbind offline logon = true
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = true
winbind cache time = 60
allow trusted domains = yes
smb ports = 445
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
password server = in.mycompany.com
client use spnego = yes
encrypt passwords = no
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n
*password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
map untrusted to domain = Yes
usershare allow guests = yes
load printers = no
Jason Caylor
DevOps Engineer
Ionic Security, Inc.
1170 Peachtree St. NE, Suite 2285
Atlanta, GA 30309
www.ionicsecurity.com<http://www.IonicSecurity.com>
steve
2013-Sep-01 07:56 UTC
[Samba] Not Obeying "require_membership_of" winbind.so when "User must change password at next logon"
On Thu, 2013-08-22 at 11:49 +0000, Jason Caylor wrote:> Okay, so I have an Active Directory server running on Windows Server 2012 Standard > I have configured Samba/Kerberos/Winbind on Ubuntu 13.04 to bind to the DC properly. > I am able to login with my Active Directory users credentials. > When I use the 'require_membership_of' option in pam.d/common-auth for winbind.so using the SID of the group I want to restrict access to, it works like a charm.Hi Say the group with that SID is mygroup. Does: getent group mygroup return a gidNumber? If so, then: Put only the users you want. Then common-account: account required pam_succeed_if.so user ingroup mygroup man pam_succeed_if BTW, I'd strongly advise changing to the ad backend. HTH Steve