Jason Caylor
2013-Aug-22 11:49 UTC
[Samba] Not Obeying "require_membership_of" winbind.so when "User must change password at next logon"
Okay, so I have an Active Directory server running on Windows Server 2012 Standard. I have configured Samba/Kerberos/Winbind on Ubuntu 13.04 to bind to the DC properly. I am able to log in with my Active Directory user's credentials. When I use the 'require_membership_of' option in pam.d/common-auth for winbind.so using the SID of the group I want to restrict access to, it works like a charm.

There is a drawback to using this, it seems. When I go into my AD server and check the box marked "User must change password at next logon" then that user, regardless of being a part of the required group, is granted access on my Ubuntu client.

Has anyone ever experienced this before? Would anyone know of a fix?

When I first install winbind and samba I run this command with a ReadOnly account:

/usr/bin/net ads join -U ${join_user}%${join_pass}

My files are listed below.

Common-Account:
Code:
________________________________
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
account requisite pam_deny.so
account required pam_permit.so
________________________________

Common-Auth:
Code:
________________________________
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so require_membership_of=S-1-5-21-5555555-5555555-5555555-5555 krb5_auth krb5_ccache_type=FILE cached_login use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_mount.so
auth optional pam_cap.so
________________________________

Common-Password:
Code:
________________________________
password [success=2 default=ignore] pam_unix.so obscure sha512
password [success=1 default=ignore] pam_winbind.so
password requisite pam_deny.so
password required pam_permit.so
password optional pam_gnome_keyring.so
________________________________

Common-Session:
Code:
________________________________
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
session optional pam_winbind.so
session optional pam_mount.so
session optional pam_xdg_support.so
session optional pam_ck_connector.so nox11
________________________________

Common-Session-NonInteractive:
Code:
________________________________
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session optional pam_winbind.so
session optional pam_xdg_support.so
________________________________

/etc/krb5.conf
Code:
________________________________
[logging]
default = FILE:/var/log/krb5.log

[libdefaults]
default_realm = IN.MYCOMPANY.COM
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

[realms]
IN.MYCOMPANY.COM = {
kdc = in.mycompany.com
admin_server = in.mycompany.com
default_domain = in.mycompany.com
}

[domain_realm]
.in.mycompany.com = in.mycompany.com
in.mycompany.com = in.mycompany.com
________________________________

/etc/nsswitch.conf
Code:
________________________________
passwd: files compat ldap winbind
group: files compat ldap winbind
shadow: files compat ldap winbind
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
________________________________

/etc/samba/smb.conf:
Code:
________________________________
[global]
workgroup = inCOMPANY
server string = %h server (Samba, Ubuntu)
netbios name = %h
dns proxy = no
realm = IN.MYCOMPANY.COM
local master = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
wtmp directory = /var/log
utmp = yes
utmp directory = /var/run
security = ADS
client ntlmv2 auth = yes
ntlm auth = no
guest account = nobody
restrict anonymous = 2
idmap backend = tdb
idmap uid = 10000000-30000000
idmap gid = 10000000-30000000
idmap config inIS:backend = rid
idmap config inIS:range = 100000-999999
template shell = /bin/bash
template homedir = /home/%D/%U
winbind separator = +
winbind use default domain = yes
winbind offline logon = true
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = true
winbind cache time = 60
allow trusted domains = yes
smb ports = 445
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
password server = in.mycompany.com
client use spnego = yes
encrypt passwords = no
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
map untrusted to domain = Yes
usershare allow guests = yes
load printers = no
________________________________

Jason Caylor
DevOps Engineer
Ionic Security, Inc.
1170 Peachtree St. NE, Suite 2285
Atlanta, GA 30309
www.ionicsecurity.com
steve
2013-Sep-01 07:56 UTC
[Samba] Not Obeying "require_membership_of" winbind.so when "User must change password at next logon"
On Thu, 2013-08-22 at 11:49 +0000, Jason Caylor wrote:
> Okay, so I have an Active Directory server running on Windows Server 2012 Standard
> I have configured Samba/Kerberos/Winbind on Ubuntu 13.04 to bind to the DC properly.
> I am able to log in with my Active Directory user's credentials.
> When I use the 'require_membership_of' option in pam.d/common-auth for winbind.so using the SID of the group I want to restrict access to, it works like a charm.

Hi

Say the group with that SID is mygroup. Does:

getent group mygroup

return a gidNumber? If so, then: put only the users you want. Then common-account:

account required pam_succeed_if.so user ingroup mygroup

man pam_succeed_if

BTW, I'd strongly advise changing to the ad backend.

HTH
Steve
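Where the pam_succeed_if line goes in common-account matters, because the `new_authtok_reqd=done` action on the pam_winbind line ends the stack as soon as winbind reports that a password change is due. The following is an added example, not code from the thread: a simplified model of the pam.conf(5) control-field rules, run over Jason's common-account with Steve's line placed last versus first. The module return values (the MUST_CHANGE dictionary) are constructed inputs; nothing here talks to PAM or winbind.

```python
import re

# Constructed stacks, modelled on the common-account posted above, with
# Steve's pam_succeed_if line appended (LAST) or placed at the top (FIRST).
ACCOUNT_CHECK_LAST = """
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
account requisite pam_deny.so
account required pam_permit.so
account required pam_succeed_if.so user ingroup mygroup
"""
ACCOUNT_CHECK_FIRST = "account required pam_succeed_if.so user ingroup mygroup\n" + \
    "\n".join(ACCOUNT_CHECK_LAST.strip().splitlines()[:4])

# Constructed scenario: a domain user outside mygroup whose account is flagged
# "User must change password at next logon" (pam_winbind -> PAM_NEW_AUTHTOK_REQD).
MUST_CHANGE = {"pam_unix.so": "user_unknown",
               "pam_winbind.so": "new_authtok_reqd",
               "pam_succeed_if.so": "perm_denied"}

# Keyword controls expanded to their bracketed equivalents, as in pam.conf(5).
KEYWORDS = {
    "required":  {"success": "ok", "new_authtok_reqd": "ok", "default": "bad"},
    "requisite": {"success": "ok", "new_authtok_reqd": "ok", "default": "die"},
    "optional":  {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

def parse_line(line):
    """Return (control dict, module name) for one '<type> <control> <module> ...' line."""
    m = re.match(r"\w+\s+(\[[^\]]*\]|\w+)\s+(\S+)", line)
    control, module = m.group(1), m.group(2)
    if control.startswith("["):
        return dict(kv.split("=") for kv in control[1:-1].split()), module
    return KEYWORDS[control], module

def run_stack(stack_text, retvals):
    """Walk the stack and return (final status, modules actually consulted).
    Simplified rules: the first non-success result recorded via ok/bad locks the
    status; 'done' returns immediately while the stack is still positive
    (success or new_authtok_reqd); 'die' returns immediately; N jumps N lines."""
    entries = [parse_line(ln) for ln in stack_text.strip().splitlines()]
    results = {"pam_deny.so": "perm_denied", "pam_permit.so": "success", **retvals}
    status, locked, consulted, i = "success", False, [], 0
    while i < len(entries):
        control, module = entries[i]
        rv = results.get(module, "success")
        consulted.append(module)
        action = control.get(rv, control.get("default", "bad"))
        i += 1
        if action == "ignore":
            continue                      # no contribution to the stack result
        if action in ("ok", "done", "bad", "die"):
            if not locked:
                status, locked = rv, rv != "success"
            if action == "done" and status in ("success", "new_authtok_reqd"):
                return status, consulted  # stack ends here; later lines never run
            if action == "die":
                return status, consulted
        else:
            i += int(action)              # 'success=N': skip the next N modules
    return status, consulted
```

With the check appended, the must-change-password case returns `new_authtok_reqd` after two modules and pam_succeed_if is never consulted; with the check first, the same case is refused with `perm_denied`.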