Hi Team, We have a weird issue that we are trying to understand. We have winbind set up and working successfully for user authentication with passwords via ssh. We have pam.d/system-auth-ac and password-auth-ac (symlinked) set to require membership of a group which works great via password authentication. However, if the user has a ssh key set up, they seem to bypass the group membership requirement. The user isnt defined on the box in either shadow or passwd, they are only defined in AD, but are successfully able to authenticate as shown in the log below. Some logs below: /var/log/secure Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] ENTER: pam_sm_acct_mgmt (flags: 0x0000) Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_SERVICE) = "sshd" (0x7f6b826837d0) Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_USER) = "nathan" (0x7f6b826837f0) Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_TTY) = "ssh" (0x7f6b8268dbd0) Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_RHOST) = "mycomputer.domain.local" (0x7f6b82684610) Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_CONV) = 0x7f6b82683810 Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): user 'nathan' granted access Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] LEAVE: pam_sm_acct_mgmt returning 0 (PAM_SUCCESS) Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_SERVICE) = "sshd" (0x7f6b826837d0) Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_USER) = "nathan" (0x7f6b826837f0) Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_TTY) = "ssh" (0x7f6b8268dbd0) Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_RHOST) = "mycomputer.domain.local" (0x7f6b82684610) Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_CONV) = 0x7f6b82683810 Nov 28 17:34:58 testbox01 sshd[26078]: Accepted publickey for nathan from 1.2.3.4 port 61767 ssh2 System-auth-ac: [root at testbox01 pam.d]# cat system-auth-ac auth required /lib/security/$ISA/pam_env.so auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok auth sufficient /lib/security/$ISA/pam_winbind.so debug debug_state use_first_pass require_membership_of=testbox02_access_sg, testbox02_2_access_sg auth required /lib/security/$ISA/pam_deny.so account required /lib/security/$ISA/pam_unix.so account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet account required /lib/security/$ISA/pam_winbind.so debug debug_state require_membership_of= testbox_access_sg,testbox02_2_access_sg account required /lib/security/$ISA/pam_permit.so password requisite /lib/security/$ISA/pam_cracklib.so retry=3 typepassword sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow password sufficient /lib/security/$ISA/pam_winbind.so use_first_pass password required /lib/security/$ISA/pam_deny.so session required /lib/security/$ISA/pam_limits.so session required /lib/security/$ISA/pam_unix.so session required pam_mkhomedir.so skel=/etc/skel umask=0022 session required /lib/security/$ISA/pam_winbind.so /etc/pam.d/sshd: #%PAM-1.0 auth required pam_sepermit.so auth include password-auth account required pam_nologin.so account include password-auth password include password-auth # pam_selinux.so close should be the first session rule session required pam_selinux.so close session required pam_loginuid.so # pam_selinux.so open should only be followed by sessions to be executed in the user context session required pam_selinux.so open env_params session optional pam_keyinit.so force revoke session include password-auth System information: Linux testbox01 2.6.32-431.el6.x86_64 #1 SMP Sun Nov 10 22:19:54 EST 2013 x86_64 x86_64 x86_64 GNU/Linux Red Hat Enterprise Linux Server release 6.5 (Santiago) Samba packages: 3.6.9-164.el6 Not sure where to go next, or what else to provide. Nathan Frankish | Network & Systems Team Lead Queensland Motorways Pty Limited
Nathan, Could you do the restriction of ssh to group members by putting AllowGroups testbox02_access_sg testbox02_2_access_sg in /etc/ssh/sshd_config, instead of reconfiguring pam? On Thu, Nov 28, 2013 at 07:50:20AM +0000, Nathan Frankish wrote:> Hi Team, > > We have a weird issue that we are trying to understand. We have winbind set up and working successfully for user authentication with passwords via ssh. We have pam.d/system-auth-ac and password-auth-ac (symlinked) set to require membership of a group which works great via password authentication. > > However, if the user has a ssh key set up, they seem to bypass the group membership requirement. The user isnt defined on the box in either shadow or passwd, they are only defined in AD, but are successfully able to authenticate as shown in the log below. > > Some logs below: > > /var/log/secure > Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] ENTER: pam_sm_acct_mgmt (flags: 0x0000) > Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_SERVICE) = "sshd" (0x7f6b826837d0) > Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_USER) = "nathan" (0x7f6b826837f0) > Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_TTY) = "ssh" (0x7f6b8268dbd0) > Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_RHOST) = "mycomputer.domain.local" (0x7f6b82684610) > Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_CONV) = 0x7f6b82683810 > Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): user 'nathan' granted access > Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] LEAVE: pam_sm_acct_mgmt returning 0 (PAM_SUCCESS) > Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_SERVICE) = "sshd" (0x7f6b826837d0) > Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_USER) = "nathan" (0x7f6b826837f0) > Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_TTY) = "ssh" (0x7f6b8268dbd0) > Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_RHOST) = "mycomputer.domain.local" (0x7f6b82684610) > Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_CONV) = 0x7f6b82683810 > Nov 28 17:34:58 testbox01 sshd[26078]: Accepted publickey for nathan from 1.2.3.4 port 61767 ssh2 > > System-auth-ac: > [root at testbox01 pam.d]# cat system-auth-ac > auth required /lib/security/$ISA/pam_env.so > auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok > auth sufficient /lib/security/$ISA/pam_winbind.so debug debug_state use_first_pass require_membership_of=testbox02_access_sg, testbox02_2_access_sg > auth required /lib/security/$ISA/pam_deny.so > > account required /lib/security/$ISA/pam_unix.so > account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet > account required /lib/security/$ISA/pam_winbind.so debug debug_state require_membership_of= testbox_access_sg,testbox02_2_access_sg > account required /lib/security/$ISA/pam_permit.so > > password requisite /lib/security/$ISA/pam_cracklib.so retry=3 type> password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow > password sufficient /lib/security/$ISA/pam_winbind.so use_first_pass > password required /lib/security/$ISA/pam_deny.so > > session required /lib/security/$ISA/pam_limits.so > session required /lib/security/$ISA/pam_unix.so > session required pam_mkhomedir.so skel=/etc/skel umask=0022 > session required /lib/security/$ISA/pam_winbind.so > > /etc/pam.d/sshd: #%PAM-1.0 > auth required pam_sepermit.so > auth include password-auth > account required pam_nologin.so > account include password-auth > password include password-auth > # pam_selinux.so close should be the first session rule > session required pam_selinux.so close > session required pam_loginuid.so > # pam_selinux.so open should only be followed by sessions to be executed in the user context > session required pam_selinux.so open env_params > session optional pam_keyinit.so force revoke > session include password-auth > > > System information: > Linux testbox01 2.6.32-431.el6.x86_64 #1 SMP Sun Nov 10 22:19:54 EST 2013 x86_64 x86_64 x86_64 GNU/Linux > Red Hat Enterprise Linux Server release 6.5 (Santiago) > Samba packages: 3.6.9-164.el6 > > Not sure where to go next, or what else to provide. > > > Nathan Frankish | Network & Systems Team Lead > > > Queensland Motorways Pty Limited-- ___________________________________________________________________________ David Keegel <djk-samba at cyber.com.au> Cyber IT Solutions Pty. Ltd. http://www.cyber.com.au/~djk/ Linux & Unix Systems Administration
On Thu, 2013-11-28 at 07:50 +0000, Nathan Frankish wrote:> Hi Team, > > We have a weird issue that we are trying to understand. We have winbind set up and working successfully for user authentication with passwords via ssh. We have pam.d/system-auth-ac and password-auth-ac (symlinked) set to require membership of a group which works great via password authentication. > > However, if the user has a ssh key set up, they seem to bypass the group membership requirement. The user isnt defined on the box in either shadow or passwd, they are only defined in AD, but are successfully able to authenticate as shown in the log below. > > Some logs below:]: Accepted publickey for nathan from 1.2.3.4 port 61767 ssh2 > > System-auth-ac: > [root at testbox01 pam.d]# cat system-auth-ac > auth required /lib/security/$ISA/pam_env.so > auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok > auth sufficient /lib/security/$ISA/pam_winbind.so debug debug_state use_first_pass require_membership_of=testbox02_access_sg, testbox02_2_access_sg > auth required /lib/security/$ISA/pam_deny.so > > account required /lib/security/$ISA/pam_unix.so > account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet > account required /lib/security/$ISA/pam_winbind.so debug debug_state require_membership_of= testbox_access_sg,testbox02_2_access_sg > account required /lib/security/$ISA/pam_permit.so> Not sure where to go next, or what else to provide.Can you confirm the above text is verbatim, or have extra spaces been inserted? The other issues remain as I described, but I noticed the extra spaces when re-examining the issue and wanted to confirm before I proceeded. (They would make the configuration invalid, I hope). Also, did some tool generate this configuration, or did you just do it based on the manpage? I'm trying to evaluate the possible impact of making this directive illegal for the account module. Thanks, Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
I'm running an AD DC on Samba 4.1.1 (Debian Wheezy underneath), and logging a Ubuntu 13.10 laptop in using samba 3.6.18. Everything works fine with winbind logins. I can even kill the network connection on the laptop and still be able to login as a domain user, However, when I reboot the machine with no network connection, domain users cannot log in, and getent passwd doesn't show any of the domain users. It seems to be the same as this bug: https://bugzilla.samba.org/show_bug.cgi?id=7760 Any ideas how I can get the winbind cache to survive reboots? Riomar Group <http://www.riomargroup.com>*Ron Garc?a-Vidal | President | Riomar Group (A NYC & NYS Certified MBE)* 1315 Prospect Ave., First Floor | Brooklyn, NY 11218 2655 Le Jeune Road, Suite 915 | Coral Gables, FL 33134 (347) 746-6276 | www.riomargroup.com <http://www.rionmargroup.com> ron at riomargroup.com <mailto:ron at riomargroup.com>
I should also mention that I have cached_login in my common-auth file. Is there any info I can provide to help diagnose the problem? -Ron Riomar Group <http://www.riomargroup.com>*Ron Garc?a-Vidal | President | Riomar Group (A NYC & NYS Certified MBE)* 1315 Prospect Ave., First Floor | Brooklyn, NY 11218 2655 Le Jeune Road, Suite 915 | Coral Gables, FL 33134 (347) 746-6276 | www.riomargroup.com <http://www.riomargroup.com> ron at riomargroup.com <mailto:ron at riomargroup.com> On 12/9/2013 11:26 PM, Ron Garc?a-Vidal wrote:> I'm running an AD DC on Samba 4.1.1 (Debian Wheezy underneath), and > logging a Ubuntu 13.10 laptop in using samba 3.6.18. Everything works > fine with winbind logins. I can even kill the network connection on > the laptop and still be able to login as a domain user, > > However, when I reboot the machine with no network connection, domain > users cannot log in, and getent passwd doesn't show any of the domain > users. > > It seems to be the same as this bug: > https://bugzilla.samba.org/show_bug.cgi?id=7760 > > Any ideas how I can get the winbind cache to survive reboots? > > > Riomar Group <http://www.riomargroup.com>*Ron Garc?a-Vidal | President > | Riomar Group (A NYC & NYS Certified MBE)* > 1315 Prospect Ave., First Floor | Brooklyn, NY 11218 > 2655 Le Jeune Road, Suite 915 | Coral Gables, FL 33134 > (347) 746-6276 | www.riomargroup.com <http://www.rionmargroup.com> > ron at riomargroup.com <mailto:ron at riomargroup.com> > > >