Georg Vorlaufer
2014-Jan-02 11:45 UTC
[Samba] pam_winbind fails to authenticate domain users on my debian wheezy domain member servers
Dear list members,

I am running a small Active Directory domain for my home network. Everything is working as expected, except for the authentication of Active Directory users on my machines running Debian Wheezy.

Here is my setup:

1) Active Directory Domain Controller is running on a Raspberry Pi (Raspbian) with Samba compiled from source (v4-1-stable from the git repository)
2) Windows 7 machines can join the domain, domain users can log in
3) OpenSuSE 13.1 machines can join the domain, domain users can log in -- I am using the Samba packages provided with the distribution and winbind for nss/pam
4a) A (virtual) machine running Debian Wheezy (x86_64) using the Samba 4.1.3 packages from SerNet, and
4b) A (QNAP NAS) machine running Debian Wheezy (armel kirkwood) using Samba compiled from source (v4-1-stable from the git repository)

For both machines I have configured nss and pam to use winbind.

Both machines can successfully join the domain as a domain member.
'wbinfo -u' lists all domain users.
'getent passwd user1' and 'id user1' work.
Obtaining Kerberos tickets works.

However, when I try to log in via ssh to either of the two machines using my domain account (georg), I get rejected by the pam_winbind module. However, the Kerberos ticket cache is created during the ssh authentication process (i.e. the file /tmp/krb5cc_10001, where 10001 is the numeric uid of user georg, is created and contains a valid ticket).

Here is the relevant portion of /var/log/auth.log:

Jan 2 12:23:55 websrv sshd[3541]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.107 user=georg
Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh: 0x7f1d54cb2030] ENTER: pam_sm_authenticate (flags: 0x0001)
Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh: 0x7f1d54cb2030] STATE: ITEM(PAM_SERVICE) = "sshd" (0x7f1d54caa2e0)
Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh: 0x7f1d54cb2030] STATE: ITEM(PAM_USER) = "georg" (0x7f1d54ca9f00)
Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh: 0x7f1d54cb2030] STATE: ITEM(PAM_TTY) = "ssh" (0x7f1d54cb21d0)
Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh: 0x7f1d54cb2030] STATE: ITEM(PAM_RHOST) = "192.168.0.107" (0x7f1d54cb21b0)
Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh: 0x7f1d54cb2030] STATE: ITEM(PAM_AUTHTOK) = 0x7f1d54ca83e0
Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh: 0x7f1d54cb2030] STATE: ITEM(PAM_CONV) = 0x7f1d54cb2210
Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): getting password (0x00001189)
Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): pam_get_item returned a password
Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): Verify user 'georg'
Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): PAM config: krb5_ccache_type 'FILE'
Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): enabling krb5 login flag
Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): enabling request for a FILE krb5 ccache
Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_CONNECTION_DISCONNECTED, Error message was: NT_STATUS_CONNECTION_DISCONNECTED
Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'georg')
Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh: 0x7f1d54cb2030] LEAVE: pam_sm_authenticate returning 4 (PAM_SYSTEM_ERR)
Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh: 0x7f1d54cb2030] STATE: ITEM(PAM_SERVICE) = "sshd" (0x7f1d54caa2e0)
Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh: 0x7f1d54cb2030] STATE: ITEM(PAM_USER) = "georg" (0x7f1d54ca9f00)
Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh: 0x7f1d54cb2030] STATE: ITEM(PAM_TTY) = "ssh" (0x7f1d54cb21d0)
Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh: 0x7f1d54cb2030] STATE: ITEM(PAM_RHOST) = "192.168.0.107" (0x7f1d54cb21b0)
Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh: 0x7f1d54cb2030] STATE: ITEM(PAM_AUTHTOK) = 0x7f1d54ca83e0
Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh: 0x7f1d54cb2030] STATE: ITEM(PAM_CONV) = 0x7f1d54cb2210
Jan 2 12:23:56 websrv sshd[3541]: Failed password for georg from 192.168.0.107 port 49619 ssh2

And here is the pam config (/etc/pam.d/common-auth):

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE try_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

My question is whether this is a known behaviour (of pam_winbind) or whether I am doing something fundamentally wrong here.

With kind regards,

Georg
Rowland Penny
2014-Jan-02 12:54 UTC
[Samba] pam_winbind fails to authenticate domain users on my debian wheezy domain member servers
On 02/01/14 11:45, Georg Vorlaufer wrote:
> [SNIP]

Hi, ssh works for me: I can log into an Ubuntu 12.04 samba4 server as a user from a Linux Mint 15 client. My common-auth on the server is very similar to yours, with just a couple of differences.

Yours:

auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE try_first_pass

Mine:

auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass

I also have this at the bottom:

# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config

I do not think that the differences are that great, so the problem is probably somewhere else. I have this in /etc/pam.d/sshd:

# PAM configuration for the Secure Shell service

# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account required pam_access.so

# Standard Un*x authorization.
@include common-account

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
session optional pam_motd.so # [1]

# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so

# Set up SELinux capabilities (need modified pam)
# session required pam_selinux.so multiple

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
session required pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
session required pam_env.so user_readenv=1 envfile=/etc/default/locale

# Standard Un*x password updating.
@include common-password

I also have this line (in common-session):

session required pam_mkhomedir.so skel=/etc/skel/

Check the above. You could also check if AppArmor is getting involved in some way. If this doesn't help, I'll have another think.

Rowland
Bruno La Torre
2014-Jan-03 00:11 UTC
[Samba] pam_winbind fails to authenticate domain users on my debian wheezy domain member servers
Look at https://wiki.samba.org/index.php/Samba4/Winbind for winbind + pam.

2014/1/2 Georg Vorlaufer <georg.vorlaufer at gmail.com>:
> [SNIP]
> However, when I try to login via ssh to either of the two machines using my
> domain account (georg), I get rejected by the pam_winbind module. However,
> the kerberos ticket cache is created during the ssh authentication process
> (i.e. the file /tmp/krb5cc_10001, where 10001 is the numeric uid of user
> georg, is created and contains a valid ticket)
>
> And here is the pam config (/etc/pam.d/common-auth)
>
> #
> # /etc/pam.d/common-auth - authentication settings common to all services
> #
>
> # here are the per-package modules (the "Primary" block)
> auth [success=2 default=ignore] pam_unix.so nullok_secure
> auth [success=1 default=ignore] pam_winbind.so krb5_auth
> krb5_ccache_type=FILE try_first_pass
> # here's the fallback if no module succeeds
> auth requisite pam_deny.so
> # prime the stack with a positive return value if there isn't one already;
> # this avoids us returning an error just because nothing sets a success
> code
> # since the modules above will each just jump around
> auth required pam_permit.so
> # and here are more per-package modules (the "Additional" block)
> # end of pam-auth-update config
>

You must write the pam_winbind.so line before the pam_unix.so line.

bruno
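To show how the quoted common-auth stack and the suggested pam_winbind-first ordering are evaluated, here is an added Python model of the Linux-PAM auth-stack dispatcher; it is not code from Linux-PAM, Samba or anyone in this thread, and the module outcomes are constructed scenarios rather than results from real modules. It reproduces the quoted auth.log outcome (pam_winbind's PAM_SYSTEM_ERR is dropped by default=ignore, so the stack falls through to pam_deny.so and sshd reports a failed password) and shows that when the two lines are reordered the success=N jump counts must be reassigned by position, because a success must still land on pam_permit.so.

```python
"""Simplified model of the Linux-PAM auth-stack dispatcher for the control
fields used in the Debian common-auth quoted in this thread. Added example,
not code from Linux-PAM or Samba; module results are constructed scenarios."""
import re

SUCCESS, AUTH_ERR, SYSTEM_ERR, PERM_DENIED = (
    "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_SYSTEM_ERR", "PAM_PERM_DENIED")
FIXED = {"pam_deny.so": AUTH_ERR, "pam_permit.so": SUCCESS}  # always the same


def run_auth_stack(stack, outcomes):
    """stack: list of (control, module); outcomes: module -> return code.
    Returns the status the application (sshd) gets from pam_authenticate()."""
    failure, succeeded, i = None, False, 0
    while i < len(stack):
        control, module = stack[i]
        rc = FIXED.get(module, outcomes.get(module, AUTH_ERR))
        jump = re.fullmatch(r"success=(\d+) default=ignore", control)
        if jump:
            # success=N counts as "ok" and skips the next N entries; any other
            # code, including PAM_SYSTEM_ERR, is dropped by default=ignore.
            if rc == SUCCESS:
                succeeded = True
                i += int(jump.group(1))
        elif rc == SUCCESS:
            succeeded = True
        else:
            failure = failure or rc        # first failure is what sshd sees
            if control == "requisite":     # requisite fails the stack at once
                return failure
        i += 1
    return failure or (SUCCESS if succeeded else PERM_DENIED)


ORIGINAL = [("success=2 default=ignore", "pam_unix.so"),
            ("success=1 default=ignore", "pam_winbind.so"),
            ("requisite", "pam_deny.so"), ("required", "pam_permit.so")]
# pam_winbind first, jump counts reassigned by position: each success still
# lands on pam_permit.so.
WINBIND_FIRST = [("success=2 default=ignore", "pam_winbind.so"),
                 ("success=1 default=ignore", "pam_unix.so"),
                 ("requisite", "pam_deny.so"), ("required", "pam_permit.so")]
# Lines swapped with their old counts kept: a winbind success skips only
# pam_unix.so and lands on pam_deny.so.
NAIVE_SWAP = [("success=1 default=ignore", "pam_winbind.so"),
              ("success=2 default=ignore", "pam_unix.so"),
              ("requisite", "pam_deny.so"), ("required", "pam_permit.so")]
# Constructed scenarios; a domain user has no /etc/shadow entry, so pam_unix fails.
AS_LOGGED = {"pam_unix.so": AUTH_ERR, "pam_winbind.so": SYSTEM_ERR}  # the auth.log
WINBIND_OK = {"pam_unix.so": AUTH_ERR, "pam_winbind.so": SUCCESS}
LOCAL_USER = {"pam_unix.so": SUCCESS, "pam_winbind.so": AUTH_ERR}
```

Run run_auth_stack(NAIVE_SWAP, WINBIND_OK) against run_auth_stack(WINBIND_FIRST, WINBIND_OK) to see a working winbind login denied purely by stale jump counts.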