Georg Vorlaufer
2014-Jan-02 11:45 UTC
[Samba] pam_winbind fails to authenticate domain users on my debian wheezy domain member servers
Dear list members, I am running a small active directory domain for my home network. Everything is working as expected, except for the authentication of active directory users on my machines running debian wheezy. Here is my setup: 1) Active Directory Domain Controller is running on a raspberrypi (raspbian) with samba compiled from source (v4-1-stable from git repository) 2) WIndows 7 machines can join the domain, domain users can log in 3) OpenSuSE 13.1 machines can join the domain, domain users can log in -- I am using the samba packages provided with the distribution and winbind for nss/pam 4a) A (virtual) machine running Debian Wheezy (x86_64) using the samba4.1.3 packages from sernet and 4b) A (qnap nas) machine running Debian Wheezy (armel kirkwood) using samba compiled from source (v4-1-stable from git repository) For both machines I have configured nss and pam to use winbind Both machines can successfully join the domain as a domain member. 'wbinfo -u' lists all domain users 'getent passwd user1' and 'id user1' works Obtaining kerberos tickets works However, when I try to login via ssh to either of the two machines using my domain account (georg), I get rejected by the pam_winbind module. However, the kerberos ticket cache is created during the ssh authentication process (i.e. the file /tmp/krb5cc_10001, where 10001 is the numeric uid of user georg, is created and contains a valid ticket) Here is the relevant portion of /var/log/auth.log Jan 2 12:23:55 websrv sshd[3541]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.107 user=georg Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh: 0x7f1d54cb2030] ENTER: pam_sm_authenticate (flags: 0x0001) Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh: 0x7f1d54cb2030] STATE: ITEM(PAM_SERVICE) = "sshd" (0x7f1d54caa2e0) Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh: 0x7f1d54cb2030] STATE: ITEM(PAM_USER) = "georg" (0x7f1d54ca9f00) Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh: 0x7f1d54cb2030] STATE: ITEM(PAM_TTY) = "ssh" (0x7f1d54cb21d0) Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh: 0x7f1d54cb2030] STATE: ITEM(PAM_RHOST) = "192.168.0.107" (0x7f1d54cb21b0) Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh: 0x7f1d54cb2030] STATE: ITEM(PAM_AUTHTOK) = 0x7f1d54ca83e0 Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh: 0x7f1d54cb2030] STATE: ITEM(PAM_CONV) = 0x7f1d54cb2210 Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): getting password (0x00001189) Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): pam_get_item returned a password Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): Verify user 'georg' Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): PAM config: krb5_ccache_type 'FILE' Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): enabling krb5 login flag Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): enabling request for a FILE krb5 ccache Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_CONNECTION_DISCONNECTED, Error message was: NT_STATUS_CONNECTION_DISCONNECTED Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'georg') Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh: 0x7f1d54cb2030] LEAVE: pam_sm_authenticate returning 4 (PAM_SYSTEM_ERR) Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh: 0x7f1d54cb2030] STATE: ITEM(PAM_SERVICE) = "sshd" (0x7f1d54caa2e0) Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh: 0x7f1d54cb2030] STATE: ITEM(PAM_USER) = "georg" (0x7f1d54ca9f00) Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh: 0x7f1d54cb2030] STATE: ITEM(PAM_TTY) = "ssh" (0x7f1d54cb21d0) Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh: 0x7f1d54cb2030] STATE: ITEM(PAM_RHOST) = "192.168.0.107" (0x7f1d54cb21b0) Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh: 0x7f1d54cb2030] STATE: ITEM(PAM_AUTHTOK) = 0x7f1d54ca83e0 Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh: 0x7f1d54cb2030] STATE: ITEM(PAM_CONV) = 0x7f1d54cb2210 Jan 2 12:23:56 websrv sshd[3541]: Failed password for georg from 192.168.0.107 port 49619 ssh2 And here is the pam config (/etc/pam.d/common-auth) # # /etc/pam.d/common-auth - authentication settings common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of the authentication modules that define # the central authentication scheme for use on the system # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the # traditional Unix authentication mechanisms. # # As of pam 1.0.1-6, this file is managed by pam-auth-update by default. # To take advantage of this, it is recommended that you configure any # local modules either before or after the default block, and use # pam-auth-update to manage selection of other modules. See # pam-auth-update(8) for details. # here are the per-package modules (the "Primary" block) auth [success=2 default=ignore] pam_unix.so nullok_secure auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE try_first_pass # here's the fallback if no module succeeds auth requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around auth required pam_permit.so # and here are more per-package modules (the "Additional" block) # end of pam-auth-update config My question is, if this is a known behaviour (of pam_winbind) or if I am doing something fundamentally wrong here? With kind regards, Georg
Rowland Penny
2014-Jan-02 12:54 UTC
[Samba] pam_winbind fails to authenticate domain users on my debian wheezy domain member servers
On 02/01/14 11:45, Georg Vorlaufer wrote:> Dear list members, > > I am running a small active directory domain for my home network. > Everything is working as expected, except for the authentication of active > directory users on my machines running debian wheezy. > > Here is my setup: > > 1) Active Directory Domain Controller is running on a raspberrypi > (raspbian) with samba compiled from source (v4-1-stable from git repository) > 2) WIndows 7 machines can join the domain, domain users can log in > 3) OpenSuSE 13.1 machines can join the domain, domain users can log in -- I > am using the samba packages provided with the distribution and winbind for > nss/pam > > 4a) A (virtual) machine running Debian Wheezy (x86_64) using the samba4.1.3 > packages from sernet and > 4b) A (qnap nas) machine running Debian Wheezy (armel kirkwood) using samba > compiled from source (v4-1-stable from git repository) > > For both machines I have configured nss and pam to use winbind > > Both machines can successfully join the domain as a domain member. > 'wbinfo -u' lists all domain users > 'getent passwd user1' and 'id user1' works > Obtaining kerberos tickets works > > However, when I try to login via ssh to either of the two machines using my > domain account (georg), I get rejected by the pam_winbind module. However, > the kerberos ticket cache is created during the ssh authentication process > (i.e. the file /tmp/krb5cc_10001, where 10001 is the numeric uid of user > georg, is created and contains a valid ticket) > > Here is the relevant portion of /var/log/auth.log > > Jan 2 12:23:55 websrv sshd[3541]: pam_unix(sshd:auth): authentication > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.107 > user=georg > Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh: > 0x7f1d54cb2030] ENTER: pam_sm_authenticate (flags: 0x0001) > Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh: > 0x7f1d54cb2030] STATE: ITEM(PAM_SERVICE) = "sshd" (0x7f1d54caa2e0) > Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh: > 0x7f1d54cb2030] STATE: ITEM(PAM_USER) = "georg" (0x7f1d54ca9f00) > Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh: > 0x7f1d54cb2030] STATE: ITEM(PAM_TTY) = "ssh" (0x7f1d54cb21d0) > Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh: > 0x7f1d54cb2030] STATE: ITEM(PAM_RHOST) = "192.168.0.107" (0x7f1d54cb21b0) > Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh: > 0x7f1d54cb2030] STATE: ITEM(PAM_AUTHTOK) = 0x7f1d54ca83e0 > Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh: > 0x7f1d54cb2030] STATE: ITEM(PAM_CONV) = 0x7f1d54cb2210 > Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): getting password > (0x00001189) > Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): pam_get_item > returned a password > Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): Verify user > 'georg' > Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): PAM config: > krb5_ccache_type 'FILE' > Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): enabling krb5 > login flag > Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): enabling request > for a FILE krb5 ccache > Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): request > wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), > NTSTATUS: NT_STATUS_CONNECTION_DISCONNECTED, Error message was: > NT_STATUS_CONNECTION_DISCONNECTED > Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): internal module > error (retval = PAM_SYSTEM_ERR(4), user = 'georg') > Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh: > 0x7f1d54cb2030] LEAVE: pam_sm_authenticate returning 4 (PAM_SYSTEM_ERR) > Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh: > 0x7f1d54cb2030] STATE: ITEM(PAM_SERVICE) = "sshd" (0x7f1d54caa2e0) > Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh: > 0x7f1d54cb2030] STATE: ITEM(PAM_USER) = "georg" (0x7f1d54ca9f00) > Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh: > 0x7f1d54cb2030] STATE: ITEM(PAM_TTY) = "ssh" (0x7f1d54cb21d0) > Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh: > 0x7f1d54cb2030] STATE: ITEM(PAM_RHOST) = "192.168.0.107" (0x7f1d54cb21b0) > Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh: > 0x7f1d54cb2030] STATE: ITEM(PAM_AUTHTOK) = 0x7f1d54ca83e0 > Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh: > 0x7f1d54cb2030] STATE: ITEM(PAM_CONV) = 0x7f1d54cb2210 > Jan 2 12:23:56 websrv sshd[3541]: Failed password for georg from > 192.168.0.107 port 49619 ssh2 > > And here is the pam config (/etc/pam.d/common-auth) > > # > # /etc/pam.d/common-auth - authentication settings common to all services > # > # This file is included from other service-specific PAM config files, > # and should contain a list of the authentication modules that define > # the central authentication scheme for use on the system > # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the > # traditional Unix authentication mechanisms. > # > # As of pam 1.0.1-6, this file is managed by pam-auth-update by default. > # To take advantage of this, it is recommended that you configure any > # local modules either before or after the default block, and use > # pam-auth-update to manage selection of other modules. See > # pam-auth-update(8) for details. > > # here are the per-package modules (the "Primary" block) > auth [success=2 default=ignore] pam_unix.so nullok_secure > auth [success=1 default=ignore] pam_winbind.so krb5_auth > krb5_ccache_type=FILE try_first_pass > # here's the fallback if no module succeeds > auth requisite pam_deny.so > # prime the stack with a positive return value if there isn't one already; > # this avoids us returning an error just because nothing sets a success code > # since the modules above will each just jump around > auth required pam_permit.so > # and here are more per-package modules (the "Additional" block) > # end of pam-auth-update config > > > My question is, if this is a known behaviour (of pam_winbind) or if I am > doing something fundamentally wrong here? > > With kind regards, > > GeorgHi, ssh works for me, I can log into a Ubuntu 12.04 samba4 server as a user from a Linux Mint 15 client. My common-auth on the server is very similar to yours, just a couple of differences: Yours: auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE try_first_pass Mine: auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass I also have this at the bottom: # and here are more per-package modules (the "Additional" block) auth optional pam_cap.so # end of pam-auth-update config I do not think that the differences are that great, so the problem is probably somewhere else, I have this in /etc/pam.d/sshd: # PAM configuration for the Secure Shell service # Standard Un*x authentication. @include common-auth # Disallow non-root logins when /etc/nologin exists. account required pam_nologin.so # Uncomment and edit /etc/security/access.conf if you need to set complex # access limits that are hard to express in sshd_config. # account required pam_access.so # Standard Un*x authorization. @include common-account # Standard Un*x session setup and teardown. @include common-session # Print the message of the day upon successful login. session optional pam_motd.so # [1] # Print the status of the user's mailbox upon successful login. session optional pam_mail.so standard noenv # [1] # Set up user limits from /etc/security/limits.conf. session required pam_limits.so # Set up SELinux capabilities (need modified pam) # session required pam_selinux.so multiple # Read environment variables from /etc/environment and # /etc/security/pam_env.conf. session required pam_env.so # [1] # In Debian 4.0 (etch), locale-related environment variables were moved to # /etc/default/locale, so read that as well. session required pam_env.so user_readenv=1 envfile=/etc/default/locale # Standard Un*x password updating. @include common-password I also have this line (in common-session): session required pam_mkhomedir.so skel=/etc/skel/ Check the above, you could also check if apparmor is getting involved in someway, if this doesn't help, I'll have another think. Rowland
Bruno La Torre
2014-Jan-03 00:11 UTC
[Samba] pam_winbind fails to authenticate domain users on my debian wheezy domain member servers
look at https://wiki.samba.org/index.php/Samba4/Winbind for winbind + pam 2014/1/2 Georg Vorlaufer <georg.vorlaufer at gmail.com>> > [SNIP] > However, when I try to login via ssh to either of the two machines using my > domain account (georg), I get rejected by the pam_winbind module. However, > the kerberos ticket cache is created during the ssh authentication process > (i.e. the file /tmp/krb5cc_10001, where 10001 is the numeric uid of user > georg, is created and contains a valid ticket) > > And here is the pam config (/etc/pam.d/common-auth) > > # > # /etc/pam.d/common-auth - authentication settings common to all services > # > > # here are the per-package modules (the "Primary" block) > auth [success=2 default=ignore] pam_unix.so nullok_secure > auth [success=1 default=ignore] pam_winbind.so krb5_auth > krb5_ccache_type=FILE try_first_pass > # here's the fallback if no module succeeds > auth requisite pam_deny.so > # prime the stack with a positive return value if there isn't one already; > # this avoids us returning an error just because nothing sets a success > code > # since the modules above will each just jump around > auth required pam_permit.so > # and here are more per-package modules (the "Additional" block) > # end of pam-auth-update config > > >you must write pam_winbind.so line before pam_unix.so line. bruno
Maybe Matching Threads
- kerberos ticket on login problem
- pam_winbind with trusted domain
- pam_winbind Appears to need a Network Connection to Succeed at Offline Authentication
- PAM_WINBIND problem with sambaPwdMustChange
- Winbind fails to refresh Kerberos tickets (3.0.25b - Fedora Core 5) - 2nd Try