On Mon, Mar 13, 2017 at 09:54:40AM +0000, James Dingwall wrote:
> Hi,
>
> I am having problems using pam_winbind to log in as a user in a trusted
> domain. The arrangement is that Samba is joined to a local domain DOMLOCAL
> which has a trust setup with DOMREMOTE. getent passwd/group correctly
> enumerates users and groups from DOMLOCAL.
> If I try getent passwd for the DOMREMOTE account no result is returned.
> pam_winbind has a requirement that the user is a member of a group in DOMREMOTE
> configured in /etc/security/pam_winbind.conf:
>
> require_membership_of=DOMREMOTE\linux-admin
>
> DOMREMOTE is mapped using the idmap rid module:
>
> idmap config DOMREMOTE : backend = rid
> idmap config DOMREMOTE : range = 4000000001-4010000000
>
> winbind options in smb.conf are:
>
> winbind cache time = 10
> winbind enum groups = yes
> winbind enum users = yes
> winbind nested groups = yes
> winbind refresh tickets = yes
> winbind rpc only = yes
>
> kinit for testuser@DOMREMOTE.LOCAL works correctly.
>
> This is on Ubuntu 14.04 with winbind 4.3.11+dfsg-0ubuntu0.14.04.4.
>
> Enabling debug debug_state for the pam_winbind auth configuration results in
> these log messages for an ssh login attempt; I get a similar trace if I try a
> local logon.
>
> sshd[9567]: Invalid user DOMREMOTE\\testuser from 192.168.1.1
> sshd[9567]: input_userauth_request: invalid user DOMREMOTE\\\\testuser [preauth]
> sshd[9567]: Postponed keyboard-interactive for invalid user DOMREMOTE\\\\testuser from 192.168.1.1 port 44848 ssh2 [preauth]
> sshd[9569]: pam_unix(sshd:auth): check pass; user unknown
> sshd[9569]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.1
> sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] ENTER: pam_sm_authenticate (flags: 0x0001)
> sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_SERVICE) = "sshd" (0x7fc74c2c9380)
> sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_USER) = "DOMREMOTE\testuser" (0x7fc74c2c9fe0)
> sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_TTY) = "ssh" (0x7fc74c2e15f0)
> sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_RHOST) = "192.168.1.1" (0x7fc74c2e15d0)
> sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_AUTHTOK) = 0x7fc74c2caec0
> sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_CONV) = 0x7fc74c2e0cf0
> sshd[9569]: pam_winbind(sshd:auth): getting password (0x00001389)
> sshd[9569]: pam_winbind(sshd:auth): pam_get_item returned a password
> sshd[9569]: pam_winbind(sshd:auth): Verify user 'DOMREMOTE\testuser'
> sshd[9569]: pam_winbind(sshd:auth): PAM config: krb5_ccache_type 'FILE'
> sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] LEAVE: pam_sm_authenticate returning 10 (PAM_USER_UNKNOWN)
> sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_SERVICE) = "sshd" (0x7fc74c2c9380)
> sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_USER) = "DOMREMOTE\testuser" (0x7fc74c2c9fe0)
> sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_TTY) = "ssh" (0x7fc74c2e15f0)
> sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_RHOST) = "192.168.1.1" (0x7fc74c2e15d0)
> sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_AUTHTOK) = 0x7fc74c2caec0
> sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_CONV) = 0x7fc74c2e0cf0
> sshd[9567]: error: PAM: Authentication failure for illegal user DOMREMOTE\\testuser from 192.168.1.1
> sshd[9567]: Failed keyboard-interactive/pam for invalid user DOMREMOTE\\testuser from 192.168.1.1 port 44848 ssh2
> sshd[9567]: error: maximum authentication attempts exceeded for invalid user DOMREMOTE\\\\testuser from 192.168.1.1 port 44848 ssh2 [preauth]
> sshd[9567]: Disconnecting: Too many authentication failures for DOMREMOTE\\\\testuser [preauth]
>
> After I execute wbinfo -a testuser@DOMREMOTE.LOCAL%password this does
> something which allows the ssh connection to start working, but I would rather
> pam_winbind did whatever needs to be done behind the scenes :)
>
If I make the trust between forests two way then winbind will authenticate the
user in the remote forest, but unfortunately this is not an acceptable solution.
I have also tested winbind 4.4.5+dfsg-2ubuntu5.2 with the same behaviour.
I'm running short of hair to pull out now :)

Thanks,
James
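The quoted trace has a detail that is easy to miss when reading it as a password failure: sshd logs "Invalid user" before any PAM module runs, which means the name never resolved through NSS, and pam_winbind then returns PAM_USER_UNKNOWN rather than PAM_AUTH_ERR. The classifier below is an added example (not code from the thread or from Samba) that pairs those lines per login attempt and separates "account not resolvable" from "account resolved, password rejected", so the right thing gets checked first (getent / idmap range for the trusted domain versus credentials). The log sample is constructed from the quoted messages; the second attempt for DOMLOCAL\alice is hypothetical.

```python
import re

# Constructed sample: the first attempt mirrors the lines quoted in the thread,
# the second (DOMLOCAL\alice, PAM_AUTH_ERR) is hypothetical, added for contrast.
SAMPLE_LOG = r"""
sshd[9567]: Invalid user DOMREMOTE\\testuser from 192.168.1.1
sshd[9569]: pam_unix(sshd:auth): check pass; user unknown
sshd[9569]: pam_winbind(sshd:auth): Verify user 'DOMREMOTE\testuser'
sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] LEAVE: pam_sm_authenticate returning 10 (PAM_USER_UNKNOWN)
sshd[9580]: pam_winbind(sshd:auth): Verify user 'DOMLOCAL\alice'
sshd[9580]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cae00] LEAVE: pam_sm_authenticate returning 7 (PAM_AUTH_ERR)
"""

INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")
VERIFY_RE = re.compile(r"pam_winbind\([^)]+\): Verify user '([^']+)'")
LEAVE_RE = re.compile(r"pam_winbind\([^)]+\): .*LEAVE: pam_sm_authenticate returning (\d+) \((\w+)\)")


def canon(name):
    """sshd doubles backslashes in its own messages (and again in [preauth] lines);
    pam_winbind prints the name as given. Collapse runs of backslashes to one."""
    return re.sub(r"\\+", r"\\", name)


def classify_winbind_auth(log_text):
    """Return one finding per pam_winbind authenticate result: the user, the PAM
    return code/name, and a diagnosis that takes sshd's pre-PAM 'Invalid user'
    line (NSS lookup failure) into account."""
    nss_unknown = set()   # names sshd could not resolve before PAM ran
    current_user = None
    findings = []
    for line in log_text.splitlines():
        m = INVALID_RE.search(line)
        if m:
            nss_unknown.add(canon(m.group(1)))
            continue
        m = VERIFY_RE.search(line)
        if m:
            current_user = canon(m.group(1))
            continue
        m = LEAVE_RE.search(line)
        if not m:
            continue
        code, name = int(m.group(1)), m.group(2)
        if name == "PAM_USER_UNKNOWN" and current_user in nss_unknown:
            diagnosis = "nss_lookup_failed"    # check getent/idmap for the domain, not the password
        elif name == "PAM_USER_UNKNOWN":
            diagnosis = "winbind_user_unknown"
        elif name == "PAM_AUTH_ERR":
            diagnosis = "bad_credentials"      # account resolved, password rejected
        else:
            diagnosis = "success" if name == "PAM_SUCCESS" else "other"
        findings.append({"user": current_user, "pam_code": code,
                         "pam_result": name, "diagnosis": diagnosis})
        current_user = None
    return findings


if __name__ == "__main__":
    for finding in classify_winbind_auth(SAMPLE_LOG):
        print(finding)
```

For the quoted trace this yields nss_lookup_failed for DOMREMOTE\testuser, which matches the earlier observation that getent passwd returns nothing for the DOMREMOTE account.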