samba - Jan 2018 - SSH with User in Member Domain

Uhum, i tested with ssh:

  ssh XXX at FILESERVER

  journalctl -f

Jan 16 18:28:42 HOSTNAME  sshd[2250]: pam_unix(sshd:auth): 
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
rhost=IP-SOURCE  user=XXXXX
Jan 16 18:28:43 HOSTNAME  sshd[2250]: Failed password for XXXX from 
IP-SOURCE  port 39896 ssh2

Regards;



On 16-01-2018 18:25, Rowland Penny via samba wrote:
> On Tue, 16 Jan 2018 18:10:00 -0200
> Carlos via samba <samba at lists.samba.org> wrote:
>
>> Yes and the permissions are ok too.
>>
>> getent passwd XXXX
>> XXXX:*:11109:10513::/home/<DOMAIN>/XXXXX:/bin/bash
>>
> Good, just checking that the users are know and winbind & nsswitch is
> working.
>
>> I exected comand(simulated ssh):
>>
>> login XXXX
> That is not how I would use ssh (in fact you don't seem to be using
ssh)
>
> rowland at devstation:~$ ssh rowland at dc3
> rowland at dc3's password:
> Linux dc3 3.16.0-4-amd64 #1 SMP Debian 3.16.43-2+deb8u1 (2017-06-18) x86_64
>
> The programs included with the Devuan GNU/Linux system are free software;
> the exact distribution terms for each program are described in the
> individual files in /usr/share/doc/*/copyright.
>
> Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
> permitted by applicable law.
> Last login: Tue Jan 16 20:16:04 2018 from devstation.samdom.example.com
>
> The programs included with the Devuan GNU/Linux system are free software;
> the exact distribution terms for each program are described in the
> individual files in /usr/share/doc/*/copyright.
>
> Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
> permitted by applicable law.
> SAMDOM\rowland at dc3:~$
>
> Rowland
>

On Tue, 16 Jan 2018 18:31:31 -0200
Carlos via samba <samba at lists.samba.org> wrote:
> Uhum, i tested with ssh:
> 
>   ssh XXX at FILESERVER
> 
>   journalctl -f
> 
> Jan 16 18:28:42 HOSTNAME  sshd[2250]: pam_unix(sshd:auth): 
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
> rhost=IP-SOURCE  user=XXXXX
> Jan 16 18:28:43 HOSTNAME  sshd[2250]: Failed password for XXXX from 
> IP-SOURCE  port 39896 ssh2
> 
Try 'apt-get install libpam-krb5' on the fileserver.

If I look in /var/log/auth.log, I find this:

Jan 16 20:37:25 devstation sshd[13213]: pam_krb5(sshd:auth): user rowland
authenticated as rowland at SAMDOM.EXAMPLE.COM
Jan 16 20:37:25 devstation sshd[13213]: Accepted password for rowland from
192.168.0.7 port 57903 ssh2
Jan 16 20:37:25 devstation sshd[13213]: pam_unix(sshd:session): session opened
for user rowland by (uid=0)

Rowland

Am 16.01.2018 um 21:31 schrieb Carlos via samba:
> Uhum, i tested with ssh:
> 
>  ssh XXX at FILESERVER
> 
>  journalctl -f
> 
> Jan 16 18:28:42 HOSTNAME  sshd[2250]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser>
rhost=IP-SOURCE  user=XXXXX
> Jan 16 18:28:43 HOSTNAME  sshd[2250]: Failed password for XXXX from
> IP-SOURCE  port 39896 ssh2
> 
> Regards;
I see no attempt here that pam_winbind is asked for the password:

My log on a failed login:
--------------
Jan 16 22:05:24 files sshd[9978]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xxx.xxx
user=some_user
Jan 16 22:05:24 files sshd[9978]: pam_winbind(sshd:auth): getting
password (0x00000048)
Jan 16 22:05:24 files sshd[9978]: pam_winbind(sshd:auth): pam_get_item
returned a password
Jan 16 22:05:24 files sshd[9978]: pam_winbind(sshd:auth): request
wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7),
NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: When trying to
update a password, this return status indicates that the value provided
as the current password is not correct.
--------------

my logs on a successful attempt:
--------------
Jan 16 21:49:51 files sshd[9923]: Connection closed by 172.16.0.2 [preauth]
Jan 16 21:50:34 files sshd[9925]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xxx.xxx
user=some_user
Jan 16 21:50:34 files sshd[9925]: pam_winbind(sshd:auth): getting
password (0x00000048)
Jan 16 21:50:34 files sshd[9925]: pam_winbind(sshd:auth): pam_get_item
returned a password
Jan 16 21:50:34 files sshd[9925]: pam_winbind(sshd:auth): user
'some_user' granted access
Jan 16 21:50:34 files sshd[9925]: Accepted password for some_user from
172.16.0.1 port 43499 ssh2
Jan 16 21:50:34 files sshd[9925]: pam_unix(sshd:session): session opened
for user some_user by (uid=0)



On my system (debian) the configurations looks like this:

--------------
cat /etc/pam.d/common-account
# here are the per-package modules (the "Primary" block)
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
...
--------------
--------------
cat /etc/pam.d/common-auth
# here are the per-package modules (the "Primary" block)
auth [success=3 default=ignore] pam_unix.so nullok_secure
auth [success=2 default=ignore] pam_winbind.so try_first_pass
[require_membership_of=File Server SSH Access Control Group]
auth [success=1 default=ignore] pam_winbind.so try_first_pass
[require_membership_of=File Server SFTP Access Control Group]
...
--------------
--------------
cat /etc/pam.d/common-password
# here are the per-package modules (the "Primary" block)
password [success=2 default=ignore] pam_unix.so obscure sha512
password [success=1 default=ignore] pam_winbind.so use_authtok
try_first_pass
...
--------------
--------------
cat /etc/pam.d/common-session
...
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session required pam_mkhomedir.so umask=0077 skel=/etc/skel/
session optional pam_winbind.so
...
--------------
--------------
cat
# Global parameters
[global]
    security = ADS
    realm = XXX.XXX.XXX

    disable netbios = yes

    username map = /etc/samba/user.map

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    idmap config * : backend = tdb
    idmap config * : range = 1000000-2000000

    # idmap config for the SAMDOM domain
    idmap config XXX:backend = rid
    idmap config XXX:range = 3000000-4000000
    idmap config XXX:unix_nss_info = no

    # Template settings for login shell and home directory
    template shell = /bin/bash
    template homedir = /home/profiles_linux/%U

    winbind use default domain = yes
    winbind refresh tickets = yes

    vfs objects = dfs_samba4,acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

    # network
    interfaces = lo eth0
    bind interfaces only = yes
    smb ports = 445

    # Logging
    log level = 1
    max log size = 512000
    log file = /var/log/samba/samba.log

    # Auditing
    full_audit:prefix = %u|%I|%S
    full_audit:facility = local5
    full_audit:priority = notice
    full_audit:success = mkdir rename unlink rmdir pwrite
    full_audit:failure = none
...
--------------
--------------
cat /etc/ssh/sshd_config

Port 22
ListenAddress 172.16.0.3
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

KexAlgorithms
curve25519-sha256 at libssh.org,diffie-hellman-group-exchange-sha256
Ciphers
chacha20-poly1305 at openssh.com,aes256-gcm at openssh.com,aes128-gcm at
openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs
hmac-sha2-512-etm at openssh.com,hmac-sha2-256-etm at
openssh.com,hmac-ripemd160-etm at openssh.com,umac-128-etm at
openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128 at openssh.com

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile     %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for
RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding no
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes

Match Group "file server sftp access"
    ChrootDirectory /var/cache/virtual_home
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

Thanks Rowland, it is worked now.

:-D


Regards;


On 16-01-2018 18:42, Rowland Penny via samba wrote:
> On Tue, 16 Jan 2018 18:31:31 -0200
> Carlos via samba <samba at lists.samba.org> wrote:
>
>> Uhum, i tested with ssh:
>>
>>    ssh XXX at FILESERVER
>>
>>    journalctl -f
>>
>> Jan 16 18:28:42 HOSTNAME  sshd[2250]: pam_unix(sshd:auth):
>> authentication failure; logname= uid=0 euid=0 tty=ssh ruser>>
rhost=IP-SOURCE  user=XXXXX
>> Jan 16 18:28:43 HOSTNAME  sshd[2250]: Failed password for XXXX from
>> IP-SOURCE  port 39896 ssh2
>>
> Try 'apt-get install libpam-krb5' on the fileserver.
>
> If I look in /var/log/auth.log, I find this:
>
> Jan 16 20:37:25 devstation sshd[13213]: pam_krb5(sshd:auth): user rowland
authenticated as rowland at SAMDOM.EXAMPLE.COM
> Jan 16 20:37:25 devstation sshd[13213]: Accepted password for rowland from
192.168.0.7 port 57903 ssh2
> Jan 16 20:37:25 devstation sshd[13213]: pam_unix(sshd:session): session
opened for user rowland by (uid=0)
>
> Rowland
>