Hai.

Config.
Debian Stretch, samba 4.7.7, member server, AD backend.
Network setup like in the howtos here:
https://github.com/thctlo/samba4/tree/master/howtos

Today I discovered that somehow a disabled user was able to log in after a few retries.
I run an SSH/SFTP server for data exchange with the customer of the company here.
The SSH/SFTP server is restricted by groups; this includes a Windows (AD) group and Linux groups, with a GID assigned.

Other important settings are these from sshd_config:

UsePAM yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck yes
GSSAPIKeyExchange yes
GSSAPIStoreCredentialsOnRekey yes

/etc/pam.d had the following (all settings are done with pam-auth-update).

samba
@include common-auth
@include common-account
@include common-session-noninteractive

common-auth
auth [success=5 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=4 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=3 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth [success=2 default=ignore] pam_ccreds.so minimum_uid=1000 action=validate use_first_pass
auth [default=ignore] pam_ccreds.so minimum_uid=1000 action=update
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_ccreds.so minimum_uid=1000 action=store
auth optional pam_cap.so

common-account
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
account requisite pam_deny.so
account required pam_permit.so
account required pam_krb5.so minimum_uid=1000

common-session-noninteractive
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_krb5.so minimum_uid=1000
session required pam_unix.so
session optional pam_winbind.so

common-password
password [success=3 default=ignore] pam_krb5.so minimum_uid=1000
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass
password requisite pam_deny.so
password required pam_permit.so

At the beginning of February 2018, I disabled an account in the AD. I just checked again and yes, it is still set to "Account disabled".

Today I noticed the following in my SFTP server log, and this should not be possible.

2018-04-25 07:00:05 [27504][username][1.2.3.4][10500]Start download file '/folder1/file1.csv'
2018-04-25 07:00:05 [27504][username][1.2.3.4][10500]End download file '/folder1/file1.csv' (82 bytes) : 100%
2018-04-25 07:00:05 [27504][username][1.2.3.4][10500]Start download file '/folder1/file1.csv'
2018-04-25 07:00:06 [27504][username][1.2.3.4][10500]End download file '/folder1/file1.csv' (82 bytes) : 100%
2018-04-25 07:00:06 [27504][username][1.2.3.4][10500]Try to remove file '/folder1/file1.csv' : success

Now the strange thing is the following from my auth logs.

Apr 25 07:00:02 hostname1 sshd[27413]: reverse mapping checking getaddrinfo for unknown.domain.tld [1.2.3.4] failed.
Apr 25 07:00:02 hostname1 sshd[27413]: pam_krb5(sshd:auth): authentication failure; logname=username uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4
Apr 25 07:00:02 hostname1 sshd[27413]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4 user=username
Apr 25 07:00:02 hostname1 sshd[27413]: pam_winbind(sshd:auth): getting password (0x00000388)
Apr 25 07:00:02 hostname1 sshd[27413]: pam_winbind(sshd:auth): pam_get_item returned a password
Apr 25 07:00:02 hostname1 sshd[27413]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11), NTSTATUS: NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested.
Apr 25 07:00:02 hostname1 sshd[27413]: pam_winbind(sshd:auth): internal module error (retval = PAM_MAXTRIES(11), user = 'username')
Apr 25 07:00:02 hostname1 sshd[27413]: Accepted password for username from 1.2.3.4 port 10400 ssh2
Apr 25 07:00:02 hostname1 sshd[27413]: pam_unix(sshd:session): session opened for user username by (uid=0)
Apr 25 07:00:02 hostname1 systemd-logind[25400]: New session 4871 of user username.
Apr 25 07:00:02 hostname1 systemd: pam_unix(systemd-user:session): session opened for user username by (uid=0)
Apr 25 07:00:02 hostname1 CRON[27410]: pam_unix(cron:session): session closed for user nobody
Apr 25 07:00:03 hostname1 sshd[27413]: pam_unix(sshd:session): session closed for user username
Apr 25 07:00:03 hostname1 sshd[27413]: pam_winbind(sshd:setcred): user 'username' OK
Apr 25 07:00:03 hostname1 systemd-logind[25400]: Removed session 4871.
Apr 25 07:00:04 hostname1 sshd[27490]: reverse mapping checking getaddrinfo for unknown.domain.tld [1.2.3.4] failed.
Apr 25 07:00:04 hostname1 sshd[27490]: pam_krb5(sshd:auth): authentication failure; logname=username uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4
Apr 25 07:00:04 hostname1 sshd[27490]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4 user=username
Apr 25 07:00:04 hostname1 sshd[27490]: pam_winbind(sshd:auth): getting password (0x00000388)
Apr 25 07:00:04 hostname1 sshd[27490]: pam_winbind(sshd:auth): pam_get_item returned a password
Apr 25 07:00:04 hostname1 sshd[27490]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11), NTSTATUS: NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested.
Apr 25 07:00:04 hostname1 sshd[27490]: pam_winbind(sshd:auth): internal module error (retval = PAM_MAXTRIES(11), user = 'username')
Apr 25 07:00:04 hostname1 sshd[27490]: Accepted password for username from 1.2.3.4 port 10500 ssh2
Apr 25 07:00:04 hostname1 sshd[27490]: pam_unix(sshd:session): session opened for user username by (uid=0)
Apr 25 07:00:04 hostname1 systemd-logind[25400]: New session 4873 of user username.
Apr 25 07:00:04 hostname1 systemd: pam_unix(systemd-user:session): session opened for user username by (uid=0)
Apr 25 07:00:07 hostname1 sshd[27490]: pam_unix(sshd:session): session closed for user username
Apr 25 07:00:07 hostname1 sshd[27490]: pam_winbind(sshd:setcred): user 'username' OK
Apr 25 07:00:07 hostname1 systemd-logind[25400]: Removed session 4873.
Apr 25 07:00:07 hostname1 systemd: pam_unix(systemd-user:session): session closed for user username
Apr 25 07:00:10 hostname1 sshd[27625]: reverse mapping checking getaddrinfo for unknown.domain.tld [1.2.3.4] failed.
Apr 25 07:00:10 hostname1 sshd[27625]: pam_krb5(sshd:auth): authentication failure; logname=username uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4
Apr 25 07:00:10 hostname1 sshd[27625]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4 user=username
Apr 25 07:00:10 hostname1 sshd[27625]: pam_winbind(sshd:auth): getting password (0x00000388)
Apr 25 07:00:10 hostname1 sshd[27625]: pam_winbind(sshd:auth): pam_get_item returned a password
Apr 25 07:00:10 hostname1 sshd[27625]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11), NTSTATUS: NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested.
Apr 25 07:00:10 hostname1 sshd[27625]: pam_winbind(sshd:auth): internal module error (retval = PAM_MAXTRIES(11), user = 'username')
Apr 25 07:00:10 hostname1 sshd[27625]: Accepted password for username from 1.2.3.4 port 10600 ssh2
Apr 25 07:00:10 hostname1 sshd[27625]: pam_unix(sshd:session): session opened for user username by (uid=0)
Apr 25 07:00:10 hostname1 systemd-logind[25400]: New session 4875 of user username.
Apr 25 07:00:10 hostname1 systemd: pam_unix(systemd-user:session): session opened for user username by (uid=0)
Apr 25 07:00:10 hostname1 sshd[27625]: pam_unix(sshd:session): session closed for user username
Apr 25 07:00:10 hostname1 sshd[27625]: pam_winbind(sshd:setcred): user 'username' OK
Apr 25 07:00:10 hostname1 systemd-logind[25400]: Removed session 4875.
Apr 25 07:00:10 hostname1 systemd: pam_unix(systemd-user:session): session closed for user username

I suspect that ccreds credential caching (the password-saving part in PAM) is the cause, or did I misconfigure something here? Can happen, nobody is perfect.. :-(

I cannot disable ccreds right now; I also use the caching for my logins from the LAN.

So if anyone has ideas, please tell me.

Greetz,

Louis
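As an added illustration (not part of Louis's post or of Samba), here is a small model of how Linux-PAM walks the [success=N default=ignore] controls of the common-auth stack quoted above. The module results are taken from the auth log (pam_krb5 and pam_unix fail, pam_winbind returns PAM_MAXTRIES); whether pam_ccreds accepts the cached password is Louis's suspicion and is passed in as a parameter, and the alternative pam_winbind control used in the third check (maxtries=die) is an assumption added here for comparison, not a fix proposed in the thread.

```python
# Added example, not from the thread: a model of Linux-PAM's [key=action]
# evaluation run over the common-auth stack Louis posted. Module results are
# assumed from his auth log (pam_krb5/pam_unix: auth failure, pam_winbind:
# PAM_MAXTRIES); a pam_ccreds cache hit is his suspicion, modelled as an
# assumption, not a confirmed root cause.
KEYWORDS = {  # Linux-PAM's expansion of the simple control keywords
    "required":  {"success": "ok", "new_authtok_reqd": "ok", "default": "bad"},
    "requisite": {"success": "ok", "new_authtok_reqd": "ok", "default": "die"},
    "optional":  {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

def parse_control(text):
    """'[success=5 default=ignore]' or 'requisite' -> {return code: action}."""
    if text in KEYWORDS:
        return KEYWORDS[text]
    pairs = (tok.split("=") for tok in text.strip("[]").split())
    return {code: int(act) if act.isdigit() else act for code, act in pairs}

def evaluate(stack, returns):
    """stack: [(label, control)], returns: {label: code}. Returns the stack verdict."""
    impression, status, i = None, "perm_denied", 0  # PAM_MUST_FAIL_CODE if nothing decides
    while i < len(stack):
        label, ctrl = stack[i]
        i += 1
        rc, control = returns[label], parse_control(ctrl)
        action = control.get(rc, control["default"])
        if action == "ignore":          # this module's result does not count at all
            continue
        if action in ("bad", "die"):    # the first failure fixes the verdict
            if impression != "neg":
                impression, status = "neg", rc
            if action == "die":
                break
            continue
        # 'ok', 'done' or a jump N: overrides an earlier success, never a failure
        if impression is None or (impression == "pos" and status == "success"):
            impression, status = "pos", rc
        if impression == "pos" and action == "done":
            break
        if isinstance(action, int) and status == "success":
            i += action                 # skip the next N modules
    return status

COMMON_AUTH = [  # order and controls from Louis's /etc/pam.d/common-auth
    ("pam_krb5", "[success=5 default=ignore]"), ("pam_unix", "[success=4 default=ignore]"),
    ("pam_winbind", "[success=3 default=ignore]"),
    ("pam_ccreds validate", "[success=2 default=ignore]"), ("pam_ccreds update", "[default=ignore]"),
    ("pam_deny", "requisite"), ("pam_permit", "required"),
    ("pam_ccreds store", "optional"), ("pam_cap", "optional"),
]

def verdict(ccreds_cache_hit, winbind_ctrl="[success=3 default=ignore]"):
    """winbind_ctrl lets the caller try a control that does not ignore PAM_MAXTRIES."""
    returns = {"pam_krb5": "auth_err", "pam_unix": "auth_err", "pam_winbind": "maxtries",
               "pam_ccreds validate": "success" if ccreds_cache_hit else "auth_err",
               "pam_ccreds update": "ignore", "pam_deny": "perm_denied",
               "pam_permit": "success", "pam_ccreds store": "success", "pam_cap": "success"}
    stack = [(m, winbind_ctrl if m == "pam_winbind" else c) for m, c in COMMON_AUTH]
    return evaluate(stack, returns)
```

The point the model makes is that default=ignore discards pam_winbind's PAM_MAXTRIES completely, so the verdict is decided by whichever later module first returns a non-ignored result; with a cache hit that is pam_ccreds, whose success=2 jumps straight over pam_deny to pam_permit.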
On Thu, 26 Apr 2018 09:53:33 +0200 "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hai.
>
> Config.
> Debian Stretch, samba 4.7.7. member server AD backend.
> Network setup like in the howtos here. :
> https://github.com/thctlo/samba4/tree/master/howtos
>
> Today i discovered that somehow a disabled user was able to login
> after a few retries.
> I run a SSH/SFTP server for data exchange with the customer of the
> company here.
> The SSH/SFTP server is restricted by groups, this includes a windows
> (AD) group and linux groups, with an GID assigned.

Hi Louis, I think you are going to have to put the sshd server into debug mode to sort this.

I have examined your logs, sorted and shortened them to what I believe are the relevant parts:

Apr 25 07:00:04 hostname1 sshd[27490]: reverse mapping checking getaddrinfo for unknown.domain.tld [1.2.3.4] failed.
Apr 25 07:00:04 hostname1 sshd[27490]: pam_krb5(sshd:auth): authentication failure; logname=username uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4
Apr 25 07:00:04 hostname1 sshd[27490]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4 user=username
Apr 25 07:00:04 hostname1 sshd[27490]: pam_winbind(sshd:auth): getting password (0x00000388)
Apr 25 07:00:04 hostname1 sshd[27490]: pam_winbind(sshd:auth): pam_get_item returned a password
Apr 25 07:00:04 hostname1 sshd[27490]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11), NTSTATUS: NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested.
Apr 25 07:00:04 hostname1 sshd[27490]: pam_winbind(sshd:auth): internal module error (retval = PAM_MAXTRIES(11), user = 'username')

The above seems to show that pam_krb5, pam_unix and pam_winbind are rejecting the user.

Apr 25 07:00:04 hostname1 sshd[27490]: Accepted password for username from 1.2.3.4 port 10500 ssh2
Apr 25 07:00:04 hostname1 sshd[27490]: pam_unix(sshd:session): session opened for user username by (uid=0)
Apr 25 07:00:04 hostname1 systemd-logind[25400]: New session 4873 of user username.
Apr 25 07:00:04 hostname1 systemd: pam_unix(systemd-user:session): session opened for user username by (uid=0)

Something in the above 4 lines is allowing access.

From my SFTP server log. and this should not be possible.
2018-04-25 07:00:05 [27504][username][1.2.3.4][10500]Start download file '/folder1/file1.csv'
2018-04-25 07:00:05 [27504][username][1.2.3.4][10500]End download file '/folder1/file1.csv' (82 bytes) : 100%
2018-04-25 07:00:05 [27504][username][1.2.3.4][10500]Start download file '/folder1/file1.csv'
2018-04-25 07:00:06 [27504][username][1.2.3.4][10500]End download file '/folder1/file1.csv' (82 bytes) : 100%
2018-04-25 07:00:06 [27504][username][1.2.3.4][10500]Try to remove file '/folder1/file1.csv' : success

Apr 25 07:00:07 hostname1 sshd[27490]: pam_unix(sshd:session): session closed for user username
Apr 25 07:00:07 hostname1 sshd[27490]: pam_winbind(sshd:setcred): user 'username' OK
Apr 25 07:00:07 hostname1 systemd-logind[25400]: Removed session 4873.
Apr 25 07:00:07 hostname1 systemd: pam_unix(systemd-user:session): session closed for user username

I believe this is all coming from /etc/pam.d/sshd

Rowland
Hai Rowland,

Thanks for the reply. Ok, so we suspect a buggy PAM module.

The pam.d/ssh is the default:

@include common-auth
account required pam_nologin.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
@include common-session
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
session required pam_limits.so
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
@include common-password

But what I don't understand is this line:

> Apr 25 07:00:07 hostname1 sshd[27490]: pam_winbind(sshd:setcred): user 'username' OK

pam_winbind(sshd:setcred)

I'll go search for this a bit, and start with the build of 4.8.1 while doing that.

I forgot the pam_winbind config; this one is used as well.

/usr/share/pam-configs/winbind

Name: Winbind NT/Active Directory authentication
Default: yes
Priority: 192
Auth-Type: Primary
Auth:
	[success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
Auth-Initial:
	[success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login
Account-Type: Primary
Account:
	[success=end new_authtok_reqd=done default=ignore] pam_winbind.so
Password-Type: Primary
Password:
	[success=end default=ignore] pam_winbind.so use_authtok try_first_pass
Password-Initial:
	[success=end default=ignore] pam_winbind.so
Session-Type: Additional
Session:
	optional pam_winbind.so

If anyone has ideas or suggestions where to look, please add them, because this should never happen: being able to log in with a locked account.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via samba
> Sent: Thursday 26 April 2018 11:03
> To: samba at lists.samba.org
> Subject: Re: [Samba] account locks not working ssh/winbind?
On Thu, 26 Apr 2018 11:18:10 +0200 "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hai Rowland,
>
> Thanks for the reply. Ok so we suspect and buggie pam module
>
> The pam.d/ssh is the default
>
> @include common-auth
> account required pam_nologin.so
> @include common-account
> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
> session required pam_loginuid.so
> session optional pam_keyinit.so force revoke
> @include common-session
> session optional pam_motd.so motd=/run/motd.dynamic
> session optional pam_motd.so noupdate
> session required pam_limits.so
> session required pam_env.so user_readenv=1 envfile=/etc/default/locale
> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
> @include common-password
>
> But what i dont understand is this line:
> > Apr 25 07:00:07 hostname1 sshd[27490]: pam_winbind(sshd:setcred):
> > user 'username' OK
>
> pam_winbind(sshd:setcred)

Yes, but it is AFTER the user is allowed access and 'setcred' means (to me at least) 'set the credential for next time', but I am not an expert here ;-)

> I'll go search for this a bit, and start with the build of 4.8.1
> while doing that.

I would hang on with that, Denis has just asked if the 'don't upgrade to 4.8.0 bug' has been fixed, it isn't mentioned in the release notes. It seems to have gone in, just not mentioned in the release notes (at least I hope that is the case)

> I forgot the pam winbind config, this one is used also.
>
> If anyone has ideas or suggestion where to look, please add them.
> Because this should never happen.. To be able to login with an locked
> account.

Thing is, how do you tell ssh that an account is locked ?

Rowland
Hai,

> Thing is, how do you tell ssh that an account is locked ?

I did find something about that, but for that I need to set UsePAM to no. I'm investigating this deeper atm.

Thanks for all the replies so far.

Greetz,

Louis