Marco Gaiarin
2019-Feb-28 08:35 UTC
[Samba] [OT?] Kerberos, PAM, NSS: if user does not exist, pam_krb5 try login?
A bit more than a curiosity.

Moving from Samba/NT to Samba/AD I'm now switching some 'one-purpose' boxes (mostly containers) from libpam-ldaps to libpam-krb5.
In these boxes normally I don't need user access, so I create 'manually' (e.g. in /etc/passwd) only the admin users, and I add only the PAM layer to do external auth.
Still I use ssh keys for direct root access, but as an alternative ssh access I keep the ability to enter with the domain password (and sudo).

Some of these boxes are internet-facing. So looking at logs with the previous setup, for a non-existent user I get:

    Feb 3 04:45:47 tank sshd[18545]: Invalid user admin from 216.127.174.116
    Feb 3 04:45:47 tank sshd[18545]: input_userauth_request: invalid user admin [preauth]
    Feb 3 04:45:49 tank sshd[18545]: Failed password for invalid user admin from 216.127.174.116 port 2333 ssh2

while now I get:

    Feb 28 07:23:16 tank sshd[28440]: Invalid user admin from 123.21.91.111
    Feb 28 07:23:16 tank sshd[28440]: input_userauth_request: invalid user admin [preauth]
    Feb 28 07:23:16 tank sshd[28440]: pam_krb5(sshd:auth): authentication failure; logname=admin uid=0 euid=0 tty=ssh ruser= rhost=123.21.91.111
    Feb 28 07:23:18 tank sshd[28440]: Failed password for invalid user admin from 123.21.91.111 port 51911 ssh2

(clearly 'admin' is not in /etc/passwd).

So it seems to me that libpam-ldaps doesn't even try to do a login if the user does not exist, while libpam-krb5 does.

Is there something to fear about? Thanks.

--
dott. Marco Gaiarin                      GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''      http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it     t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
L.P.H. van Belle
2019-Feb-28 09:17 UTC
[Samba] [OT?] Kerberos, PAM, NSS: if user does not exist, pam_krb5 try login?
Hmm, Marco,

logname=admin uid=0 euid=0 << no no.. Uid=0 ? That's not good, root = uid 0

User setup example. Linux:
Root uid 0
LinuxAdmin uid does not matter as long as it is within the range of (see /etc/adduser.conf) FIRST_UID=1000 LAST_UID=59999
Administrator is mapped through /etc/samba/smb.conf (usermapping)

And that Admin of yours is probably migrated from ldap to AD, except now it's not allowed to have uid 0.
Remove it and re-create it or set up a new UID/GID, something like that, and search for other "double" users and/or UIDs.
This depends also on what you need.

About this: "In these boxes normally I don't need user access."
Why create users when you already have them? Just simplify your maintenance.

For example I use:

    AllowGroups group1 group2-users group2-admins

in /etc/ssh/sshd_config

group1 is a linux group, needed for my linux admin user. (more a backup user/group if AD breaks, only has 2 users in my case.)
Group2-users is a windows group in AD, with GID assigned, containing AD users that are allowed to login to the linux servers.
Group2-admins is a windows group in AD, with GID assigned, containing admin users that are allowed to login to the linux servers.

Do note, ssh users must have a UID and you are disallowing root (uid=0), so your example admin (uid=0) can't login either.

Optional, but imo a must for internet connected servers. Read:
https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-16-04
And the debian instructions.
https://www.vultr.com/docs/how-to-setup-two-factor-authentication-2fa-for-ssh-on-debian-9-using-google-authenticator
;-) Works great.

More questions, ask.

Greetz,

Louis
Marco Gaiarin
2019-Feb-28 10:33 UTC
[Samba] [OT?] Kerberos, PAM, NSS: if user does not exist, pam_krb5 try login?
Mandi! L.P.H. van Belle via samba
  On that day you wrote...

> logname=admin uid=0 euid=0 << no no.. Uid=0 ? That's not good, root = uid 0

It is the standard log of the pam subsystem, also for ldap.

> Administrator is mapped through /etc/samba/smb.conf (usermapping)

No, Louis; I'm speaking about machines where samba is not even installed; I've simply created some users (in /etc/passwd) and added pam_krb5 to (also) authenticate against. No samba (so the 'OT' ;-).

I'm simply curious why pam_ldapd seems to never try to login against the LDAP server if the user does not exist, while pam_krb5 seems to.

--
dott. Marco Gaiarin
L.P.H. van Belle
2019-Feb-28 11:05 UTC
[Samba] [OT?] Kerberos, PAM, NSS: if user does not exist, pam_krb5 try login?
Hai,

> Mandi! L.P.H. van Belle via samba
>   On that day you wrote...
>
> > logname=admin uid=0 euid=0 << no no.. Uid=0 ? That's not good, root = uid 0
>
> It is the standard log of the pam subsystem, also for ldap.
>
> > Administrator is mapped through /etc/samba/smb.conf (usermapping)
>
> No, Louis; I'm speaking about machines where samba is not even installed; I've simply created some users (in /etc/passwd) and added pam_krb5 to (also) authenticate against. No samba (so the 'OT' ;-).

Ok, wrong list ;-) :-P

No, here you go, read this, this explains it.
https://wiki.debian.org/LDAP/PAM
The second paragraph tells what you want to know.

And I noticed also this on that site.

/snap
Hint: Offline caching of LDAP credentials is only useful if LDAP information about users and groups is also available offline through NSS. This can be accomplished through the use of NSCD. See LDAP/NSS for more information.
/snapoff

Often not seen, the last lines on the site.
If using OpenSSH, you may need to add "UsePAM yes" to sshd_config or it will not use PAM by default.

While reading more, for the offline logins or your exim, read:
http://people.skolelinux.org/pere/blog/Caching_password__user_and_group_on_a_roaming_Debian_laptop.html
Shows some good info, a bit older but still ok with minor adjustments.

Greetz,

Louis
Rowland Penny
2019-Feb-28 16:45 UTC
[Samba] [OT?] Kerberos, PAM, NSS: if user does not exist, pam_krb5 try login?
On Thu, 28 Feb 2019 09:35:31 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> So it seems to me that libpam-ldaps doesn't even try to do a login if the user
> does not exist, while libpam-krb5 does.
>
> Is there something to fear about? Thanks.
So you want to turn this:

    Feb 28 16:19:36 testkar sshd[3003]: pam_krb5(sshd:auth): authentication failure; logname=adminuser uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.88
    Feb 28 16:19:36 testkar sshd[3003]: Accepted password for adminuser from 192.168.0.88 port 39297 ssh2
    Feb 28 16:19:36 testkar sshd[3003]: pam_unix(sshd:session): session opened for user adminuser by (uid=0)

into this:

    Feb 28 16:32:56 testkar sshd[3459]: Accepted password for adminuser from 192.168.0.88 port 39399 ssh2
    Feb 28 16:32:56 testkar sshd[3459]: pam_unix(sshd:session): session opened for user adminuser by (uid=0)

for non-domain users?

Open /etc/pam.d/common-auth and find this line:

    auth [success=2 default=ignore] pam_krb5.so minimum_uid=1000

Change the number '1000' to the lower range number you set in smb.conf.

Example: you have 'idmap config SAMDOM : range = 10000-99999999' in smb.conf

Change the line to this:

    auth [success=2 default=ignore] pam_krb5.so minimum_uid=10000

Rowland
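Marco's log observation (pam_krb5 being invoked for users that are not in /etc/passwd) and Rowland's minimum_uid fix, as an added example that is not code from the thread: a POSIX shell script that reports the minimum_uid of the pam_krb5 line in a common-auth file, and counts pam_krb5 authentication failures in sshd logs for users sshd had already flagged as invalid. The sample PAM content and log lines are constructed, modelled on the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit a PAM common-auth file for a
# pam_krb5 line without minimum_uid, and count pam_krb5 authentication
# attempts that sshd logged for users it had already rejected as invalid.

# Constructed sample of a Debian-style /etc/pam.d/common-auth, with the
# pam_krb5 line configured without minimum_uid (the condition being audited).
SAMPLE_PAM='auth [success=2 default=ignore] pam_krb5.so
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so'

# Constructed sshd log lines modelled on those in the thread: one invalid
# user whose attempt still reached pam_krb5, one real user (adminuser).
SAMPLE_LOG='Feb 28 07:23:16 tank sshd[28440]: Invalid user admin from 123.21.91.111
Feb 28 07:23:16 tank sshd[28440]: pam_krb5(sshd:auth): authentication failure; logname=admin uid=0 euid=0 tty=ssh ruser= rhost=123.21.91.111
Feb 28 07:23:18 tank sshd[28440]: Failed password for invalid user admin from 123.21.91.111 port 51911 ssh2
Feb 28 16:19:36 tank sshd[3003]: pam_krb5(sshd:auth): authentication failure; logname=adminuser uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.88
Feb 28 16:19:36 tank sshd[3003]: Accepted password for adminuser from 192.168.0.88 port 39297 ssh2'

# Print the minimum_uid value of the first "auth ... pam_krb5.so" line,
# "missing" when that line carries no minimum_uid, or "no-pam_krb5" when
# the module is not used for auth at all. $1 is the file content.
pam_krb5_minimum_uid() {
    printf '%s\n' "$1" | awk '
        /^auth/ && /pam_krb5\.so/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^minimum_uid=/) {
                    sub(/^minimum_uid=/, "", $i); print $i; hit = 1; exit
                }
            print "missing"; hit = 1; exit
        }
        END { if (!hit) print "no-pam_krb5" }'
}

# Count pam_krb5 authentication failures whose sshd PID earlier logged
# "Invalid user": each one is a password for a non-existent local account
# that was still handed to pam_krb5. $1 is the log content.
krb5_attempts_for_invalid_users() {
    printf '%s\n' "$1" | awk '
        match($0, /sshd\[[0-9]+\]/) { pid = substr($0, RSTART + 5, RLENGTH - 6) }
        /: Invalid user / { invalid[pid] = 1 }
        /pam_krb5\(sshd:auth\): authentication failure/ && (pid in invalid) { n++ }
        END { print n + 0 }'
}

echo "pam_krb5 minimum_uid: $(pam_krb5_minimum_uid "$SAMPLE_PAM")"
echo "pam_krb5 attempts for invalid users: $(krb5_attempts_for_invalid_users "$SAMPLE_LOG")"
```

Run against the real files with `pam_krb5_minimum_uid "$(cat /etc/pam.d/common-auth)"` and `krb5_attempts_for_invalid_users "$(grep sshd /var/log/auth.log)"`.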