Tim Miller
2021-Feb-25 13:22 UTC
[Samba] pam_winbind stops working when use_krb5 is enabled
I have a puzzling problem that I've been beating my head against for a couple of days with no luck. I have a test domain with a Windows Server 2019 DC and a RHEL 8 system that has been properly joined to it. I am trying to authenticate with pam_winbind on the RHEL system, and everything works just fine until I add krb5_auth to the list of arguments for pam_winbind (or equivalently turn krb5_auth on in /etc/security/pam_winbind.conf).

Whenever krb5_auth is turned on, I get the following log messages:

Feb 24 23:47:42 cs-dom1 sshd[5511]: pam_winbind(sshd:auth): CONFIG file: krb5_ccache_type 'FILE:/tmp/krb5cc_%u'
Feb 24 23:47:42 cs-dom1 sshd[5511]: pam_winbind(sshd:auth): enabling krb5 login flag
Feb 24 23:47:42 cs-dom1 sshd[5511]: pam_winbind(sshd:auth): enabling request for a FILE:/tmp/krb5cc_%u krb5 ccache
Feb 24 23:47:42 cs-dom1 sshd[5511]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_LOGON_FAILURE, Error message was: The attempted logon is invalid. This is either due to a bad username or authentication information.
Feb 24 23:47:42 cs-dom1 sshd[5511]: pam_winbind(sshd:auth): user 'btmiller' denied access (incorrect password or invalid membership)
Feb 24 23:47:42 cs-dom1 sshd[5511]: pam_winbind(sshd:auth): [pamh: 0x5590d75b79c0] LEAVE: pam_sm_authenticate returning 7 (PAM_AUTH_ERR)

As soon as I turn off krb5_auth, everything works fine again.

I'm pretty sure my Kerberos config is correct, because when I log in without auth_krb5, I can use kinit to get a TGT from the DC correctly.

I've spent a lot of time on Google trying to figure out why pam_winbind would work correctly in my setup without krb5 but fails when it is turned on. Any help or pointers would be welcome, as I'm a relative newbie to this. I've pasted my smb.conf below.
Thanks,
Tim

=== /etc/samba/smb.conf
[global]
workgroup = MYDOM
security = ADS
realm = MYDOM.LOCAL
server role = member server

winbind refresh tickets = Yes
winbind use default domain = Yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

## remove when done testing
winbind enum users = yes
winbind enum groups = yes

## kill printing
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

## id mapping
idmap config *: backend = tdb
idmap config *: range = 90000-99999

idmap config MYDOM: backend = ad
idmap config MYDOM: range = 100000-499999
idmap config MYDOM: unix_nss_info = yes
idmap config MYDOM: unix_primary_gid = yes

##template shell = /bin/bash

## logging
log level = 2 winbind:5

=== /etc/security/pam_winbind.conf
Rowland penny
2021-Feb-25 13:35 UTC
[Samba] pam_winbind stops working when use_krb5 is enabled
On 25/02/2021 13:22, Tim Miller via samba wrote:
> I have a puzzling problem that I've been beating my head against for a
> couple of days with no luck. I have a test domain with a Windows Server
> 2019 DC and a RHEL 8 system that has been properly joined to it. I am
> trying to authenticate with pam_winbind on the RHEL system, and everything
> works just fine until I add krb5_auth to the list of arguments for
> pam_winbind (or equivalently turn krb5_auth on in
> /etc/security/pam_winbind.conf).
>
> Whenever krb5_auth is turned on, I get the following log messages:
>
> Feb 24 23:47:42 cs-dom1 sshd[5511]: pam_winbind(sshd:auth): CONFIG file:
> krb5_ccache_type 'FILE:/tmp/krb5cc_%u'
> Feb 24 23:47:42 cs-dom1 sshd[5511]: pam_winbind(sshd:auth): enabling krb5
> login flag
> Feb 24 23:47:42 cs-dom1 sshd[5511]: pam_winbind(sshd:auth): enabling
> request for a FILE:/tmp/krb5cc_%u krb5 ccache
> Feb 24 23:47:42 cs-dom1 sshd[5511]: pam_winbind(sshd:auth): request
> wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7),
> NTSTATUS: NT_STATUS_LOGON_FAILURE, Error message was: The attempted logon
> is invalid. This is either due to a bad username or authentication
> information.
> Feb 24 23:47:42 cs-dom1 sshd[5511]: pam_winbind(sshd:auth): user 'btmiller'
> denied access (incorrect password or invalid membership)
> Feb 24 23:47:42 cs-dom1 sshd[5511]: pam_winbind(sshd:auth): [pamh:
> 0x5590d75b79c0] LEAVE: pam_sm_authenticate returning 7 (PAM_AUTH_ERR)
>
> As soon as I turn off krb5_auth, everything works fine again.
>
> I'm pretty sure my Kerberos config is correct, because when I log in
> without auth_krb5, I can use kinit to get a TGT from the DC correctly.
>
> I've spent a lot of time on Google trying to figure out why pam_winbind
> would work correctly in my setup without krb5 but fails when it is turned
> on. Any help or pointers would be welcome, as I'm a relative newbie to
> this. I've pasted my smb.conf below.
>
> Thanks,
> Tim
>
> === /etc/samba/smb.conf
> [global]
> workgroup = MYDOM
> security = ADS
> realm = MYDOM.LOCAL
> server role = member server
>
> winbind refresh tickets = Yes
> winbind use default domain = Yes
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> ## remove when done testing
> winbind enum users = yes
> winbind enum groups = yes
>
> ## kill printing
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> ## id mapping
> idmap config *: backend = tdb
> idmap config *: range = 90000-99999
>
> idmap config MYDOM: backend = ad
> idmap config MYDOM: range = 100000-499999
> idmap config MYDOM: unix_nss_info = yes
> idmap config MYDOM: unix_primary_gid = yes
>
> ##template shell = /bin/bash
>
> ## logging
> log level = 2 winbind:5
>
> === /etc/security/pam_winbind.conf

You need pam-krb5, which I believe Red Hat has removed in RHEL 8. When I tested a Unix domain member on CentOS 8, I had to build the CentOS 7 pam-krb5 package to get it to work.

Rowland
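The following diagnostic script is an added example and is not part of the thread or of Samba itself. It separates the two things Tim's log and Rowland's reply point at: whether winbindd's own Kerberos logon path works (wbinfo -K versus the NTLM path wbinfo -a, plus the keytab the smb.conf references), and whether the PAM stack on the host actually has pam_krb5.so available. The sample log line is the NTSTATUS line from the post above; the PAM file and module paths (/etc/pam.d/password-auth, /usr/lib64/security, /lib/x86_64-linux-gnu/security) are assumed RHEL/Debian layouts, and the user name is supplied by the caller.

```shell
#!/bin/sh
# Added diagnostic for the pam_winbind krb5_auth failure discussed above.
# Not from the thread or from Samba; assumes samba-winbind-clients and
# krb5-workstation are installed on a joined domain member.

# NTSTATUS line copied from Tim's post (used as the sample input).
SAMPLE_LOG="Feb 24 23:47:42 cs-dom1 sshd[5511]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_LOGON_FAILURE, Error message was: The attempted logon is invalid."

# Pull the NTSTATUS code out of a pam_winbind log line (empty if none).
ntstatus_of() {
    printf '%s\n' "$1" | sed -n 's/.*NTSTATUS: \([A-Z_0-9]*\).*/\1/p'
}

# List which of the AD-related PAM modules a PAM service file references,
# sorted and space-separated, so a missing pam_krb5.so is obvious.
pam_modules_loaded() {
    grep -Eo 'pam_(winbind|krb5|sss)\.so' "$1" | sort -u | xargs
}

# Is pam_krb5.so installed at all? (Rowland's point: RHEL 8 dropped it.)
# Paths are assumptions for RHEL and Debian-style layouts.
pam_krb5_installed() {
    for d in /usr/lib64/security /lib64/security /lib/x86_64-linux-gnu/security; do
        [ -e "$d/pam_krb5.so" ] && return 0
    done
    return 1
}

# Exercise winbindd directly, bypassing PAM. wbinfo prompts for the
# password when none is given, so it never lands in the process list.
winbind_auth_check() {
    user=$1
    echo "== keytab principals (should include the member's host/ principals)"
    klist -k /etc/krb5.keytab
    echo "== NTLM logon via winbindd (wbinfo -a)"
    wbinfo -a "$user"
    echo "== Kerberos logon via winbindd (wbinfo -K)"
    wbinfo -K "$user"
    echo "== PAM modules referenced by the sshd stack"
    pam_modules_loaded /etc/pam.d/password-auth
    if pam_krb5_installed; then
        echo "pam_krb5.so: present"
    else
        echo "pam_krb5.so: NOT installed (see Rowland's reply)"
    fi
}

if [ $# -ge 1 ]; then
    winbind_auth_check "$1"
fi
```

Run it as `sh diag.sh btmiller` on the domain member. If wbinfo -a succeeds but wbinfo -K fails with the same NT_STATUS_LOGON_FAILURE, the problem is inside winbindd's Kerberos path (realm, keytab, time skew) rather than the PAM configuration; if both succeed and only the PAM login fails, look at the stack and at whether pam_krb5.so is present.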