John R. Graham
2024-Nov-19 16:33 UTC
[Samba] Working through the PAM Offline Authentication Wiki page, but...
...the tests for initial online login to my newly joined Linux domain member the machine through ssh are failing. I ran:

    terra ~ # ssh HOME\\jgraham@localhost
    (HOME\jgraham@localhost) Password:
    (HOME\jgraham@localhost) Password:
    (HOME\jgraham@localhost) Password:
    HOME\jgraham@localhost's password:
    Permission denied, please try again.
    HOME\jgraham@localhost's password:
    Received disconnect from ::1 port 22:2: Too many authentication failures
    Disconnected from ::1 port 22

(Password was entered each time it was prompted for.) Log excerpts:

/var/log/messages:

    Nov 19 11:18:29 terra samba-dcerpcd[25488]: [2024/11/19 11:18:29.613623,  0] ../../source3/rpc_server/rpc_host.c:2843(main)
    Nov 19 11:18:29 terra samba-dcerpcd[25488]:   samba-dcerpcd version 4.19.7 started.
    Nov 19 11:18:29 terra samba-dcerpcd[25488]:   Copyright Andrew Tridgell and the Samba Team 1992-2023
    Nov 19 11:18:29 terra rpcd_lsad[25499]: [2024/11/19 11:18:29.696642,  0] ../../source3/rpc_server/rpc_worker.c:1127(rpc_worker_main)
    Nov 19 11:18:29 terra rpcd_lsad[25499]:   rpcd_lsad version 4.19.7 started.
    Nov 19 11:18:29 terra rpcd_lsad[25499]:   Copyright Andrew Tridgell and the Samba Team 1992-2023
    Nov 19 11:18:29 terra rpcd_lsad[25501]: [2024/11/19 11:18:29.739755,  0] ../../source3/rpc_server/rpc_worker.c:1127(rpc_worker_main)
    Nov 19 11:18:29 terra rpcd_lsad[25501]:   rpcd_lsad version 4.19.7 started.
    Nov 19 11:18:29 terra rpcd_lsad[25501]:   Copyright Andrew Tridgell and the Samba Team 1992-2023
    Nov 19 11:18:29 terra rpcd_lsad[25504]: [2024/11/19 11:18:29.790433,  0] ../../source3/rpc_server/rpc_worker.c:1127(rpc_worker_main)
    Nov 19 11:18:29 terra rpcd_lsad[25504]:   rpcd_lsad version 4.19.7 started.
    Nov 19 11:18:29 terra rpcd_lsad[25504]:   Copyright Andrew Tridgell and the Samba Team 1992-2023
    Nov 19 11:18:29 terra rpcd_lsad[25507]: [2024/11/19 11:18:29.822732,  0] ../../source3/rpc_server/rpc_worker.c:1127(rpc_worker_main)
    Nov 19 11:18:29 terra rpcd_lsad[25507]:   rpcd_lsad version 4.19.7 started.
    Nov 19 11:18:29 terra rpcd_lsad[25507]:   Copyright Andrew Tridgell and the Samba Team 1992-2023
    Nov 19 11:18:34 terra sshd-session[25516]: pam_unix(sshd:auth): authentication failure; logname=jgraham uid=0 euid=0 tty=ssh ruser= rhost=::1  user=HOME\jgraham
    Nov 19 11:18:36 terra sshd-session[25479]: error: PAM: Authentication failure for HOME\\jgraham from ::1
    Nov 19 11:18:40 terra sshd-session[25683]: pam_unix(sshd:auth): authentication failure; logname=jgraham uid=0 euid=0 tty=ssh ruser= rhost=::1  user=HOME\jgraham
    Nov 19 11:18:42 terra sshd-session[25479]: error: PAM: Authentication failure for HOME\\jgraham from ::1
    Nov 19 11:18:42 terra sshd-session[25479]: Postponed keyboard-interactive for HOME\\\\jgraham from ::1 port 34982 ssh2 [preauth]
    Nov 19 11:18:46 terra sshd-session[25859]: pam_unix(sshd:auth): authentication failure; logname=jgraham uid=0 euid=0 tty=ssh ruser= rhost=::1  user=HOME\jgraham
    Nov 19 11:18:46 terra sshd-session[25859]: pam_faillock(sshd:auth): Consecutive login failures for user HOME\jgraham account temporarily locked
    Nov 19 11:18:48 terra sshd-session[25479]: error: PAM: Authentication failure for HOME\\jgraham from ::1
    Nov 19 11:19:03 terra sshd-session[25479]: Failed password for HOME\\jgraham from ::1 port 34982 ssh2
    Nov 19 11:19:37 terra sshd-session[25479]: Failed password for HOME\\jgraham from ::1 port 34982 ssh2
    Nov 19 11:19:37 terra sshd-session[25479]: error: maximum authentication attempts exceeded for HOME\\\\jgraham from ::1 port 34982 ssh2 [preauth]
    Nov 19 11:19:37 terra sshd-session[25479]: Disconnecting authenticating user HOME\\\\jgraham ::1 port 34982: Too many authentication failures [preauth]

/var/log/samba/log.winbindd.idmap:

    [2024/11/19 10:28:48.321163,  1] ../../source3/winbindd/idmap_ad.c:289(idmap_ad_tldap_debug)
      idmap_ad_tldap: tldap_context_disconnect: TLDAP_SERVER_DOWN at ../../source3/lib/tldap.c:762
    [2024/11/19 10:28:48.326623,  1] ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
      ldb: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory
    [2024/11/19 10:28:48.326684,  1] ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
      ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with backend 'tdb': Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory

and indeed that file doesn't exist. However, "/var/lib/samba/private/secrets.tdb" does exist. Does any of this suggest what might be going wrong with the ssh session?

Incidentally, the "wbinfo -K" test succeeds:

    terra ~ # wbinfo -K 'HOME\jgraham%redacted-password'
    plaintext kerberos password authentication for [HOME\jgraham] succeeded (requesting cctype: FILE)
    user_flgs: NETLOGON_CACHED_ACCOUNT
    credentials were put in: FILE:/tmp/krb5cc_0

and, maybe less surprisingly, su'ing into the domain user also works:

    terra ~ # sudo su HOME\\jgraham
    HOME\jgraham@terra /root $

My current /etc/samba/smb.conf is:

    [global]
       security = ADS
       workgroup = HOME
       realm = HOME.EXAMPLE.COM
       server string = "John's Terra Workstation"
       server role = member server
       log file = /var/log/samba/log.%m
       log level = 1
       max log size = 50
       dedicated keytab file = /etc/krb5.keytab
       kerberos method = secrets and keytab
       username map = /etc/samba/user.map
       winbind refresh tickets = yes
       winbind offline logon = yes
       winbind request timeout = 10
       idmap config * : backend = tdb
       idmap config * : range = 3000-7999
       idmap config HOME:backend = ad
       idmap config HOME:schema_mode = rfc2307
       idmap config HOME:range = 10000-9999999
       idmap config HOME:unix_nss_info = yes
       vfs objects = acl_xattr
       map acl inherit = yes
       store dos attributes = yes
       template shell = /bin/bash
       template homedir = /home/%U

- John
Rowland Penny
2024-Nov-19 17:56 UTC
[Samba] Working through the PAM Offline Authentication Wiki page, but...
On Tue, 19 Nov 2024 11:33:07 -0500 "John R. Graham via samba" <samba at lists.samba.org> wrote:

> ...the tests for initial online login to my newly joined Linux domain
> member the machine through ssh are failing. I ran:
>
>     terra ~ # ssh HOME\\jgraham@localhost
>     (HOME\jgraham@localhost) Password:
>     (HOME\jgraham@localhost) Password:
>     (HOME\jgraham@localhost) Password:
>     HOME\jgraham@localhost's password:
>     Permission denied, please try again.
>     HOME\jgraham@localhost's password:
>     Received disconnect from ::1 port 22:2: Too many authentication
> failures
>     Disconnected from ::1 port 22
>
> (Password was entered each time it was prompted for.) Log excerpts:
>
> /var/log/messages:
>
>     Nov 19 11:18:29 terra samba-dcerpcd[25488]: [2024/11/19
> 11:18:29.613623,  0] ../../source3/rpc_server/rpc_host.c:2843(main)
>     Nov 19 11:18:29 terra samba-dcerpcd[25488]:   samba-dcerpcd
> version 4.19.7 started.
>     Nov 19 11:18:29 terra samba-dcerpcd[25488]:   Copyright Andrew
> Tridgell and the Samba Team 1992-2023
>     Nov 19 11:18:29 terra rpcd_lsad[25499]: [2024/11/19
> 11:18:29.696642,  0]
> ../../source3/rpc_server/rpc_worker.c:1127(rpc_worker_main)
>     Nov 19 11:18:29 terra rpcd_lsad[25499]:   rpcd_lsad version
> 4.19.7 started.
>     Nov 19 11:18:29 terra rpcd_lsad[25499]:   Copyright Andrew
> Tridgell and the Samba Team 1992-2023
>     Nov 19 11:18:29 terra rpcd_lsad[25501]: [2024/11/19
> 11:18:29.739755,  0]
> ../../source3/rpc_server/rpc_worker.c:1127(rpc_worker_main)
>     Nov 19 11:18:29 terra rpcd_lsad[25501]:   rpcd_lsad version
> 4.19.7 started.
>     Nov 19 11:18:29 terra rpcd_lsad[25501]:   Copyright Andrew
> Tridgell and the Samba Team 1992-2023
>     Nov 19 11:18:29 terra rpcd_lsad[25504]: [2024/11/19
> 11:18:29.790433,  0]
> ../../source3/rpc_server/rpc_worker.c:1127(rpc_worker_main)
>     Nov 19 11:18:29 terra rpcd_lsad[25504]:   rpcd_lsad version
> 4.19.7 started.
>     Nov 19 11:18:29 terra rpcd_lsad[25504]:   Copyright Andrew
> Tridgell and the Samba Team 1992-2023
>     Nov 19 11:18:29 terra rpcd_lsad[25507]: [2024/11/19
> 11:18:29.822732,  0]
> ../../source3/rpc_server/rpc_worker.c:1127(rpc_worker_main)
>     Nov 19 11:18:29 terra rpcd_lsad[25507]:   rpcd_lsad version
> 4.19.7 started.
>     Nov 19 11:18:29 terra rpcd_lsad[25507]:   Copyright Andrew
> Tridgell and the Samba Team 1992-2023
>     Nov 19 11:18:34 terra sshd-session[25516]: pam_unix(sshd:auth):
> authentication failure; logname=jgraham uid=0 euid=0 tty=ssh ruser=
> rhost=::1  user=HOME\jgraham
>     Nov 19 11:18:36 terra sshd-session[25479]: error: PAM:
> Authentication failure for HOME\\jgraham from ::1
>     Nov 19 11:18:40 terra sshd-session[25683]: pam_unix(sshd:auth):
> authentication failure; logname=jgraham uid=0 euid=0 tty=ssh ruser=
> rhost=::1  user=HOME\jgraham

At a guess, your PAM stack is incorrect, it doesn't seem to be using winbind, I would expect to see lines like this:

    2024-11-19T17:48:38.678440+00:00 devstation sshd[9437]: pam_winbind(sshd:auth): getting password (0x00000388)

Rowland
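
Added example, not part of either post: one way to confirm the diagnosis in the reply above is to resolve the effective `auth` stack for `sshd` by following `include` and `substack` lines, and to list which PAM modules actually logged for `sshd:auth`. The function names and the `SAMPLE` include chain are hypothetical and constructed for illustration; they are not the poster's PAM files.

```python
import os, re, tempfile

def auth_stack(pam_dir, service, parents=()):
    """Ordered (control, module) pairs of `service`'s auth stack, following include/substack."""
    path = os.path.join(pam_dir, service)
    if service in parents or not os.path.isfile(path):
        return []  # include loop or missing file
    stack = []
    with open(path) as fh:
        for raw in fh:
            f = raw.split("#", 1)[0].split()
            if len(f) < 3 or f[0].lstrip("-") != "auth":
                continue
            i = 1  # a control like [success=1 default=ignore] spans several fields
            while f[1].startswith("[") and not f[i].endswith("]") and i < len(f) - 2:
                i += 1
            control, target = " ".join(f[1:i + 1]), f[i + 1]
            if control in ("include", "substack"):
                stack += auth_stack(pam_dir, target, parents + (service,))
            else:
                stack.append((control, os.path.basename(target)))
    return stack

def has_winbind(pam_dir, service="sshd"):
    return any(mod == "pam_winbind.so" for _, mod in auth_stack(pam_dir, service))

def log_modules(lines, service="sshd"):
    """Names of the PAM modules that logged during `service`'s auth phase."""
    pat = re.compile(r"\b(pam_\w+)\(" + re.escape(service) + r":auth\)")
    return {m.group(1) for line in lines for m in pat.finditer(line)}

def make_pam_dir(files):
    d = tempfile.mkdtemp()
    for name, body in files.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
    return d

# Constructed include chain for illustration; not the poster's real PAM files.
SAMPLE = {
    "sshd": "auth include system-remote-login\n",
    "system-remote-login": "auth include system-login\n",
    "system-login": "auth required pam_faillock.so preauth\nauth include system-auth\n",
    "system-auth": "auth [success=1 default=ignore] pam_unix.so try_first_pass\n"
                   "auth [default=die] pam_faillock.so authfail\n",
}

if __name__ == "__main__":
    print(auth_stack(make_pam_dir(SAMPLE), "sshd"))
    print(log_modules(["sshd-session[25516]: pam_unix(sshd:auth): authentication failure;"]))  # abridged from the thread
```

On a real host, `auth_stack("/etc/pam.d", "sshd")` prints the resolved order; a stack with no `pam_winbind.so` entry matches a log in which only `pam_unix` and `pam_faillock` appear for `sshd:auth`.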