[Pkg-samba-maint] Bug#739768: winbind: Non-kerberos logins fail on winbind 4.X when krb5_auth is configured in PAM (default)
hkbakke at gmail.com
Sat Feb 22 11:18:59 UTC 2014
Package: winbind
Version: 2:4.1.4+dfsg-3
Severity: important
Dear Maintainer,
After testing winbind 4.x in both wheezy-backports and jessie I have discovered that I just can't log in to the system if _not_ using kerberos. This breaks both sudo and non-GSSAPI logins. If I remove krb5_auth from /usr/share/pam-configs/winbind everything works.
Test scenario:
- Clean minimal netinstall of Jessie
- Install winbind with necessary dependencies and configuration identical to what is working with winbind 3.x, except for defining server role in smb.conf
- Verify that everything works (getent passwd/group, wbinfo etc)
- Login via SSH (without GSSAPI)
- Login fails with the following error
=== /var/log/auth ===
Feb 22 09:57:16 test sshd[2696]: debug1: userauth-request for user hk service ssh-connection method password [preauth]
Feb 22 09:57:16 test sshd[2696]: debug1: attempt 2 failures 1 [preauth]
Feb 22 09:57:16 test sshd[2696]: debug2: input_userauth_request: try method password [preauth]
Feb 22 09:57:16 test sshd[2696]: debug3: mm_auth_password entering [preauth]
Feb 22 09:57:16 test sshd[2696]: debug3: mm_request_send entering: type 12 [preauth]
Feb 22 09:57:16 test sshd[2696]: debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD [preauth]
Feb 22 09:57:16 test sshd[2696]: debug3: mm_request_receive_expect entering: type 13 [preauth]
Feb 22 09:57:16 test sshd[2696]: debug3: mm_request_receive entering [preauth]
Feb 22 09:57:16 test sshd[2696]: debug3: mm_request_receive entering
Feb 22 09:57:16 test sshd[2696]: debug3: monitor_read: checking request 12
Feb 22 09:57:16 test sshd[2696]: debug3: PAM: sshpam_passwd_conv called with 1 messages
Feb 22 09:57:16 test sshd[2696]: pam_winbind(sshd:auth): getting password (0x00000388)
Feb 22 09:57:16 test sshd[2696]: pam_winbind(sshd:auth): pam_get_item returned a password
Feb 22 09:57:16 test sshd[2696]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_CONNECTION_DISCONNECTED, Error message was: NT_STATUS_CONNECTION_DISCONNECTED
Feb 22 09:57:16 test sshd[2696]: pam_winbind(sshd:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'hk')
Feb 22 09:57:18 test sshd[2696]: debug1: PAM: password authentication failed for hk: Authentication failure
Feb 22 09:57:18 test sshd[2696]: debug3: mm_answer_authpassword: sending result 0
Feb 22 09:57:18 test sshd[2696]: debug3: mm_request_send entering: type 13
Feb 22 09:57:18 test sshd[2696]: Failed password for hk from 10.0.0.104 port 52934 ssh2
Feb 22 09:57:18 test sshd[2696]: debug3: mm_auth_password: user not authenticated [preauth]
Feb 22 09:57:18 test sshd[2696]: debug3: userauth_finish: failure partial=0 next methods="publickey,password" [preauth]
Feb 22 09:57:18 test sshd[2696]: debug3: Received SSH2_MSG_IGNORE [preauth]
===
- Activate GSSAPI for SSH
- SSO login from domain client is successful, but sudo fails with 'authentication failure'
Expected result:
- Both SSO and non-kerberos logins work like in winbind 3.x
Fix:
1. Edit the Auth: section in /usr/share/pam-configs/winbind and remove krb5_auth from pam_winbind.so
===
Auth:
[success=end default=ignore] pam_winbind.so krb5_ccache_type=FILE cached_login try_first_pass
===
2. run pam-auth-update
With this, everything works as expected, both with and without kerberos SSO logins.
=== Log output from successful SSH non-GSSAPI login for comparison ===
Feb 22 10:00:57 test sshd[3167]: debug1: userauth-request for user hk service ssh-connection method password [preauth]
Feb 22 10:00:57 test sshd[3167]: debug1: attempt 1 failures 0 [preauth]
Feb 22 10:00:57 test sshd[3167]: debug2: input_userauth_request: try method password [preauth]
Feb 22 10:00:57 test sshd[3167]: debug3: mm_auth_password entering [preauth]
Feb 22 10:00:57 test sshd[3167]: debug3: mm_request_send entering: type 12 [preauth]
Feb 22 10:00:57 test sshd[3167]: debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD [preauth]
Feb 22 10:00:57 test sshd[3167]: debug3: mm_request_receive_expect entering: type 13 [preauth]
Feb 22 10:00:57 test sshd[3167]: debug3: mm_request_receive entering [preauth]
Feb 22 10:00:57 test sshd[3167]: debug3: mm_request_receive entering
Feb 22 10:00:57 test sshd[3167]: debug3: monitor_read: checking request 12
Feb 22 10:00:57 test sshd[3167]: debug3: PAM: sshpam_passwd_conv called with 1 messages
Feb 22 10:00:57 test sshd[3167]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=lan-104.proikt.com user=hk
Feb 22 10:00:57 test sshd[3167]: pam_winbind(sshd:auth): getting password (0x00000308)
Feb 22 10:00:57 test sshd[3167]: pam_winbind(sshd:auth): pam_get_item returned a password
Feb 22 10:00:57 test sshd[3167]: pam_winbind(sshd:auth): user 'hk' granted access
Feb 22 10:00:57 test sshd[3167]: debug1: PAM: password authentication accepted for hk
Feb 22 10:00:57 test sshd[3167]: debug3: mm_answer_authpassword: sending result 1
Feb 22 10:00:57 test sshd[3167]: debug3: mm_request_send entering: type 13
Feb 22 10:00:57 test sshd[3167]: debug3: mm_request_receive_expect entering: type 102
Feb 22 10:00:57 test sshd[3167]: debug3: mm_request_receive entering
Feb 22 10:00:57 test sshd[3167]: debug1: do_pam_account: called
Feb 22 10:00:57 test sshd[3167]: debug3: PAM: do_pam_account pam_acct_mgmt = 0 (Success)
Feb 22 10:00:57 test sshd[3167]: debug3: mm_request_send entering: type 103
Feb 22 10:00:57 test sshd[3167]: Accepted password for hk from 10.0.0.104 port 52943 ssh2
===
Conclusions:
I do not know if this is the correct fix, if it breaks security, or if it merely removes symptoms of something else that is wrong, but the expected functionality level is restored.
-- /etc/samba/smb.conf --
[global]
server string = %h server
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
usershare allow guests = yes
disable netbios = yes
# Allow symbolic links
follow symlinks = yes
wide links = yes
unix extensions = no
# Active directory integration
workgroup = MYDOMAIN
server role = member server
security = ads
realm = ad.proikt.com
client ldap sasl wrapping = seal
kerberos method = secrets and keytab
winbind cache time = 300
winbind enum users = yes
winbind enum groups = yes
winbind expand groups = 5
winbind use default domain = yes
winbind refresh tickets = yes
winbind offline logon = yes
template shell = /bin/bash
template homedir = /home/%U@%D
idmap config * : backend = tdb
idmap config * : range = 100000-299999
idmap config MYDOMAIN : backend = rid
idmap config MYDOMAIN : range = 300000-499999
--
-- System Information:
Debian Release: jessie/sid
APT prefers testing-updates
APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.12-1-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages winbind depends on:
ii libbsd0 0.6.0-1
ii libc6 2.17-97
ii libcomerr2 1.42.9-3
ii libkrb5-26-heimdal 1.6~git20131207+dfsg-1
ii libldap-2.4-2 2.4.31-1+nmu2+b1
ii libpopt0 1.16-8
ii libtalloc2 2.1.0-1
ii libtdb1 1.2.12-1
ii libtevent0 0.9.19-1
ii libwbclient0 2:4.1.4+dfsg-3
ii multiarch-support 2.17-97
ii samba 2:4.1.4+dfsg-3
ii samba-libs 2:4.1.4+dfsg-3
winbind recommends no packages.
Versions of packages winbind suggests:
ii libnss-winbind 2:4.1.4+dfsg-3
ii libpam-winbind 2:4.1.4+dfsg-3
-- no debconf information
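As an added check (not part of the report or of the Debian package), the shell snippet below tests whether a pam-configs profile's Auth section passes krb5_auth to pam_winbind.so (the setting the fix above removes) and classifies pam_winbind authentication decisions in auth.log lines by user and NTSTATUS. The profile text is a constructed sample rather than the packaged file; the log lines are taken from the two sessions quoted above.

```shell
#!/bin/sh
# Added example, not from the bug report: check a pam-configs profile for the
# krb5_auth option on pam_winbind.so and classify pam_winbind auth outcomes
# in auth.log lines. Both functions read their input on stdin.

# Exit 0 if an Auth section passes krb5_auth to pam_winbind.so, else 1.
winbind_auth_has_krb5() {
    awk '
        /^[A-Za-z-]+:/ { in_auth = ($1 ~ /^Auth/) }   # section header line
        in_auth && /pam_winbind\.so/ && /[ \t]krb5_auth([ \t]|$)/ { found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Print "<user> failed <NTSTATUS>" or "<user> granted" per pam_winbind decision.
winbind_outcomes() {
    awk -v q="'" '
        /pam_winbind\([^)]*:auth\): request wbcLogonUser failed/ {
            status = "UNKNOWN"
            if (match($0, /NTSTATUS: [A-Z_]+/)) status = substr($0, RSTART + 10, RLENGTH - 10)
        }
        /pam_winbind\([^)]*:auth\): internal module error/ && status != "" {
            user = "?"
            if (match($0, "user = " q "[^" q "]*" q)) user = substr($0, RSTART + 8, RLENGTH - 9)
            print user " failed " status; status = ""
        }
        /pam_winbind\([^)]*:auth\): user / && / granted access/ {
            if (match($0, "user " q "[^" q "]*" q)) print substr($0, RSTART + 6, RLENGTH - 7) " granted"
        }
    '
}

# Constructed samples: the Auth: block with krb5_auth (as shipped) and as edited
# in the fix, plus pam_winbind lines from the report's failing and working sessions.
BROKEN_PROFILE='Auth-Type: Primary
Auth:
    [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass'
FIXED_PROFILE='Auth-Type: Primary
Auth:
    [success=end default=ignore] pam_winbind.so krb5_ccache_type=FILE cached_login try_first_pass'
AUTH_LOG="Feb 22 09:57:16 test sshd[2696]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_CONNECTION_DISCONNECTED, Error message was: NT_STATUS_CONNECTION_DISCONNECTED
Feb 22 09:57:16 test sshd[2696]: pam_winbind(sshd:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'hk')
Feb 22 10:00:57 test sshd[3167]: pam_winbind(sshd:auth): user 'hk' granted access"

printf '%s\n' "$BROKEN_PROFILE" | winbind_auth_has_krb5 && echo "shipped profile: krb5_auth present"
printf '%s\n' "$FIXED_PROFILE" | winbind_auth_has_krb5 || echo "fixed profile: krb5_auth absent"
printf '%s\n' "$AUTH_LOG" | winbind_outcomes
```

Run against the real files with `winbind_auth_has_krb5 < /usr/share/pam-configs/winbind` and `winbind_outcomes < /var/log/auth.log` to see whether the option is still active and which logons it turned away.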