[Pkg-samba-maint] Bug#862580: Bug #862580: Winbind crashes on ssh login of a domain user.
Christian Meyer
c2h5oh at web.de
Sat Jun 10 21:53:32 UTC 2017
Hello Louis,
> 1) $ cat /etc/hosts
>> 127.0.0.1 localhost
> You did set up with DHCP, so you removed 127.0.1.1 sambawb; that is possible,
> but better is:
This is because
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
says: "On debian related systems you will see 127.0.1.1 hostname also
in /etc/hosts remove it before you install samba."
>172.16.0.209 sambawb.work.company sambawb
I had it in /etc/hosts before and removed it following wiki.samba.org.
I will put it back.
> ( recommended turn of dhcp, use static ips for the servers )
I will think about it.
But just to be clear: what exactly do you mean by 'server'? My debian
machines are only 'domain members' and are not providing any shares or
printers to the network. I think 'server' is samba terminology meaning
that it is providing services, e.g. to PAM on the local machine. Right?
> 2) Setup and enable the username map.
> username map = /etc/samba/samba_usermapping
> ( needs content : !root = WORK\Administrator WORK\administrator )
It's changed.
> # Now here it's interesting, this tells me something.
>> Jun 07 21:33:18 sambawb sshd[502]: pam_unix(sshd:auth):
>> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
>> rhost=172.16.0.1 user=domainuser
>> ^^ Guessing, also correctly rejected, if you did not give root a
>> password at install or your sshd_config has : PermitRootLogin no (or
>> without-password)
> Most interesting part.
>> Jun 07 21:33:18 sambawb sshd[502]: pam_winbind(sshd:auth): getting
>> password (0x00000388)
>> Jun 07 21:33:18 sambawb sshd[502]: pam_winbind(sshd:auth):
>> pam_get_item returned a password
>> Jun 07 21:33:19 sambawb sshd[502]: pam_winbind(sshd:auth): request
>> wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7),
>> NTSTATUS_LOGON_FAILURE, Error message was: Logon failure
>> Jun 07 21:33:19 sambawb sshd[502]: pam_winbind(sshd:auth): user
>> 'domainuser' denied access (incorrect password or invalid membership)
>> Jun 07 21:33:20 sambawb sshd[502]: Failed password for invalid user
>> domainuser from 172.16.0.1 port 54474 ssh2
> Are you logging in as user "root" (id=0) or as "Administrator"
> here?
> Or you created a user and assigned it id 0; in all cases, this is in my
> opinion wrong to do.
No, that's not the case. I see 'uid=0' but my username is just an
ordinary domain user. It's neither "root" nor "Administrator". The
domain user isn't a domain admin either - it's a restricted domain
account. I have several domain accounts to test and whenever it fails I
see 'uid=0', too. It doesn't matter what (unprivileged) account I use.
I remove the homedir on logout and recreate it on logon with
pam_mkhomedir.
> I recommend not enabling root logins on ssh, but that's your choice.
> You can not, never ever, assign user Administrator an uid, especially
> user Administrator.
> Uid 0 = root and only root, now this is why you need the username
> mapping.
Okay, I think that is the point:
When it fails I see:
Jun 10 22:21:50 COMPUTERXY sshd[3207]: Invalid user domainuser from
172.16.0.235
Jun 10 22:21:50 COMPUTERXY sshd[3207]: input_userauth_request: invalid
user domainuser [preauth]
Jun 10 22:21:52 COMPUTERXY sshd[3207]: pam_krb5(sshd:auth):
authentication failure; logname=domainuser uid=0 euid=0 tty=ssh ruser=
rhost=computer.work.company
and on success it is (same machine, same user, just some time later,
e.g. after a local user logged in):
Jun 10 23:23:22 COMPUTERXY sshd[9459]: pam_krb5(sshd:auth): user
domainuser authenticated as domainuser at WORK.COMPANY
Jun 10 23:23:22 COMPUTERXY pam-script[9459]: can not
stat /usr/share/libpam-script/pam_script_acct
Jun 10 23:23:22 COMPUTERXY sshd[9459]: Accepted password for domainuser
from 172.16.0.1 port 43841 ssh2
I will have a look at it with changed username mapping.
> Now, where did it go wrong? You have a few options to check.
> First, check the time sync on the DC's and the member servers.
> A common problem with login problems. Check this first.
# net ads info -P
LDAP server: 172.16.0.2
LDAP server name: ADDC.WORK.company
Realm: WORK.COMPANY
Bind Path: dc=WORK,dc=COMPANY
LDAP port: 389
Server time: Sa, 10 Jun 2017 23:37:11 CEST
KDC server: 172.16.0.2
Server time offset: 0
# grep server /etc/ntp.conf
server 172.16.0.2 iburst
# grep GSS /etc/ssh/sshd_config
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
I will change it to:
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
> And if you use groups member checks in sshd_conf, test if all these
> groups have GID.
# grep -i group /etc/ssh/sshd_config
<nothing>
>> I also noticed that in this cases 'wbinfo -u' or 'kinit
>> domainuser' succeeds, but 'getent passwd' only shows local users.
>> And yes, libpam-winbind and libnss-winbind are installed and
>> nsswitch.conf has 'passwd: compat winbind'
> Yes, this is confusing.. ;-)
> wbinfo -u shows all your users.
> getent passwd not, but `getent passwd username` should show your
> user.
No, it isn't. 'getent passwd' shows domainusers, too, but I tested
'getent passwd domainuser' as well:
I'm logged in as root and testing 'getent passwd' or 'getent passwd
domainuser'.
When 'getent passwd' (or 'getent passwd domainuser') shows 'domainuser'
then I can log in as domainuser, too.
When 'getent passwd' (or 'getent passwd domainuser') does not show
'domainuser' then I can't log in as domainuser.
Thank you for your help,
Christian
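As an added example (not part of this thread), a small Python classifier for the sshd/PAM log lines quoted above, using those lines as constructed sample input: it separates 'Invalid user' messages, where sshd's NSS lookup found no such account (the same lookup that `getent passwd domainuser` performs), from pam_winbind logon failures, where the account resolved but the DC rejected the logon, and groups the findings per sshd PID so that one login attempt yields one verdict. The `uid=0 euid=0` fields in the pam_unix-style failure lines describe the sshd process performing the check, not the account being tested.

```python
import re
from collections import defaultdict

# Constructed sample: the lines quoted in the thread above (syslog prefix kept).
SAMPLE = """\
Jun 07 21:33:19 sambawb sshd[502]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS_LOGON_FAILURE, Error message was: Logon failure
Jun 07 21:33:20 sambawb sshd[502]: Failed password for invalid user domainuser from 172.16.0.1 port 54474 ssh2
Jun 10 22:21:50 COMPUTERXY sshd[3207]: Invalid user domainuser from 172.16.0.235
Jun 10 23:23:22 COMPUTERXY sshd[9459]: pam_krb5(sshd:auth): user domainuser authenticated as domainuser at WORK.COMPANY
Jun 10 23:23:22 COMPUTERXY sshd[9459]: Accepted password for domainuser from 172.16.0.1 port 43841 ssh2
""".splitlines()

# "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG = re.compile(r"^\w{3}\s+\d+ [\d:]+ (?P<host>\S+) (?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")

PATTERNS = [
    # sshd's NSS lookup found no such account: the same lookup `getent passwd user` does
    ("nss_unknown_user", re.compile(r"^Invalid user (?P<user>\S+) from (?P<rhost>\S+)")),
    ("nss_unknown_user", re.compile(r"^Failed password for invalid user (?P<user>\S+) from")),
    # the account resolved and winbind reached the DC, but the DC rejected the logon
    ("winbind_logon_failure", re.compile(r"^pam_winbind\(sshd:auth\): request wbcLogonUser failed: (?P<code>\S+),")),
    ("winbind_denied", re.compile(r"^pam_winbind\(sshd:auth\): user '(?P<user>[^']+)' denied access")),
    ("krb5_ok", re.compile(r"^pam_krb5\(sshd:auth\): user (?P<user>\S+) authenticated as")),
    ("accepted", re.compile(r"^Accepted password for (?P<user>\S+) from")),
]

def classify(line):
    """Return (kind, fields) for a recognised message, None for anything else."""
    m = SYSLOG.match(line.strip())
    if not m:
        return None
    for kind, pat in PATTERNS:
        hit = pat.match(m.group("msg"))
        if hit:
            return kind, dict(m.groupdict(), **hit.groupdict())
    return None

def diagnose(lines):
    """Group findings by sshd PID, so each login attempt yields (user, sorted findings)."""
    per_pid = defaultdict(lambda: {"user": None, "findings": set()})
    for line in lines:
        res = classify(line)
        if res is None:
            continue
        kind, f = res
        per_pid[f["pid"]]["findings"].add(kind)
        per_pid[f["pid"]]["user"] = f.get("user") or per_pid[f["pid"]]["user"]
    return {pid: (e["user"], sorted(e["findings"])) for pid, e in per_pid.items()}
```

Running `diagnose(SAMPLE)` shows PID 3207 failing purely on the name lookup, which is the state Christian describes when `getent passwd` does not list the domain user.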