Gentoo Forums
Authenticating domain users via PAM [SOLVED]
szaszka
n00b


Joined: 07 Sep 2016
Posts: 5

PostPosted: Wed Sep 07, 2016 5:33 pm    Post subject: Authenticating domain users via PAM [SOLVED]

Dear Gentoo Users,

I have a Gentoo server running Samba 4 on it as active directory domain controller.

And I have a Gentoo workstation running Samba 4 on it as active directory domain member. I joined the domain following the instructions in this howto: https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

Unfortunately, the last step in the above howto (Verify domain user login) doesn't work. Taking a look at the journal, the following can be read:

Quote:
szept 07 19:03:44 porta.irodaihalozat.kkik.hu login[895]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty3 ruser= rhost= user=IRODAIHALOZAT\porta
szept 07 19:03:44 porta.irodaihalozat.kkik.hu login[895]: pam_winbind(login:auth): getting password (0x00000010)
szept 07 19:03:44 porta.irodaihalozat.kkik.hu login[895]: pam_winbind(login:auth): pam_get_item returned a password
szept 07 19:03:44 porta.irodaihalozat.kkik.hu login[895]: pam_winbind(login:auth): user 'IRODAIHALOZAT\porta' granted access
szept 07 19:03:47 porta.irodaihalozat.kkik.hu login[895]: FAILED LOGIN (1) on '/dev/tty3' FOR 'IRODAIHALOZAT\porta', Authentication failure


Does anyone have any idea what I should try in order to get the login working on the local console (or remotely, via sshd) with a domain user account?

Thank You in advance!

Sincerely,
Endre István Szász


Last edited by szaszka on Fri Sep 09, 2016 5:59 am; edited 1 time in total
szaszka
n00b


Joined: 07 Sep 2016
Posts: 5

PostPosted: Wed Sep 07, 2016 5:51 pm    Post subject: Additional information

The original content of the /etc/pam.d/system-auth was:
Quote:
auth required pam_env.so
auth required pam_unix.so try_first_pass likeauth nullok
auth optional pam_permit.so
account required pam_unix.so
account optional pam_permit.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password optional pam_permit.so
session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session optional pam_permit.so
-session optional pam_systemd.so

Based on the above mentioned howto, I modified it in the following way:
Quote:
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_winbind.so use_first_pass
auth optional pam_permit.so
account required pam_unix.so
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account optional pam_permit.so
password requisite pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password sufficient pam_winbind.so use_authtok
password optional pam_permit.so
session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session optional pam_permit.so
-session optional pam_systemd.so
szaszka
n00b


Joined: 07 Sep 2016
Posts: 5

PostPosted: Wed Sep 07, 2016 8:08 pm    Post subject: A little bit closer to the solution

I had to add the following settings to the workstations smb.conf:
Quote:
winbind nss info = rfc2307
winbind enum users = Yes
winbind enum groups = Yes
template shell = /bin/bash
idmap uid = 10000-20000
idmap gid = 10000-20000

After that, it started to work, but still not in the way it should, because it doesn't create the domain user's home directory automatically (even though I manually created a directory in /home with the name of the workgroup), and it permits the user to log in even if a wrong password is provided:
Quote:

endre@tarolo ~ $ ssh -p 2206 -l "IRODAIHALOZAT\porta" 192.168.100.200
Password:
Wrong Password
Could not chdir to home directory /home/IRODAIHALOZAT/porta: No such file or directory
IRODAIHALOZAT\porta@porta / $


Most probably the problem is that I misconfigured /etc/pam.d/system-auth. Can someone help me make the right modifications to the files in /etc/pam.d, please?

The log of the current behavior is the following:

Quote:
szept 07 21:50:10 porta.irodaihalozat.kkik.hu login[1513]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty3 ruser= rhost= user=IRODAIHALOZAT\porta
szept 07 21:50:10 porta.irodaihalozat.kkik.hu login[1513]: pam_winbind(login:auth): getting password (0x00000010)
szept 07 21:50:10 porta.irodaihalozat.kkik.hu login[1513]: pam_winbind(login:auth): pam_get_item returned a password
szept 07 21:50:10 porta.irodaihalozat.kkik.hu login[1513]: pam_winbind(login:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
szept 07 21:50:10 porta.irodaihalozat.kkik.hu login[1513]: pam_winbind(login:auth): user 'IRODAIHALOZAT\porta' denied access (incorrect password or invalid membership)
szept 07 21:50:10 porta.irodaihalozat.kkik.hu login[1513]: pam_winbind(login:account): user 'IRODAIHALOZAT\porta' granted access
szept 07 21:50:10 porta.irodaihalozat.kkik.hu login[1513]: pam_unix(login:session): session opened for user IRODAIHALOZAT\porta by LOGIN(uid=0)
szept 07 21:50:10 porta.irodaihalozat.kkik.hu login[1513]: pam_systemd(login:session): Failed to create session: No such file or directory


The current /etc/pam.d/system-auth is:
Quote:

auth required pam_env.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_winbind.so use_first_pass
auth optional pam_permit.so
account required pam_unix.so
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
password requisite pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password sufficient pam_winbind.so use_authtok
password optional pam_permit.so
session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session optional pam_permit.so
-session optional pam_systemd.so
szaszka
n00b


Joined: 07 Sep 2016
Posts: 5

PostPosted: Wed Sep 07, 2016 8:43 pm    Post subject: Automatically create the home directory at first login

In the /etc/pam.d/system-auth, after the "session required pam_unix.so" line I added:
Quote:
session sufficient pam_winbind.so mkhomedir

After that, during the next login, the home directory was created.

The problem that it doesn't deny the login if I type an incorrect password in still has to be resolved. Please help me if someone knows what's wrong with my config.
Syl20
Guru


Joined: 04 Aug 2005
Posts: 564
Location: France

PostPosted: Thu Sep 08, 2016 12:07 pm

I think the problem is that there isn't a final "deny" directive in the PAM auth configuration. pam_unix and pam_winbind are "sufficient", not "required|requisite", and the optional pam_permit directive confirms the opening. You should replace the pam_permit directive with this one:
Code:
auth   required   pam_deny.so

Keep at least one root session open when doing such a change. If PAM is misconfigured, it could deny every connection attempt, even if it should be legit. And root doesn't necessarily have more privileges than another account for PAM.
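To see why Syl20's diagnosis is right, here is a small simulator of Linux-PAM's auth-stack decision rules. It is an example added for this thread, not code from the thread, from Samba or from Linux-PAM. It applies the four keyword control flags as pam.conf(5) defines them (required, requisite, sufficient, optional; the bracketed [value=action] syntax used on the account line is not modelled) to the auth section szaszka posted, and to the same section with the pam_deny fix. Which module succeeds or fails for a given login attempt is a constructed assumption of the example, chosen to match the journal entries above.

```python
"""Simulate how Linux-PAM evaluates an auth stack built from the keyword
control flags, so the effect of ending the stack with pam_permit versus
pam_deny can be seen directly. Added example; not Linux-PAM's own code."""

# Module return codes used in the simulation (names as in Linux-PAM).
PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_PERM_DENIED = "PAM_PERM_DENIED"   # libpam's PAM_MUST_FAIL_CODE

# Dispatch actions from pam.conf(5).
OK, DONE, BAD, DIE, IGNORE = "ok", "done", "bad", "die", "ignore"

# pam.conf(5) defines each keyword as a [value=action] table; these are the
# rows that matter here (new_authtok_reqd/ignore omitted, no module returns them).
CONTROL = {
    "required":   {PAM_SUCCESS: OK,   "default": BAD},
    "requisite":  {PAM_SUCCESS: OK,   "default": DIE},
    "sufficient": {PAM_SUCCESS: DONE, "default": IGNORE},
    "optional":   {PAM_SUCCESS: OK,   "default": IGNORE},
}


def run_stack(stack, outcomes):
    """Walk a list of (control, module) lines the way libpam's dispatcher does.

    `outcomes` maps a module name to the code it would return for this login
    attempt; unlisted modules succeed. Returns the stack's final status.
    """
    impression = None            # None: undecided, True: positive, False: negative
    status = PAM_PERM_DENIED     # what you get if nothing ever records a result
    for control, module in stack:
        retval = outcomes.get(module, PAM_SUCCESS)
        table = CONTROL[control]
        action = table.get(retval, table["default"])
        if action in (OK, DONE):
            # A success only counts while no earlier failure has been recorded.
            if impression is None or (impression and status == PAM_SUCCESS):
                impression, status = True, retval
            if impression and action == DONE:
                break                       # sufficient: decision made, stop
        elif action in (BAD, DIE):
            if impression is not False:
                impression, status = False, retval   # first failure wins
            if action == DIE:
                break                       # requisite: stop immediately
        # IGNORE: the module's result leaves no trace at all
    return status


def login_allowed(stack, outcomes):
    return run_stack(stack, outcomes) == PAM_SUCCESS


# The auth section of the poster's /etc/pam.d/system-auth (third post).
BROKEN_STACK = [
    ("required",   "pam_env.so"),
    ("sufficient", "pam_unix.so"),
    ("requisite",  "pam_succeed_if.so"),   # uid >= 1000
    ("sufficient", "pam_winbind.so"),
    ("optional",   "pam_permit.so"),
]
# Syl20's fix: the trailing pam_permit line replaced by "auth required pam_deny.so".
FIXED_STACK = BROKEN_STACK[:-1] + [("required", "pam_deny.so")]


def attempt(unix, winbind, uid_ok=True):
    """Constructed login attempt: what pam_unix, pam_winbind and pam_succeed_if
    return. pam_env and pam_permit always succeed, pam_deny always fails."""
    return {
        "pam_unix.so": unix,
        "pam_winbind.so": winbind,
        "pam_succeed_if.so": PAM_SUCCESS if uid_ok else PAM_AUTH_ERR,
        "pam_deny.so": PAM_AUTH_ERR,
    }


# Domain user, wrong password: no shadow entry, and the DC rejects it
# (the 21:50:10 journal entries quoted in the thread).
DOMAIN_WRONG_PW = attempt(PAM_AUTH_ERR, PAM_AUTH_ERR)
# Domain user, right password: pam_unix still fails, winbind accepts.
DOMAIN_RIGHT_PW = attempt(PAM_AUTH_ERR, PAM_SUCCESS)
# Local user, right password: pam_unix accepts before winbind is asked.
LOCAL_RIGHT_PW = attempt(PAM_SUCCESS, PAM_AUTH_ERR)

if __name__ == "__main__":
    for name, stack in (("broken", BROKEN_STACK), ("fixed", FIXED_STACK)):
        for label, att in (("domain/wrong pw", DOMAIN_WRONG_PW),
                           ("domain/right pw", DOMAIN_RIGHT_PW),
                           ("local/right pw", LOCAL_RIGHT_PW)):
            print(f"{name:6} {label:16} -> {run_stack(stack, att)}")
```

Running it shows the original stack granting the domain user with a wrong password, exactly as the journal does. It also shows that merely deleting the pam_permit line would not help: pam_env's "required" success is already recorded as a positive result, and the two "sufficient" failures are ignored rather than recorded, so the stack still ends in PAM_SUCCESS. Only a trailing module that records a failure, such as pam_deny, turns that into PAM_AUTH_ERR, while a successful pam_unix or pam_winbind still returns early through the "done" action before pam_deny is reached.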
szaszka
n00b


Joined: 07 Sep 2016
Posts: 5

PostPosted: Fri Sep 09, 2016 5:58 am    Post subject: Now it works

Many thanks for the suggestion; after replacing the line "auth optional pam_permit.so" with "auth required pam_deny.so", everything works as it should.

Thank You again!