Re: [Samba] require_membership_of is ignored
From: John P Arends Date: Thu, 24 Jan 2013 21:45:13 + > The problem is, I can log on as any AD user. > > require_membership_of is being ignored. I can put in a valid group with > no spaces in the name, a group by SID, and either way, everyone can log > in. As far as I examined Samba 3.5.6 shipped with Debian Squeeze, it worked. I added these lines into my smb.conf: - obey pam restrictions = yes template shell = /bin/bash - Also I added these lines into /etc/pam.d/common_auth: - ... pam_winbind.so require-membership-of=W2K8R2AD1\samba01g debug - samba01g is a global security group. I tried to login as an user who does not belong to samba01g from other box via ssh and cannnot login with these logs: - Jan 27 00:57:06 squeeze64-1 sshd[6261]: pam_winbind(sshd:auth): request wbcLogon User failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_LOGON_FAILURE, Error message was: Logon failure Jan 27 00:57:06 squeeze64-1 sshd[6261]: pam_winbind(sshd:auth): user 'W2K8R2AD1\samba01' denied access (incorrect password or invalid membership) Jan 27 00:57:06 squeeze64-1 sshd[6261]: pam_winbind(sshd:auth): [pamh: 0x7f2a6c630f40] LEAVE: pam_sm_authenticate returning 7 (PAM_AUTH_ERR) - To join the user to samba01g, the user can login. --- TAKAHASHI Motonobu / @damemonyo facebook.com/takahashi.motonobu -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] require_membership_of is ignored
On Thu, Jan 24, 2013 at 5:24 PM, John P Arends wrote: > I want to make sure if someone also gets local console access somehow they > still can't get in. That's my concern with just making changes to how sshd > authenticates. One way I've dealt with this, and a pretty simple one, is not use LDAP account management at all. Use local user accounts, and allow those to *authenticate* against the Kerberos server. Look up the "authconfig" options to see how to do this: it allows local account management, including the use of restricted shells and locallized uid's and group membership, without having to manage anything but the passwords on the upstream Samba or AD servers. It even allows the shell to be "/sbin/nologin" or alternative access limited home directories for shared "scp" or even "rssh" based access. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] require_membership_of is ignored
John, When you say that you can log on as any AD user, do you mean using SSH? On our systems I use "pam_succeed_if.so user ingroup" in our /etc/pam.d/sshd files, see below: auth include system-auth accountrequired pam_nologin.so #accountinclude system-auth accountsufficient pam_succeed_if.so user ingroup local_admin_group accountsufficient pam_succeed_if.so user ingroup active_directory_group password include system-auth sessionoptional pam_keyinit.so force revoke sessioninclude system-auth sessionrequired pam_loginuid.so Note that I comment out "account include system-auth " and add a local admin group so as not to lock out local users. Andrew -Original Message- From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of John P Arends Sent: Thursday, January 24, 2013 1:45 PM To: samba@lists.samba.org Subject: [Samba] require_membership_of is ignored I have a RHEL 6.3 machine successfully bound to AD using winbind, and commands like wbinfo -u and wbinfo -g output the users and groups. I can also log in as any AD user. The problem is, I can log on as any AD user. require_membership_of is being ignored. I can put in a valid group with no spaces in the name, a group by SID, and either way, everyone can log in. I've put this option in both /etc/pam.d/system-auth and /etc/security/pam_winbind.conf and any user can log in. Any suggestions, or advice on how I can better troubleshoot this? I'm not seeing anything in the logs that is helpful, but I may not be looking in the right place. I've asked a few other people who have told me "oh, that never works" but I can't imagine that is the case. Running 3.5.10-125.el6 by the way.. Thanks -John John Arends Senior Systems Engineer School of Communication Northwestern University 847-491-5789 -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] require_membership_of is ignored
I want to make sure if someone also gets local console access somehow they still can't get in. That's my concern with just making changes to how sshd authenticates. (I know nearly nothing about PAM.) On Jan 24, 2013, at 4:21 PM, "Philipoff, Andrew" wrote: > John, > > When you say that you can log on as any AD user, do you mean using SSH? On > our systems I use "pam_succeed_if.so user ingroup" in our /etc/pam.d/sshd > files, see below: > > auth include system-auth > accountrequired pam_nologin.so > #accountinclude system-auth > accountsufficient pam_succeed_if.so user ingroup local_admin_group > accountsufficient pam_succeed_if.so user ingroup active_directory_group > password include system-auth > sessionoptional pam_keyinit.so force revoke > sessioninclude system-auth > sessionrequired pam_loginuid.so > > Note that I comment out "account include system-auth " and add a local admin > group so as not to lock out local users. > > Andrew > > -Original Message- > From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On > Behalf Of John P Arends > Sent: Thursday, January 24, 2013 1:45 PM > To: samba@lists.samba.org > Subject: [Samba] require_membership_of is ignored > > I have a RHEL 6.3 machine successfully bound to AD using winbind, and > commands like wbinfo -u and wbinfo -g output the users and groups. I can also > log in as any AD user. > > The problem is, I can log on as any AD user. > > require_membership_of is being ignored. I can put in a valid group with no > spaces in the name, a group by SID, and either way, everyone can log in. > > I've put this option in both /etc/pam.d/system-auth and > /etc/security/pam_winbind.conf and any user can log in. > > Any suggestions, or advice on how I can better troubleshoot this? I'm not > seeing anything in the logs that is helpful, but I may not be looking in the > right place. > > I've asked a few other people who have told me "oh, that never works" but I > can't imagine that is the case. > > Running 3.5.10-125.el6 by the way.. > > Thanks > > -John > > John Arends > Senior Systems Engineer > School of Communication > Northwestern University > 847-491-5789 > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
