Re: [Samba] require_membership_of is ignored

2013-01-26 Thread TAKAHASHI Motonobu
From: John P Arends jare...@northwestern.edu
Date: Thu, 24 Jan 2013 21:45:13 +

> The problem is, I can log on as any AD user.
> 
> require_membership_of is being ignored. I can put in a valid group with
> no spaces in the name, a group by SID, and either way, everyone can log
> in.

As far as I have checked, it worked with Samba 3.5.6 as shipped with Debian Squeeze.

I added these lines into my smb.conf:
-
  obey pam restrictions = yes
  template shell = /bin/bash
-

Also I added these lines into /etc/pam.d/common_auth:
-
... pam_winbind.so require-membership-of=W2K8R2AD1\samba01g debug
-

samba01g is a global security group.

I tried to log in via ssh from another box as a user who does not belong to
samba01g, and could not log in, with these logs:
-
Jan 27 00:57:06 squeeze64-1 sshd[6261]: pam_winbind(sshd:auth): request wbcLogon
User failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS:
NT_STATUS_LOGON_FAILURE, Error message was: Logon failure
Jan 27 00:57:06 squeeze64-1 sshd[6261]: pam_winbind(sshd:auth): user
'W2K8R2AD1\samba01' denied access (incorrect password or invalid membership)
Jan 27 00:57:06 squeeze64-1 sshd[6261]: pam_winbind(sshd:auth): [pamh:
0x7f2a6c630f40] LEAVE: pam_sm_authenticate returning 7 (PAM_AUTH_ERR)
-

After joining the user to samba01g, the user can log in.

---
TAKAHASHI Motonobu mo...@monyo.com / @damemonyo 
   facebook.com/takahashi.motonobu

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] require_membership_of is ignored

2013-01-24 Thread John P Arends
I want to make sure that if someone also gets local console access somehow, they
still can't get in. That's my concern with just making changes to how sshd
authenticates.

(I know nearly nothing about PAM.)

On Jan 24, 2013, at 4:21 PM, Philipoff, Andrew aphilip...@medicine.ucsf.edu 
wrote:

> John,
> 
> When you say that you can log on as any AD user, do you mean using SSH? On
> our systems I use pam_succeed_if.so user ingroup in our /etc/pam.d/sshd
> files, see below:
> 
> auth       include      system-auth
> account    required     pam_nologin.so
> #account   include      system-auth
> account    sufficient   pam_succeed_if.so user ingroup local_admin_group
> account    sufficient   pam_succeed_if.so user ingroup active_directory_group
> password   include      system-auth
> session    optional     pam_keyinit.so force revoke
> session    include      system-auth
> session    required     pam_loginuid.so
> 
> Note that I comment out "account include system-auth" and add a local admin
> group so as not to lock out local users.
> 
> Andrew



Re: [Samba] require_membership_of is ignored

2013-01-24 Thread Philipoff, Andrew
John,

When you say that you can log on as any AD user, do you mean using SSH? On our 
systems I use pam_succeed_if.so user ingroup in our /etc/pam.d/sshd files, 
see below:

auth       include      system-auth
account    required     pam_nologin.so
#account   include      system-auth
account    sufficient   pam_succeed_if.so user ingroup local_admin_group
account    sufficient   pam_succeed_if.so user ingroup active_directory_group
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

Note that I comment out "account include system-auth" and add a local admin
group so as not to lock out local users.

Andrew

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
Behalf Of John P Arends
Sent: Thursday, January 24, 2013 1:45 PM
To: samba@lists.samba.org
Subject: [Samba] require_membership_of is ignored

I have a RHEL 6.3 machine successfully bound to AD using winbind, and commands 
like wbinfo -u and wbinfo -g output the users and groups. I can also log in as 
any AD user.

The problem is, I can log on as any AD user.

require_membership_of is being ignored. I can put in a valid group with no 
spaces in the name, a group by SID, and either way, everyone can log in.

I've put this option in both /etc/pam.d/system-auth and 
/etc/security/pam_winbind.conf and any user can log in.

Any suggestions, or advice on how I can better troubleshoot this? I'm not 
seeing anything in the logs that is helpful, but I may not be looking in the 
right place.

I've asked a few other people who have told me "oh, that never works", but I
can't imagine that is the case.

Running 3.5.10-125.el6, by the way.

Thanks

-John

John Arends
Senior Systems Engineer
School of Communication
Northwestern University 
847-491-5789

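To see how the control flags in Andrew's account stack above combine for different users, here is an added example (not code from the thread) that simulates a Linux-PAM stack in Python; the group names, the pam_nologin model and the user contexts are constructed assumptions, not real PAM calls.

```python
from typing import Callable, Dict, List, Tuple

# A module is a callable that receives the user context and returns True
# (PAM_SUCCESS) or False (any failure code). Entries are (control, module, label).
Module = Callable[[Dict], bool]
Entry = Tuple[str, Module, str]

def run_stack(stack: List[Entry], ctx: Dict) -> Tuple[bool, str]:
    """Evaluate one PAM stack (required/requisite/sufficient/optional only)."""
    first_failure = None  # label of the first failing 'required' entry, if any
    for control, module, label in stack:
        ok = module(ctx)
        if control == "requisite" and not ok:
            return False, f"requisite {label} failed"  # abort the stack at once
        if control == "required" and not ok and first_failure is None:
            first_failure = label  # remembered, but later modules still run
        if control == "sufficient" and ok and first_failure is None:
            return True, f"sufficient {label} succeeded"  # short-circuit success
        # a failed 'sufficient' and any 'optional' result are ignored here
    if first_failure is not None:
        return False, f"required {first_failure} failed"
    return False, "no module granted access"  # Linux-PAM answers PAM_PERM_DENIED

def ingroup(group: str) -> Module:
    """Model of 'pam_succeed_if.so user ingroup <group>' (assumed semantics)."""
    return lambda ctx: group in ctx["groups"]

def nologin(ctx: Dict) -> bool:
    """Model of pam_nologin.so: non-root users fail while /etc/nologin exists."""
    return ctx["uid"] == 0 or not ctx["etc_nologin"]

# The 'account' lines of the /etc/pam.d/sshd shown above, with the
# 'include system-auth' line left commented out as in the post.
ACCOUNT_STACK: List[Entry] = [
    ("required", nologin, "pam_nologin.so"),
    ("sufficient", ingroup("local_admin_group"), "pam_succeed_if local_admin_group"),
    ("sufficient", ingroup("active_directory_group"), "pam_succeed_if active_directory_group"),
]

def check(groups, etc_nologin: bool = False, uid: int = 1000) -> Tuple[bool, str]:
    """Run the account stack for a user with the given (constructed) group set."""
    return run_stack(ACCOUNT_STACK, {"groups": set(groups), "etc_nologin": etc_nologin, "uid": uid})

if __name__ == "__main__":
    print(check({"domain users", "active_directory_group"}))  # allowed
    print(check({"domain users"}))                            # denied: in neither group
    print(check({"local_admin_group"}, etc_nologin=True))     # denied: required module failed first
```

The third call shows the edge case worth remembering: a later "sufficient" success does not override an earlier "required" failure, so pam_nologin still blocks the local admin.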


Re: [Samba] require_membership_of is ignored

2013-01-24 Thread Nico Kadel-Garcia
On Thu, Jan 24, 2013 at 5:24 PM, John P Arends jare...@northwestern.edu wrote:
> I want to make sure if someone also gets local console access somehow they
> still can't get in. That's my concern with just making changes to how sshd
> authenticates.

One way I've dealt with this, and a pretty simple one, is to not use LDAP
account management at all. Use local user accounts, and allow those to
*authenticate* against the Kerberos server. Look up the authconfig
options to see how to do this: it allows local account management,
including the use of restricted shells and localized uids and group
membership, without having to manage anything but the passwords on the
upstream Samba or AD servers. It even allows the shell to be
/sbin/nologin, or alternative access-limited home directories for
shared scp or even rssh-based access.


Re: [Samba] require_membership_of being ignored?

2008-01-31 Thread Peter Capazzi
I'm running into the same issue that Mike posted about.

I've got authentication working as well as the auto-creation of home
directories. The problem is anybody that has a valid domain account can
come in regardless of group.

I'm running SuSE.
The require_membership_of parameter is supposed to be in the auth section,
right?

The common-auth file I have is:
auth    required    pam_env.so
auth    sufficient  pam_unix2.so
auth    required    pam_winbind.so use_first_pass require_membership_of=DOMAINNAME\groupname

I've tried with an account that is explicitly outside of the group and
that user's account is allowed in.

