SSH login AD user (samba+winbind)

Post by anorlondo » Tuesday 14 February 2017, 15:18

Hi everyone,
I have the following problem and hope you can help me solve it:

I have 2 Ubuntu 14.04 LTS VMs configured with Samba + Winbind as per the documentation, but SSH login for domain users does not work. I can query the AD domain and a trusted domain:

Query primary AD

id toba1@ad1.com
uid=10004(test) gid=10000(ad\domain users) gruppi=10004(test),10000(ad\domain users)...

Query trusted AD (AD2)

id toba2@ad2.com
uid=4294967295 gid=10059(ad2\domain users) gruppi=4294967295,10059(ad2\domain users)...

First problem: from another Linux machine (RHEL, though), when I query a user from a trusted domain (AD2), the user belongs to many more groups.

In any case, the two VMs are correctly joined to AD:

Code:
net ads testjoin
Join is OK

wbinfo -g
ad\domain users
ecc

wbinfo -u

ad\toba1
ecc

klist

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: toba1@ad.com

Valid starting       Expires              Service principal
14/02/2017 11:18:35  14/02/2017 21:18:35  krbtgt/AD.COM@AD.COM
        renew until 21/02/2017 11:18:31

Code:
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat winbind

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
sudoers:        files





Codice: Seleziona tutto
cat /etc/ssh/sshd_config
# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile     %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication yes   (ssh login doesn't work even if uncommented)
#KerberosGetAFSToken yes      (ssh login doesn't work even if uncommented)
#KerberosOrLocalPasswd yes    (ssh login doesn't work even if uncommented)
#KerberosTicketCleanup yes    (ssh login doesn't work even if uncommented)

# GSSAPI options
#GSSAPIAuthentication yes     (ssh login doesn't work even if uncommented)
#GSSAPICleanupCredentials yes (ssh login doesn't work even if uncommented)

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
useDNS no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

Code:
cat /etc/samba/smb.conf
[global]
workgroup = AD
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = AD.COM
security = ads

Code:
cat /etc/pam.d/common-account
#
# /etc/pam.d/common-account - authorization settings common to all services
#

account [success=2 new_authtok_reqd=done default=ignore]        pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore]        pam_winbind.so
# here's the fallback if no module succeeds
account requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
account sufficient                      pam_localuser.so
account [default=bad success=ok user_unknown=ignore]    pam_sss.so
# end of pam-auth-update config

Code:
cat /etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#

auth    [success=3 default=ignore]      pam_unix.so nullok_secure
auth    [success=2 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth    [success=1 default=ignore]      pam_sss.so use_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional                        pam_cap.so
# end of pam-auth-update config

I cannot log in either with a user from the primary domain (AD1) or with users from the trusted domain (AD2).

SSH login test

username:toba1 NOK
username:ad1+toba1 NOK
username:ad1\\toba1 NOK
username:ad1\toba1 - It seems to work, but then PuTTY closes the session immediately.

Code:
tail -f /var/log/auth.log

Feb 14 12:34:15 vmubuntu sshd[7221]: rexec line 56: Unsupported option KerberosGetAFSToken
Feb 14 12:34:17 vmubuntu sshd[7221]: Invalid user tooah from 10.7.17.21
Feb 14 12:34:17 vmubuntu sshd[7221]: input_userauth_request: invalid user toba1 [preauth]
Feb 14 12:34:21 vmubuntu sshd[7221]: pam_unix(sshd:auth): check pass; user unknown
Feb 14 12:34:21 vmubuntu sshd[7221]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.7.17.21
Feb 14 12:34:21 vmubuntu sshd[7221]: pam_winbind(sshd:auth): getting password (0x00000388)
Feb 14 12:34:21 vmubuntu sshd[7221]: pam_winbind(sshd:auth): pam_get_item returned a password
Feb 14 12:34:22 vmubuntu sshd[7221]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.7.17.21 user=toba1
Feb 14 12:34:22 vmubuntu sshd[7221]: pam_sss(sshd:auth): received for user toba1 : 13 (User account has expired)
Feb 14 12:34:24 vmubuntu sshd[7221]: Failed password for invalid user toba1 from 10.7.17.21 port 53148 ssh2

Feb 14 12:34:53 vmubuntu sshd[6959]: Invalid user ad1+toba1 from 10.7.17.21
Feb 14 12:34:53 vmubuntu sshd[6959]: input_userauth_request: invalid user ad1+toba1 [preauth]
Feb 14 12:34:59 vmubuntu sshd[6964]: rexec line 56: Unsupported option KerberosGetAFSToken
Feb 14 12:35:11 vmubuntu sshd[6964]: Invalid user ad1\\\\toba1 from 10.7.17.21
Feb 14 12:35:11 vmubuntu sshd[6964]: input_userauth_request: invalid user ad1\\\\\\\\toba1 [preauth]
Feb 14 12:35:15 vmubuntu sshd[6966]: rexec line 56: Unsupported option KerberosGetAFSToken
Feb 14 12:35:41 vmubuntu sshd[6966]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.7.17.21  user=ad1\toba1
Feb 14 12:35:41 vmubuntu sshd[6966]: pam_winbind(sshd:auth): getting password (0x00000388)
Feb 14 12:35:41 vmubuntu sshd[6966]: pam_winbind(sshd:auth): pam_get_item returned a password
Feb 14 12:35:41 vmubuntu sshd[6966]: pam_winbind(sshd:auth): user 'ivecoeurope\toba1 ' granted access
Feb 14 12:35:42 vmubuntu sshd[6966]: Accepted password for ivecoeurope\\toba1 from 10.7.17.21 port 52992 ssh2
Feb 14 12:35:42 vmubuntu sshd[6966]: pam_unix(sshd:session): session opened for user ad1\toba1 by (uid=0)
Feb 14 12:35:42 vmubuntu systemd-logind[936]: New session 57 of user test.
Feb 14 12:35:44 vmubuntu sshd[6966]: pam_unix(sshd:session): session closed for user ad1\toba1
Feb 14 12:35:44 vmubuntu sshd[6966]: pam_winbind(sshd:setcred): user 'ad1\toba1 ' OK
Feb 14 12:35:52 vmubuntu sshd[6964]: Connection closed by 10.7.17.21 [preauth]
Feb 14 12:35:54 vmubuntu sshd[6959]: Connection closed by 10.7.17.21 [preauth]
Feb 14 12:36:01 vmubuntu sshd[7107]: rexec line 56: Unsupported option KerberosGetAFSToken
Feb 14 12:36:12 vmubuntu sshd[7107]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.7.17.21  user=toba1 @ad1
Feb 14 12:36:12 vmubuntu sshd[7107]: pam_winbind(sshd:auth): getting password (0x00000388)
Feb 14 12:36:12 vmubuntu sshd[7107]: pam_winbind(sshd:auth): pam_get_item returned a password
Feb 14 12:36:13 vmubuntu sshd[7107]: pam_winbind(sshd:auth): user 'ad1\toba1 ' granted access
Feb 14 12:36:16 vmubuntu sshd[7107]: Accepted password for toba1 @ivecoeurope from 10.7.17.21 port 53011 ssh2
Feb 14 12:36:16 vmubuntu sshd[7107]: pam_unix(sshd:session): session opened for user ad1\toba1 by (uid=0)
Feb 14 12:36:16 vmubuntu systemd-logind[936]: Removed session 57.
Feb 14 12:36:16 vmubuntu systemd-logind[936]: New session 58 of user test.
Feb 14 12:36:17 vmubuntu sshd[7107]: pam_unix(sshd:session): session closed for user ad1\toba1
Feb 14 12:36:17 vmubuntu sshd[7107]: pam_winbind(sshd:setcred): user 'ad1\toba1 ' OK --> PuTTY closes!

SAMBA LOG

Code:
[2017/02/14 15:22:48.018826,  0] ../source3/lib/util_tdb.c:494(tdb_chainlock_with_timeout_internal)
  tdb_chainlock_with_timeout_internal: alarm (40) timed out for key ad1.com in tdb /var/run/samba/mutex.tdb
[2017/02/14 15:22:48.019195,  0] ../source3/winbindd/winbindd_cm.c:1032(cm_prepare_connection)
  cm_prepare_connection: mutex grab failed for ad1.com
[2017/02/14 15:23:28.148922,  0] ../source3/lib/util_tdb.c:494(tdb_chainlock_with_timeout_internal)
  tdb_chainlock_with_timeout_internal: alarm (40) timed out for key ad1.com in tdb /var/run/samba/mutex.tdb
[2017/02/14 15:23:28.149209,  0] ../source3/winbindd/winbindd_cm.c:1032(cm_prepare_connection)
  cm_prepare_connection: mutex grab failed for ad1.com
[2017/02/14 15:24:31.634755,  0] ../source3/lib/util_tdb.c:494(tdb_chainlock_with_timeout_internal)
  tdb_chainlock_with_timeout_internal: alarm (40) timed out for key ad1.com in tdb /var/run/samba/mutex.tdb
[2017/02/14 15:24:31.635092,  0] ../source3/winbindd/winbindd_cm.c:1032(cm_prepare_connection)
  cm_prepare_connection: mutex grab failed for ad1.com
[2017/02/14 15:47:33.917742,  0] ../source3/winbindd/winbindd_dual.c:107(child_write_response)

Any help will be greatly appreciated.
anorlondo
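A check worth running against the auth.log above, added to this thread as an example (not the original poster's code): correlate the pam_unix `session opened` / `session closed` lines per sshd PID and flag sessions that end within a few seconds, which is what happens to ad1\toba1 here and is the usual signature of a winbind account whose login shell or home directory is unusable (Samba defaults to `template shell = /bin/false` and `template homedir = /home/%D/%U` when smb.conf does not set them, and the posted smb.conf does not). The log lines are constructed from the ones posted.

```shell
#!/bin/sh
# Flag sshd sessions that close within a few seconds of opening, the
# pattern seen in the auth.log above for ad1\toba1. Constructed sample
# lines modelled on the posted log (not the original poster's file).
SAMPLE_LOG='Feb 14 12:35:42 vmubuntu sshd[6966]: Accepted password for ivecoeurope\\toba1 from 10.7.17.21 port 52992 ssh2
Feb 14 12:35:42 vmubuntu sshd[6966]: pam_unix(sshd:session): session opened for user ad1\toba1 by (uid=0)
Feb 14 12:35:44 vmubuntu sshd[6966]: pam_unix(sshd:session): session closed for user ad1\toba1
Feb 14 12:40:00 vmubuntu sshd[7300]: pam_unix(sshd:session): session opened for user localadmin by (uid=0)
Feb 14 13:10:00 vmubuntu sshd[7300]: pam_unix(sshd:session): session closed for user localadmin'

# short_sessions MAX_SECONDS   (log lines on stdin)
# Prints "pid user duration" for each pam_unix session whose
# "session closed" follows its "session opened" within MAX_SECONDS.
# Only the HH:MM:SS field is compared, so a session spanning midnight
# is skipped (negative duration) rather than mis-measured.
short_sessions() {
    awk -v max="${1:-5}" '
    function secs(t) { split(t, p, ":"); return p[1] * 3600 + p[2] * 60 + p[3] }
    function pid_of(f) { sub(/^sshd\[/, "", f); sub(/\]:$/, "", f); return f }
    # $5 is "sshd[PID]:", $11 the user in "session opened for user X by (uid=0)"
    /sshd\[[0-9]+\]: pam_unix\(sshd:session\): session opened for user / {
        pid = pid_of($5); opened[pid] = secs($3); who[pid] = $11
    }
    /sshd\[[0-9]+\]: pam_unix\(sshd:session\): session closed for user / {
        pid = pid_of($5)
        if (pid in opened) {
            d = secs($3) - opened[pid]
            if (d >= 0 && d <= max) printf "%s %s %d\n", pid, who[pid], d
            delete opened[pid]
        }
    }'
}

# Usage: the posted ad1\toba1 login is reported as a 2-second session;
# the 30-minute localadmin session is not.
printf '%s\n' "$SAMPLE_LOG" | short_sessions 5
```

On a live host, feed it `grep sshd /var/log/auth.log` and then inspect the flagged account with `getent passwd 'DOMAIN\user'` to confirm its shell is listed in /etc/shells and its home directory exists.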