
Re: [Samba] account locks not working ssh/winbind?

On Thu, 26 Apr 2018 09:53:33 +0200
"L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx> wrote:

> Hai. 
>  
> Config. 
> Debian Stretch, samba 4.7.7. member server AD backend. 
> Network setup like in the howtos here. :
> https://github.com/thctlo/samba4/tree/master/howtos 
>  
> Today I discovered that somehow a disabled user was able to login
> after a few retries. 
> I run a SSH/SFTP server for data exchange with the customers of the
> company here. 
> The SSH/SFTP server is restricted by groups; this includes a Windows
> (AD) group and Linux groups, with a GID assigned. 

Hi Louis, I think you are going to have to put the sshd server into
debug mode to sort this.

I have examined your logs, sorted and shortened them to what I believe
are the relevant parts:

Apr 25 07:00:04 hostname1 sshd[27490]: reverse mapping checking getaddrinfo for unknown.domain.tld [1.2.3.4] failed.
Apr 25 07:00:04 hostname1 sshd[27490]: pam_krb5(sshd:auth): authentication failure; logname=username uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4
Apr 25 07:00:04 hostname1 sshd[27490]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4  user=username
Apr 25 07:00:04 hostname1 sshd[27490]: pam_winbind(sshd:auth): getting password (0x00000388)
Apr 25 07:00:04 hostname1 sshd[27490]: pam_winbind(sshd:auth): pam_get_item returned a password
Apr 25 07:00:04 hostname1 sshd[27490]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11), NTSTATUS: NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested.
Apr 25 07:00:04 hostname1 sshd[27490]: pam_winbind(sshd:auth): internal module error (retval = PAM_MAXTRIES(11), user = 'username')

The above seems to show that pam_krb5, pam_unix and pam_winbind are rejecting the user.

Apr 25 07:00:04 hostname1 sshd[27490]: Accepted password for username from 1.2.3.4 port 10500 ssh2
Apr 25 07:00:04 hostname1 sshd[27490]: pam_unix(sshd:session): session opened for user username by (uid=0)
Apr 25 07:00:04 hostname1 systemd-logind[25400]: New session 4873 of user username.
Apr 25 07:00:04 hostname1 systemd: pam_unix(systemd-user:session): session opened for user username by (uid=0)

Something in the above 4 lines is allowing access.

From my SFTP server log, and this should not be possible:
2018-04-25 07:00:05 [27504][username][1.2.3.4][10500]Start download file '/folder1/file1.csv'
2018-04-25 07:00:05 [27504][username][1.2.3.4][10500]End download file '/folder1/file1.csv' (82 bytes) : 100%
2018-04-25 07:00:05 [27504][username][1.2.3.4][10500]Start download file '/folder1/file1.csv'
2018-04-25 07:00:06 [27504][username][1.2.3.4][10500]End download file '/folder1/file1.csv' (82 bytes) : 100%
2018-04-25 07:00:06 [27504][username][1.2.3.4][10500]Try to remove file '/folder1/file1.csv' : success


Apr 25 07:00:07 hostname1 sshd[27490]: pam_unix(sshd:session): session closed for user username
Apr 25 07:00:07 hostname1 sshd[27490]: pam_winbind(sshd:setcred): user 'username' OK
Apr 25 07:00:07 hostname1 systemd-logind[25400]: Removed session 4873.
Apr 25 07:00:07 hostname1 systemd: pam_unix(systemd-user:session): session closed for user username

I believe this is all coming from /etc/pam.d/sshd

Rowland
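The pattern Rowland points at in the logs, a pam_winbind NT_STATUS_ACCOUNT_LOCKED_OUT rejection followed by "Accepted password" from the same sshd process, is easy to hunt for across a whole auth log. The script below is an added example, not something from the thread or from Samba; it correlates sshd lines by PID and flags any connection that was accepted after winbind reported the AD account locked out. The embedded log lines are the ones quoted above plus one constructed clean login for contrast.

```python
import re
from collections import defaultdict

# Sample input: sshd lines quoted in the thread above, plus one constructed
# clean publickey login (pid 27600) that must NOT be flagged.
SAMPLE_LOG = """\
Apr 25 07:00:04 hostname1 sshd[27490]: pam_krb5(sshd:auth): authentication failure; logname=username uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4
Apr 25 07:00:04 hostname1 sshd[27490]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4  user=username
Apr 25 07:00:04 hostname1 sshd[27490]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11), NTSTATUS: NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested.
Apr 25 07:00:04 hostname1 sshd[27490]: pam_winbind(sshd:auth): internal module error (retval = PAM_MAXTRIES(11), user = 'username')
Apr 25 07:00:04 hostname1 sshd[27490]: Accepted password for username from 1.2.3.4 port 10500 ssh2
Apr 25 07:00:04 hostname1 sshd[27490]: pam_unix(sshd:session): session opened for user username by (uid=0)
Apr 25 07:01:10 hostname1 sshd[27600]: Accepted publickey for otheruser from 10.0.0.5 port 51000 ssh2
"""

# Syslog prefix: timestamp, host, "sshd[PID]: message"
SSHD_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ACCEPTED_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<rhost>\S+) port (?P<port>\d+)")
LOCKED_RE = re.compile(r"pam_winbind\(sshd:auth\):.*NT_STATUS_ACCOUNT_LOCKED_OUT")


def find_lockout_bypass(log_text):
    """Return one finding per sshd PID that logged an AD lockout from pam_winbind
    and then, later in the same process, an 'Accepted ...' login."""
    locked = defaultdict(list)  # pid -> winbind lockout messages seen so far
    findings = []
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue  # not an sshd line (systemd-logind, SFTP app log, ...)
        pid, msg = m["pid"], m["msg"]
        if LOCKED_RE.search(msg):
            locked[pid].append(msg)
            continue
        a = ACCEPTED_RE.match(msg)
        if a and pid in locked:  # accepted AFTER winbind said "locked out"
            findings.append({"ts": m["ts"], "pid": pid, "user": a["user"],
                             "rhost": a["rhost"], "method": a["method"]})
    return findings


if __name__ == "__main__":
    for f in find_lockout_bypass(SAMPLE_LOG):
        print("LOCKOUT BYPASS: pid=%(pid)s user=%(user)s from %(rhost)s via %(method)s at %(ts)s" % f)
```

Run it against `/var/log/auth.log` (or `journalctl -u ssh -o short`) to confirm whether the hit is a one-off or a recurring gap in the PAM stack before editing /etc/pam.d/sshd.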

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba