Web lists-archives.com

Re: [Samba] account locks not working ssh/winbind?




On Thu, 26 Apr 2018 11:18:10 +0200
"L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx> wrote:

> Hai Rowland, 
> 
> Thanks for the reply. Ok so we suspect and buggie pam module
> 
> The pam.d/ssh is the default
> 
> @include common-auth
> account    required     pam_nologin.so
> @include common-account
> session [success=ok ignore=ignore module_unknown=ignore
> default=bad]        pam_selinux.so close session    required
> pam_loginuid.so session    optional     pam_keyinit.so force revoke
> @include common-session
> session    optional     pam_motd.so  motd=/run/motd.dynamic
> session    optional     pam_motd.so noupdate
> session    required     pam_limits.so
> session    required     pam_env.so user_readenv=1
> envfile=/etc/default/locale session [success=ok ignore=ignore
> module_unknown=ignore default=bad]        pam_selinux.so open
> @include common-password
> 
> But what i dont understand is this line:
> > Apr 25 07:00:07 hostname1 sshd[27490]: pam_winbind(sshd:setcred):
> > user 'username' OK
> 
> pam_winbind(sshd:setcred) 

Yes, but it is AFTER the user is allowed access and 'setcred' means (to
me at least) 'set the credential for next time', but I am not an expert
here ;-)

> I'll go search for this a bit, and start with the build of 4.8.1
> while doing that.

I would hang on with that, Denis has just asked if the 'don't upgrade
to 4.8.0 bug' has been fixed, it isn't mentioned in the release notes.
It seems to have gone in, just not mentioned in the release notes (at
least I hope that is the case)

> 
> I forgot the pam winbind config, this one is used also. 
> 
> If anyone has ideas or suggestion where to look, please add them.
> Because this should never happen.. To be able to login with an locked
> account. 

Thing is, how do you tell ssh that an account is locked ?

Rowland
 

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba