[Comm] winbind, pam, login
Andrew Borodin
borodin at zarya-k.ru
Tue Jun 24 10:51:14 MSK 2014
Hello!
I am trying to join my machine to a Windows domain. I have set up Samba
and I can see the domain users. I got stuck on configuring authentication.
I had never had to configure PAM before, because everything worked out of
the box. Reading all sorts of information about setting up authentication
via winbind only confused things further. So I am asking for help here.
I did what is described at
http://www.altlinux.org/Ввод_в_домен_на_базе_Windows_2003
The result is that both locally (logging in on the console and with
"su -l") and remotely (logging in over ssh) users are let in both with an
empty password (ssh does not let them in) and with a wrong password.
Here is what I ended up with:
The file system-auth-winbind:
#%PAM-1.0
auth required pam_securetty.so
auth required pam_nologin.so
auth sufficient pam_tcb.so shadow fork prefix=$2a$ count=8 nullok
auth sufficient pam_winbind.so use_first_pass
auth include system-auth-use_first_pass
auth required pam_nologin.so
account sufficient pam_tcb.so shadow fork
account sufficient pam_winbind.so use_first_pass
password sufficient pam_winbind.so
password required pam_passwdqc.so config=/etc/passwdqc.conf
password sufficient pam_tcb.so use_authtok shadow fork prefix=$2a$ count=8 nullok write_to=tcb
password include system-auth-use_first_pass
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
session required pam_mktemp.so
session required pam_limits.so
session sufficient pam_tcb.so
session sufficient pam_winbind.so
The file system-auth-use_first_pass-winbind:
#%PAM-1.0
auth sufficient pam_winbind.so use_first_pass
auth sufficient pam_tcb.so shadow fork prefix=$2y$ count=8 nullok use_first_pass
password sufficient pam_winbind.so use_authtok
password sufficient pam_tcb.so use_authtok shadow fork prefix=$2y$ count=8 nullok write_to=tcb
# control system-auth winbind
The symlinks were switched:
/etc/pam.d/system-auth -> /etc/pam.d/system-auth-winbind
/etc/pam.d/system-auth-use_first_pass -> /etc/pam.d/system-auth-use_first_pass-winbind
Logs:
when a local user logs in on the second console with a wrong
password:
Jun 24 10:41:26 borodin login[10540]: pam_tcb(login:auth): Authentication failed for borodin from LOGIN(uid=0)
Jun 24 10:41:26 borodin login[10540]: pam_winbind(login:auth): getting password (0x00004290)
Jun 24 10:41:26 borodin login[10540]: pam_winbind(login:auth): pam_get_item returned a password
Jun 24 10:41:26 borodin login[10540]: pam_winbind(login:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_LOGON_FAILURE, Error message was: Logon failure
Jun 24 10:41:26 borodin login[10540]: pam_winbind(login:auth): user 'borodin' denied access (incorrect password or invalid membership)
Jun 24 10:41:26 borodin login[10540]: pam_winbind(login:auth): getting password (0x00004290)
Jun 24 10:41:26 borodin login[10540]: pam_winbind(login:auth): pam_get_item returned a password
Jun 24 10:41:26 borodin login[10540]: pam_winbind(login:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_LOGON_FAILURE, Error message was: Logon failure
Jun 24 10:41:26 borodin login[10540]: pam_winbind(login:auth): user 'borodin' denied access (incorrect password or invalid membership)
Jun 24 10:41:26 borodin login[10540]: pam_tcb(login:auth): Authentication failed for borodin from LOGIN(uid=0)
Jun 24 10:41:26 borodin login[10540]: pam_tcb(login:session): Session opened for borodin by LOGIN(uid=0)
when a domain user logs in on the second console with a wrong
password:
Jun 24 10:44:38 borodin login[10638]: pam_tcb(login:auth): Credentials for user foufaev unknown
Jun 24 10:44:38 borodin login[10636]: pam_tcb(login:auth): Authentication failed for UNKNOWN USER from LOGIN(uid=0)
Jun 24 10:44:38 borodin login[10636]: pam_winbind(login:auth): getting password (0x00004290)
Jun 24 10:44:38 borodin login[10636]: pam_winbind(login:auth): pam_get_item returned a password
Jun 24 10:44:38 borodin login[10636]: pam_winbind(login:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_LOGON_FAILURE, Error message was: Logon failure
Jun 24 10:44:38 borodin login[10636]: pam_winbind(login:auth): user 'foufaev' denied access (incorrect password or invalid membership)
Jun 24 10:44:38 borodin login[10636]: pam_winbind(login:auth): getting password (0x00004290)
Jun 24 10:44:38 borodin login[10636]: pam_winbind(login:auth): pam_get_item returned a password
Jun 24 10:44:38 borodin login[10636]: pam_winbind(login:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_LOGON_FAILURE, Error message was: Logon failure
Jun 24 10:44:38 borodin login[10636]: pam_winbind(login:auth): user 'foufaev' denied access (incorrect password or invalid membership)
Jun 24 10:44:38 borodin login[10640]: pam_tcb(login:auth): Credentials for user foufaev unknown
Jun 24 10:44:38 borodin login[10636]: pam_tcb(login:auth): Authentication failed for UNKNOWN USER from LOGIN(uid=0)
Jun 24 10:44:38 borodin login[10636]: pam_winbind(login:account): user 'foufaev' granted access
Jun 24 10:44:38 borodin login[10636]: pam_tcb(login:session): Session opened for foufaev by LOGIN(uid=0)
--
Regards,
A. Borodin.
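As an added illustration (not part of the original post), the Python script below replays Linux-PAM's dispatch rules (required/requisite/sufficient/optional with an undefined, positive or negative "impression", as in pam_dispatch.c) over the two auth stacks quoted above, with every password-checking module failing as it does for a wrong password. Which modules count as password checkers is an assumption of the script; the FIXED variant appends the standard `auth required pam_deny.so` terminator so that a stack in which every checker is `sufficient` can no longer fall through on the success of the `required` gatekeepers.

```python
# Assumed classification: these modules verify the password, so they fail for a
# wrong password; pam_deny always fails; anything else (pam_securetty,
# pam_nologin, ...) is a gatekeeper that succeeds.
AUTHENTICATORS = {"pam_tcb.so", "pam_unix.so", "pam_winbind.so"}
# auth lines of the two files from the post, keyed by the name used in 'include'.
POSTED = {
    "system-auth-winbind": """\
auth required pam_securetty.so
auth required pam_nologin.so
auth sufficient pam_tcb.so shadow fork prefix=$2a$ count=8 nullok
auth sufficient pam_winbind.so use_first_pass
auth include system-auth-use_first_pass
auth required pam_nologin.so
""",
    "system-auth-use_first_pass": """\
auth sufficient pam_winbind.so use_first_pass
auth sufficient pam_tcb.so shadow fork prefix=$2y$ count=8 nullok use_first_pass
""",
}
FIXED = dict(POSTED)  # same stack with the usual terminator: nothing can fall through
FIXED["system-auth-winbind"] += "auth required pam_deny.so\n"

def expand(files, name, mtype):
    """Yield (control, module) for one management group, flattening 'include'."""
    for line in files[name].splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) < 3 or parts[0] != mtype:
            continue
        control = parts[1].lower()
        if control == "include":
            yield from expand(files, parts[2], mtype)
        else:
            yield control, parts[2]

def fails_open(files, name, mtype="auth"):
    """True if the group ends in PAM_SUCCESS although no authenticator succeeded."""
    impression = None  # None = no module has set the result yet
    for control, module in expand(files, name, mtype):
        ok = module not in AUTHENTICATORS and module != "pam_deny.so"
        if control in ("required", "requisite"):
            if ok and impression is None:
                impression = "positive"
            elif not ok:
                impression = "negative"
                if control == "requisite":
                    break  # 'die': stop the stack immediately
        elif control == "sufficient" and ok and impression != "negative":
            return True  # 'done': short-circuit with success
        # optional modules and failing sufficient ones are ignored
    return impression == "positive"
```

The posted stack succeeds because pam_securetty and pam_nologin (both `required`) set a positive result that the failing `sufficient` checkers never override; a stack made only of `sufficient` checkers, or one that ends in `required pam_deny.so`, is denied.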