[Comm] winbind, pam, login

Andrew Borodin borodin at zarya-k.ru
Tue Jun 24 10:51:14 MSK 2014


Hello!

I am trying to join my machine to a Windows domain. I have configured Samba
and I can see the domain users. I am stuck on configuring authorization.

I have never had to configure PAM before, since everything worked out of
the box. Reading various material on configuring authorization through
winbind only confused everything. So I am asking for help here.

I did it as described at
http://www.altlinux.org/Ввод_в_домен_на_базе_Windows_2003

The result is that both locally (when logging in on the console and with
"su -l") and remotely (when logging in over ssh), users are let in both
with an empty password (ssh does not let them in) and with a wrong
password.

Here is what I ended up with:

File system-auth-winbind:

#%PAM-1.0
auth            required        pam_securetty.so
auth            required        pam_nologin.so
auth            sufficient      pam_tcb.so shadow fork prefix=$2a$ count=8 nullok
auth            sufficient      pam_winbind.so use_first_pass
auth            include         system-auth-use_first_pass
auth            required        pam_nologin.so

account         sufficient      pam_tcb.so shadow fork
account         sufficient      pam_winbind.so use_first_pass

password        sufficient      pam_winbind.so
password        required        pam_passwdqc.so config=/etc/passwdqc.conf
password        sufficient      pam_tcb.so use_authtok shadow fork prefix=$2a$ count=8 nullok write_to=tcb
password        include         system-auth-use_first_pass

session         required        pam_mkhomedir.so skel=/etc/skel/ umask=0077
session         required        pam_mktemp.so
session         required        pam_limits.so
session         sufficient      pam_tcb.so
session         sufficient      pam_winbind.so


File system-auth-use_first_pass-winbind:

#%PAM-1.0
auth            sufficient      pam_winbind.so use_first_pass
auth            sufficient      pam_tcb.so shadow fork prefix=$2y$ count=8 nullok use_first_pass

password        sufficient      pam_winbind.so use_authtok
password        sufficient      pam_tcb.so use_authtok shadow fork prefix=$2y$ count=8 nullok write_to=tcb


# control system-auth winbind

The links switched over:
/etc/pam.d/system-auth -> /etc/pam.d/system-auth-winbind
/etc/pam.d/system-auth-use_first_pass -> /etc/pam.d/system-auth-use_first_pass-winbind

Logs:

when a local user logs in on the second console with a wrong
password:

Jun 24 10:41:26 borodin login[10540]: pam_tcb(login:auth): Authentication failed for borodin from LOGIN(uid=0)
Jun 24 10:41:26 borodin login[10540]: pam_winbind(login:auth): getting password (0x00004290)
Jun 24 10:41:26 borodin login[10540]: pam_winbind(login:auth): pam_get_item returned a password
Jun 24 10:41:26 borodin login[10540]: pam_winbind(login:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_LOGON_FAILURE, Error message was: Logon failure
Jun 24 10:41:26 borodin login[10540]: pam_winbind(login:auth): user 'borodin' denied access (incorrect password or invalid membership)
Jun 24 10:41:26 borodin login[10540]: pam_winbind(login:auth): getting password (0x00004290)
Jun 24 10:41:26 borodin login[10540]: pam_winbind(login:auth): pam_get_item returned a password
Jun 24 10:41:26 borodin login[10540]: pam_winbind(login:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_LOGON_FAILURE, Error message was: Logon failure
Jun 24 10:41:26 borodin login[10540]: pam_winbind(login:auth): user 'borodin' denied access (incorrect password or invalid membership)
Jun 24 10:41:26 borodin login[10540]: pam_tcb(login:auth): Authentication failed for borodin from LOGIN(uid=0)
Jun 24 10:41:26 borodin login[10540]: pam_tcb(login:session): Session opened for borodin by LOGIN(uid=0)

when a domain user logs in on the second console with a wrong
password:

Jun 24 10:44:38 borodin login[10638]: pam_tcb(login:auth): Credentials for user foufaev unknown
Jun 24 10:44:38 borodin login[10636]: pam_tcb(login:auth): Authentication failed for UNKNOWN USER from LOGIN(uid=0)
Jun 24 10:44:38 borodin login[10636]: pam_winbind(login:auth): getting password (0x00004290)
Jun 24 10:44:38 borodin login[10636]: pam_winbind(login:auth): pam_get_item returned a password
Jun 24 10:44:38 borodin login[10636]: pam_winbind(login:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_LOGON_FAILURE, Error message was: Logon failure
Jun 24 10:44:38 borodin login[10636]: pam_winbind(login:auth): user 'foufaev' denied access (incorrect password or invalid membership)
Jun 24 10:44:38 borodin login[10636]: pam_winbind(login:auth): getting password (0x00004290)
Jun 24 10:44:38 borodin login[10636]: pam_winbind(login:auth): pam_get_item returned a password
Jun 24 10:44:38 borodin login[10636]: pam_winbind(login:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_LOGON_FAILURE, Error message was: Logon failure
Jun 24 10:44:38 borodin login[10636]: pam_winbind(login:auth): user 'foufaev' denied access (incorrect password or invalid membership)
Jun 24 10:44:38 borodin login[10640]: pam_tcb(login:auth): Credentials for user foufaev unknown
Jun 24 10:44:38 borodin login[10636]: pam_tcb(login:auth): Authentication failed for UNKNOWN USER from LOGIN(uid=0)
Jun 24 10:44:38 borodin login[10636]: pam_winbind(login:account): user 'foufaev' granted access
Jun 24 10:44:38 borodin login[10636]: pam_tcb(login:session): Session opened for foufaev by LOGIN(uid=0)


-- 

Regards,
A. Borodin.
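An editor's illustration of why the logs above end in "Session opened" after every password module has failed; it is added here and is not part of the original post. It models the Linux-PAM control-flag rules and runs them over the posted system-auth-winbind auth stack, with module results constructed for a console login using a wrong password; the closing pam_deny.so line is the editor's assumed fix, not something the post mentions.

```python
# Editor's model of Linux-PAM control-flag handling, run over the posted auth stack.
#   required   - failure is recorded, evaluation continues; success counts as positive
#   sufficient - success ends the stack with success unless a required module already
#                failed; failure is ignored and evaluation continues
#   include    - splices in that file's lines of the same type
# Final result: success only if some module left a positive result and no required
# module failed; a stack with no positive result at all is denied.
from typing import Dict, List, Tuple
Line = Tuple[str, str]  # (control flag, module)

# The two auth stacks as posted (module arguments omitted; they do not change flow).
SYSTEM_AUTH_WINBIND: List[Line] = [
    ("required", "pam_securetty.so"),
    ("required", "pam_nologin.so"),
    ("sufficient", "pam_tcb.so"),
    ("sufficient", "pam_winbind.so"),
    ("include", "system-auth-use_first_pass"),
    ("required", "pam_nologin.so"),
]
USE_FIRST_PASS_WINBIND: List[Line] = [
    ("sufficient", "pam_winbind.so"),
    ("sufficient", "pam_tcb.so"),
]
FILES = {"system-auth-use_first_pass": USE_FIRST_PASS_WINBIND}

def expand(stack: List[Line]) -> List[Line]:
    """Resolve 'include' lines into one flat list of (control, module)."""
    out: List[Line] = []
    for control, module in stack:
        out.extend(expand(FILES[module]) if control == "include" else [(control, module)])
    return out

def run_auth(stack: List[Line], results: Dict[str, bool]) -> bool:
    """True if the stack authenticates, given each module's pass/fail result."""
    positive, required_failed = False, False
    for control, module in expand(stack):
        ok = results[module]
        if control == "required":
            if not ok:
                required_failed = True
            elif not required_failed:
                positive = True
        elif control == "sufficient" and ok and not required_failed:
            return True  # sufficient success: stack ends here
    return positive and not required_failed

# Constructed scenario from the post: console login, wrong password, no /etc/nologin,
# so only the password modules fail. pam_deny.so is the editor's suggested last line.
WRONG_PASSWORD = {"pam_securetty.so": True, "pam_nologin.so": True,
                  "pam_tcb.so": False, "pam_winbind.so": False, "pam_deny.so": False}
FIXED_STACK = SYSTEM_AUTH_WINBIND[:-1] + [("required", "pam_deny.so")]
```

With every password module failing, the trailing "auth required pam_nologin.so" is the last module to run and it passes, so the posted stack ends positive; ending the stack with a required module that always fails makes the earlier failures final.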


More information about the community mailing list