"Require_Membership_of" in pam_winbind.conf does nothing

freymish · 09-14-2017, 02:48 PM

I have 30 some servers that successfully authenticate against a Windows Domain. The problem isn't logging in. That works great. The problem is keeping all domain users from authenticating. I have created a number of AD groups to govern access to different groups of servers and am trying to implement the /etc/security/pam_winbind.conf file "require_membership_of = linux_users_group_name" operator to control access and it is not working. I have tried using names and using the GUID of the group and it's the same result.

I think this worked initially before I updated my Samba versions but I'm not 100% on that. Could be a wishful memory! Anyway, I've done a good bit of googling for a solution to this and I'm coming up with nothing. Any help would be greatly appreciated.

Thanks,

Freymish

A little background:
Running Oracle Linux 5
uname: 2.6.39-400.297.3.el5uek #1 SMP Fri Jun 30 10:12:39 PDT 2017 x86_64 x86_64 x86_64 GNU/Linux

winbindd -V = Version 3.0.33-3.39.el5_8

smb.conf

Quote:

[global]
workgroup = DomainName
realm = InternalDNS.corp
security = ads
template shell = /bin/bash
server string = Samba Server Version %v
netbios name = {hostname}
domain master = no
local master = no
preferred master = no
passdb backend = tdbsam
template homedir = /home/DOMAINNAME/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
winbind enum users = yes::q
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind refresh tickets = yes
winbind offline logon = true
winbind separator = +
unix extensions = no
obey pam restrictions = Yes
smb passwd file = /etc/samba/secrets.tdb
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
restrict anonymous = 2
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
wins support = no
load printers = no
cups options = raw
min protocol = SMB2
#_________________
idmap backend = tdb
idmap uid = 80000 - 99990
idmap gid = 80000 - 99990
passdb backend = tdbsam

krb5.conf

Quote:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = InternalDNS.corp
# dns_lookup_realm = false
# dns_lookup_kdc = false
# ticket_lifetime = 24h
forwardable = yes
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
InternalDNS.corp = {
InternalDNS.corp = 192.168.1.1:88
InternalDNS.corp = 192.168.1.4:88
kdc = WinDC1.InternalDNS.corp
kdc = WinDC2.InternalDNS.corp
kdc = 192.168.1.1
}

[domain_realm]
.InternalDNS.corp = InternalDNS.corp
InternalDNS.corp = InternalDNS.corp
InternalDNS.corp = InternalDNS.corp
.InternalDNS.corp = InternalDNS.corp

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

system-auth-ac

Quote:

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_winbind.so cached_login use_first_pass
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_winbind.so cached_login use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

relevant lines from NSSwitch

Quote:

passwd: files winbind
shadow: files winbind
group: files winbind

Quote:

#
# pam_winbind configuration file
#
# /etc/security/pam_winbind.conf
#

[global]

# turn on debugging
;debug = yes

# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
;cached_login = yes

# authenticate using kerberos
;krb5_auth = yes

# when using kerberos, request a "FILE" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
;krb5_ccache_type = FILE

# make successful authentication dependend on membership of one SID
# (can also take a name)
require_membership_of = S-1-2-3-934785635639-123456789-987654321-19283

freymish · 09-27-2017, 11:14 AM

This is now working as it should. Near as I can figure, this issue coincided with the change of the password on the domain admin account I used to join these servers to the domain. It seems odd to me that it would matter. Maybe that's a coincidence?

I'll leave this open for a bit in hopes that someone can enlighten me on this.