FS#41358 - [samba] Authentication failure using winbindd in 4.1.9
Attached to Project:
Arch Linux
Opened by Andreas Turriff (aturriff) - Sunday, 27 July 2014, 05:39 GMT
Last edited by Tobias Powalowski (tpowa) - Monday, 29 August 2016, 06:29 GMT
Details
Description:
Samba version 4.1.9 winbindd fails to authenticate users with permissions on the system keytab set to 600. Setting permissions to 644 resolves the problem, but does not seem secure. Note that wbinfo and getent do not seem to be affected, but user logins are.

Possibly relatedly, pam_winbind.so does not pick up the settings in /etc/security/pam_winbind.conf.

Sanitized configuration files:

smb.conf:

    [global]
    workgroup = REDACTED
    realm = REDACTED.REALM
    security = ADS
    encrypt passwords = yes
    log level = 2
    log file = /var/log/samba/%m
    client ldap sasl wrapping = seal
    client use spnego = yes
    kerberos method = system keytab
    access based share enum = yes
    acl group control = yes
    map acl inherit = yes
    map archive = no
    map hidden = no
    name resolve order = host bcast
    wins support = no
    unix charset = utf-8
    idmap config * : backend = tdb
    idmap config * : range = 50000-60000
    idmap config HOME : backend = ad
    idmap config HOME : range = 10000-20000
    idmap config HOME : schema_mode = rfc2307
    winbind cache time = 600
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = yes
    winbind expand groups = 5
    winbind use default domain = yes
    winbind refresh tickets = yes
    winbind separator = _
    winbind nss info = rfc2307
    template homedir = /home/%U
    template shell = /usr/bin/zsh

system-auth:

    #%PAM-1.0
    auth required pam_env.so
    auth sufficient pam_unix.so use_authtok nullok
    auth sufficient pam_winbind.so use_authtok krb5_auth mkhomedir krb5_ccache_type=FILE
    auth required pam_deny.so
    auth optional pam_permit.so
    account required pam_time.so
    account sufficient pam_winbind.so
    account sufficient pam_unix.so
    account required pam_deny.so
    account optional pam_permit.so
    password sufficient pam_unix.so use_authtok nullok sha512 shadow
    password sufficient pam_winbind.so use_authtok krb5_auth mkhomedir krb5_ccache_type=FILE
    password required pam_deny.so
    password optional pam_permit.so
    session required pam_limits.so
    session sufficient pam_unix.so
    session sufficient pam_winbind.so
    session required pam_deny.so
    session optional pam_permit.so
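The 600-versus-644 trade-off in this report can be checked mechanically. The script below is an added example, not part of the original report or of Samba: it reads `kerberos method` from an smb.conf and flags a keytab that group or other can access. The function names are hypothetical, and it assumes GNU stat and a `kerberos method` key written in lower case as in the smb.conf above.

```shell
#!/bin/sh
# Added example (not from the bug report). Assumes GNU stat from coreutils.
# Simplification: the key is matched case-sensitively and in any section.

# Print the last "kerberos method" value set in an smb.conf, lower-cased.
kerberos_method() {
    sed -n 's/^[[:space:]]*kerberos method[[:space:]]*=[[:space:]]*//p' "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//' | tr '[:upper:]' '[:lower:]'
}

# audit_keytab SMB_CONF KEYTAB
# Returns 0 = owner-only (or keytab not used), 1 = group/other access,
# 2 = keytab file missing.
audit_keytab() {
    kt_method=$(kerberos_method "$1")
    case "$kt_method" in
        *keytab*) ;;  # system keytab, dedicated keytab, secrets and keytab
        *) echo "SKIP: kerberos method '$kt_method' does not read a keytab"
           return 0 ;;
    esac
    if [ ! -f "$2" ]; then
        echo "MISSING: $2"
        return 2
    fi
    kt_mode=$(stat -c '%a' "$2")
    kt_owner=$(stat -c '%U' "$2")
    # Mask the group and other permission bits (octal 077).
    if [ $(( 0$kt_mode & 077 )) -ne 0 ]; then
        echo "FAIL: $2 is mode $kt_mode (owner $kt_owner): keys readable beyond the owner"
        return 1
    fi
    echo "OK: $2 is mode $kt_mode (owner $kt_owner)"
}

# Constructed demo: a two-line smb.conf and an empty stand-in keytab.
demo() {
    d=$(mktemp -d) || return 1
    printf '[global]\n  kerberos method = system keytab\n' > "$d/smb.conf"
    : > "$d/krb5.keytab"
    chmod 644 "$d/krb5.keytab"; audit_keytab "$d/smb.conf" "$d/krb5.keytab" || true
    chmod 600 "$d/krb5.keytab"; audit_keytab "$d/smb.conf" "$d/krb5.keytab" || true
    rm -rf "$d"
}

if [ "$#" -eq 2 ]; then audit_keytab "$1" "$2"; else demo; fi
```

Called with two arguments it audits real files, for example the smb.conf and the keytab path configured on the host; with none it runs the constructed demo.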
This task depends upon
Closed by Tobias Powalowski (tpowa)
Monday, 29 August 2016, 06:29 GMT
Reason for closing: No response
Comment by Darth Vader (DVader) - Wednesday, 10 September 2014, 14:14 GMT
Any news about this bug?
Comment by Darth Vader (DVader) - Wednesday, 10 September 2014, 14:23 GMT
Any news about this?