FS#41358 - [samba] Authentication failure using winbindd in 4.1.9

Attached to Project: Arch Linux
Opened by Andreas Turriff (aturriff) - Sunday, 27 July 2014, 05:39 GMT
Last edited by Tobias Powalowski (tpowa) - Monday, 29 August 2016, 06:29 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Tobias Powalowski (tpowa)
Architecture x86_64
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

Samba version 4.1.9 winbindd fails to authenticate users with permissions on the system keytab set to 600. Setting permissions to 644 resolves the problem, but does not seem secure. Note that wbinfo and getent do not seem to be affected, but user logins are. Possibly relatedly, pam_winbind.so does not pick up the settings in /etc/security/pam_winbind.conf.

Sanitized configuration files:

smb.conf:
[global]
workgroup = REDACTED
realm = REDACTED.REALM
security = ADS
encrypt passwords = yes
log level = 2
log file = /var/log/samba/%m
client ldap sasl wrapping = seal
client use spnego = yes
kerberos method = system keytab
access based share enum = yes
acl group control = yes
map acl inherit = yes
map archive = no
map hidden = no
name resolve order = host bcast
wins support = no
unix charset = utf-8
idmap config * : backend = tdb
idmap config * : range = 50000-60000
idmap config HOME : backend = ad
idmap config HOME : range = 10000-20000
idmap config HOME : schema_mode = rfc2307
winbind cache time = 600
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind expand groups = 5
winbind use default domain = yes
winbind refresh tickets = yes
winbind separator = _
winbind nss info = rfc2307
template homedir = /home/%U
template shell = /usr/bin/zsh

system-auth:
#%PAM-1.0

auth required pam_env.so
auth sufficient pam_unix.so use_authtok nullok
auth sufficient pam_winbind.so use_authtok krb5_auth mkhomedir krb5_ccache_type=FILE
auth required pam_deny.so
auth optional pam_permit.so

account required pam_time.so
account sufficient pam_winbind.so
account sufficient pam_unix.so
account required pam_deny.so
account optional pam_permit.so

password sufficient pam_unix.so use_authtok nullok sha512 shadow
password sufficient pam_winbind.so use_authtok krb5_auth mkhomedir krb5_ccache_type=FILE
password required pam_deny.so
password optional pam_permit.so

session required pam_limits.so
session sufficient pam_unix.so
session sufficient pam_winbind.so
session required pam_deny.so
session optional pam_permit.so

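The report's workaround (chmod 644 on /etc/krb5.keytab) makes the host's long-term Kerberos keys readable by every local account, which is the problem the reporter rightly worries about. The following shell script is an added example, not part of the bug report or of Samba: it audits a keytab's permissions the way a practitioner would before and after such a change, flags the world-readable state, and lists the principals in it when a Kerberos client is installed. It assumes GNU coreutils stat(1) and MIT-style `klist -k` syntax; the function and variable names are illustrative.

```shell
#!/bin/sh
# Added example (not from the bug report): audit the system keytab that
# winbindd reads when "kerberos method = system keytab" is set.
# Assumes GNU stat(1); klist(1) is optional (MIT syntax assumed).

# keytab_mode PATH: print the octal permission bits, e.g. 600 or 644.
keytab_mode() {
    stat -c '%a' "$1"
}

# keytab_exposed PATH: succeed (return 0) if any group/other bit is set,
# i.e. the file is readable by someone other than its owner. A keytab
# holds the host's long-term keys, so a local user who can read it can
# obtain tickets as the host principal with "kinit -k -t PATH".
keytab_exposed() {
    mode=$(keytab_mode "$1") || return 2
    # Leading 0 makes the shell treat the stat output as octal.
    [ $(( 0$mode & 077 )) -ne 0 ]
}

# audit_keytab [PATH]: print a short report.
# Exit status: 0 = owner-only, 1 = readable by group/others, 2 = missing.
audit_keytab() {
    kt=${1:-/etc/krb5.keytab}
    if [ ! -e "$kt" ]; then
        echo "$kt: not found" >&2
        return 2
    fi
    mode=$(keytab_mode "$kt")
    owner=$(stat -c '%U' "$kt")
    printf '%s: mode %s owner %s\n' "$kt" "$mode" "$owner"
    if keytab_exposed "$kt"; then
        echo "WARNING: $kt is readable by group/others; any local user can" \
             "request tickets as the host principal with: kinit -k -t $kt" >&2
        rc=1
    else
        echo "OK: $kt is readable by its owner only"
        rc=0
    fi
    # Show which principals the keytab carries, if a Kerberos client exists.
    if command -v klist >/dev/null 2>&1; then
        klist -k "$kt" 2>/dev/null || true
    fi
    return $rc
}

# Run on the path given on the command line, e.g. ./keytab_audit.sh /etc/krb5.keytab
if [ $# -gt 0 ]; then
    audit_keytab "$1"
fi
```

Run it as root before and after touching the keytab: a 600 root-owned keytab reports OK, the 644 workaround from the report reports the warning. Since winbindd itself runs as root, a root-only keytab is the expected state; the practitioner's next step is the winbindd log at the configured `log level` to see why it cannot read a 600 file, rather than leaving the keytab world-readable.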
Closed by  Tobias Powalowski (tpowa)
Monday, 29 August 2016, 06:29 GMT
Reason for closing:  No response
Comment by Darth Vader (DVader) - Wednesday, 10 September 2014, 14:14 GMT
Any news about this bug ?
Comment by Darth Vader (DVader) - Wednesday, 10 September 2014, 14:23 GMT
Any news about this ?