Linux authentication against AD causes lockout on a single failure

Time: 2013-12-20 16:13:12

Tags: linux authentication active-directory samba pam

I'm trying to set up a Linux box (specifically CentOS 6) to authenticate users against our Windows AD. Authentication works fine. The problem: our password lockout policy is "3 strikes and you're out". If a user logging into the Linux host enters their password wrong just once, their account gets locked.

Here is my /etc/pam.d/system-auth file:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_access.so
account     required      pam_unix.so broken_shadow
account [default=ignore success=1] pam_succeed_if.so uid < 16777216 quiet
# only allow login if user is in group serveradmins
account [default=bad success=ignore] pam_succeed_if.so user ingroup serveradmins quiet
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so

Here are the log entries captured in /var/log/secure when the user tries to log in for the first time and enters the wrong password. For brevity I have stripped the date/time and hostname from the start of each log entry:

sshd[1589]: Connection from 22.33.44.55 port 49532
sshd[1589]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host0001.foo.bar  user=gumby
sshd[1589]: pam_krb5[1589]: authentication fails for 'gumby' (gumby@FOO.BAR): Authentication failure (Preauthentication failed)
sshd[1589]: pam_winbind(sshd:auth): getting password (0x00000010)
sshd[1589]: pam_winbind(sshd:auth): pam_get_item returned a password
sshd[1589]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
sshd[1589]: pam_winbind(sshd:auth): user 'gumby' denied access (incorrect password or invalid membership)
sshd[1589]: pam_krb5[1589]: authentication fails for 'gumby' (gumby@FOO.BAR): Authentication failure (Preauthentication failed)
sshd[1589]: pam_winbind(sshd:auth): getting password (0x00000010)
sshd[1589]: pam_winbind(sshd:auth): pam_get_item returned a password
sshd[1589]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
sshd[1589]: pam_winbind(sshd:auth): user 'gumby' denied access (incorrect password or invalid membership)
sshd[1589]: Failed password for gumby from 22.33.44.55 port 49532 ssh2
sshd[1589]: pam_krb5[1589]: authentication fails for 'gumby' (gumby@FOO.BAR): User not known to the underlying authentication module (Clients credentials have been revoked)
sshd[1589]: pam_winbind(sshd:auth): getting password (0x00000010)
sshd[1589]: pam_winbind(sshd:auth): pam_get_item returned a password
sshd[1589]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11), NTSTATUS: NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: Account locked out
sshd[1589]: pam_winbind(sshd:auth): internal module error (retval = PAM_MAXTRIES(11), user = 'gumby')
sshd[1589]: pam_krb5[1589]: authentication fails for 'gumby' (gumby@FOO.BAR): User not known to the underlying authentication module (Clients credentials have been revoked)
sshd[1589]: pam_winbind(sshd:auth): getting password (0x00000010)
sshd[1589]: pam_winbind(sshd:auth): pam_get_item returned a password
sshd[1589]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11), NTSTATUS: NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: Account locked out
sshd[1589]: pam_winbind(sshd:auth): internal module error (retval = PAM_MAXTRIES(11), user = 'gumby')
sshd[1589]: Failed password for gumby from 22.33.44.55 port 49532 ssh2

What is it in this configuration that causes the authentication modules to try multiple times, and how can we change it so that it doesn't do that?

Thanks.
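The log excerpt above is where the lockout can be measured: every pam_krb5 "authentication fails" and every pam_winbind "request wbcLogonUser failed" line is a failed logon as seen by the domain controller, so counting them between consecutive "Failed password" lines shows how many DC-side strikes one password typed into ssh actually costs. The following script is an added example, not code from the question or its answers; its sample log is a constructed, shortened copy of the excerpt above, and the threshold of 3 is the policy the question states.

```python
import re

# Constructed sample: the question's /var/log/secure excerpt (timestamps and
# hostname already stripped by the poster), reduced to the lines used here.
SAMPLE_LOG = """\
sshd[1589]: Connection from 22.33.44.55 port 49532
sshd[1589]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host0001.foo.bar  user=gumby
sshd[1589]: pam_krb5[1589]: authentication fails for 'gumby' (gumby@FOO.BAR): Authentication failure (Preauthentication failed)
sshd[1589]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
sshd[1589]: pam_krb5[1589]: authentication fails for 'gumby' (gumby@FOO.BAR): Authentication failure (Preauthentication failed)
sshd[1589]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
sshd[1589]: Failed password for gumby from 22.33.44.55 port 49532 ssh2
sshd[1589]: pam_krb5[1589]: authentication fails for 'gumby' (gumby@FOO.BAR): User not known to the underlying authentication module (Clients credentials have been revoked)
sshd[1589]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11), NTSTATUS: NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: Account locked out
sshd[1589]: pam_krb5[1589]: authentication fails for 'gumby' (gumby@FOO.BAR): User not known to the underlying authentication module (Clients credentials have been revoked)
sshd[1589]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11), NTSTATUS: NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: Account locked out
sshd[1589]: Failed password for gumby from 22.33.44.55 port 49532 ssh2
"""

PID_RE = re.compile(r"sshd\[(\d+)\]: (.*)$")
KRB5_FAIL_RE = re.compile(r"pam_krb5\[\d+\]: authentication fails for '([^']+)'")
WINBIND_FAIL_RE = re.compile(
    r"pam_winbind\(sshd:auth\): request wbcLogonUser failed: .*NTSTATUS: (\w+)")
FAILED_PW_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")


def dc_failures_per_attempt(lines):
    """Group lines by sshd PID and, at each 'Failed password' event, report how
    many DC-facing failures (pam_krb5 + pam_winbind) preceded it in that session."""
    pending = {}    # pid -> counters for the password attempt still in progress
    attempts = []
    for line in lines:
        m = PID_RE.search(line)
        if not m:
            continue
        pid, msg = m.group(1), m.group(2)
        st = pending.setdefault(pid, {"krb5": 0, "winbind": 0, "locked_out": False})
        if KRB5_FAIL_RE.search(msg):
            st["krb5"] += 1
            continue
        w = WINBIND_FAIL_RE.search(msg)
        if w:
            st["winbind"] += 1
            # NT_STATUS_ACCOUNT_LOCKED_OUT means the DC has already locked the account.
            if w.group(1) == "NT_STATUS_ACCOUNT_LOCKED_OUT":
                st["locked_out"] = True
            continue
        f = FAILED_PW_RE.search(msg)
        if f:
            attempts.append({
                "pid": pid, "user": f.group(1), "rhost": f.group(2),
                "krb5": st["krb5"], "winbind": st["winbind"],
                "dc_failures": st["krb5"] + st["winbind"],
                "locked_out": st["locked_out"],
            })
            pending.pop(pid)
    return attempts


def lockout_risk(attempts, threshold=3):
    """Attempts where a single typed password already reaches the DC lockout
    threshold on its own (threshold=3 is the policy stated in the question)."""
    return [a for a in attempts if a["dc_failures"] >= threshold]


if __name__ == "__main__":
    found = dc_failures_per_attempt(SAMPLE_LOG.splitlines())
    for a in found:
        print("pid={pid} user={user} krb5={krb5} winbind={winbind} "
              "dc_failures={dc_failures} locked_out={locked_out}".format(**a))
    for a in lockout_risk(found):
        print("one ssh password attempt by %s cost %d DC strikes" % (a["user"], a["dc_failures"]))
```

On the sample, the first ssh password attempt alone produces four DC-side failures (two Kerberos pre-authentication failures plus two winbind logon failures), which already exceeds a three-strike policy; the second attempt then reports NT_STATUS_ACCOUNT_LOCKED_OUT. Run against a real /var/log/secure, the same grouping makes it easy to see whether a lockout was caused by a single user mistake amplified by the PAM stack or by repeated attempts from a remote host.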

2 answers:

Answer 0 (score: 1)

So this is an old post, but it might save someone a few days of troubleshooting.

Although the simplest answer is usually the right one, in a migration scenario you should always check that routing, firewall and DNS entries are the same and that ntp is in sync.

Short background: the problem started when it was decided to migrate the old DCs to a newer version (Windows Server 2008 -> Windows Server 2016). Our Linux environment consists of Rhel 5, 6 and 7 systems joined to AD through Samba/Winbind.

By default Windows Server 2016 has SMBv1 disabled, which means none of the Rhel 5 and 6 systems could talk to the new DCs; for reference: https://access.redhat.com/articles/3164551

This can be solved by enabling this role on the DC (and you understand the consequences of enabling a 30-year-old protocol):

[screenshot: SMBv1]

If the picture is no longer available (done on the DC): Add Roles and Features -> Features -> SMB 1.0/CIFS File Sharing Support -> check.

Note: after enabling this you need to reboot.

After the change everything seemed to run smoothly.

I also stumbled upon this particular error in the server (Rhel 5) logs:

Oct 27 09:06:58 dummy sshd[22520]: Failed password for some_user from x.x.x.x port 53207 ssh2
Oct 27 09:07:07 dummy sshd[22520]: pam_winbind(sshd:auth): getting password (0x00000050)
Oct 27 09:07:07 dummy sshd[22520]: pam_winbind(sshd:auth): pam_get_item returned a password
Oct 27 09:07:07 dummy sshd[22520]: pam_winbind(sshd:auth): request failed: Wrong Password, PAM error was Authentication failure (7), NT error was NT_STATUS_WRONG_PASSWORD
Oct 27 09:07:07 dummy sshd[22520]: pam_winbind(sshd:auth): user 'some_user' denied access (incorrect password or invalid membership)
Oct 27 09:07:09 dummy sshd[22520]: Failed password for some_user from x.x.x.x port 53207 ssh2

I also couldn't authenticate with my own account, so I migrated to samba3x, reference (I didn't do all of the steps): https://access.redhat.com/solutions/42635

For those who may not have an account, these are the steps I took:

Back up the original config files (you will need smb.conf):

tar cf /root/backup_samba_migration.tar /etc/samba /var/cache/samba /var/lib/samba

Stop the services:

service smb stop; service winbind stop

Remove samba and install samba3x:

yum remove samba samba-common -y
yum install samba3x* -y

This is where you put your old smb.conf:

vim /etc/samba/smb.conf

You should also copy pam_winbind.conf back (we used the required_membership parameter, for example):

\cp /etc/security/pam_winbind.conf.rpmsave /etc/security/pam_winbind.conf

In my case I needed to rejoin the domain (you may not need createcomputer):

net ads join -U youradminaccount createcomputer="Linux system"

Restart the services:

service smb restart; service winbind restart

Test (before this, authentication gave a straight failed password):

wbinfo -t
wbinfo -a youradminaccount

Hope it helps, good luck!

Answer 1 (score: 0)

To determine exactly what is going on, you should put the 'debug' flag in there. Stripping the timestamps from the log doesn't help in understanding a timing problem either.

I think you are doing pam_krb5 auth first, then pam_winbind auth, then pam_krb5 account, and then you're locked out.

Try doing it with only krb5 or only winbind. Not both.
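The point of this answer follows directly from how Linux-PAM evaluates control flags: a "sufficient" module that fails is ignored and the stack simply continues to the next line, so with pam_krb5 and pam_winbind both listed as sufficient, one wrong password is forwarded to the DC twice (Kerberos pre-authentication, then a winbind logon), while a correct password stops at the first backend that accepts it. The simulator below is an added example, not code from the answer or from Linux-PAM; it models only the auth phase of the question's system-auth stack with the standard semantics of required, requisite, sufficient and optional, and the module outcomes per scenario are a constructed approximation (it does not try to explain why the question's log shows the whole stack run twice per ssh attempt).

```python
from dataclasses import dataclass

# The auth phase of the question's /etc/pam.d/system-auth, as
# (control flag, module, whether the module contacts the domain controller).
AUTH_STACK_QUESTION = [
    ("required",   "pam_env.so",        False),
    ("sufficient", "pam_unix.so",       False),
    ("requisite",  "pam_succeed_if.so", False),
    ("sufficient", "pam_krb5.so",       True),
    ("sufficient", "pam_winbind.so",    True),
    ("required",   "pam_deny.so",       False),
]

# The same stack with a single AD backend, as the answer suggests
# (constructed: winbind dropped, Kerberos kept).
AUTH_STACK_SINGLE_BACKEND = [e for e in AUTH_STACK_QUESTION if e[1] != "pam_winbind.so"]


@dataclass
class Scenario:
    """Constructed inputs that decide each module's outcome."""
    user_is_local: bool   # has an entry in /etc/passwd and /etc/shadow
    user_is_ad: bool      # exists in the domain
    password_ok: bool     # the typed password is the user's real password
    uid: int = 10001      # AD users on this box get uids well above 500


def run_module(module, sc):
    """Simplified outcome model for the modules in the stack above."""
    if module == "pam_env.so":
        return True                                   # never fails authentication
    if module == "pam_unix.so":
        return sc.user_is_local and sc.password_ok    # local shadow check only
    if module == "pam_succeed_if.so":
        return sc.uid >= 500                          # the 'uid >= 500 quiet' test
    if module in ("pam_krb5.so", "pam_winbind.so"):
        return sc.user_is_ad and sc.password_ok       # each one asks the DC
    if module == "pam_deny.so":
        return False
    raise ValueError("unknown module %s" % module)


def simulate_auth(stack, sc):
    """Walk the stack with Linux-PAM control-flag semantics.

    Returns (authenticated, modules_called, dc_calls), where dc_calls is the
    number of modules that sent the password to the domain controller."""
    called, dc_calls, required_failed = [], 0, False
    for control, module, needs_dc in stack:
        called.append(module)
        if needs_dc:
            dc_calls += 1
        ok = run_module(module, sc)
        if control == "requisite" and not ok:
            return False, called, dc_calls            # fail immediately
        if control == "required" and not ok:
            required_failed = True                    # remember, keep going
        if control == "sufficient" and ok and not required_failed:
            return True, called, dc_calls             # short-circuit success
        # 'optional' and a failed 'sufficient' do not affect the result
    return not required_failed, called, dc_calls


if __name__ == "__main__":
    cases = {
        "AD user, wrong password, both backends": (AUTH_STACK_QUESTION, Scenario(False, True, False)),
        "AD user, right password, both backends": (AUTH_STACK_QUESTION, Scenario(False, True, True)),
        "AD user, wrong password, one backend":   (AUTH_STACK_SINGLE_BACKEND, Scenario(False, True, False)),
        "local user, right password":             (AUTH_STACK_QUESTION, Scenario(True, False, True)),
    }
    for name, (stack, sc) in cases.items():
        ok, called, dc = simulate_auth(stack, sc)
        print("%-40s auth=%-5s dc_calls=%d called=%s" % (name, ok, dc, called))
```

The numbers to look at are dc_calls: with both backends a wrong password costs two DC-side failures per pass through the stack, a correct one costs one, and with a single backend a wrong password costs exactly one, which is what keeps a single typo well inside a three-strike policy.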