Bug 14622 - pam_winbind does not allow account deny with ssh pub key authentication
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.13.3
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2021-01-28 13:26 UTC by Björn Jacke
Modified: 2022-09-06 14:13 UTC
Description Björn Jacke 2021-01-28 13:26:06 UTC
Having a system with nss_winbind and pam_winbind and ssh with public key authentication, a user can still log in with the pub key even if his account in AD is disabled, locked or expired.

There is no way to configure pam_winbind to do this right. PAM and openssh allow to do this.

SSSD can actually do this perfectly correctly, simply with this pam config line in the ssh pam config file:

account [default=bad success=ok user_unknown=ignore]    pam_sss.so

pam_winbind doesn't offer any pam "account" feature currently. I found this branch from Andrew, which stated that it adds pam account support:

https://git.samba.org/?p=abartlet/samba.git/.git;a=commitdiff;h=2c71a9cf1705e217ead8c903c0d31ca9e32df1fc
Comment 1 Björn Jacke 2021-01-28 14:52:07 UTC
logonHours should also be checked
Comment 2 Andrew Bartlett 2021-01-29 18:38:14 UTC
Wow, that is a blast from the past.  I remember that!

Assuming everything we need is in the PAC (logonHours?), ideally we would do a S4U2Self and then confirm the details from there, either by the fact that the request is denied or (if offline) that the info from the last saved PAC tells us.

That way any other KDC-side restrictions would also be honoured.
Comment 3 Björn Jacke 2021-01-29 18:59:56 UTC
It's not just logonHours that we need, we generally need the "account" pam feature first. That will allow us to evaluate if an account is disabled, expired, locked or if logonHours deny access.
Comment 4 Andrew Bartlett 2021-01-29 19:06:51 UTC
I totally agree.  I was just wondering out loud if the logonHours part could be done based on the PAC (it can't), so I think an online check or a different cache will be required for that.
Comment 5 Björn Jacke 2021-02-10 23:48:34 UTC
Andrew, can you have a look if you can get your patches working for current master again? It would be great if we could get the pam_winbind module to support those account features that are actually quite important for people using pam_winbind actively.
Comment 6 Andrew Bartlett 2021-02-11 00:41:46 UTC
I'm sorry, I don't have any capacity or specific interest in taking this up.

Happy to advise, review etc, but I won't be the implementer here.

Sorry,

Andrew Bartlett
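
Comment 3 lists what an "account" check has to cover: disabled, expired, locked, and logonHours. As an added illustration that is not from this bug thread or from Samba's code, the following C example evaluates those four conditions from Active Directory attribute values. The struct, enum and function names are hypothetical, and it assumes the attributes (including msDS-User-Account-Control-Computed for the lockout bit) have already been fetched.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#define UF_ACCOUNTDISABLE  0x0002u /* bit in userAccountControl */
#define UF_LOCKOUT         0x0010u /* bit in msDS-User-Account-Control-Computed */
#define NEVER_EXPIRES      INT64_C(0x7FFFFFFFFFFFFFFF)
#define EPOCH_1601_TO_1970 INT64_C(11644473600) /* seconds between the epochs */

enum acct_verdict { ACCT_OK, ACCT_DISABLED, ACCT_LOCKED, ACCT_EXPIRED, ACCT_BAD_HOURS };

/* Hypothetical container for attributes already read from AD. */
struct ad_account {
    uint32_t uac;               /* userAccountControl */
    uint32_t uac_computed;      /* msDS-User-Account-Control-Computed */
    int64_t account_expires;    /* accountExpires: 100 ns ticks since 1601 */
    const uint8_t *logon_hours; /* logonHours: 21 bytes, NULL if unset */
};

enum acct_verdict acct_check(const struct ad_account *a, time_t now)
{
    if (a->uac & UF_ACCOUNTDISABLE)
        return ACCT_DISABLED;
    if (a->uac_computed & UF_LOCKOUT)
        return ACCT_LOCKED;
    /* 0 and INT64_MAX both mean "never expires". */
    if (a->account_expires != 0 && a->account_expires != NEVER_EXPIRES) {
        int64_t now_ft = ((int64_t)now + EPOCH_1601_TO_1970) * 10000000;
        if (now_ft >= a->account_expires)
            return ACCT_EXPIRED;
    }
    if (a->logon_hours != NULL) {
        if (now < 0)
            return ACCT_BAD_HOURS; /* unusable clock: fail closed */
        /* One bit per UTC hour, week starts Sunday 00:00, low bit first.
         * 1970-01-01 was a Thursday, i.e. 4 * 24 hours into the week. */
        int bit = (int)(((int64_t)now / 3600 + 4 * 24) % 168);
        if (!(a->logon_hours[bit / 8] & (1u << (bit % 8))))
            return ACCT_BAD_HOURS;
    }
    return ACCT_OK;
}

int main(void)
{
    /* Constructed sample: a disabled normal account (0x0200 | 0x0002). */
    struct ad_account a = { 0x0202u, 0, 0, NULL };
    printf("verdict=%d\n", acct_check(&a, time(NULL)));
    return 0;
}
```

None of these conditions depend on how the user authenticated, which is why they belong in the PAM "account" phase that still runs after public key authentication.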