Univention Bugzilla – Attachment 4510 Details for Bug 25244
Authentication of users from trusted domains on UCS member servers broken
Test log UCS 3.0-1
log.ucs3 (text/plain), 13.34 KB, created by Arvid Requate on 2012-07-06 00:29:53 CEST
Description: Test log UCS 3.0-1
Filename: log.ucs3
MIME Type: text/plain
Creator: Arvid Requate
Created: 2012-07-06 00:29:53 CEST
Size: 13.34 KB
###### Master #####################################################################
root@master:~# univention-install winbind
root@master:~# net rpc testjoin
Join to 'ARUCS301I9' is OK
root@member:~# wbinfo -p
Ping to winbindd succeeded
root@master:~# wbinfo --ping-dc
checking the NETLOGON dc connection succeeded

###### Memberserver ###############################################################

root@member:~# net rpc testjoin
Join to 'ARUCS301I9' is OK
root@member:~# wbinfo -p
Ping to winbindd succeeded
root@member:~# wbinfo --ping-dc
checking the NETLOGON dc connection succeeded

### establish the trust, e.g. on the Memberserver
root@member:~# net rpc trustdom establish ARW2K3R2U30
Enter ARUCS301I9$'s password:
Could not connect to server W2K3R2-35
Trust to domain ARW2K3R2U30 established
root@member:~# net rpc trustdom list -UAdministrator%univention
Trusted domains list:

ARW2K3R2U30 S-1-5-21-215963510-1792852931-2165353431

Trusting domains list:

none


###### Master #####################################################################
root@master:~# net rpc trustdom list -UAdministrator%univention
Trusted domains list:

ARW2K3R2U30 S-1-5-21-215963510-1792852931-2165353431

Trusting domains list:

none

### Lookup fails:
root@master:~# wbinfo -n ARW2K3R2U30+Administrator
Could not lookup name ARW2K3R2U30+Administrator
### Auth succeeds:
root@master:~# wbinfo -a ARW2K3R2U30+Administrator%Univention123
plaintext password authentication succeeded
challenge/response password authentication succeeded

###### Memberserver ###############################################################

### Lookup succeeds:
root@member:~# wbinfo -n ARW2K3R2U30+Administrator
S-1-5-21-3914512823-4150051258-224171578-500 SID_USER (1)
### Auth fails:
root@member:~# wbinfo -a ARW2K3R2U30+Administrator%Univention123
plaintext password authentication failed
Could not authenticate user ARW2K3R2U30+Administrator%Univention123 with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
error messsage was: No logon servers
Could not authenticate user ARW2K3R2U30+Administrator with challenge/response

###### Master #####################################################################

root@master:~# echo -e "[global]\n\twinbind rpc only = yes" >> /etc/samba/local.conf
root@master:~# /etc/init.d/winbind restart
Stopping the Winbind daemon: winbind.
Starting the Winbind daemon: winbind.
root@master:~# wbinfo -n ARW2K3R2U30+Administrator
S-1-5-21-215963510-1792852931-2165353431-500 SID_USER (1)

###### Memberserver ###############################################################

### Auth succeeds:
root@member:~# wbinfo -a ARW2K3R2U30+Administrator%Univention123
plaintext password authentication succeeded
challenge/response password authentication succeeded



##################### IDmap test
###### Master ##########
root@master:~# wbinfo -S S-1-5-21-215963510-1792852931-2165353431-500
55000
## OK
###### Memberserver ####
root@member:~# wbinfo -n ARW2K3R2U30+aduser1
S-1-5-21-215963510-1792852931-2165353431-1107 SID_USER (1)
root@member:~# wbinfo -S S-1-5-21-215963510-1792852931-2165353431-1107
55001
## OK

##################### User enumeration test
### Weird stuff: #######
###### Master ##########
root@master:~# wbinfo -u
administrator
join-backup
join-slave
## Ok, try with explicit auth user, instead of anon or machine connection:
root@master:~# net setauthuser -UAdministrator%univention
## univention is the password of ARUCS301I9+Administrator
root@master:~# net getauthuser
ARUCS301I9+Administrator%univention
root@master:~# /etc/init.d/winbind restart
Stopping the Winbind daemon: winbind.
Starting the Winbind daemon: winbind.
root@master:~# wbinfo -u
administrator
join-backup
join-slave
## Now magic happens:
root@master:~# net setauthuser -UAdministrator%Univention123
## Univention123 is the password of ARW2K3R2U30+Administrator
root@master:~# net getauthuser
ARUCS301I9+Administrator%Univention123
## OOPS, this is weird. But it works:
root@master:~# /etc/init.d/winbind restart
Stopping the Winbind daemon: winbind.
Starting the Winbind daemon: winbind.
root@master:~# wbinfo -u
administrator
join-backup
join-slave
ARW2K3R2U30+administrator
ARW2K3R2U30+aduser1
ARW2K3R2U30+gast
ARW2K3R2U30+krbtgt
ARW2K3R2U30+support_388945a0
## OK by magic

###### Memberserver ####
root@member:~# wbinfo -u
MEMBER+nobody
ARUCS301I9+administrator
ARUCS301I9+join-backup
ARUCS301I9+join-slave
root@member:~# net getauthuser
No authorised user configured
root@member:~# net setauthuser -UAdministrator%univention
root@member:~# net getauthuser
ARUCS301I9+Administrator%univention
root@member:~# /etc/init.d/winbind restart
Stopping the Winbind daemon: winbind.
Starting the Winbind daemon: winbind.
root@member:~# wbinfo -u
MEMBER+nobody
ARUCS301I9+administrator
ARUCS301I9+join-backup
ARUCS301I9+join-slave
root@member:~# net setauthuser -UAdministrator%Univention123
root@member:~# net getauthuser
ARUCS301I9+Administrator%Univention123
root@member:~# /etc/init.d/winbind restart
Stopping the Winbind daemon: winbind.
Starting the Winbind daemon: winbind.
root@member:~# wbinfo -u
MEMBER+nobody
ARUCS301I9+administrator
ARUCS301I9+join-backup
ARUCS301I9+join-slave
## FAIL

###################### NSS test
###### Master ##########
root@master:~# getent passwd ARW2K3R2U30+aduser1 || echo unknown
unknown
root@master:~# ucr set auth/methods="krb5 ldap unix winbind"
Setting auth/methods
File: /etc/pam.d/common-auth-nowrite
File: /etc/nsswitch.conf
File: /etc/pam.d/common-password
File: /etc/ssh/ssh_config
File: /etc/pam.d/common-account
Multifile: /etc/pam.d/common-auth
Multifile: /etc/pam.d/common-session
File: /etc/pam.d/univention-management-console
root@master:~# /etc/init.d/nscd restart
Restarting NSCD:.
root@master:~# getent passwd ARW2K3R2U30+aduser1 || echo unknown
ARW2K3R2U30+aduser1:*:55001:55003:aduser1 univention:/home/ARW2K3R2U30-aduser1:/bin/bash
## OK

###### Memberserver ####
root@member:~# getent passwd ARW2K3R2U30+aduser1 || echo unknown
unknown
root@member:~# ucr set auth/methods="krb5 ldap unix winbind"
Setting auth/methods
File: /etc/pam.d/common-auth-nowrite
File: /etc/nsswitch.conf
File: /etc/pam.d/common-password
File: /etc/ssh/ssh_config
File: /etc/pam.d/common-account
Multifile: /etc/pam.d/common-auth
Multifile: /etc/pam.d/common-session
File: /etc/pam.d/univention-management-console
root@member:~# /etc/init.d/nscd restart
Restarting NSCD:.
root@member:~# getent passwd ARW2K3R2U30+aduser1 || echo unknown
unknown
## FAIL


###################### First check-winbind-user test
###### Master ##########
root@master:~# wget 'https://forge.univention.org/bugzilla/attachment.cgi?id=3986' -O check-winbind-user
root@master:~# chmod 755 check-winbind-user
root@master:~# ./check-winbind-user ARW2K3R2U30+aduser1%'Test1234;.'
sid: S-1-5-21-215963510-1792852931-2165353431-1107
username: ARW2K3R2U30+aduser1
uid: 55001
GIDs: 55003
groupsid: S-1-5-21-215963510-1792852931-2165353431-513
groupname: ARW2K3R2U30+Domänen-Benutzer
getent passwd: ARW2K3R2U30+aduser1:*:55001:55003:aduser1 univention:/home/ARW2K3R2U30-aduser1:/bin/bash
plaintext password authentication succeeded
challenge/response password authentication succeeded
dcname: w2k3r2-35.arw2k3r2u30.qa
Could not lookup WINS by name w2k3r2-35.arw2k3r2u30.qa
trying DNS: Host w2k3r2-35.arw2k3r2u30.qa not found: 3(NXDOMAIN)
enum users for domain ARW2K3R2U30 successfull
enum groups for domain ARW2K3R2U30 successfull

###### Memberserver ####
root@member:~# wget 'https://forge.univention.org/bugzilla/attachment.cgi?id=3986' -O check-winbind-user
root@member:~# chmod 755 check-winbind-user
root@member:~# /check-winbind-user ARW2K3R2U30+aduser1%'Test1234;.'
-bash: /check-winbind-user: No such file or directory
root@member:~# ./check-winbind-user ARW2K3R2U30+aduser1%'Test1234;.'
sid: S-1-5-21-215963510-1792852931-2165353431-1107
username: ARW2K3R2U30+aduser1
uid: 55001
Could not get groups for user ARW2K3R2U30+aduser1
ERROR: lookup of GIDs for user failed
Could not get group SIDs for user SID S-1-5-21-215963510-1792852931-2165353431-1107
ERROR: getent passwd: no entry
plaintext password authentication succeeded
challenge/response password authentication succeeded
dcname: W2K3R2-35
WARNING: enum users failed for domain ARW2K3R2U30
WARNING: enum groups failed for domain ARW2K3R2U30

## details of group resolution problems:
root@member:~# wbinfo --user-groups=ARW2K3R2U30+aduser1
Could not get groups for user ARW2K3R2U30+aduser1
root@member:~# wbinfo --user-sids=S-1-5-21-215963510-1792852931-2165353431-1107
Could not get group SIDs for user SID S-1-5-21-215963510-1792852931-2165353431-1107
root@member:~# wbinfo -Y S-1-5-21-215963510-1792852931-2165353431-513
55003
root@member:~# wbinfo -G 55003
S-1-5-21-215963510-1792852931-2165353431-513
root@member:~# wbinfo -s S-1-5-21-215963510-1792852931-2165353431-513
ARW2K3R2U30+Domänen-Benutzer 2
root@member:~# wbinfo -u --domain=ARW2K3R2U30
root@member:~# wbinfo -g --domain=ARW2K3R2U30



###################### More group resolution weirdness:
###### Master ##########
root@master:~# wbinfo -r 'ARW2K3R2U30\aduser1'
Could not get groups for user ARW2K3R2U30\aduser1


###################### Some resolution: Firewall
###### Master ##########
root@master:~# echo "iptables -I INPUT 1 -p udp --sport 137 -j ACCEPT" \
 >> /etc/security/packetfilter.d/50_local.sh
root@master:~# /etc/init.d/univention-firewall restart
root@master:~# net setauthuser delete
root@master:~# /etc/init.d/winbind restart
Stopping the Winbind daemon: winbind.
Starting the Winbind daemon: winbind.

root@master:~# wbinfo -a ARW2K3R2U30+aduser1%'Test1234;.'
plaintext password authentication succeeded
challenge/response password authentication succeeded
### Auth works
root@master:~# ./check-winbind-user ARW2K3R2U30+aduser1%'Test1234;.'
sid: S-1-5-21-215963510-1792852931-2165353431-1107
username: ARW2K3R2U30+aduser1
uid: 55001
GIDs: 55003
groupsid: S-1-5-21-215963510-1792852931-2165353431-513
groupname: ARW2K3R2U30+Domänen-Benutzer
getent passwd: ARW2K3R2U30+aduser1:*:55001:55003::/home/ARW2K3R2U30-aduser1:/bin/bash
plaintext password authentication succeeded
challenge/response password authentication succeeded
dcname: w2k3r2-35.arw2k3r2u30.qa
Could not lookup WINS by name w2k3r2-35.arw2k3r2u30.qa
trying DNS: Host w2k3r2-35.arw2k3r2u30.qa not found: 3(NXDOMAIN)
WARNING: enum users failed for domain ARW2K3R2U30
WARNING: enum groups failed for domain ARW2K3R2U30

###### Memberserver ####
root@member:~# net setauthuser delete
root@member:~# /etc/init.d/winbind restart
Stopping the Winbind daemon: winbind.
Starting the Winbind daemon: winbind.

root@member:~# wbinfo -a ARW2K3R2U30+aduser1%'Test1234;.'
plaintext password authentication succeeded
challenge/response password authentication succeeded
### Auth works !!

root@member:~# ./check-winbind-user ARW2K3R2U30+aduser1%'Test1234;.'
sid: S-1-5-21-215963510-1792852931-2165353431-1107
username: ARW2K3R2U30+aduser1
uid: 55001
GIDs: 55003
groupsid: S-1-5-21-215963510-1792852931-2165353431-513
groupname: ARW2K3R2U30+Domänen-Benutzer
getent passwd: ARW2K3R2U30+aduser1:*:55001:55003::/home/ARW2K3R2U30-aduser1:/bin/bash
plaintext password authentication succeeded
challenge/response password authentication succeeded
dcname: W2K3R2-35
WARNING: enum users failed for domain ARW2K3R2U30
WARNING: enum groups failed for domain ARW2K3R2U30


###################### Finally reenable enumeration:
###### Master ##########
root@master:~# net setauthuser -UAdministrator%Univention123
root@master:~# net getauthuser
ARUCS301I9+Administrator%Univention123
root@master:~# /etc/init.d/winbind restart
Stopping the Winbind daemon: winbind.
Starting the Winbind daemon: winbind.
root@master:~# ./check-winbind-user ARW2K3R2U30+aduser1%'Test1234;.'
sid: S-1-5-21-215963510-1792852931-2165353431-1107
username: ARW2K3R2U30+aduser1
uid: 55001
GIDs: 55003
groupsid: S-1-5-21-215963510-1792852931-2165353431-513
groupname: ARW2K3R2U30+Domänen-Benutzer
getent passwd: ARW2K3R2U30+aduser1:*:55001:55003::/home/ARW2K3R2U30-aduser1:/bin/bash
plaintext password authentication succeeded
challenge/response password authentication succeeded
dcname: w2k3r2-35.arw2k3r2u30.qa
Could not lookup WINS by name w2k3r2-35.arw2k3r2u30.qa
trying DNS: Host w2k3r2-35.arw2k3r2u30.qa not found: 3(NXDOMAIN)
enum users for domain ARW2K3R2U30 successfull
enum groups for domain ARW2K3R2U30 successfull

###### Memberserver ####
root@member:~# net setauthuser -UAdministrator%Univention123
root@member:~# net getauthuser
ARUCS301I9+Administrator%Univention123
root@member:~# /etc/init.d/winbind restart
Stopping the Winbind daemon: winbind.
Starting the Winbind daemon: winbind.
root@member:~# ./check-winbind-user ARW2K3R2U30+aduser1%'Test1234;.'
sid: S-1-5-21-215963510-1792852931-2165353431-1107
username: ARW2K3R2U30+aduser1
uid: 55001
GIDs: 55003
groupsid: S-1-5-21-215963510-1792852931-2165353431-513
groupname: ARW2K3R2U30+Domänen-Benutzer
getent passwd: ARW2K3R2U30+aduser1:*:55001:55003::/home/ARW2K3R2U30-aduser1:/bin/bash
plaintext password authentication succeeded
challenge/response password authentication succeeded
dcname: W2K3R2-35
WARNING: enum users failed for domain ARW2K3R2U30
WARNING: enum groups failed for domain ARW2K3R2U30