SOLVED Pam errors for SSH logins

emiguy

Cadet
Joined
Oct 14, 2021
Messages
9
Hi.

We are getting a ton of errors that look like this:
Code:
sshd 30617 - - pam_winbind(sshd): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (13), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: 


They show up in the corner of the web interface, at the bell icon.

Our truenas is up to date, as of today. We have Lansweeper on our network, and it logs in via ssh as a particular user, looks around (executes a couple of inquiries), and logs out. We never had these issues before with our other truenas box... but this one is bound to AD -- the other one was not. It does this every hour or so -- so we get a lot of warnings. Of course, I get the same sort of output in /var/log/messages whenever anyone logs into this system via ssh -- but they do not show on my warning bell like the Lansweeper logins because they are few and far between.

The user that Lansweeper uses exists on this new truenas system as a unix account, and I can log in just fine via ssh with it. I tried to disable winbind in my /etc/pam.d/sshd file -- but every time I restart ssh, it just overwrites the file. I tried to look where the source might be... the closest thing I found was /conf/base/etc/pam.d/sshd... but this file makes no mention of winbind at all... so there is nothing to edit. I likewise couldn't find any options in the web interface to disable winbind lookups for ssh logins.

How do I get pam to STOP trying to check with winbind for SSH logins? We will never, ever have a windows user login via ssh using AD credentials... so turning this off completely is an acceptable option.

Thank you.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
That would require manual modifications to the PAM config, which isn't supported (i.e. will be overwritten next time pam is generated). If this is TN 12, then you can edit:

Code:
/usr/local/lib/python3.9/site-packages/middlewared/etc_files/pam.d/sshd


And remove the following lines:
Code:
% if dsp.enabled() and dsp.name() != 'NIS' and not twofactor_enabled:
${dsp.pam_auth()}
% endif


Then restart middlewared service (might be a good idea to snapshot your boot environment first). At some point I'll see about adding ability to prevent SSH access from directory services users via checkbox.

If you have `verbose_logging` enabled in the AD form, then that setting can cause undue PAM spam.
 
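The edit anodos describes, scripted, as an added example that is not part of the thread or of the middlewared code base: it backs up the template, drops only the `% if dsp.enabled() ... % endif` stanza, and refuses to leave a half-edited file behind. The template path and the `service middlewared restart` / `midclt call bootenv.create` commands in the unused helper are assumptions for a FreeBSD-based TrueNAS 12 install; confirm them on your own system before running anything.

```shell
#!/bin/sh
# Added example, not from the forum thread or the TrueNAS code base.
# Strips the directory-service PAM auth stanza from the middlewared sshd
# PAM template, keeping a backup beside it. Paths/commands are assumptions.

# Returns 0 if the template still carries the "% if dsp.enabled()" stanza.
has_ds_pam_auth() {
    grep -q '^% if dsp.enabled()' "$1"
}

# Remove the "% if dsp.enabled() ... % endif" block and nothing else.
# A .bak copy is written first; on any doubt the original is restored.
strip_ds_pam_auth() {
    tmpl="$1"
    cp "$tmpl" "$tmpl.bak" || return 1
    awk '
        index($0, "% if dsp.enabled()") == 1      { skipping = 1; next }
        skipping && index($0, "% endif") == 1     { skipping = 0; next }
        !skipping                                  { print }
    ' "$tmpl.bak" > "$tmpl" || { cp "$tmpl.bak" "$tmpl"; return 1; }
    # The pam_auth() call must be gone and the file must not be empty.
    if grep -q 'dsp.pam_auth' "$tmpl" || [ ! -s "$tmpl" ]; then
        cp "$tmpl.bak" "$tmpl"
        return 1
    fi
    return 0
}

# Not invoked automatically: the full procedure on a TN 12 box (assumed
# path, assumed boot-environment API name, FreeBSD rc service name).
apply_on_truenas12() {
    tmpl=/usr/local/lib/python3.9/site-packages/middlewared/etc_files/pam.d/sshd
    midclt call bootenv.create '{"name": "pre-pam-edit"}' || return 1
    has_ds_pam_auth "$tmpl" || { echo "stanza not found, nothing to do"; return 0; }
    strip_ds_pam_auth "$tmpl" || return 1
    service middlewared restart
}
```

Run `apply_on_truenas12` by hand only after checking the assumed path exists; a later TrueNAS update will regenerate the template, so expect to repeat the edit or re-check `has_ds_pam_auth` after upgrades.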

emiguy

Cadet
Joined
Oct 14, 2021
Messages
9
Thank you anodos. I will give that a try, let it run a couple days and report back.
 

flahiker76

Cadet
Joined
Jun 9, 2018
Messages
5
Thanks for the writeup. I have the same exact problem and scenario that was mentioned above. I am disabling Verbose logging as I do not want to manipulate the middleware code to clear the error.
 