PAM_USER_UNKNOWN

JohnFLi

Contributor
Joined
Sep 26, 2016
Messages
139
Hello, I recently started getting the following 'alerts'
Code:
New alerts:
* 1 SSH login failures:
Aug 11 06:41:52 G1PPFreeNas01 1 2023-08-11T06:41:52.764847-07:00 machinename.domainname.local sshd 36649 - - pam_winbind(sshd): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (13), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: The specified account does not exist.


Any way to find out what user is trying to sign in, or at least the IP?
 

albrecd

Dabbler
Joined
Jul 3, 2023
Messages
13
You may be able to find more information in /var/log/auth.log.

Does this server have SSH exposed external to your network or are you attempting to identify internal activity? If external you may want to implement an access control list at your network firewall (block SSH from all external by default, then allow a few expected IPs or subnets).
 

JohnFLi

Sorry for the delay...
This is only accessible locally.

I looked at the log file (thank you) at that time, and (this is odd)
it says

pam_winbind(sshd): user 'root' not found
Accepted password for root from <ip of my workstation> port 61624 ssh2
pam_winbind(sshd): PAM_ESTABLISH_CRED not implemented
pam_winbind(sshd): PAM_REINITIALIZE_CRED not implemented
<3 min. later>
pam_winbind(sshd): user 'root' OK
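
Added example, not written by any poster in this thread: one way to get the user and source IP for a pam_winbind alert out of /var/log/auth.log is to group sshd lines by process ID, so the winbind error is tied to the "Accepted"/"Failed" line sshd logs for the same connection. The sample lines, host name and 192.0.2.x addresses are constructed, and the "Failed password" line uses the standard OpenSSH format rather than anything quoted in the thread.

```python
import re
from collections import defaultdict

# Matches both "sshd[36649]: msg" and the "sshd 36649 - - msg" form seen in the alert.
SSHD = re.compile(r"\bsshd(?:\[(\d+)\]:| (\d+) - -) (.*)$")
WINBIND_USER = re.compile(r"pam_winbind\(sshd\): user '([^']+)' not found")
WINBIND_FAIL = re.compile(r"pam_winbind\(sshd\): request wbcLogonUser failed")
SSHD_AUTH = re.compile(r"(Accepted|Failed) \S+ for (?:invalid user )?(\S+) from (\S+) port \d+")

# Constructed sample log lines (not taken from a real system).
SAMPLE = """\
Aug 11 06:41:50 nas01 sshd[36649]: pam_winbind(sshd): user 'root' not found
Aug 11 06:41:52 nas01 1 2023-08-11T06:41:52.764847-07:00 nas01.example.local sshd 36649 - - pam_winbind(sshd): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (13), NTSTATUS: NT_STATUS_NO_SUCH_USER
Aug 11 06:41:52 nas01 sshd[36649]: Accepted password for root from 192.0.2.10 port 61624 ssh2
Aug 11 07:02:10 nas01 sshd[37001]: pam_winbind(sshd): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (13)
Aug 11 07:02:12 nas01 sshd[37001]: Failed password for invalid user backup from 192.0.2.77 port 50222 ssh2
Aug 11 07:05:00 nas01 sshd[37100]: Accepted publickey for admin from 192.0.2.10 port 61700 ssh2
""".splitlines()

def correlate(lines):
    """Return {pid: {user, ip, result}} for sshd sessions where pam_winbind complained.

    PIDs are reused over time, so feed this one log window (e.g. a single day) at a time.
    """
    sessions = defaultdict(lambda: {"winbind": False, "user": None, "ip": None, "result": None})
    for line in lines:
        m = SSHD.search(line)
        if not m:
            continue
        pid, msg = m.group(1) or m.group(2), m.group(3)
        s = sessions[pid]
        if WINBIND_FAIL.search(msg):
            s["winbind"] = True
        elif (w := WINBIND_USER.search(msg)):
            s["winbind"] = True
            s["user"] = s["user"] or w.group(1)
        elif (a := SSHD_AUTH.search(msg)):
            # sshd's own line is authoritative for user, source IP and outcome.
            s["result"], s["user"], s["ip"] = a.group(1).lower(), a.group(2), a.group(3)
    return {pid: {k: v for k, v in s.items() if k != "winbind"}
            for pid, s in sessions.items() if s["winbind"]}

if __name__ == "__main__":
    for pid, info in correlate(SAMPLE).items():
        print(pid, info)
```

To run it against a real log, pass `open("/var/log/auth.log")` to `correlate()` instead of `SAMPLE`.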
 

albrecd

I found a topic mentioning similar behavior that may be relevant - it seems like in this case it was due to AD services: Topic 96246.

If your server is domain joined this might explain the logs.
 

JohnFLi

Thank you... I did see that, but wasn't sure if my issue is the same... Even if it is... I don't think I would want to risk modifying said file. I have issues with rebooting as it is. Whenever I tell it to reboot... it hangs partway through the startup process... then I have to power off the machine... power on, then it comes up as normal... but takes about 10 to 15 min. to come up.
 

albrecd

Yeah I definitely wouldn't be in a hurry to modify the PAM config, but it may be worth disabling verbose logging on the AD side (even temporarily) to validate whether that is the source.
 

JohnFLi

True... now to find where in the heck that is. lol (been one heck of a month)
 