offline logon with NT4 domains needs config change

Bug #1815019 reported by piviul
Affects: samba
Status: Unknown; Importance: Unknown

Affects: samba (Ubuntu)
Status: Triaged; Importance: Low; Assigned to: Unassigned

Bug Description

I have configured pam_winbind to permit logon for domain samba3 users and all seems to work as expected. Then I added offline logon by adding "winbind offline logon = yes" to smb.conf and "cached_login=yes" to /etc/security/pam_winbind.conf. Unfortunately logon doesn't seem to work if there is no connection to the domain controller LAN...

When I am online, in /etc/log/auth.log I can see a correct authentication:
Feb 7 09:50:24 103note0512 sudo: DOMAIN\user : TTY=pts/2 ; PWD=/home/DOMAIN/user ; USER=root ; COMMAND=/usr/bin/whoami
Feb 7 09:50:24 103note0512 sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Feb 7 09:50:24 103note0512 sudo: pam_unix(sudo:session): session closed for user root

but if I disconnect from the network, in auth.log I find the following:
Feb 7 09:51:34 103note0512 sudo: pam_unix(sudo:auth): conversation failed
Feb 7 09:51:34 103note0512 sudo: pam_unix(sudo:auth): auth could not identify password for [DOMAIN\user]
Feb 7 09:51:34 103note0512 sudo: DOMAIN\user : 1 incorrect password attempt ; TTY=pts/2 ; PWD=/home/DOMAIN/USER ; USER=root ; COMMAND=/usr/bin/whoami
Feb 7 09:51:47 103note0512 sudo: pam_unix(sudo:auth): authentication failure; logname= uid=21046 euid=0 tty=/dev/pts/2 ruser=DOMAIN\user rhost= user=DOMAIN\user

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: libpam-winbind 2:4.7.6+dfsg~ubuntu-0ubuntu2.6
ProcVersionSignature: Ubuntu 4.15.0-45.48-generic 4.15.18
Uname: Linux 4.15.0-45-generic x86_64
NonfreeKernelModules: nvidia wl
ApportVersion: 2.20.9-0ubuntu7.5
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Thu Feb 7 09:25:55 2019
InstallationDate: Installed on 2018-08-24 (166 days ago)
InstallationMedia: Ubuntu 18.04.1 LTS "Bionic Beaver" - Release amd64 (20180725)
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=it_IT.UTF-8
 SHELL=/bin/bash
RelatedPackageVersions:
 nautilus 1:3.26.4-0~ubuntu18.04.3
 gvfs 1.36.1-0ubuntu1.2
SambaClientRegression: Yes
SourcePackage: samba
UpgradeStatus: No upgrade log present (probably fresh install)

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Hi piviul,
I appreciate the bug report and your help to make Ubuntu better.

But I have to admit this is not my home turf, and I'm sure others looking at this bug would appreciate a bit more detail to be able to fully understand the case.

First of all, how exactly do you connect/disconnect what you refer to as the "connection to the domain controller lan"? I mean, what commands exactly are you using and on which node (we are talking about multiple systems here, right? Or is it all on one box and you have a local login?).

Furthermore, many samba issues consume a lot of time because people are not on the same page, so it would be very helpful if you could provide the config you use. There could be a zillion different configs that would achieve "I have configured pam_winbind to permit logon to domain samba3 users" and they all might differ slightly.
Obfuscate names if there is anything private in it, but other than that please provide the full config files here.

To increase the chances even more that developers can help you, I would recommend full steps from a clean VM. So start with e.g. a KVM guest (e.g. via [1], or multiple of them) and then outline all commands/configs you needed to get into your case.

And finally, projects move on: if it is not too hard for you, giving your config a try with samba version 2:4.9.4+dfsg-1ubuntu1 in the upcoming Ubuntu 19.04 (Disco) would be really great.

[1]: https://blog.simos.info/multipass-management-of-virtual-machines-running-ubuntu/

Changed in samba (Ubuntu):
status: New → Incomplete
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

When you are offline, does "getent passwd <user>" still recognize your user? Both things need to work: the user must "exist", and the password must be correct, in the offline case.

Revision history for this message
piviul (piviul) wrote : Re: [Bug 1815019] Re: offline logon doesnt works in ubuntu 18.04

On 11/02/19 14:41, Andreas Hasenack wrote:
> When you are offline, does "getent passwd <user>" still recognize your
> user? Both things need to work: the user must "exist", and the password
> must be correct, in the offline case.
yes, when winbind is offline "getent passwd DOMAIN\\user" correctly
shows the user info...

Piviul

Revision history for this message
Andreas Hasenack (ahasenack) wrote : Re: offline logon doesnt works in ubuntu 18.04

Can you set these two to "yes" in pam_winbind.conf (or in the pam_winbind.so command line in the pam config):

debug = yes
debug state = yes

Try again and let's see if it gives more information. Be sure to try first while online, so it can cache a valid set of credentials, and then in the disconnected state.

Thanks!

Revision history for this message
piviul (piviul) wrote :

I have enabled debugging in pam_winbind.conf but strange things happen... this is what I've done:

root@103note0512:~# smbcontrol winbind offline
root@103note0512:~# smbcontrol winbind onlinestatus
PID 1102: global:Offline BUILTIN:Online 103NOTE0512:Online MYDOMAIN:Offline
root@103note0512:~# ssh MYDOMAIN\\myuser@localhost
MYDOMAIN\myuser@localhost's password:
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-45-generic x86_64)
[...]
Last login: Tue Feb 12 14:45:36 2019 from 127.0.0.1
MYDOMAIN\myuser@103note0512:~$

and all seems to work, but if I exit, disconnect the PC from the local network and try again, I can't connect:
root@103note0512:~# ssh MYDOMAIN\\myuser@localhost
MYDOMAIN\myuser@localhost's password:
Permission denied, please try again.

In /var/log/auth.log I can find the following debug info:
Feb 12 14:55:12 103note0512 sshd[4228]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=MYDOMAIN\myuser
Feb 12 14:55:12 103note0512 sshd[4228]: pam_winbind(sshd:auth): [pamh: 0x56235e25be70] ENTER: pam_sm_authenticate (flags: 0x0001)
Feb 12 14:55:12 103note0512 sshd[4228]: pam_winbind(sshd:auth): [pamh: 0x56235e25be70] STATE: ITEM(PAM_SERVICE) = "sshd" (0x56235e259740)
Feb 12 14:55:12 103note0512 sshd[4228]: pam_winbind(sshd:auth): [pamh: 0x56235e25be70] STATE: ITEM(PAM_USER) = "MYDOMAIN\myuser" (0x56235e25a8e0)
Feb 12 14:55:12 103note0512 sshd[4228]: pam_winbind(sshd:auth): [pamh: 0x56235e25be70] STATE: ITEM(PAM_TTY) = "ssh" (0x56235e269900)
Feb 12 14:55:12 103note0512 sshd[4228]: pam_winbind(sshd:auth): [pamh: 0x56235e25be70] STATE: ITEM(PAM_RHOST) = "127.0.0.1" (0x56235e2698e0)
Feb 12 14:55:12 103note0512 sshd[4228]: pam_winbind(sshd:auth): [pamh: 0x56235e25be70] STATE: ITEM(PAM_AUTHTOK) = 0x56235e269cb0
Feb 12 14:55:12 103note0512 sshd[4228]: pam_winbind(sshd:auth): [pamh: 0x56235e25be70] STATE: ITEM(PAM_CONV) = 0x56235e269a50
Feb 12 14:55:12 103note0512 sshd[4228]: pam_winbind(sshd:auth): getting password (0x00001389)
Feb 12 14:55:12 103note0512 sshd[4228]: pam_winbind(sshd:auth): pam_get_item returned a password
Feb 12 14:55:12 103note0512 sshd[4228]: pam_winbind(sshd:auth): Verify user 'MYDOMAIN\myuser'
Feb 12 14:55:12 103note0512 sshd[4228]: pam_winbind(sshd:auth): PAM config: krb5_ccache_type 'FILE'
Feb 12 14:55:12 103note0512 sshd[4228]: pam_winbind(sshd:auth): enabling krb5 login flag
Feb 12 14:55:12 103note0512 sshd[4228]: pam_winbind(sshd:auth): enabling cached login flag
Feb 12 14:55:12 103note0512 sshd[4228]: pam_winbind(sshd:auth): enabling request for a FILE krb5 ccache
Feb 12 14:55:33 103note0512 sshd[4228]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_INVALID_PARAMETER, Error message was: An invalid parameter was passed to a service or function.
Feb 12 14:55:33 103note0512 sshd[4228]: pam_winbind(sshd:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'MYDOMAIN\myuser')
Feb 12 14:55:33 103note0512 sshd[4228]: pam_winbind(sshd:auth): [pamh: 0x56235e25be70] LEAVE: pam_sm_authenticate returning 4 (PAM_SYSTEM_ERR)
Feb 12 14:55:33 103note0512 sshd[4228]: pam_winbind(sshd:aut...


Revision history for this message
piviul (piviul) wrote :

I'm writing a new post because the behaviour has changed now... now if I run winbind offline the system really goes offline:
root@103note0512:~# smbcontrol winbind offline
root@103note0512:~# smbcontrol winbind onlinestatus
PID 1102: global:Offline BUILTIN:Online 103NOTE0512:Online MYDOMAIN:Offline

and, as expected, I can't log in via ssh to localhost as a domain user. This is what I found in auth.log when I try to log on using cached credentials:
Feb 12 15:23:35 103note0512 sshd[4904]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=MYDOMAIN\myuser
Feb 12 15:23:35 103note0512 sshd[4904]: pam_winbind(sshd:auth): [pamh: 0x563056aa04e0] ENTER: pam_sm_authenticate (flags: 0x0001)
Feb 12 15:23:35 103note0512 sshd[4904]: pam_winbind(sshd:auth): [pamh: 0x563056aa04e0] STATE: ITEM(PAM_SERVICE) = "sshd" (0x563056a9eb30)
Feb 12 15:23:35 103note0512 sshd[4904]: pam_winbind(sshd:auth): [pamh: 0x563056aa04e0] STATE: ITEM(PAM_USER) = "MYDOMAIN\myuser" (0x563056a99e20)
Feb 12 15:23:35 103note0512 sshd[4904]: pam_winbind(sshd:auth): [pamh: 0x563056aa04e0] STATE: ITEM(PAM_TTY) = "ssh" (0x563056aadf70)
Feb 12 15:23:35 103note0512 sshd[4904]: pam_winbind(sshd:auth): [pamh: 0x563056aa04e0] STATE: ITEM(PAM_RHOST) = "127.0.0.1" (0x563056aadf50)
Feb 12 15:23:35 103note0512 sshd[4904]: pam_winbind(sshd:auth): [pamh: 0x563056aa04e0] STATE: ITEM(PAM_AUTHTOK) = 0x563056aae320
Feb 12 15:23:35 103note0512 sshd[4904]: pam_winbind(sshd:auth): [pamh: 0x563056aa04e0] STATE: ITEM(PAM_CONV) = 0x563056aae0c0
Feb 12 15:23:35 103note0512 sshd[4904]: pam_winbind(sshd:auth): getting password (0x00001389)
Feb 12 15:23:35 103note0512 sshd[4904]: pam_winbind(sshd:auth): pam_get_item returned a password
Feb 12 15:23:35 103note0512 sshd[4904]: pam_winbind(sshd:auth): Verify user 'MYDOMAIN\myuser'
Feb 12 15:23:35 103note0512 sshd[4904]: pam_winbind(sshd:auth): PAM config: krb5_ccache_type 'FILE'
Feb 12 15:23:35 103note0512 sshd[4904]: pam_winbind(sshd:auth): enabling krb5 login flag
Feb 12 15:23:35 103note0512 sshd[4904]: pam_winbind(sshd:auth): enabling cached login flag
Feb 12 15:23:35 103note0512 sshd[4904]: pam_winbind(sshd:auth): enabling request for a FILE krb5 ccache
Feb 12 15:23:35 103note0512 sshd[4904]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_INVALID_PARAMETER, Error message was: An invalid parameter was passed to a service or function.
Feb 12 15:23:35 103note0512 sshd[4904]: pam_winbind(sshd:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'MYDOMAIN\myuser')
Feb 12 15:23:35 103note0512 sshd[4904]: pam_winbind(sshd:auth): [pamh: 0x563056aa04e0] LEAVE: pam_sm_authenticate returning 4 (PAM_SYSTEM_ERR)
Feb 12 15:23:35 103note0512 sshd[4904]: pam_winbind(sshd:auth): [pamh: 0x563056aa04e0] STATE: ITEM(PAM_SERVICE) = "sshd" (0x563056a9eb30)
Feb 12 15:23:35 103note0512 sshd[4904]: pam_winbind(sshd:auth): [pamh: 0x563056aa04e0] STATE: ITEM(PAM_USER) = "MYDOMAIN\myuser" (0x563056a99e20)
Feb 12 15:23:35 103note0512 sshd[4904]: pam_winbind(sshd:auth): [pamh: 0x563056aa04e0] STATE: ITEM(PAM_TTY) = "ssh" (0x563056aadf70)
Feb 12 15:23:35 103note...


Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Ok, can you please share your configuration files so I can give it a try?

- smb.conf
- pam_winbind config
- relevant /etc/pam.d/ files for the service you are trying (ssh, common-* probably)

Also, have you run testparm on your config just to rule out syntax errors and other checks?

I found some bugs in debian and upstream, still open, but in a "needinfo" state.

Finally, I would suggest to really drop the network instead of running "winbind offline", as I think that is a more realistic test.

Revision history for this message
piviul (piviul) wrote :

On 12/02/19 20:38, Andreas Hasenack wrote:
> Ok, can you please share your configuration files so I can give it a
> try?
of course!

> - smb.conf
# Global parameters
[global]
    allow trusted domains = No
    client ipc signing = if_required
    dns proxy = No
    log file = /var/log/samba/log.%m
    map to guest = Bad User
    max log size = 1000
    obey pam restrictions = Yes
    pam password change = Yes
    panic action = /usr/share/samba/panic-action %d
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    passwd program = /usr/bin/passwd %u
    security = DOMAIN
    server signing = required
    server string = %h server (Samba, Ubuntu)
    template shell = /bin/bash
    unix password sync = Yes
    usershare allow guests = Yes
    winbind enum groups = Yes
    winbind enum users = Yes
    winbind expand groups = 1
    winbind offline logon = Yes
    workgroup = MYDOMAIN
    idmap config * : range = 25000-30000
    idmap config dominiocsa : range = 10000-24999
    idmap config dominiocsa : backend = rid
    idmap config * : backend = tdb

[printers]
    browseable = No
    comment = All Printers
    create mask = 0700
    path = /var/spool/samba
    printable = Yes

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers

> - pam_winbbind config
$ egrep -v "^(#|;|$)" /etc/security/pam_winbind.conf
[global]
debug = yes
debug_state = yes
cached_login = yes

> - relevant /etc/pam.d/ files for the service you are trying (ssh, common-* probably)
$ egrep -v "^(#|$)" /etc/pam.d/sshd
@include common-auth
account required pam_nologin.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
@include common-session
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
session optional pam_mail.so standard noenv # [1]
session required pam_limits.so
session required pam_env.so # [1]
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
@include common-password

$ egrep -v "^(#|$)" /etc/pam.d/common-auth
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so

$ egrep -v "^(#|$)" /etc/pam.d/common-account
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
account requisite pam_deny.so
account required pam_permit.so

$ egrep -v "^(#|$)" /etc/pam.d/common-password
password [success=2 default=ignore] pam_unix.so obscure sha512
password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass
password requisite p...


Revision history for this message
piviul (piviul) wrote :

I forgot common-session!!!

$ egrep -v "^(#|$)" /etc/pam.d/common-session
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session optional pam_winbind.so
session optional pam_systemd.so
session optional pam_mkhomedir.so

Thank you very much

Piviul

Revision history for this message
piviul (piviul) wrote :

On 12/02/19 20:38, Andreas Hasenack wrote:
> [...]
> I found some bugs in debian and upstream, still open, but in a
> "needinfo" state.
do you mean the bug https://bugzilla.samba.org/show_bug.cgi?id=10455?

I had forgotten this bug, and I'm the one who opened it: AAARGH!

Anyway, changing /etc/pam.d/common-auth from
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
to
auth [success=1 default=ignore] pam_winbind.so cached_login try_first_pass

as suggested by David Pinheiro seems to solve the problem.

Thank you very much indeed. Now I'll try to resume the upstream bug I
opened in samba.

Piviul

Robie Basak (racb)
tags: added: server-triage-discuss
tags: removed: server-triage-discuss
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

The krb5 options you were using in the pam_winbind.so line are only meant to be used with active directory controllers. Your smb.conf file shows your security to be of the "domain" style, which is an NT style controller which does not support kerberos.

I may have lost this bit of information elsewhere in this bug, but did you add those krb5* parameters to the pam module config yourself, or was that some tool?
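An added example, not part of this bug report and not code from Samba or Ubuntu: a small POSIX shell lint for the mismatch Andreas describes above. It reads the "security =" mode from smb.conf, finds the active pam_winbind.so auth line, and flags the case where the controller is NT4-style ("security = domain", no Kerberos) while the PAM line still asks for krb5_auth / krb5_ccache_type; the corrected line it prints is the same change piviul applied. A second helper parses the "smbcontrol winbind onlinestatus" output shown earlier in the thread so a script can confirm the target domain is really Offline before testing cached logon. The function names, the file names and the constructed sample configs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report, Samba or Ubuntu): lint for the
# NT4-domain + Kerberos-option mismatch behind this bug, plus a helper that
# reads "smbcontrol winbind onlinestatus" output.  Function names, file
# names and the sample configs below are assumptions made for illustration.

# security_mode SMB_CONF
#   Print the value of "security =" from smb.conf in lowercase (testparm also
#   folds key and value), or nothing if the key is absent.
security_mode() {
    awk -F= 'tolower($1) ~ /^[ \t]*security[ \t]*$/ {
                 v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); mode = tolower(v)
             }
             END { print mode }' "$1"
}

# pam_winbind_line PAM_FILE
#   First active "auth" line that loads pam_winbind.so (comments are skipped).
pam_winbind_line() {
    grep -E '^[[:space:]]*auth[[:space:]].*pam_winbind\.so' "$1" | head -n 1
}

# nt4_krb5_mismatch SMB_CONF PAM_FILE
#   Return 1 (and print the corrected line) when smb.conf says
#   "security = domain" (an NT4-style DC, which has no Kerberos) but the
#   pam_winbind.so auth line still carries krb5_auth / krb5_ccache_type.
#   Those options only make sense against AD ("security = ads").
nt4_krb5_mismatch() {
    smb_conf=$1; pam_file=$2
    mode=$(security_mode "$smb_conf")
    line=$(pam_winbind_line "$pam_file")
    if [ -z "$line" ]; then
        echo "no active pam_winbind.so auth line in $pam_file" >&2
        return 0
    fi
    case " $line " in
        *" krb5_auth "*|*" krb5_ccache_type="*) has_krb5=1 ;;
        *)                                        has_krb5=0 ;;
    esac
    if [ "$mode" = "domain" ] && [ "$has_krb5" = 1 ]; then
        # Drop the two AD-only options, keep cached_login and the rest.
        fixed=$(printf '%s\n' "$line" |
                sed -E 's/[[:space:]]+krb5_auth([[:space:]]|$)/\1/; s/[[:space:]]+krb5_ccache_type=[^[:space:]]+//')
        echo "MISMATCH: security = domain (NT4 DC) but the PAM line asks for Kerberos:"
        echo "  $line"
        echo "  fix: $fixed"
        return 1
    fi
    echo "OK: security = ${mode:-unset}; pam_winbind line: $line"
    return 0
}

# domain_state DOMAIN [STATUS_LINE]
#   Parse one line of "smbcontrol winbind onlinestatus" output, e.g.
#   "PID 1102: global:Offline BUILTIN:Online 103NOTE0512:Online MYDOMAIN:Offline"
#   and print Online/Offline for DOMAIN (reads the line from stdin if not given).
domain_state() {
    dom=$1; shift
    status_line=${1:-$(cat)}
    printf '%s\n' "$status_line" | tr ' ' '\n' |
        awk -F: -v d="$dom" 'toupper($1) == toupper(d) { print $2 }'
}

# demo: constructed sample configs cut down from the report (not real files).
demo() {
    d=$(mktemp -d)
    cat > "$d/smb.conf" <<'EOF'
[global]
    security = DOMAIN
    winbind offline logon = Yes
    workgroup = MYDOMAIN
EOF
    cat > "$d/common-auth" <<'EOF'
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth requisite pam_deny.so
EOF
    rc=0
    nt4_krb5_mismatch "$d/smb.conf" "$d/common-auth" || rc=$?
    rm -rf "$d"
    return $rc
}

# Stand-alone use:  sh winbind_lint.sh /etc/samba/smb.conf /etc/pam.d/common-auth
#                   sh winbind_lint.sh --demo      (constructed sample configs)
case "${1:-}" in
    --demo) demo; exit $? ;;
    "")     ;;                      # no args: only define the functions
    *)      nt4_krb5_mismatch "$1" "${2:-/etc/pam.d/common-auth}"; exit $? ;;
esac
```

Run it against a real box as `sh winbind_lint.sh /etc/samba/smb.conf /etc/pam.d/common-auth`, and pipe the live status in with `smbcontrol winbind onlinestatus | domain_state MYDOMAIN` after sourcing the file. Note that, as Andreas points out in the thread, `smbcontrol winbind offline` is only a simulation; the realistic test is to prime the cache with one successful online logon and then actually drop the network.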

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

I see, I just tried, and by default I get the krb5* options in /etc/pam.d/common-auth's pam_winbind.so line.

That comes from /usr/share/pam-configs/winbind.

It's a more modern default I believe (assuming the machine was joined to an AD domain, and not an NT one), and I'm not sure how configurable or smart it could be made. Maybe multiple profiles could be shipped, one for NT4 domains, one for AD domains (default)?

Changed in samba (Ubuntu):
status: Incomplete → Triaged
importance: Undecided → Low
summary: - offline logon doesnt works in ubuntu 18.04
+ offline logon with NT4 domains needs config change in 18.04
summary: - offline logon with NT4 domains needs config change in 18.04
+ offline logon with NT4 domains needs config change