password caching no longer works

Bug #509934 reported by Alex Mauer
This bug affects 4 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| likewise-open | Fix Committed | High | Gerald Carter | |
| likewise-open (Ubuntu) | Fix Released | Undecided | Gerald Carter | |

Bug Description

Binary package hint: likewise-open

Password caching has stopped working after upgrading to Lucid.

I can still join a domain and log in when connected to the domain, but if I shut down and disconnect from the network, then I can no longer log in after starting up again. If I log in as root, 'id DOMAIN\\user' responds: "no such user".

Revision history for this message
Alex Mauer (hawke) wrote :

If I then connect to a VPN which can reach the domain and restart lsassd and netlogond, I can once again log in as myself. Caching does work as long as lsassd continues running.

Changed in likewise-open (Ubuntu):
assignee: nobody → Gerald Carter (coffeedude.jerry)
Alexander Brinkman (abrinkman-gmail) wrote :

Can confirm. Caching does not work after a restart.

Gerald Carter (coffeedude.jerry) wrote :

I get some delays when logging in but offline logons are confirmed to work in
the 5.4.0.42111-1~ppa2~lucid packages I'll be submitting for the first Beta.

Changed in likewise-open (Ubuntu):
status: New → In Progress
status: In Progress → Fix Committed
Gerald Carter (coffeedude.jerry) wrote :

nvm..the delays were caused by {pam,nss}_ldap on my system. Offline logons appear to be working
properly in the new packages.

Alex Mauer (hawke) wrote :

This still isn’t working for me. I’ve purged and reinstalled the package, and rejoined the domain. Online logins work, but after a reboot they don’t work.

Changed in likewise-open (Ubuntu):
status: Fix Committed → Confirmed
Gerald Carter (coffeedude.jerry) wrote :

I need more information. Couple of questions:

* What likewise-open version are you running now? 5.4.0.42111-1 from main?

* After the reboot, what is the output from " ps --ppid `pidof lwsmd` "?

* What is the format of the name you are using to login when offline? e.g. DOMAIN\user, user@domain, <email address hidden>, etc...

Alex Mauer (hawke) wrote :

I am running 5.4.0.42111-1 from main, yes.

Assuming you need only the CMD list from that ps output:
lwregd, dcerpcd, netlogond, eventlogd, lwiod, lsassd

I am trying to login with DOMAIN\user, because if I try to use either of the other formats then the login: prompt is cleared when I type the @...

Gerald Carter (coffeedude.jerry) wrote :

OK. Tried again with a fresh Beta1 install this morning (after installing the likewise-open deb from main). Still unable to repro the offline login failure. Is there anything unique about your setup?

Changed in likewise-open (Ubuntu):
status: Confirmed → Incomplete
Gerald Carter (coffeedude.jerry) wrote :

Alex, would you look at Bug #510683 and see if any of the network discussion applies to your environment? Thanks.

Alex Mauer (hawke) wrote :

That bug seems to describe problems with lsassd starting before networking is up, but that once they've brought networking up everything is fine. This suggests that they're talking about live logins, i.e. not cached logins.

Am I reading that wrong?

When I refer to cached credentials here, I mean even across boots (and lsassd restarts). Not just disconnected-logins-as-long-as-lsassd-keeps-running, which works fine. I should be able to boot, login with an AD account, disconnect, reboot (or restart lsassd), and still be able to login with an AD account.

Alex Mauer (hawke) wrote :

Note that I say "I should be able to" do this, because it works with the upstream likewise-open packages.

Gerald Carter (coffeedude.jerry) wrote :

All of this works just fine for me. I'm just trying to figure out what the differentiating factor is in your environment. So you have no network cable plugged in at all right? Not just connected to a different network which does not have connectivity back to your DC? You said in comment #1

    "If I then connect to a VPN which can reach the domain
    and restart lsassd and netlogond, I can once again log in
    as myself. Caching does work as long as lsassd
    continues running."

So I was wondering if lsassd was in fact working fine but due to a network start order was not fully initialized when you tried to log in.

And when you say it does work with "upstream" packages, specifically what version packages from www.likewise.com are you referring to? Thanks for the information and your patience.

Alex Mauer (hawke) wrote :

Initially, I have no network cable plugged in at all. AD logins don’t work. I then log in as a local user, connect to a wireless network which cannot access the DC. AD logins still don’t work. I then connect to a VPN which can access the DC, and restart lsassd and netlogond. AD logins begin working.

The upstream packages are from LikewiseIdentityServiceOpen-5.4.0.7948-linux-i386-deb.sh. They showed up on the system as version 5.4.0-1.

Alex Mauer (hawke) wrote :

running lsassd as root, while offline, with loglevel debug:

20100323183710:VERBOSE:0xb7839940:[lsassd_main() libmain.c:132] Logging started
20100323183710:INFO:0xb7839940:[LsaSrvVerifyNetLogonStatus() libmain.c:364] LsaSrvVerifyNetLogonStatus call to LWNet API returned 0
20100323183710:INFO:0xb7839940:[LsaSrvStartupPreCheck() libmain.c:297] LSA Process start up check for NetLogon complete
20100323183710:INFO:0xb7839940:[LsaSrvVerifyLwIoStatus() libmain.c:396] LsaSrvVerifyLwIoStatus call to LwIo API returned 0
20100323183710:INFO:0xb7839940:[LsaSrvVerifyLwIoStatus() libmain.c:402] LsaSrvVerifyLwIoStatus call to LwIo API returned 0
20100323183710:INFO:0xb7839940:[LsaSrvStartupPreCheck() libmain.c:322] LSA Process start up check for LwIo complete
20100323183710:INFO:0xb7839940:[LsaStartRpcSrv() rpc_server.c:268] lsarpc rpc server successfully started
20100323183710:DEBUG:0xb1ebfb70:[LsaDmpMustFindDomain() lsadm_p.c:1299] Do not know about domain 'AD.DOMAIN.COM'
20100323183710:DEBUG:0xb1ebfb70:[LsaDmpIsDomainOffline() lsadm_p.c:2410] Error code: 40044 (symbol: LW_ERROR_NO_SUCH_DOMAIN)
20100323183710:VERBOSE:0xafcfcb70:[LsaDmpThreadRoutine() lsadm_p.c:427] Started domain manager online detection thread
20100323183710:DEBUG:0xb1ebfb70:[LsaDmConnectDomain() lsadm.c:887] Error code: 9502 (symbol: DNS_ERROR_BAD_PACKET)
20100323183710:DEBUG:0xb1ebfb70:[LsaDmpMustFindDomain() lsadm_p.c:1299] Do not know about domain 'AD.DOMAIN.COM'
20100323183710:DEBUG:0xb1ebfb70:[LsaDmpModifyDomainFlagsByName() lsadm_p.c:2267] Error code: 40044 (symbol: LW_ERROR_NO_SUCH_DOMAIN)
20100323183710:DEBUG:0xb1ebfb70:[LsaDmConnectDomain() lsadm.c:944] Error 40044 transitioning AD.DOMAIN.COM offline
20100323183710:INFO:0xb7839940:[LsaStartRpcSrv() rpc_server.c:268] samr rpc server successfully started
20100323183710:INFO:0xb7839940:[LsaStartRpcSrv() rpc_server.c:268] dssetup rpc server successfully started
20100323183710:INFO:[IPC] Listening on endpoint /var/lib/likewise-open/.lsassd
20100323183710:INFO:[IPC] Listener started
20100323183710:INFO:[IPC] Listening on endpoint /var/lib/likewise-open/.ntlmd
20100323183710:INFO:[IPC] Listener started
20100323183710:DEBUG:0xb1ebfb70:[LsaDmpAddTrustedDomain() lsadm_p.c:1449] Cannot add non-primary trust trusted.otherdomain.com w/o first adding primary domain.
20100323183710:DEBUG:0xb1ebfb70:[LsaDmpAddTrustedDomain() lsadm_p.c:1456] Error code: 40016 (symbol: LW_ERROR_INTERNAL)
20100323183710:DEBUG:0xb1ebfb70:[AD_OfflineInitializeOperatingMode() offline.c:473] Error code: 40016 (symbol: LW_ERROR_INTERNAL)
20100323183710:DEBUG:0xb1ebfb70:[AD_InitializeOperatingMode() provider-main.c:3895] Error code: 40016 (symbol: LW_ERROR_INTERNAL)
20100323183710:DEBUG:0xb1ebfb70:[AD_Activate() provider-main.c:434] Error code: 40016 (symbol: LW_ERROR_INTERNAL)
20100323183710:VERBOSE:0xafcfcb70:[LsaDmpThreadRoutine() lsadm_p.c:496] Stopped domain manager online detection thread

Is the line “20100323183710:DEBUG:0xb1ebfb70:[LsaDmConnectDomain() lsadm.c:944] Error 40044 transitioning AD.DOMAIN.COM offline” relevant, perhaps?

gmoore777 (guy-moore) wrote :

I have the same problem.
machine connected to network.
boot.
log in as DOMAIN\first.last.
shut down computer.
unplug network cable.
boot.
log in as DOMAIN\first.last.
 "authentication failure"

I can only log in with local Linux accounts at this point.

I believe if I then plug network cable in, and `sudo /etc/init.d/lsass stop` then `sudo /etc/init.d/start`, that I can
then switch user, `su - DOMAIN\first.user` , successfully.
(FYI: `sudo /etc/init.d/lsass restart` does not work.)

gmoore777 (guy-moore) wrote :

I am on 64-bit LucidLynx with all updates, and likewise-open 5.4.0.42111-1.
(Dell Optiplex 745 or Dell Latitude E6400)

Gerald Carter (coffeedude.jerry) wrote :

I think that this is an issue with the lsassd active-directory-provider failing to load due to trusted domain detection failures. Please test the 5.4.0.42111-2~ppa1~lucid packages at https://launchpad.net/~likewise-open/+archive/likewise-open-ppa

Changed in likewise-open (Ubuntu):
status: Incomplete → Fix Committed
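
A triage sketch for the lsassd debug log quoted earlier in this report, added here as an example and not part of the bug report or of likewise-open: it parses lines in that log's format and reports when an error chain on one thread reaches `AD_Activate()`, the last frame of the failure in that log. The function name `find_provider_failure` and the result keys are assumptions; the sample lines are an excerpt of the log above.

```python
import re

# Excerpt of the debug log quoted in this report (not the full log).
SAMPLE_LOG = """\
20100323183710:DEBUG:0xb1ebfb70:[LsaDmConnectDomain() lsadm.c:944] Error 40044 transitioning AD.DOMAIN.COM offline
20100323183710:INFO:[IPC] Listener started
20100323183710:DEBUG:0xb1ebfb70:[LsaDmpAddTrustedDomain() lsadm_p.c:1449] Cannot add non-primary trust trusted.otherdomain.com w/o first adding primary domain.
20100323183710:DEBUG:0xb1ebfb70:[LsaDmpAddTrustedDomain() lsadm_p.c:1456] Error code: 40016 (symbol: LW_ERROR_INTERNAL)
20100323183710:DEBUG:0xb1ebfb70:[AD_OfflineInitializeOperatingMode() offline.c:473] Error code: 40016 (symbol: LW_ERROR_INTERNAL)
20100323183710:DEBUG:0xb1ebfb70:[AD_InitializeOperatingMode() provider-main.c:3895] Error code: 40016 (symbol: LW_ERROR_INTERNAL)
20100323183710:DEBUG:0xb1ebfb70:[AD_Activate() provider-main.c:434] Error code: 40016 (symbol: LW_ERROR_INTERNAL)
"""

# timestamp:LEVEL:thread:[Function() file:line] message  (thread is absent on [IPC] lines)
LINE_RE = re.compile(
    r"^\d{14}:[A-Z]+:(?:(?P<thread>0x[0-9a-f]+):)?"
    r"\[(?P<func>\w+)\(\) [\w.-]+:\d+\] (?P<msg>.*)$"
)
ERR_RE = re.compile(r"Error code: (?P<code>\d+) \(symbol: (?P<symbol>\w+)\)")


def find_provider_failure(log_text, entry_point="AD_Activate"):
    """Return details of the first error chain that propagates up to entry_point."""
    chains, last_msg = {}, {}  # both keyed by thread id
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or not m["thread"]:
            continue  # [IPC] lines and anything not in the expected format
        tid, func = m["thread"], m["func"]
        err = ERR_RE.search(m["msg"])
        if not err:
            last_msg[tid] = (func, m["msg"])  # free-text line, possible cause
            chains.pop(tid, None)             # a new message ends any error run
            continue
        code = int(err["code"])
        chain = chains.get(tid, [])
        if chain and chain[-1][1] != code:
            chain = []  # a different error code starts a new run
        chain.append((func, code))
        chains[tid] = chain
        if func == entry_point:
            origin = chain[0][0]
            hint_func, hint = last_msg.get(tid, (None, None))
            return {"thread": tid, "code": code, "symbol": err["symbol"],
                    "origin": origin, "chain": [f for f, _ in chain],
                    "cause": hint if hint_func == origin else None}
    return None


if __name__ == "__main__":
    print(find_provider_failure(SAMPLE_LOG))
```
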
Alex Mauer (hawke) wrote :

Those packages work for me.

gmoore777 (guy-moore) wrote :

1.) with the new version 5.4.0.42111-2~ppa2~lucid uploaded to
https://launchpad.net/~likewise-open/+archive/likewise-open-ppa
I was able to unplug network cable, power on machine and log in
with a DOMAIN\first.last.

Thank you very much for fixing this (without reproducing it)
and making it available.

2.)
I also noticed that a message, that I was used to seeing on HardyHeron,
no longer appears on LucidLynx when there was no network connection.
The message was something like:
“Domain Controller is unreachable, will be using cached credentials”

That message was non-fatal, as it would use cached credentials
to log you in, but it was a nice warning, to let you know that
something may not be quite right, network-wise on the machine.
In most cases, it was mostly that you logged in immediately
after booting up, and the network apps weren’t quite all started up.

Does it make sense to get that same warning behaviour back in LucidLynx?

Changed in likewise-open:
assignee: nobody → Gerald Carter (coffeedude.jerry)
importance: Undecided → High
status: New → Fix Committed
Martin Pitt (pitti) wrote :

likewise-open (5.4.0.42111-2) lucid; urgency=low

  * LP BUG #509934, #510683 - Don't fail to load the lsassd
    ad-provider when we fail to add a domain to the trust list
  * LP BUG #543730 - Add likewise-open5-gui transition package
  * Fix the likewise-open-gui Gnome Administration menu item

 -- Gerald Carter <email address hidden> Wed, 07 Apr 2010 17:37:29 -0500

Changed in likewise-open (Ubuntu):
status: Fix Committed → Fix Released
Rob (robhedstrom) wrote :

I installed Ubuntu 10.04 RTM on an Acer Aspire Revo 3610 over the weekend for testing. Likewise installation and domain joining went smoothly. However, subsequent reboots and authentication attempts often result in failure. I searched and found that bug #509934 and #510683 are very similar to what I encountered. I am only able to repro the issue when using a wireless connection. The wired connection functions properly but this is not ideal for my environment.

Please let me know if you require more information. In the meantime, I have executed the /etc/rc.local workaround outlined in bug #510683.

Paul Webster (pwebster) wrote :

I am experiencing this same problem in 10.04. I made the mistake of upgrading from 9.10 when I was still joined to the domain. I think this messed a few things up. I then had to completely uninstall LWO from synaptic. After reinstalling LWO 5.4 from synaptic and rejoining the domain I can join and my credentials do cache for a while (4ish hours) but then they stop working (authentication error). I'm running update manager right now so maybe I'll get a magic cure.

Gerald Carter (coffeedude.jerry) wrote :

Paul, the cache issue is LP BUG 572271

Paul Webster (pwebster) wrote :

Thanks Jerry -
I'll follow that other discussion. It looks like the solutions there are way over my head at this point. I'll hold out for an easier bug fix. Thanks for your work on this. I love the concept of Likewise and it could be a powerful tool to bring Linux into my Windows-only school district. Can't go there until it can be counted on for less geeky people than me. :)
