pam_winbind offline logon does not work in 12.04

Bug #1165461 reported by Ulf on 2013-04-06
This bug affects 3 people
Affects: samba (Ubuntu) | Importance: Medium | Assigned to: Unassigned

Bug Description

The pam_winbind offline login does not work in 12.04 LTS with latest updates.
My configuration:
Client joined to domain with uidNumber set in AD.
smb.conf with winbind offline logon = yes
/etc/security/pam_winbind.conf with cached_login = yes
PAM configuration is the "default" pam-auth-update configuration with winbind.

If I am online everything works as expected. I can login with my AD account tstusr2.
But if my notebook has no connection to the domain controller the offline login does not work anymore.
The problem seems to be somewhere in PAM, as PAM identifies the user as "unknown". See attachment auth.log.

If I manually add my user to /etc/passwd the offline login works.
tstusr2:*:50001:70005::/home:/bin/bash

It can't be the solution to add domain users to /etc/passwd. pam_winbind has to deal with it.

Ulf (mopp) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. It seems that your bug report is not filed about a specific source package though, rather it is just filed against Ubuntu in general. It is important that bug reports be filed about source packages so that people interested in the package can find the bugs about it. You can find some hints about determining what package your bug might be about at https://wiki.ubuntu.com/Bugs/FindRightPackage. You might also ask for help in the #ubuntu-bugs irc channel on Freenode.

To change the source package that this bug is filed about visit https://bugs.launchpad.net/ubuntu/+bug/1165461/+editstatus and add the package name in the text box next to the word Package.

[This is an automated message. I apologize if it reached you inappropriately; please just reply to this message indicating so.]

tags: added: bot-comment
Javier López (javier-lopez) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. I've assigned this report to the libpam-winbind package; hope this can bring the attention of the interested parties.

tags: added: precise
affects: ubuntu → samba (Ubuntu)
Changed in samba (Ubuntu):
status: New → Incomplete
Giuseppe Paterno' (gpaterno) wrote :

I'm not in charge of the bug, but if your problem is missing passwd information, then the behavior of PAM might be correct.
PAM is supposed to handle authentication only, NSS is the responsible part of getting user's info.
You might have a closer look at:
a) nscd, to cache users' info
b) SSSD (System Security Services Daemon), that is included in Ubuntu, to allow NSS information to be propagated and locally cached.
My eur 0.01

Ulf (mopp) wrote :

nscd and SSSD are not installed / configured.
From my understanding winbind should handle the NSS caching.
/etc/nsswitch.conf:
passwd: compat winbind

On other Linux distributions it works, so in my eyes something seems to be wrong with Ubuntu and winbind.

Robie Basak (racb) wrote :

Thanks for the report - this looks reasonably like a bug if someone else can confirm this behaviour.

To progress this bug we need a developer with some interest in winbind with AD working well in samba.

Changed in samba (Ubuntu):
status: Incomplete → New
importance: Undecided → Medium
JeanLucLocutus (florian-bieber) wrote :

We are trying to integrate Ubuntu 12.04.02 into our AD with the built-in winbind and configured /etc/samba/smb.conf and /etc/security/pam_winbind.conf as described above.

An offline login with Active Directory credentials also only works if a manual entry is created for the user in /etc/passwd.

Winbind seems not to be able to access its cached nss information.

JeanLucLocutus (florian-bieber) wrote :

A colleague compiled "winbind_krb5_locator.so" via

    dpkg-buildpackage -us -uc -nc

from the winbind3 source package (using "deb-src http://archive.ubuntu.com/ubuntu precise main universe restricted multiverse" in sources.list and "apt-get source winbind3"), and we copied "winbind_krb5_locator.so" to /usr/lib/x86_64-linux-gnu/krb5/plugins/krb5 and joined a newly installed system to Active Directory without /etc/krb5.conf.

Jakob (28-launch) wrote :

Hi everyone,

the bug only occurs if you use the idmap ad backend. With backend tdb everything works fine.

I tracked this down to the file /var/run/samba/gencache.tdb. The file lies in a tmpfs and is cleared on every reboot. Winbind uses it to store the sid2uid and sid2gid mapping information in it.

An easy fix is to tell samba to store the file in another directory. This can be done with "lock directory = /var/cache/samba/" in smb.conf.

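A quick check for the condition Jakob describes, as an added example that is not part of this bug thread: it reads the effective "lock directory" from an smb.conf-style file (assuming the 12.04 default of /var/run/samba when the option is absent) and looks up which filesystem holds it in a /proc/mounts-style table, so a tmpfs location can be flagged before the cached sid2uid/sid2gid mappings are lost on reboot. The smb.conf fragments and mount table below are constructed samples, not taken from a real system.

```shell
#!/bin/sh
# Added example: report whether Samba's lock directory (where gencache.tdb lives)
# sits on a volatile tmpfs. Sample inputs are constructed; the default lock
# directory of /var/run/samba is an assumption based on the thread.

# Print the effective "lock directory" from an smb.conf-style file ($1).
lock_dir_of() {
  dir=$(sed -n 's/^[[:space:]]*lock directory[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
  [ -n "$dir" ] || dir=/var/run/samba        # assumed compile-time default
  printf '%s\n' "${dir%/}"                   # drop a trailing slash
}

# Print the filesystem type of the longest mount point (from the /proc/mounts
# style table in $2) that is a prefix of directory $1.
fstype_of() {
  dir=${1%/}; best=""; besttype=""
  while read -r _dev mnt type _rest; do
    case "$dir/" in
      "${mnt%/}/"*) if [ ${#mnt} -ge ${#best} ]; then best=$mnt; besttype=$type; fi ;;
    esac
  done < "$2"
  printf '%s\n' "$besttype"
}

# Exit status 0 if the directory is on tmpfs (cleared at boot), 1 otherwise.
is_volatile() { [ "$(fstype_of "$1" "$2")" = "tmpfs" ]; }

# Human-readable verdict for one smb.conf ($1) against one mount table ($2).
report() {
  d=$(lock_dir_of "$1")
  if is_volatile "$d" "$2"; then
    echo "$d is on tmpfs: gencache.tdb and the cached idmap entries will not survive a reboot"
  else
    echo "$d is on a persistent filesystem"
  fi
}

# Constructed sample data mimicking a 12.04 host where /var/run is tmpfs.
tmp=$(mktemp -d)
cat > "$tmp/mounts" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
none /var/run tmpfs rw,nosuid,mode=755 0 0
EOF
printf '[global]\n  winbind offline logon = yes\n' > "$tmp/smb.conf.default"
printf '[global]\n  winbind offline logon = yes\n  lock directory = /var/cache/samba/\n' > "$tmp/smb.conf.fixed"

report "$tmp/smb.conf.default" "$tmp/mounts"
report "$tmp/smb.conf.fixed" "$tmp/mounts"
```

On a live host, pass /etc/samba/smb.conf and /proc/mounts instead of the constructed files.
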
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in samba (Ubuntu):
status: New → Confirmed
Martin Bark (martin-bark) wrote :

I'm using idmap backend ad and offline logins failed after rebooting Ubuntu 12.04. I can confirm the change to set "lock directory = /var/cache/samba/" in smb.conf fixed the issue for me.

Thanks Jakob

JokerGermany.tk (jokergermany) wrote :

Changing the lock directory doesn't work for me with Ubuntu 14.04.2 :(

napnap (napnap) wrote :

Hi,

same bug here with Ubuntu 14.04 integrated into an NT4-style domain.
Offline logon works if I close the session and disconnect the LAN wire, but doesn't work if I reboot. This is auth.log:

Sep 21 08:46:42 PC-UPS846 lightdm: pam_unix(lightdm:auth): check pass; user unknown
Sep 21 08:46:42 PC-UPS846 lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
Sep 21 08:46:42 PC-UPS846 lightdm: pam_winbind(lightdm:auth): getting password (0x00000208)
Sep 21 08:46:42 PC-UPS846 lightdm: pam_winbind(lightdm:auth): pam_get_item returned a password
Sep 21 08:46:45 PC-UPS846 lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
Sep 21 08:46:45 PC-UPS846 lightdm: PAM adding faulty module: pam_kwallet.so

"user unknown": it seems winbind can't handle the NSS caching. (I see an error with pam_kwallet.so but it doesn't seem to be relevant.)

The file gencache.tdb is already in /var/cache/samba/ .

cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat winbind
group: compat winbind
shadow: compat

hosts: files myhostname mdns4_minimal [NOTFOUND=return] dns mdns4 wins
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis
