pam_winbind krb5_ccache_type=FILE stopped working after 14.04 upgrade

Bug #1310919 reported by styro on 2014-04-22
This bug affects 4 people
Affects, Status, Importance, Assigned to, Milestone:
samba: Confirmed; Medium
samba (Ubuntu): High; Canonical Server Team
Trusty: High; Unassigned
Utopic: High; Canonical Server Team

Bug Description

============================================
Impact: pam-winbind stops working, preventing AD logins
Regression potential: This patch is not accepted upstream so could for instance be introducing a memory leak in failure paths.
Test case: login using pam-winbind
============================================
Ubuntu version: 14.04 AMD64
samba, winbind, libpam-winbind version: 2:4.1.6+dfsg-1ubuntu2

After upgrading to 14.04 from 13.10 I couldn't log in with any Active Directory accounts.

After checking that Winbind itself worked (e.g. wbinfo and getent still worked properly) and plain old Kerberos kinit still worked fine, it seemed like it had to be a PAM problem.

This is from /var/log/auth.log after enabling debug and debug_state on pam_winbind and trying to log in via ssh (local logins had the same problem both via the console and lightdm)

Apr 22 16:21:23 ben sshd[10932]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=client.example.com user=anton
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(sshd:auth): [pamh: 0x7f30e9cca190] ENTER: pam_sm_authenticate (flags: 0x0001)
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(sshd:auth): [pamh: 0x7f30e9cca190] STATE: ITEM(PAM_SERVICE) = "sshd" (0x7f30e9cbf250)
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(sshd:auth): [pamh: 0x7f30e9cca190] STATE: ITEM(PAM_USER) = "anton" (0x7f30e9cc1f80)
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(sshd:auth): [pamh: 0x7f30e9cca190] STATE: ITEM(PAM_TTY) = "ssh" (0x7f30e9cdb0d0)
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(sshd:auth): [pamh: 0x7f30e9cca190] STATE: ITEM(PAM_RHOST) = "client.example.com" (0x7f30e9cdb0b0)
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(sshd:auth): [pamh: 0x7f30e9cca190] STATE: ITEM(PAM_AUTHTOK) = 0x7f30e9cd8ef0
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(sshd:auth): [pamh: 0x7f30e9cca190] STATE: ITEM(PAM_CONV) = 0x7f30e9cd8ed0
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(sshd:auth): getting password (0x00001389)
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(sshd:auth): pam_get_item returned a password
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(sshd:auth): Verify user 'anton'
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(sshd:auth): PAM config: krb5_ccache_type 'FILE'
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(sshd:auth): enabling krb5 login flag
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(sshd:auth): enabling cached login flag
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(sshd:auth): enabling request for a FILE krb5 ccache
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_CONNECTION_DISCONNECTED, Error message was: NT_STATUS_CONNECTION_DISCONNECTED
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(sshd:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'anton')
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(sshd:auth): [pamh: 0x7f30e9cca190] LEAVE: pam_sm_authenticate returning 4 (PAM_SYSTEM_ERR)
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(sshd:auth): [pamh: 0x7f30e9cca190] STATE: ITEM(PAM_SERVICE) = "sshd" (0x7f30e9cbf250)
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(sshd:auth): [pamh: 0x7f30e9cca190] STATE: ITEM(PAM_USER) = "anton" (0x7f30e9cc1f80)
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(sshd:auth): [pamh: 0x7f30e9cca190] STATE: ITEM(PAM_TTY) = "ssh" (0x7f30e9cdb0d0)
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(sshd:auth): [pamh: 0x7f30e9cca190] STATE: ITEM(PAM_RHOST) = "client.example.com" (0x7f30e9cdb0b0)
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(sshd:auth): [pamh: 0x7f30e9cca190] STATE: ITEM(PAM_AUTHTOK) = 0x7f30e9cd8ef0
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(sshd:auth): [pamh: 0x7f30e9cca190] STATE: ITEM(PAM_CONV) = 0x7f30e9cd8ed0
Apr 22 16:21:25 ben sshd[10932]: Failed password for anton from 192.168.20.100 port 58950 ssh2
Apr 22 16:21:27 ben sshd[10932]: Connection closed by 192.168.20.100 [preauth]

After seeing that the line before the first error was about requesting a FILE krb5 ccache, I successfully tried with a different credential cache type (krb5_ccache_type=KEYRING) for pam_winbind in /etc/pam.d/common-auth:

Apr 22 16:23:34 ben sshd[10946]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=client.example.com user=anton
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(sshd:auth): [pamh: 0x7ff5b1619110] ENTER: pam_sm_authenticate (flags: 0x0001)
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(sshd:auth): [pamh: 0x7ff5b1619110] STATE: ITEM(PAM_SERVICE) = "sshd" (0x7ff5b160e080)
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(sshd:auth): [pamh: 0x7ff5b1619110] STATE: ITEM(PAM_USER) = "anton" (0x7ff5b1610aa0)
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(sshd:auth): [pamh: 0x7ff5b1619110] STATE: ITEM(PAM_TTY) = "ssh" (0x7ff5b162a0f0)
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(sshd:auth): [pamh: 0x7ff5b1619110] STATE: ITEM(PAM_RHOST) = "client.example.com" (0x7ff5b162a0d0)
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(sshd:auth): [pamh: 0x7ff5b1619110] STATE: ITEM(PAM_AUTHTOK) = 0x7ff5b1627ed0
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(sshd:auth): [pamh: 0x7ff5b1619110] STATE: ITEM(PAM_CONV) = 0x7ff5b1627eb0
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(sshd:auth): getting password (0x00001389)
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(sshd:auth): pam_get_item returned a password
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(sshd:auth): Verify user 'anton'
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(sshd:auth): PAM config: krb5_ccache_type 'KEYRING'
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(sshd:auth): enabling krb5 login flag
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(sshd:auth): enabling cached login flag
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(sshd:auth): enabling request for a KEYRING krb5 ccache
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(sshd:auth): request wbcLogonUser succeeded
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(sshd:auth): user 'anton' granted access
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(sshd:auth): Returned user was 'anton'
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(sshd:auth): [pamh: 0x7ff5b1619110] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(sshd:auth): [pamh: 0x7ff5b1619110] STATE: ITEM(PAM_SERVICE) = "sshd" (0x7ff5b160e080)
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(sshd:auth): [pamh: 0x7ff5b1619110] STATE: ITEM(PAM_USER) = "anton" (0x7ff5b162c7d0)
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(sshd:auth): [pamh: 0x7ff5b1619110] STATE: ITEM(PAM_TTY) = "ssh" (0x7ff5b162a0f0)
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(sshd:auth): [pamh: 0x7ff5b1619110] STATE: ITEM(PAM_RHOST) = "client.example.com" (0x7ff5b162a0d0)
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(sshd:auth): [pamh: 0x7ff5b1619110] STATE: ITEM(PAM_AUTHTOK) = 0x7ff5b1627ed0
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(sshd:auth): [pamh: 0x7ff5b1619110] STATE: ITEM(PAM_CONV) = 0x7ff5b1627eb0
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(sshd:auth): [pamh: 0x7ff5b1619110] STATE: DATA(PAM_WINBIND_LOGONSERVER) = "ADDC" (0x7ff5b162c410)
Apr 22 16:23:34 ben sshd[10946]: Accepted password for anton from 192.168.20.100 port 58955 ssh2
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(sshd:setcred): [pamh: 0x7ff5b1619110] ENTER: pam_sm_setcred (flags: 0x0002)
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(sshd:setcred): [pamh: 0x7ff5b1619110] STATE: ITEM(PAM_SERVICE) = "sshd" (0x7ff5b160e080)
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(sshd:setcred): [pamh: 0x7ff5b1619110] STATE: ITEM(PAM_USER) = "anton" (0x7ff5b162c7d0)
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(sshd:setcred): [pamh: 0x7ff5b1619110] STATE: ITEM(PAM_TTY) = "ssh" (0x7ff5b162a0f0)
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(sshd:setcred): [pamh: 0x7ff5b1619110] STATE: ITEM(PAM_RHOST) = "client.example.com" (0x7ff5b162a0d0)
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(sshd:setcred): [pamh: 0x7ff5b1619110] STATE: ITEM(PAM_CONV) = 0x7ff5b162cea0
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(sshd:setcred): [pamh: 0x7ff5b1619110] STATE: DATA(PAM_WINBIND_LOGONSERVER) = "ADDC" (0x7ff5b162c410)
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not implemented
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(sshd:setcred): [pamh: 0x7ff5b1619110] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS)
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(sshd:setcred): [pamh: 0x7ff5b1619110] STATE: ITEM(PAM_SERVICE) = "sshd" (0x7ff5b160e080)
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(sshd:setcred): [pamh: 0x7ff5b1619110] STATE: ITEM(PAM_USER) = "anton" (0x7ff5b162c7d0)
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(sshd:setcred): [pamh: 0x7ff5b1619110] STATE: ITEM(PAM_TTY) = "ssh" (0x7ff5b162a0f0)
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(sshd:setcred): [pamh: 0x7ff5b1619110] STATE: ITEM(PAM_RHOST) = "client.example.com" (0x7ff5b162a0d0)
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(sshd:setcred): [pamh: 0x7ff5b1619110] STATE: ITEM(PAM_CONV) = 0x7ff5b162cea0
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(sshd:setcred): [pamh: 0x7ff5b1619110] STATE: DATA(PAM_WINBIND_LOGONSERVER) = "ADDC" (0x7ff5b162c410)
Apr 22 16:23:34 ben sshd[10946]: pam_unix(sshd:session): session opened for user anton by (uid=0)
Apr 22 16:23:34 ben systemd-logind[855]: Removed session 3.
Apr 22 16:23:34 ben systemd-logind[855]: New session 4 of user anton.
Apr 22 16:23:34 ben sshd[10984]: pam_winbind(sshd:setcred): [pamh: 0x7ff5b1619110] ENTER: pam_sm_setcred (flags: 0x0002)
Apr 22 16:23:34 ben sshd[10984]: pam_winbind(sshd:setcred): [pamh: 0x7ff5b1619110] STATE: ITEM(PAM_SERVICE) = "sshd" (0x7ff5b160e080)
Apr 22 16:23:34 ben sshd[10984]: pam_winbind(sshd:setcred): [pamh: 0x7ff5b1619110] STATE: ITEM(PAM_USER) = "anton" (0x7ff5b162c7d0)
Apr 22 16:23:34 ben sshd[10984]: pam_winbind(sshd:setcred): [pamh: 0x7ff5b1619110] STATE: ITEM(PAM_TTY) = "ssh" (0x7ff5b162a0f0)
Apr 22 16:23:34 ben sshd[10984]: pam_winbind(sshd:setcred): [pamh: 0x7ff5b1619110] STATE: ITEM(PAM_RHOST) = "client.example.com" (0x7ff5b162a0d0)
Apr 22 16:23:34 ben sshd[10984]: pam_winbind(sshd:setcred): [pamh: 0x7ff5b1619110] STATE: ITEM(PAM_CONV) = 0x7ff5b160f040
Apr 22 16:23:34 ben sshd[10984]: pam_winbind(sshd:setcred): [pamh: 0x7ff5b1619110] STATE: DATA(PAM_WINBIND_LOGONSERVER) = "ADDC" (0x7ff5b162c410)
Apr 22 16:23:34 ben sshd[10984]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not implemented
Apr 22 16:23:34 ben sshd[10984]: pam_winbind(sshd:setcred): [pamh: 0x7ff5b1619110] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS)
Apr 22 16:23:34 ben sshd[10984]: pam_winbind(sshd:setcred): [pamh: 0x7ff5b1619110] STATE: ITEM(PAM_SERVICE) = "sshd" (0x7ff5b160e080)
Apr 22 16:23:34 ben sshd[10984]: pam_winbind(sshd:setcred): [pamh: 0x7ff5b1619110] STATE: ITEM(PAM_USER) = "anton" (0x7ff5b162c7d0)
Apr 22 16:23:34 ben sshd[10984]: pam_winbind(sshd:setcred): [pamh: 0x7ff5b1619110] STATE: ITEM(PAM_TTY) = "ssh" (0x7ff5b162a0f0)
Apr 22 16:23:34 ben sshd[10984]: pam_winbind(sshd:setcred): [pamh: 0x7ff5b1619110] STATE: ITEM(PAM_RHOST) = "client.example.com" (0x7ff5b162a0d0)
Apr 22 16:23:34 ben sshd[10984]: pam_winbind(sshd:setcred): [pamh: 0x7ff5b1619110] STATE: ITEM(PAM_CONV) = 0x7ff5b160f040
Apr 22 16:23:34 ben sshd[10984]: pam_winbind(sshd:setcred): [pamh: 0x7ff5b1619110] STATE: DATA(PAM_WINBIND_LOGONSERVER) = "ADDC" (0x7ff5b162c410)

It would fail again if changed back to krb5_ccache_type=FILE which is still the default setting as far as I can tell.

Also kinit could successfully create a FILE ccache. And (I don't know if this is relevant) even with a KEYRING ccache, klist would still show the standard FILE ccache path.

contents of /usr/share/pam-configs/winbind

Name: Winbind NT/Active Directory authentication
Default: yes
Priority: 192
Auth-Type: Primary
Auth:
        [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=KEYRING cached_login try_first_pass
Auth-Initial:
        [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=KEYRING cached_login
Account-Type: Primary
Account:
        [success=end new_authtok_reqd=done default=ignore] pam_winbind.so
Password-Type: Primary
Password:
        [success=end default=ignore] pam_winbind.so use_authtok try_first_pass
Password-Initial:
        [success=end default=ignore] pam_winbind.so
Session-Type: Additional
Session:
        optional pam_winbind.so

contents of /etc/pam.d/common-auth:

# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=KEYRING cached_login try_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config

testparm service definition:

[global]
 workgroup = EXAMPLE
 realm = EXAMPLE.COM
 security = ADS
 kerberos method = secrets and keytab
 log file = /var/log/samba/%m
 max log size = 50
 printcap name = cups
 local master = No
 template homedir = /home/%U
 template shell = /bin/bash
 winbind enum users = Yes
 winbind enum groups = Yes
 winbind use default domain = Yes
 winbind nss info = rfc2307
 winbind refresh tickets = Yes
 winbind offline logon = Yes
 idmap config EXAMPLE:range = 10000 - 19999
 idmap config EXAMPLE:schema_mode = rfc2307
 idmap config EXAMPLE:default = yes
 idmap config EXAMPLE:readonly = yes
 idmap config EXAMPLE:backend = ad
 idmap config * : range = 50000 - 50999
 idmap config * : backend = tdb
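
As an added example (not part of the original report or of Samba): a small Python triage script that groups the pam_winbind debug lines shown in the description by sshd PID and correlates the configured krb5_ccache_type with the wbcLogonUser outcome. The sample log is a shortened, constructed copy of the excerpts above, and the rule that PAM_SYSTEM_ERR points at a module or winbindd fault rather than a rejected password is an assumption of this example.

```python
import re

# Constructed sample: shortened copy of the two login attempts quoted in the
# bug description (pam_winbind debug lines from /var/log/auth.log).
SAMPLE_LOG = """\
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(sshd:auth): Verify user 'anton'
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(sshd:auth): PAM config: krb5_ccache_type 'FILE'
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_CONNECTION_DISCONNECTED, Error message was: NT_STATUS_CONNECTION_DISCONNECTED
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(sshd:auth): [pamh: 0x7f30e9cca190] LEAVE: pam_sm_authenticate returning 4 (PAM_SYSTEM_ERR)
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(sshd:auth): Verify user 'anton'
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(sshd:auth): PAM config: krb5_ccache_type 'KEYRING'
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(sshd:auth): request wbcLogonUser succeeded
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(sshd:auth): [pamh: 0x7ff5b1619110] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
"""

# syslog prefix + "pam_winbind(<service>:<phase>): <message>"
LINE = re.compile(
    r"^\w{3}\s+\d+ [\d:]+ (?P<host>\S+) (?P<proc>[\w-]+)\[(?P<pid>\d+)\]: "
    r"pam_winbind\((?P<service>[^:)]+):(?P<phase>\w+)\): (?P<msg>.*)$"
)
# Fields pulled out of the message part of each line.
FIELDS = [
    ("user", re.compile(r"Verify user '([^']+)'")),
    ("ccache", re.compile(r"PAM config: krb5_ccache_type '(\w+)'")),
    ("logon", re.compile(r"request wbcLogonUser (succeeded|failed)")),
    ("ntstatus", re.compile(r"NTSTATUS: (NT_STATUS_\w+)")),
    ("pam_result", re.compile(r"LEAVE: pam_sm_authenticate returning \d+ \((\w+)\)")),
]

def parse_attempts(text):
    """Return one record per authentication attempt, in log order."""
    current, records = {}, []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or m["phase"] != "auth":
            continue
        key = (m["host"], m["proc"], m["pid"])
        # A password retry re-enters pam_sm_authenticate under the same PID.
        if key not in current or "ENTER: pam_sm_authenticate" in m["msg"]:
            current[key] = {"pid": int(m["pid"]), "service": m["service"]}
            records.append(current[key])
        for name, rx in FIELDS:
            hit = rx.search(m["msg"])
            if hit:
                current[key][name] = hit.group(1)
    return records

def classify(rec):
    """Assumed triage rule: PAM_SYSTEM_ERR is a module/winbindd fault,
    any other failure is treated as a rejected credential."""
    if rec.get("logon") == "succeeded":
        return "ok"
    if rec.get("pam_result") == "PAM_SYSTEM_ERR":
        return "backend-error"
    return "rejected"

def summarize(text):
    """Return {ccache_type: {classification: count}}."""
    out = {}
    for rec in parse_attempts(text):
        bucket = out.setdefault(rec.get("ccache", "unset"), {})
        label = classify(rec)
        bucket[label] = bucket.get(label, 0) + 1
    return out

if __name__ == "__main__":
    for rec in parse_attempts(SAMPLE_LOG):
        print(rec["pid"], rec.get("user"), rec.get("ccache"), classify(rec), rec.get("ntstatus"))
    print(summarize(SAMPLE_LOG))
```

Without the debug option on pam_winbind, the first attempt appears in auth.log only as an sshd "Failed password" line, so this kind of correlation is what separates a winbindd fault from a wrong password.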

styro (anton-list) wrote :

Another data point...

This problem also goes away with a world readable system keytab (/etc/krb5.keytab). So it isn't just the pam_winbind 'krb5_ccache_type=FILE' setting.

I'll do some more testing to find out whether or not changing the 'kerberos method = secrets and keytab' setting in smb.conf has any effect.

These keytab related areas have been ripe for winbind regressions in the past for us :)

styro (anton-list) wrote :

Some more testing of 'kerberos method' with 'krb5_ccache_type=FILE' and 600 perms on /etc/krb5.keytab

With 'kerberos method = secrets and keytab', winbind logins failed.

With 'kerberos method = system keytab', winbind logins failed.

With 'kerberos method = secrets only', winbind logins started working again.

msaxl (saxl) wrote :

I have looked at the source and found a potential problem. This patch should fix it, but of course needs some testing.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in samba (Ubuntu):
status: New → Confirmed

The attachment "krb5_kt_start_seq.diff" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch

msaxl (saxl) wrote :

For those who are also affected by this bug: I've uploaded a samba package with this patch on my ppa (ppa:saxl/ppa). Building should start shortly.

p.s.: I have opened a bugreport upstream (https://bugzilla.samba.org/show_bug.cgi?id=10490), but since older versions of samba did not have this problem, the root cause could also be in the system kerberos implementation.

Changed in samba (Ubuntu):
assignee: nobody → Canonical Server Team (canonical-server)
tags: added: regression-release

Serge Hallyn (serge-hallyn) wrote :

Can anyone confirm whether that fix did in fact fix the bug?

Changed in samba (Ubuntu):
importance: Undecided → High

msaxl (saxl) wrote :

I can confirm that this fixes the bug for my installations (two different domains on multiple 14.04 clients), everywhere using kerberos method = secrets and keytab

and the keytab access set to root:root 600

just a side note: the bug is not in pam_winbind but in winbindd itself (as you can read here: Apr 22 16:21:23 ben sshd[10932]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_CONNECTION_DISCONNECTED, Error message was: --> NT_STATUS_CONNECTION_DISCONNECTED <--).

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.1.6+dfsg-1ubuntu3

---------------
samba (2:4.1.6+dfsg-1ubuntu3) utopic; urgency=medium

  * cherrypick upstream patch 1310919 to fix pam_winbind regression
    (LP: #1310919)
 -- Serge Hallyn <email address hidden> Tue, 29 Apr 2014 16:05:44 -0500

Changed in samba (Ubuntu Utopic):
status: Confirmed → Fix Released
description: updated
Changed in samba (Ubuntu Trusty):
importance: Undecided → High
status: New → Confirmed

Hello styro, or anyone else affected,

Accepted samba into trusty-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/samba/2:4.1.6+dfsg-1ubuntu2.14.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in samba (Ubuntu Trusty):
status: Confirmed → Fix Committed
tags: added: verification-needed
Changed in samba:
importance: Unknown → Medium
status: Unknown → Confirmed

styro (anton-list) wrote :

Thanks everyone, I can confirm that 2:4.1.6+dfsg-1ubuntu2.14.04.1 does fix my problem.

tags: added: verification-done
removed: verification-needed

seebk (seebk) wrote :

I can confirm that it is fixed in proposed, too. When can we expect the fix to be pushed to updates repository?

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.1.6+dfsg-1ubuntu2.14.04.1

---------------
samba (2:4.1.6+dfsg-1ubuntu2.14.04.1) trusty-proposed; urgency=medium

  * cherrypick upstream patch 1310919 to fix pam_winbind regression
    (LP: #1310919)
 -- Serge Hallyn <email address hidden> Tue, 29 Apr 2014 16:05:44 -0500

Changed in samba (Ubuntu Trusty):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for samba has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Thiago Martins (martinx) wrote :

Guys,

 I'm facing this problem with Samba 4.1.11 from Utopic, downgrading to Samba 4.1.6, it works!

 Maybe there is still something wrong with Samba from Utopic...

Regards,
Thiago

Thiago Martins (martinx) wrote :

BTW, when using Samba 4.1.11, I need to replace the following smb.conf line from:

--
kerberos method = secrets and keytab
--

to:

--
kerberos method = secrets only
--

Then, pam_winbind did not crash (core dumped) again...

Cheers!

Thiago Martins (martinx) wrote :

I need to say that I'm trying to use Samba 4.1.11 from Utopic, backported to Trusty...

My own PPA:
https://launchpad.net/~martinx/+archive/ubuntu/ig

I'm not trying it using Utopic but, I'll test it again next week...

Best!

msaxl (saxl) wrote :

well, I have the same problem with 14.10,

to get a working samba 4.1.11 all you need to do is apply the patch in this bugreport. It has been dropped when syncing with debian.

In my private ppa there is a working samba version for utopic.

As a longterm workaround I have changed from pam_winbind to pam_sss.

Serge Hallyn (serge-hallyn) wrote :

It looks like the patch was accidentally dropped from series two merges ago, and in the last merge was dropped for not being in series. However, the deeper problem is that the patch hasn't made it upstream. Looking at the upstream bug, in fact, the proposed fix has changed a bit.

Would someone care to test a package with the last patch from https://bugzilla.samba.org/show_bug.cgi?id=10490 and, if that still works, try to push the samba bug along?

Please report here if that patch does work and I will push the patch into our samba package and raise a debian bug to do the same.

Changed in samba (Ubuntu Utopic):
status: Fix Released → Incomplete

msaxl (saxl) wrote :

I have built a package some time ago with the "new" patch posted on bugs.samba.org for utopic
(https://launchpad.net/~saxl/+archive/ubuntu/ppa/+build/6263614),

The 4.1.11+dfsg-1ubuntu1saxl1 build works well on my site. The problem is that I am also the bug reporter on bugs.samba.org, so maybe someone else should try to test and maybe post a comment on bugs.samba.org.

Serge Hallyn (serge-hallyn) wrote :

Thanks @msaxl, I'll add this patch to our package.

Changed in samba (Ubuntu Utopic):
status: Incomplete → Triaged

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.1.11+dfsg-1ubuntu2

---------------
samba (2:4.1.11+dfsg-1ubuntu2) utopic; urgency=medium

  * d/p/krb_zero_cursor.patch - apply proposed-upstream fix for
    pam_winbind krb5_ccache_type=FILE failure (LP: #1310919)
 -- Serge Hallyn <email address hidden> Thu, 11 Sep 2014 11:53:36 -0500

Changed in samba (Ubuntu Utopic):
status: Triaged → Fix Released