pam_winbind krb5_ccache_type=FILE stopped working after 14.04 upgrade
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
samba | Confirmed | Medium | |
samba (Ubuntu) | Fix Released | High | Canonical Server |
Trusty | Fix Released | High | Unassigned |
Utopic | Fix Released | High | Canonical Server |
Bug Description
=======
Impact: pam-winbind stops working, preventing AD logins
Regression potential: This patch is not accepted upstream, so it could, for instance, introduce a memory leak in failure paths.
Test case: login using pam-winbind
=======
Ubuntu version: 14.04 AMD64
samba, winbind, libpam-winbind version: 2:4.1.6+
After upgrading to 14.04 from 13.10 I couldn't log in with any Active Directory accounts.
After checking that Winbind itself worked (e.g. wbinfo and getent still worked properly) and plain old Kerberos kinit still worked fine, it seemed like it had to be a PAM problem.
This is from /var/log/auth.log after enabling debug and debug_state on pam_winbind and trying to log in via ssh (local logins had the same problem, both via the console and lightdm):
Apr 22 16:21:23 ben sshd[10932]: pam_unix(
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(
ONNECTION_
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(
Apr 22 16:21:23 ben sshd[10932]: pam_winbind(
Apr 22 16:21:25 ben sshd[10932]: Failed password for anton from 192.168.20.100 port 58950 ssh2
Apr 22 16:21:27 ben sshd[10932]: Connection closed by 192.168.20.100 [preauth]
After seeing that the line before the first error was about requesting a FILE krb5 ccache, I successfully tried with a different credential cache type (krb5_ccache_
Apr 22 16:23:34 ben sshd[10946]: pam_unix(
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(
Apr 22 16:23:34 ben sshd[10946]: Accepted password for anton from 192.168.20.100 port 58955 ssh2
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(
Apr 22 16:23:34 ben sshd[10946]: pam_winbind(
Apr 22 16:23:34 ben sshd[10946]: pam_unix(
Apr 22 16:23:34 ben systemd-
Apr 22 16:23:34 ben systemd-
Apr 22 16:23:34 ben sshd[10984]: pam_winbind(
Apr 22 16:23:34 ben sshd[10984]: pam_winbind(
Apr 22 16:23:34 ben sshd[10984]: pam_winbind(
Apr 22 16:23:34 ben sshd[10984]: pam_winbind(
Apr 22 16:23:34 ben sshd[10984]: pam_winbind(
Apr 22 16:23:34 ben sshd[10984]: pam_winbind(
Apr 22 16:23:34 ben sshd[10984]: pam_winbind(
Apr 22 16:23:34 ben sshd[10984]: pam_winbind(
Apr 22 16:23:34 ben sshd[10984]: pam_winbind(
Apr 22 16:23:34 ben sshd[10984]: pam_winbind(
Apr 22 16:23:34 ben sshd[10984]: pam_winbind(
Apr 22 16:23:34 ben sshd[10984]: pam_winbind(
Apr 22 16:23:34 ben sshd[10984]: pam_winbind(
Apr 22 16:23:34 ben sshd[10984]: pam_winbind(
Apr 22 16:23:34 ben sshd[10984]: pam_winbind(
It would fail again if changed back to krb5_ccache_
Also kinit could successfully create a FILE ccache. And (I don't know if this is relevant) even with a KEYRING ccache, klist would still show the standard FILE ccache path.
contents of /usr/share/
Name: Winbind NT/Active Directory authentication
Default: yes
Priority: 192
Auth-Type: Primary
Auth:
Auth-Initial:
Account-Type: Primary
Account:
Password-Type: Primary
Password:
Password-Initial:
Session-Type: Additional
Session:
optional pam_winbind.so
contents of /etc/pam.
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config
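The common-auth stack above decides a login by jumping over modules with [success=N default=ignore] controls, which is why the comments say the modules "just jump around". As an added example (not code from the bug report or the Samba project), the following Python interpreter for that control syntax walks the quoted stack with simulated module results and shows why a pam_winbind failure lands on pam_deny while a pam_winbind success skips straight to pam_permit. The krb5_ccache_type=FILE value is an assumption taken from the bug title, since the quoted line is cut off; the per-module return values are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed copy of the auth section of the common-auth file quoted in the
# report, comments dropped.  The quoted line is cut off after "krb5_ccache_",
# so the value FILE here is an assumption taken from the bug title.
COMMON_AUTH = """\
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
"""

# Classic control keywords expressed in the bracket syntax, per pam.conf(5).
CLASSIC = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")


def parse_stack(text: str) -> List[Tuple[str, Dict[str, str], List[str]]]:
    """Return (module, control table, arguments) for each non-comment line."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {line!r}")
        _type, control, module, args = m.groups()
        if control.startswith("["):
            table = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            table = CLASSIC[control]
        stack.append((module, table, args.split()))
    return stack


def module_args(text: str, module: str) -> Dict[str, str]:
    """key=value arguments of `module` (bare flags map to an empty string)."""
    for name, _table, args in parse_stack(text):
        if name == module:
            return {k: v for k, _, v in (a.partition("=") for a in args)}
    raise KeyError(module)


def _remember(outcome: Optional[str], ret: str) -> str:
    # For both "ok" and "bad" the first failure becomes the stack's result;
    # later failures do not override it, and a success never replaces a failure.
    return ret if outcome in (None, "success") else outcome


def walk(text: str, results: Dict[str, str]) -> str:
    """Walk the stack with the given per-module results; 'success' or 'failure'.

    `results` maps a module file name to the PAM return it would produce
    ('success', 'auth_err', 'user_unknown', ...); unlisted modules succeed.
    """
    stack = parse_stack(text)
    outcome: Optional[str] = None
    i = 0
    while i < len(stack):
        module, table, _args = stack[i]
        ret = results.get(module, "success")
        action = table.get(ret, table.get("default", "bad"))
        if action == "ignore":            # result does not count
            i += 1
        elif action in ("ok", "bad"):     # result counts, keep walking
            outcome = _remember(outcome, ret)
            i += 1
        elif action in ("done", "die"):   # result counts, stop here
            outcome = _remember(outcome, ret)
            break
        elif action.isdigit():            # "ok" plus skip the next N modules
            outcome = _remember(outcome, ret)
            i += 1 + int(action)
        else:
            raise ValueError(f"unsupported action {action!r}")
    return "success" if outcome == "success" else "failure"


# Constructed results for an Active Directory account on the reporter's host:
# pam_unix does not know the user, and pam_deny always fails.
AD_USER_BASE = {"pam_unix.so": "user_unknown", "pam_deny.so": "auth_err"}


def ad_login_outcome(winbind_result: str) -> str:
    """Outcome of the quoted stack for an AD user given what pam_winbind returns."""
    return walk(COMMON_AUTH, {**AD_USER_BASE, "pam_winbind.so": winbind_result})


if __name__ == "__main__":
    print("pam_winbind fails ->", ad_login_outcome("auth_err"))   # failure
    print("pam_winbind works ->", ad_login_outcome("success"))    # success
    print("local user        ->", walk(COMMON_AUTH, {"pam_deny.so": "auth_err"}))  # success
```

With pam_winbind returning an error, both jump modules fall through on default=ignore and the walk reaches pam_deny, whose requisite control ends the stack with a failure; this matches the "Failed password" line in the first auth.log excerpt. When pam_winbind succeeds, the success=1 jump skips pam_deny and pam_permit supplies the positive result.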
testparm service definition:
[global]
workgroup = EXAMPLE
realm = EXAMPLE.COM
security = ADS
kerberos method = secrets and keytab
log file = /var/log/samba/%m
max log size = 50
printcap name = cups
local master = No
template homedir = /home/%U
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind offline logon = Yes
idmap config EXAMPLE:range = 10000 - 19999
idmap config EXAMPLE:schema_mode = rfc2307
idmap config EXAMPLE:default = yes
idmap config EXAMPLE:readonly = yes
idmap config EXAMPLE:backend = ad
idmap config * : range = 50000 - 50999
idmap config * : backend = tdb
Changed in samba (Ubuntu):
  assignee: nobody → Canonical Server Team (canonical-server)
  tags: added: regression-release
  description: updated
Changed in samba (Ubuntu Trusty):
  importance: Undecided → High
  status: New → Confirmed
Changed in samba:
  importance: Unknown → Medium
  status: Unknown → Confirmed
Another data point...
This problem also goes away with a world readable system keytab (/etc/krb5.keytab). So it isn't just the pam_winbind 'krb5_ccache_ type=FILE' setting.
I'll do some more testing to find out whether or not changing the 'kerberos method = secrets and keytab' setting in smb.conf has any effect.
These keytab related areas have been ripe for winbind regressions in the past for us :)