Please consider this bug: offline logon is a very important feature in laptops! Now Ubuntu 14:04 is out and suffers this bug... 4 years without the possibility to have laptops bound to samba domain! hundred and hundred laptops can't upgrade to 14:04

Please I need this bug solved!

Piviul

Can you please run winbindd with log level 10, reproduce the issue and attach all winbindd log files?

Created attachment 9940 [details]
log level 10 of winbindd daemon

I have attached the log.windbindd that is the log level 10 of winbindd daemon. It should contain the logs generated during a gnome session closed command, a disconnecting from the LAN and some (2/3 attempt) failed logon; then a reconnecting to the LAN, a winbind restart and finally a successfully logon. Theses are the logs from auth.log during the failed and successfully logon:

May 14 12:47:38 10net0512 gdm3][5928]: pam_unix(gdm3:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=DOMINIOCSA\psala
May 14 12:47:38 10net0512 gdm3][5928]: pam_winbind(gdm3:auth): getting password (0x00000388)
May 14 12:47:38 10net0512 gdm3][5928]: pam_winbind(gdm3:auth): pam_get_item returned a password
May 14 12:47:38 10net0512 gdm3][5928]: pam_winbind(gdm3:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_INVALID_PARAMETER, Error message was: Unexpected information received
May 14 12:47:38 10net0512 gdm3][5928]: pam_winbind(gdm3:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'DOMINIOCSA\psala')
May 14 12:47:48 10net0512 gdm3][5956]: pam_unix(gdm3:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=DOMINIOCSA\psala
May 14 12:47:48 10net0512 gdm3][5956]: pam_winbind(gdm3:auth): getting password (0x00000388)
May 14 12:47:48 10net0512 gdm3][5956]: pam_winbind(gdm3:auth): pam_get_item returned a password
May 14 12:47:48 10net0512 gdm3][5956]: pam_winbind(gdm3:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_INVALID_PARAMETER, Error message was: Unexpected information received
May 14 12:47:48 10net0512 gdm3][5956]: pam_winbind(gdm3:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'DOMINIOCSA\psala')
May 14 12:48:02 10net0512 sshd[5716]: Received signal 15; terminating.
May 14 12:48:02 10net0512 sshd[6067]: Server listening on 0.0.0.0 port 22.
May 14 12:48:02 10net0512 sshd[6067]: Server listening on :: port 22.
May 14 12:48:21 10net0512 gdm3][5962]: pam_unix(gdm3:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=DOMINIOCSA\psala
May 14 12:48:21 10net0512 gdm3][5962]: pam_winbind(gdm3:auth): getting password (0x00000388)
May 14 12:48:21 10net0512 gdm3][5962]: pam_winbind(gdm3:auth): pam_get_item returned a password
May 14 12:48:22 10net0512 gdm3][5962]: pam_winbind(gdm3:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_INVALID_PARAMETER, Error message was: Unexpected information received
May 14 12:48:22 10net0512 gdm3][5962]: pam_winbind(gdm3:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'DOMINIOCSA\psala')
May 14 12:48:31 10net0512 gdm3][6128]: pam_unix(gdm3:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=DOMINIOCSA\psala
May 14 12:48:31 10net0512 gdm3][6128]: pam_winbind(gdm3:auth): getting password (0x00000388)
May 14 12:48:31 10net0512 gdm3][6128]: pam_winbind(gdm3:auth): pam_get_item returned a password
May 14 12:48:31 10net0512 gdm3][6128]: pam_winbind(gdm3:auth): user 'DOMINIOCSA\psala' granted access
May 14 12:48:31 10net0512 gdm3][6128]: pam_unix(gdm3:session): session opened for user DOMINIOCSA\psala by (uid=0)
May 14 12:48:31 10net0512 polkitd(authority=local): Unregistered Authentication Agent for unix-session:3 (system bus name :1.91, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale it_IT.UTF-8) (disconnected from bus)

Thanks a lot

Piviul

Unfortunately, the log file starts after the time your problem occured.
Can you please increase the log file size and try again (and maybe check the timestamps in the logs that it contains the failed attempt before uploading it)?

Created attachment 9941 [details]
winbindd loglevel 10

I'm pretty sure that the log start before the problem has occurred...

Any way I attach a new winbindd loglevel 10 file. I have enabled winbind loglevel 10 then restart the pc and discnnected from the lan. Then from gdm I tried to logon twice then I reconnected the LAN, restart winbind and at the second attempt successfully logon on the system.

I hope this time you can find the information you are looking for.

Have a great day

Piviul

Created attachment 9968 [details]
winbindd loglevel 10

Hi Christian, you are right: the logs I sent previously doesn't contain unsuccessful log... I can't understand why the log.winbindd file has been reset after connecting to the LAN (perhaps each winbind restart reset the winbind log file?)... 

Any way the file I attach now contain two unsuccessful logon and a subsequent successful logon after connecting to the LAN.

I'm very sorry for the inconvenient.

Piviul

You should have a log.wb-DOMINIOCSA file as well. The main winbindd log only shows that the domain child returned the error, so we need to look at that file as well.
Can you please attach it?

Created attachment 10024 [details]
wb-DOMINIOCSA.log

This is the wb-DOMINIOCSA log file during 2 failed offline logon and one successfull online logon from GDM3.

Thank a lot

Piviul

Created attachment 10025 [details]
winbindd.log

This is the winbindd log file generated from the same attempts of the wb-DOMINIOCSA previous log file.

Thank a lot

Piviul

Same problem here!

I've just upgraded to ubuntu 14:04 and the same bug affects now me too. 

Please consider to solve it!

Antonella

Same problem here. After the upgrade to 14.04 winbind doesn't work, 
please try to fix this bug. 
Thank you, 
Pol

Hi, 
I've just upgraded my notebook to Ubuntu 14.04 LTS and I'm not more able to logon when I'm offline. Now I realize that this definitely depends on this bug. 
If you will solve it I shall be very grateful...

Hi there, 
I guess this bug is affecting me, too. 
can you do something? 
many thanks 
estroja

In /etc/pam.d/common-auth i've had
auth  [success=1 default=ignore]  pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass

I've changed to
auth  [success=1 default=ignore]  pam_winbind.so cached_login try_first_pass

and now it works properly.

samba-bugs@samba.org scrisse in data 02/09/2014 15:32:
> https://bugzilla.samba.org/show_bug.cgi?id=10455
>
> --- Comment #15 from David Pinheiro <davidpinh@gmail.com> 2014-09-02 13:32:58 UTC ---
> In /etc/pam.d/common-auth i've had
> auth  [success=1 default=ignore]  pam_winbind.so krb5_auth
> krb5_ccache_type=FILE cached_login try_first_pass
>
> I've changed to
> auth  [success=1 default=ignore]  pam_winbind.so cached_login try_first_pass
>
> and now it works properly.
I confirm that changing /etc/pam.d/common-auth as explained above solve 
the problem.

Thanks David!

Piviul

Thank you very much indeed
Pol

thanks
estroja

can't find and locate smb4.conf in /usr/local/etc folder

(In reply to fin from comment #19)
What's your problem? You can't find the smb.conf file? Are you affected from this bug too? Why you are looking from the smb.conf file? 
Any way you can find it executing testparm command and reading the first row from the output.

Piviul

I've exactly the same problem since I migrated from Debian wheezy to jessie!

The workaround of David Pinheiro didn't work for me. The following procedure solved this problem (ensure first the network connection is online):

service winbind restart
wbinfo -K YOURDOM\\youruser%password
smbcontrol winbind offline
wbinfo -K YOURDOM\\youruser%password
reboot

Reference: https://wiki.samba.org/index.php/PAM_Offline_Authentication

Unfortunately, this procedure shall be followed for every user which needs offline login!

What are the needed info so that you can fix this problem?

Did nobody notice the overlapping idmappings in the suplied config.

idmap config DOMINIOCSA : range = 10000-25000
idmap config DOMINIOCSA : backend = rid
idmap config * : range = 10000-25000
idmap config * : backend = tdb 

i suggest first fix the errors in smb.conf first.

I can confirm that offline logons work fine on debian jessie. 
samba 4.4.5 ( a rebuild from Debian stretch )

If one if affected by it. ( on debian ) 
try running : pam-auth-update and select.
 [*] Winbind NT/Active Directory authentication


content of that file is : 
cat /usr/share/pam-configs/winbind
Name: Winbind NT/Active Directory authentication
Default: yes
Priority: 192
Auth-Type: Primary
Auth:
        [success=end default=ignore]    pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
Auth-Initial:
        [success=end default=ignore]    pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login
Account-Type: Primary
Account:
        [success=end new_authtok_reqd=done default=ignore]      pam_winbind.so
Password-Type: Primary
Password:
        [success=end default=ignore]    pam_winbind.so use_authtok try_first_pass
Password-Initial:
        [success=end default=ignore]    pam_winbind.so
Session-Type: Additional
Session:
        optional                        pam_winbind.so


from the wiki: 
https://wiki.samba.org/index.php/PAM_Offline_Authentication
my smb.conf has : "winbind offline logon = yes" 

i did NOT set /etc/security/pam_winbind.conf 

# Test result. 
# wbinfo -K NTDOM\\username -p
Enter NTDOM\username's password:
plaintext kerberos password authentication for [NTDOM\username] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0
Ping to winbindd succeeded
# smbcontrol winbind offline
# wbinfo -K NTDOM\\username -p
Enter NTDOM\username's password:
plaintext kerberos password authentication for [NTDOM\username] succeeded (requesting cctype: FILE)
user_flgs: NETLOGON_CACHED_ACCOUNT
credentials were put in: FILE:/tmp/krb5cc_0
Ping to winbindd succeeded

(In reply to Louis from comment #23)
in my debian stretch, or ubuntu 18.04 doesn't work.

Any way removing krb5_ccache_type=FILE as suggested from Davide Pinheiro seems to solve the problem.

In my opinion offline logon in your configuration works because you use kerberos not winbind to logon. Try remove libpam-krb5 package and use --pam-logon instead of -K in wbinfo (i.e. wbinfo --pam-logon NTDOM\\username -p).

Piviul

(In reply to Piviul from comment #24)

Hello Piviul, good to hear you did find a workaround. 

Ok,i did a new test, Debian 9, samba 4.8.9 and 4.9.4. 
I got on both same results as before, sorry. 

I dont say its not a bug, but i not sure, since this is an old bug report. 
We need to re-check the setup. 

And i did a few small checks again. 

wbinfo --pam-logon NTDOM\\username -p
wbinfo -K username 
Both work as expected. 

smbcontrol winbind offline

wbinfo -K username%pass
plaintext kerberos password authentication for [username%pass] succeeded (requesting cctype: FILE)
user_flgs: NETLOGON_CACHED_ACCOUNT
credentials were put in: FILE:/tmp/krb5cc_0

Which looks good. 

what do you get with: 
 wbinfo -a username 

Resulted for me in : 
Enter username's password:
plaintext password authentication succeeded
Enter username's password:
challenge/response password authentication succeeded

but now after : 
smbcontrol winbind offline

wbinfo -a username
Enter username's password:
challenge/response password authentication failed
wbcAuthenticateUserEx(NTDOM\username): error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e, authoritative=0)
error message was: No logon servers are currently available to service the logon request.
Enter username's password:
Could not authenticate user username with challenge/response

now with : 
wbinfo --pam-logon=username%pass --domain=NTDOM
works, but no message its a cached login. 

wbinfo -K username%pass also still works. with a notice its cached. 

Since this is a bit old bug report, would mind to post you problem again also on the samba list. Refer also to this bugnr. 
There are more people there, i know one with a simular problem, maybe we can determin on the list whats exact going on. 

In winbind auth and authentications its a bit a maze to me. 
Due to these options..  basic/ntlmssp/gssapi/gss-spnego/ntlmv1/ntlmv2 

We need the running OS, samba version, pre-packages or self compiled? 
And also the content of these files. 
/etc/hosts
/etc/resolv.conf
/etc/nsswitch.conf
/etc/samba/smb.conf
/etc/pam.d/common-auth
/etc/pam.d/gdm3 

There where a lot of changes in winbind and i cant tell whats off here.

We will update the bug here when we find the problem. 
Google tells me a lot more people are strugling with this. 

Or if we Lucky, one of the devs sees this can can tell us more.
They are quite buzzy atm, therefor i suggest, if its not to much trouble, a post to the samba list.

Il 13/02/19 15:31, samba-bugs@samba.org ha scritto:
> [...]
> Ok,i did a new test, Debian 9, samba 4.8.9 and 4.9.4.
> I got on both same results as before, sorry.
I have tested it in debian 9.8 with samba 4.5.16 and ubuntu 18.04.2 with 
samba 4.7.6

Hi Louis I'm sure you can't find the bug but have you removed the 
package libpam-krb5 or configured PAM to have only the following modules 
to auth?
[*] Unix authentication 
                                                            [*] Winbind 
NT/Active Directory authentication 


I ask you because the bug concern the libpam-winbind module not all the 
module that can manage offline logon!

I have added these posts because I have forgotten that there was this 
bug opened and I have opened a new bug report to ubuntu launchpad and 
they told me about this bug...

Any way 5 years are gone and the bug is ever here!

If you use the winbind and not kerberos to offline authentication (even 
if would be very strange that winbind can authenticate offline without 
setting the param cached_login in /etc/security/pam_winbind.conf... or 
have you set it now!?!) perhaps the difference behaviour can depend on 
that my domain is a samba3 domain?

Piviul

if i remove : libpam-krb5 i loss my Single sign on and i cant do that, i test on production servers. ( at least now. 

But before we continue, i suggest you first post what i've asked. 
we need configs.

And yes, your problem might be in relation to your samba3 domain, but i cant tell that, since we are missing info.

But if you don't use winbind to get offline logon but libpam-krb5 you can't reproduce the bug present in libpam_winbind, you don't think?

Any way this is my result:

# smbcontrol winbind onlinestatus
PID 1155: global:Online BUILTIN:Online 103NOTE0512:Online MYDOMAIN:Online 
# wbinfo -K MYDOMAIN\\myusername
Enter MYDOMAIN\myusername's password: 
plaintext kerberos password authentication for [MYDOMAIN\myusername] succeeded (requesting cctype: FILE)
# man wbinfo
# wbinfo -a MYDOMAIN\\myusername
Enter MYDOMAIN\myusername's password: 
plaintext password authentication succeeded
Enter MYDOMAIN\myusername's password: 
challenge/response password authentication succeeded

# smbcontrol winbind offline
# wbinfo -K MYDOMAIN\\myusername
Enter MYDOMAIN\myusername's password: 
plaintext kerberos password authentication for [MYDOMAIN\myusername] failed (requesting cctype: FILE)
wbcLogonUser(MYDOMAIN\myusername): error code was NT_STATUS_INVALID_PARAMETER (0xc000000d)
error message was: An invalid parameter was passed to a service or function.
Could not authenticate user [MYDOMAIN\myusername] with Kerberos (ccache: FILE)
# wbinfo -a MYDOMAIN\\myusername
Enter MYDOMAIN\myusername's password: 
plaintext password authentication failed
Could not authenticate user MYDOMAIN\myusername with plaintext password
Enter MYDOMAIN\myusername's password: 
challenge/response password authentication failed
wbcAuthenticateUserEx(MYDOMAIN\myusername): error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e, authoritative=0)
error message was: No logon servers are currently available to service the logon request.
Could not authenticate user MYDOMAIN\myusername with challenge/response

I hope you can forgive me but I can't understand, in your post, what do you mean when you say:

Il 13/02/19 15:31, samba-bugs@samba.org ha scritto:> [...]
> In winbind auth and authentications its a bit a maze to me.
> Due to these options..  basic/ntlmssp/gssapi/gss-spnego/ntlmv1/ntlmv2 I

Any way in the following the infos you ask me:

> We need the running OS, samba version, pre-packages or self compiled?
I have the same problem in debian stretch (debian 9.8), in ubuntu bionic (ubuntu 18.04.2). All the samba packages are the ones presents in the officials distribution repositories.

> And also the content of these files.
> /etc/hosts
# egrep -v ^\([!#]\|$\) /etc/hosts
127.0.0.1	localhost
127.0.1.1	103note0512
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

> /etc/resolv.conf
# egrep -v ^\([!#]\|$\) /etc/resolv.conf
nameserver 127.0.0.53
options edns0
search csaricerche.com

> /etc/nsswitch.conf
# egrep -v ^\([!#]\|$\) /etc/nsswitch.conf
passwd:         files winbind
group:          files winbind
shadow:         files
hosts:          files wins mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis

> /etc/samba/smb.conf
[global]
	allow trusted domains = No
	client ipc signing = if_required
	dns proxy = No
	log file = /var/log/samba/log.%m
	map to guest = Bad User
	max log size = 1000
	obey pam restrictions = Yes
	pam password change = Yes
	panic action = /usr/share/samba/panic-action %d
	passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
	passwd program = /usr/bin/passwd %u
	security = DOMAIN
	server signing = required
	server string = %h server (Samba, Ubuntu)
	template shell = /bin/bash
	unix password sync = Yes
	usershare allow guests = Yes
	winbind enum groups = Yes
	winbind enum users = Yes
	winbind expand groups = 1
	winbind offline logon = Yes
	workgroup = DOMINIOCSA
	idmap config * : range = 25000-30000
	idmap config dominiocsa : range = 10000-24999
	idmap config dominiocsa : backend = rid
	idmap config * : backend = tdb


[printers]
	browseable = No
	comment = All Printers
	create mask = 0700
	path = /var/spool/samba
	printable = Yes


[print$]
	comment = Printer Drivers
	path = /var/lib/samba/printers

> /etc/pam.d/common-auth
# egrep -v ^\([!#]\|$\) /etc/pam.d/common-auth
auth	[success=2 default=ignore]	pam_unix.so nullok_secure
auth	[success=1 default=ignore]	pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth	requisite			pam_deny.so
auth	required			pam_permit.so
auth	optional			pam_cap.so 

> /etc/pam.d/gdm3
I have not a /etc/pam.d/gdm3 file

> [...] if its not to much trouble, a
> post to the samba list.
I'm not subscribed to the samba list or better I have a subscription only to the Italian version... my English is not so fluently... any way ok, I'll subscribe then I send a message about this bug...

Thank you very much

Piviul

In my opinion, until winbind and NT-Style domain are supported by samba the bugs found would be solved! In other word please can you change the status needinfo in verified or please ask me the more info you need... didn't you?

Thank you

Piviul

I believe what is being pointed out is that using the krb5* options against an NT4 style domain doesn't work for offline logons, and maybe it used to.

Namely, this line:

pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass

does not work when the machine is a member of an NT4 style domain *and* the PDC is unreachable. For it to work with an offline NT4 PDC, it has to be:

pam_winbind.so cached_login try_first_pass

yes, looks like a configuration issue, not a samba bug