Bug 10455 - winbind doesn't permitt offline logon anymore
Status: NEEDINFO
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.1.4
Hardware: All Linux
Importance: P1 critical
Target Milestone: ---
Assigned To: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2014-02-19 14:35 UTC by Piviul
Modified: 2016-12-01 12:25 UTC

Attachments:
log level 10 of winbindd daemon (508.27 KB, application/octet-stream), 2014-05-14 12:11 UTC, Piviul
winbindd loglevel 10 (508.27 KB, application/octet-stream), 2014-05-14 15:24 UTC, Piviul
winbindd loglevel 10 (466.13 KB, application/octet-stream), 2014-05-22 09:54 UTC, Piviul
wb-DOMINIOCSA.log (112.73 KB, text/x-log), 2014-06-12 07:05 UTC, Piviul
winbindd.log (700.88 KB, text/x-log), 2014-06-12 07:08 UTC, Piviul

Description Piviul 2014-02-19 14:35:08 UTC
Hi all,
offline logon doesn't work any more. If you configure winbind for offline logon
and there is no network connection, the logon fails even if the password is
correct. These are the logs in auth.log when there is no network connection:

Feb 13 08:47:02 psala-lx2 gdm3][3380]: pam_unix(gdm3:auth): authentication
failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=DOMINIOCSA\psala
Feb 13 08:47:02 psala-lx2 gdm3][3380]: pam_winbind(gdm3:auth): getting password
(0x00004388)
Feb 13 08:47:02 psala-lx2 gdm3][3380]: pam_winbind(gdm3:auth): pam_get_item
returned a password
Feb 13 08:47:02 psala-lx2 gdm3][3380]: pam_winbind(gdm3:auth): request
wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4),
NTSTATUS: NT_STATUS_INVALID_PARAMETER, Error message was: Unexpected
information received
Feb 13 08:47:02 psala-lx2 gdm3][3380]: pam_winbind(gdm3:auth): internal module
error (retval = PAM_SYSTEM_ERR(4), user = 'DOMINIOCSA\psala')

Then I plugged in the network cable and restarted winbind:
Feb 13 08:47:37 psala-lx2 sshd[2646]: Received signal 15; terminating.
Feb 13 08:47:37 psala-lx2 sshd[3696]: Server listening on 0.0.0.0 port 22.
Feb 13 08:47:37 psala-lx2 sshd[3696]: Server listening on :: port 22.
Feb 13 08:47:47 psala-lx2 sudo: administrator : TTY=tty2 ;
PWD=/home/administrator ; USER=root ; COMMAND=/usr/sbin/service winbind restart
Feb 13 08:47:47 psala-lx2 sudo: pam_unix(sudo:session): session opened for user
root by administrator(uid=0)
Feb 13 08:47:50 psala-lx2 sudo: pam_unix(sudo:session): session closed for user
root

And now the logon is successful:
Feb 13 08:48:01 psala-lx2 gdm3][3805]: pam_unix(gdm3:auth): authentication
failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=DOMINIOCSA\psala
Feb 13 08:48:01 psala-lx2 gdm3][3805]: pam_winbind(gdm3:auth): getting password
(0x00004388)
Feb 13 08:48:01 psala-lx2 gdm3][3805]: pam_winbind(gdm3:auth): pam_get_item
returned a password
Feb 13 08:48:01 psala-lx2 gdm3][3805]: pam_winbind(gdm3:auth): user
'DOMINIOCSA\psala' granted access
Feb 13 08:48:01 psala-lx2 gdm3][3805]: pam_unix(gdm3:session): session opened
for user DOMINIOCSA\psala by (uid=0)
Feb 13 08:48:01 psala-lx2 gdm3][3805]: pam_ck_connector(gdm3:session): nox11
mode, ignoring PAM_TTY :0
Feb 13 08:48:01 psala-lx2 gdm-launch-environment][2733]: pam_unix(gdm-launch-
environment:session): session closed for user Debian-gdm
Feb 13 08:48:01 psala-lx2 polkitd(authority=local): Unregistered Authentication
Agent for unix-session:/org/freedesktop/ConsoleKit/Session1 (system bus name
:1.26, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale
it_IT.UTF-8) (disconnected from bus)

This is my smb.conf:
[global]
        workgroup = DOMINIOCSA
        server string = %h server (Samba, Ubuntu)
        security = DOMAIN
        allow trusted domains = No
        map to guest = Bad User
        obey pam restrictions = Yes
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        unix password sync = Yes
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        dns proxy = No
        usershare allow guests = Yes
        panic action = /usr/share/samba/panic-action %d
        template shell = /bin/bash
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind offline logon = Yes
        idmap config DOMINIOCSA : range = 10000-25000
        idmap config DOMINIOCSA : backend = rid
        idmap config * : range = 10000-25000
        idmap config * : backend = tdb

If you need some more info please ask, but consider this bug: offline logon can
be very useful for mobile users!

Piviul

PS
I have reported this bug in debian too: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=738817
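Added example, not part of the bug report and not Samba code: a small classifier for the pam_winbind lines quoted above. It tells the failure seen in this report (PAM_SYSTEM_ERR with NT_STATUS_INVALID_PARAMETER, an error coming from winbindd itself rather than a decision about the credentials) apart from a logon the domain or cache actually denied, and from a granted one. The sample log is constructed from the lines in the report; the NT_STATUS_WRONG_PASSWORD lines are invented for contrast and follow pam_winbind's message format.

```python
"""Classify pam_winbind outcomes in /var/log/auth.log.

Added example, not part of the bug report. Sample lines are constructed
from the report; the wrong-password lines are invented for contrast.
"""
import re
from collections import Counter

SAMPLE_AUTH_LOG = """\
Feb 13 08:47:02 psala-lx2 gdm3][3380]: pam_unix(gdm3:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=DOMINIOCSA\\psala
Feb 13 08:47:02 psala-lx2 gdm3][3380]: pam_winbind(gdm3:auth): getting password (0x00004388)
Feb 13 08:47:02 psala-lx2 gdm3][3380]: pam_winbind(gdm3:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_INVALID_PARAMETER, Error message was: Unexpected information received
Feb 13 08:47:02 psala-lx2 gdm3][3380]: pam_winbind(gdm3:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'DOMINIOCSA\\psala')
Feb 13 08:48:01 psala-lx2 gdm3][3805]: pam_unix(gdm3:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=DOMINIOCSA\\psala
Feb 13 08:48:01 psala-lx2 gdm3][3805]: pam_winbind(gdm3:auth): user 'DOMINIOCSA\\psala' granted access
Feb 13 08:50:10 psala-lx2 gdm3][3900]: pam_winbind(gdm3:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
Feb 13 08:50:10 psala-lx2 gdm3][3900]: pam_winbind(gdm3:auth): user 'DOMINIOCSA\\psala' denied access (incorrect password or invalid membership)
"""

# gdm logs under the identifier "gdm3]", hence "gdm3][3380]"; the lazy \S+? copes with it.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>\S+?)\[(?P<pid>\d+)\]: "
    r"pam_winbind\((?P<service>[^:)]+):auth\): (?P<msg>.*)$"
)
FAIL_RE = re.compile(r"wbcLogonUser failed: (?P<wbc>\w+), PAM error: (?P<pam>\w+) \(\d+\), NTSTATUS: (?P<nt>\w+)")
GRANT_RE = re.compile(r"user '(?P<user>[^']+)' granted access")
USER_RE = re.compile(r"user = '(?P<user>[^']+)'")           # "internal module error (..., user = 'X')"
DENY_RE = re.compile(r"user '(?P<user>[^']+)' denied access")  # follows a wrong-password failure

# NT status codes that are a decision about the account or credentials, not a winbindd problem.
DOMAIN_DECISIONS = {
    "NT_STATUS_WRONG_PASSWORD", "NT_STATUS_LOGON_FAILURE", "NT_STATUS_ACCOUNT_DISABLED",
    "NT_STATUS_ACCOUNT_LOCKED_OUT", "NT_STATUS_PASSWORD_EXPIRED", "NT_STATUS_ACCOUNT_EXPIRED",
    "NT_STATUS_INVALID_LOGON_HOURS", "NT_STATUS_INVALID_WORKSTATION",
}


def verdict_for(pam_error, nt_status):
    """'denied' when the credentials were rejected, 'infrastructure' when winbindd could not answer."""
    if nt_status in DOMAIN_DECISIONS or pam_error == "PAM_AUTH_ERR":
        return "denied"
    return "infrastructure"


def classify_auth_log(text):
    """Return one event dict per pam_winbind logon outcome, in log order."""
    events, open_failures = [], {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = int(m["pid"]), m["msg"]
        g = GRANT_RE.search(msg)
        if g:
            events.append({"ts": m["ts"], "host": m["host"], "pid": pid, "user": g["user"],
                           "verdict": "granted", "nt_status": "NT_STATUS_OK"})
            continue
        f = FAIL_RE.search(msg)
        if f:
            ev = {"ts": m["ts"], "host": m["host"], "pid": pid, "user": None,
                  "verdict": verdict_for(f["pam"], f["nt"]), "nt_status": f["nt"]}
            events.append(ev)
            open_failures[pid] = ev      # the user name arrives on the next line for this pid
            continue
        u = USER_RE.search(msg) or DENY_RE.search(msg)
        if u and pid in open_failures:
            open_failures.pop(pid)["user"] = u["user"]
    return events


def summarize(events):
    """Count events per verdict."""
    return Counter(e["verdict"] for e in events)


if __name__ == "__main__":
    for e in classify_auth_log(SAMPLE_AUTH_LOG):
        print(e["ts"], e["user"], e["verdict"], e["nt_status"])
```

The distinction is what an operator reading auth.log needs: a run of "infrastructure" verdicts for a known-good password points at winbindd or its offline cache, as in this report, while "denied" verdicts are the ones to treat as a credential problem or a guessing attempt.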
Comment 1 Piviul 2014-05-08 14:38:11 UTC
Please consider this bug: offline logon is a very important feature on laptops! Now Ubuntu 14.04 is out and suffers from this bug... 4 years without the possibility to have laptops bound to a Samba domain! Hundreds and hundreds of laptops can't upgrade to 14.04

Please I need this bug solved!

Piviul
Comment 2 Christian Ambach 2014-05-14 09:40:23 UTC
Can you please run winbindd with log level 10, reproduce the issue and attach all winbindd log files?
Comment 3 Piviul 2014-05-14 12:11:37 UTC
Created attachment 9940 [details]
log level 10 of winbindd daemon

I have attached log.winbindd, which is the log level 10 of the winbindd daemon. It should contain the logs generated during a GNOME session close command, a disconnection from the LAN and some (2 or 3 attempts) failed logons; then a reconnection to the LAN, a winbind restart and finally a successful logon. These are the logs from auth.log during the failed and successful logons:

May 14 12:47:38 10net0512 gdm3][5928]: pam_unix(gdm3:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=DOMINIOCSA\psala
May 14 12:47:38 10net0512 gdm3][5928]: pam_winbind(gdm3:auth): getting password (0x00000388)
May 14 12:47:38 10net0512 gdm3][5928]: pam_winbind(gdm3:auth): pam_get_item returned a password
May 14 12:47:38 10net0512 gdm3][5928]: pam_winbind(gdm3:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_INVALID_PARAMETER, Error message was: Unexpected information received
May 14 12:47:38 10net0512 gdm3][5928]: pam_winbind(gdm3:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'DOMINIOCSA\psala')
May 14 12:47:48 10net0512 gdm3][5956]: pam_unix(gdm3:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=DOMINIOCSA\psala
May 14 12:47:48 10net0512 gdm3][5956]: pam_winbind(gdm3:auth): getting password (0x00000388)
May 14 12:47:48 10net0512 gdm3][5956]: pam_winbind(gdm3:auth): pam_get_item returned a password
May 14 12:47:48 10net0512 gdm3][5956]: pam_winbind(gdm3:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_INVALID_PARAMETER, Error message was: Unexpected information received
May 14 12:47:48 10net0512 gdm3][5956]: pam_winbind(gdm3:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'DOMINIOCSA\psala')
May 14 12:48:02 10net0512 sshd[5716]: Received signal 15; terminating.
May 14 12:48:02 10net0512 sshd[6067]: Server listening on 0.0.0.0 port 22.
May 14 12:48:02 10net0512 sshd[6067]: Server listening on :: port 22.
May 14 12:48:21 10net0512 gdm3][5962]: pam_unix(gdm3:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=DOMINIOCSA\psala
May 14 12:48:21 10net0512 gdm3][5962]: pam_winbind(gdm3:auth): getting password (0x00000388)
May 14 12:48:21 10net0512 gdm3][5962]: pam_winbind(gdm3:auth): pam_get_item returned a password
May 14 12:48:22 10net0512 gdm3][5962]: pam_winbind(gdm3:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_INVALID_PARAMETER, Error message was: Unexpected information received
May 14 12:48:22 10net0512 gdm3][5962]: pam_winbind(gdm3:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'DOMINIOCSA\psala')
May 14 12:48:31 10net0512 gdm3][6128]: pam_unix(gdm3:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=DOMINIOCSA\psala
May 14 12:48:31 10net0512 gdm3][6128]: pam_winbind(gdm3:auth): getting password (0x00000388)
May 14 12:48:31 10net0512 gdm3][6128]: pam_winbind(gdm3:auth): pam_get_item returned a password
May 14 12:48:31 10net0512 gdm3][6128]: pam_winbind(gdm3:auth): user 'DOMINIOCSA\psala' granted access
May 14 12:48:31 10net0512 gdm3][6128]: pam_unix(gdm3:session): session opened for user DOMINIOCSA\psala by (uid=0)
May 14 12:48:31 10net0512 polkitd(authority=local): Unregistered Authentication Agent for unix-session:3 (system bus name :1.91, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale it_IT.UTF-8) (disconnected from bus)

Thanks a lot

Piviul
Comment 4 Christian Ambach 2014-05-14 13:03:58 UTC
Unfortunately, the log file starts after the time your problem occurred.
Can you please increase the log file size and try again (and maybe check the timestamps in the logs to make sure it contains the failed attempt before uploading it)?
Comment 5 Piviul 2014-05-14 15:24:56 UTC
Created attachment 9941 [details]
winbindd loglevel 10

I'm pretty sure that the log starts before the problem occurred...

Anyway, I attach a new winbindd log level 10 file. I enabled winbind log level 10, then restarted the PC and disconnected from the LAN. Then from gdm I tried to log on twice, then I reconnected the LAN, restarted winbind and at the second attempt logged on successfully.

I hope this time you can find the information you are looking for.

Have a great day

Piviul
Comment 6 Piviul 2014-05-22 09:54:31 UTC
Created attachment 9968 [details]
winbindd loglevel 10

Hi Christian, you are right: the logs I sent previously don't contain the unsuccessful logons... I can't understand why the log.winbindd file has been reset after connecting to the LAN (perhaps each winbind restart resets the winbind log file?)...

Anyway, the file I attach now contains two unsuccessful logons and a subsequent successful logon after connecting to the LAN.

I'm very sorry for the inconvenience.

Piviul
Comment 7 Christian Ambach 2014-06-11 19:09:30 UTC
You should have a log.wb-DOMINIOCSA file as well. The main winbindd log only shows that the domain child returned the error, so we need to look at that file as well.
Can you please attach it?
Comment 8 Piviul 2014-06-12 07:05:49 UTC
Created attachment 10024 [details]
wb-DOMINIOCSA.log

This is the wb-DOMINIOCSA log file during 2 failed offline logons and one successful online logon from GDM3.

Thanks a lot

Piviul
Comment 9 Piviul 2014-06-12 07:08:23 UTC
Created attachment 10025 [details]
winbindd.log

This is the winbindd log file generated from the same attempts of the wb-DOMINIOCSA previous log file.

Thanks a lot

Piviul
Comment 10 David Pinheiro 2014-08-28 10:06:58 UTC
Same problem here!
Comment 11 antonellacavuoti@gmail.com 2014-08-28 14:30:08 UTC
I've just upgraded to Ubuntu 14.04 and the same bug now affects me too.

Please consider solving it!

Antonella
Comment 12 pol 2014-08-30 08:37:57 UTC
Same problem here. After the upgrade to 14.04 winbind doesn't work,
please try to fix this bug.
Thank you, 
Pol
Comment 13 pol 2014-08-30 09:02:53 UTC
Hi, 
I've just upgraded my notebook to Ubuntu 14.04 LTS and I'm no longer able to log on when I'm offline. Now I realize that this definitely depends on this bug.
If you will solve it I shall be very grateful...
Comment 14 estrella roja 2014-08-30 09:21:15 UTC
Hi there, 
I guess this bug is affecting me, too. 
can you do something? 
many thanks 
estroja
Comment 15 David Pinheiro 2014-09-02 13:32:58 UTC
In /etc/pam.d/common-auth I had
auth  [success=1 default=ignore]  pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass

I've changed to
auth  [success=1 default=ignore]  pam_winbind.so cached_login try_first_pass

and now it works properly.
Comment 16 Piviul 2014-09-03 07:27:49 UTC
samba-bugs@samba.org wrote on 02/09/2014 15:32:
> https://bugzilla.samba.org/show_bug.cgi?id=10455
>
> --- Comment #15 from David Pinheiro <davidpinh@gmail.com> 2014-09-02 13:32:58 UTC ---
> In /etc/pam.d/common-auth i've had
> auth  [success=1 default=ignore]  pam_winbind.so krb5_auth
> krb5_ccache_type=FILE cached_login try_first_pass
>
> I've changed to
> auth  [success=1 default=ignore]  pam_winbind.so cached_login try_first_pass
>
> and now it works properly.
I confirm that changing /etc/pam.d/common-auth as explained above solve 
the problem.

Thanks David!

Piviul
Comment 17 pol 2014-09-03 12:55:19 UTC
Thank you very much indeed
Pol
Comment 18 estrella roja 2014-09-03 13:10:15 UTC
thanks
estroja
Comment 19 fin 2015-02-23 09:58:50 UTC
Can't find or locate smb4.conf in the /usr/local/etc folder
Comment 20 Piviul 2015-02-23 11:32:16 UTC
(In reply to fin from comment #19)
What's your problem? You can't find the smb.conf file? Are you affected by this bug too? Why are you looking for the smb.conf file?
Anyway, you can find it by executing the testparm command and reading the first row of the output.

Piviul
Comment 21 ljo 2015-05-22 11:42:22 UTC
I've exactly the same problem since I migrated from Debian wheezy to jessie!

David Pinheiro's workaround didn't work for me. The following procedure solved this problem (first ensure the network connection is online):

service winbind restart
wbinfo -K YOURDOM\\youruser%password
smbcontrol winbind offline
wbinfo -K YOURDOM\\youruser%password
reboot

Reference: https://wiki.samba.org/index.php/PAM_Offline_Authentication

Unfortunately, this procedure has to be followed for every user who needs offline login!
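Added example, not part of ljo's comment and not Samba code: a Python driver and output parser for the procedure above (authenticate once online with wbinfo -K so winbindd caches the credentials, force winbindd offline with smbcontrol, authenticate again). wbinfo -K reports a logon served from the cache with the line user_flgs: NETLOGON_CACHED_ACCOUNT, which is what the check looks for; the three sample outputs are constructed in the shape wbinfo -K prints, and the failure text is an assumption modelled on the error in this report. Passing the password as DOM\user%password on the command line, as the comment does, exposes it in the process list and shell history, so the driver omits it and lets wbinfo prompt on the terminal.

```python
"""Prime and verify winbindd's offline logon cache for one user.

Added example, not Samba's own code. The sample outputs are constructed
in the shape `wbinfo -K` prints; the failure sample is an assumption.
"""
import re
import subprocess

ONLINE_OUTPUT = """\
plaintext kerberos password authentication for [NTDOM\\username] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0
"""
OFFLINE_OUTPUT = """\
plaintext kerberos password authentication for [NTDOM\\username] succeeded (requesting cctype: FILE)
user_flgs: NETLOGON_CACHED_ACCOUNT
credentials were put in: FILE:/tmp/krb5cc_0
"""
FAILED_OUTPUT = """\
plaintext kerberos password authentication for [NTDOM\\username] failed (requesting cctype: FILE)
error code was NT_STATUS_INVALID_PARAMETER (0xc000000d)
error message was: Unexpected information received
"""

RESULT_RE = re.compile(r"authentication for \[(?P<user>[^\]]+)\] (?P<result>succeeded|failed)")
FLAGS_RE = re.compile(r"^user_flgs:\s*(?P<flags>.+?)\s*$", re.M)
CCACHE_RE = re.compile(r"^credentials were put in:\s*(?P<cc>\S+)", re.M)
NTSTATUS_RE = re.compile(r"^error code was (?P<nt>NT_STATUS_\w+)", re.M)


def parse_wbinfo_logon(output):
    """Reduce one `wbinfo -K` run to the facts the offline check needs."""
    r = {"user": None, "succeeded": False, "cached": False, "flags": [], "ccache": None, "nt_status": None}
    m = RESULT_RE.search(output)
    if m:
        r["user"], r["succeeded"] = m["user"], m["result"] == "succeeded"
    f = FLAGS_RE.search(output)
    if f:
        r["flags"] = f["flags"].split()
        # Only set when winbindd answered from its cache rather than from a DC.
        r["cached"] = "NETLOGON_CACHED_ACCOUNT" in r["flags"]
    c = CCACHE_RE.search(output)
    if c:
        r["ccache"] = c["cc"]
    n = NTSTATUS_RE.search(output)
    if n:
        r["nt_status"] = n["nt"]
    return r


def offline_verdict(online, offline):
    """Judge the prime-then-offline pair: both must succeed, the second from the cache."""
    if not online["succeeded"]:
        return "online logon failed (%s): nothing was cached" % online["nt_status"]
    if not offline["succeeded"]:
        return "offline logon failed (%s): cache not usable" % offline["nt_status"]
    if not offline["cached"]:
        return "offline logon succeeded without NETLOGON_CACHED_ACCOUNT: winbindd was still online"
    return "ok"


def run(cmd):
    """Run a real winbind tool. Needs winbindd and root; never called by the tests."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.stdout + proc.stderr


def check_offline_cache(user):
    """The sequence from the comment above. Without '%password' wbinfo prompts on the tty,
    so the password stays out of `ps` output and shell history."""
    online = parse_wbinfo_logon(run(["wbinfo", "-K", user]))
    run(["smbcontrol", "winbind", "offline"])
    offline = parse_wbinfo_logon(run(["wbinfo", "-K", user]))
    run(["smbcontrol", "winbind", "online"])  # put winbindd back, the test itself is done
    return offline_verdict(online, offline)


if __name__ == "__main__":
    # Dry run over the constructed samples; check_offline_cache("NTDOM\\username") does the real thing.
    print(offline_verdict(parse_wbinfo_logon(ONLINE_OUTPUT), parse_wbinfo_logon(OFFLINE_OUTPUT)))
```

Run the real check once per user that needs offline logon, online, before the laptop leaves the network; a verdict other than "ok" means the cache was not primed and the user would be locked out offline.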
Comment 22 ljo 2016-06-30 09:53:39 UTC
What are the needed info so that you can fix this problem?
Comment 23 Louis 2016-12-01 12:23:54 UTC
Did nobody notice the overlapping idmap ranges in the supplied config?

idmap config DOMINIOCSA : range = 10000-25000
idmap config DOMINIOCSA : backend = rid
idmap config * : range = 10000-25000
idmap config * : backend = tdb 

I suggest fixing the errors in smb.conf first.

I can confirm that offline logons work fine on Debian jessie.
samba 4.4.5 (a rebuild from Debian stretch)

If one is affected by it (on Debian),
try running: pam-auth-update and select
 [*] Winbind NT/Active Directory authentication


The content of that file is:
cat /usr/share/pam-configs/winbind
Name: Winbind NT/Active Directory authentication
Default: yes
Priority: 192
Auth-Type: Primary
Auth:
        [success=end default=ignore]    pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
Auth-Initial:
        [success=end default=ignore]    pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login
Account-Type: Primary
Account:
        [success=end new_authtok_reqd=done default=ignore]      pam_winbind.so
Password-Type: Primary
Password:
        [success=end default=ignore]    pam_winbind.so use_authtok try_first_pass
Password-Initial:
        [success=end default=ignore]    pam_winbind.so
Session-Type: Additional
Session:
        optional                        pam_winbind.so


From the wiki:
https://wiki.samba.org/index.php/PAM_Offline_Authentication
my smb.conf has : "winbind offline logon = yes" 

I did NOT set /etc/security/pam_winbind.conf

# Test result. 
# wbinfo -K NTDOM\\username -p
Enter NTDOM\username's password:
plaintext kerberos password authentication for [NTDOM\username] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0
Ping to winbindd succeeded
# smbcontrol winbind offline
# wbinfo -K NTDOM\\username -p
Enter NTDOM\username's password:
plaintext kerberos password authentication for [NTDOM\username] succeeded (requesting cctype: FILE)
user_flgs: NETLOGON_CACHED_ACCOUNT
credentials were put in: FILE:/tmp/krb5cc_0
Ping to winbindd succeeded
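Added example, not Louis's and not Samba's code: a check for the idmap problem called out in comment 23. Samba requires the ranges of the per-domain idmap backend and of the default (*) backend not to overlap, and the reported smb.conf gives both 10000-25000. The sample configurations are constructed from the one in the bug report; the non-overlapping default range in the fixed version is a chosen value, not something the thread recommends.

```python
"""Find overlapping or missing idmap ranges in an smb.conf.

Added example, not Samba code. Sample configs are constructed from the
one in the bug report; the default range in FIXED_SMB_CONF is a choice.
"""
import re

SAMPLE_SMB_CONF = """\
[global]
        workgroup = DOMINIOCSA
        security = DOMAIN
        winbind offline logon = Yes
        idmap config DOMINIOCSA : range = 10000-25000
        idmap config DOMINIOCSA : backend = rid
        idmap config * : range = 10000-25000
        idmap config * : backend = tdb
"""

FIXED_SMB_CONF = """\
[global]
        workgroup = DOMINIOCSA
        security = DOMAIN
        winbind offline logon = Yes
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config DOMINIOCSA : backend = rid
        idmap config DOMINIOCSA : range = 10000-25000
"""

# "idmap config <domain> : <key> = <value>"; smb.conf keys are case-insensitive.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$", re.I)


def parse_idmap_config(text):
    """Return {domain: {key: value}} for every 'idmap config' line in the file."""
    cfg = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m["dom"], {})[m["key"].lower()] = m["val"]
    return cfg


def parse_range(value):
    """'10000-25000' -> (10000, 25000); rejects reversed or malformed ranges."""
    lo, hi = (int(x) for x in value.replace(" ", "").split("-", 1))
    if lo > hi:
        raise ValueError("low end above high end: %s" % value)
    return lo, hi


def idmap_problems(text):
    """List the configuration errors that make winbind id mapping unreliable."""
    cfg = parse_idmap_config(text)
    problems, ranges = [], {}
    for dom in sorted(cfg):
        keys = cfg[dom]
        if "backend" not in keys:
            problems.append("%s: no backend configured" % dom)
        if "range" not in keys:
            problems.append("%s: no range configured" % dom)
            continue
        try:
            ranges[dom] = parse_range(keys["range"])
        except ValueError:
            problems.append("%s: unparsable range %r" % (dom, keys["range"]))
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                problems.append("%s (%d-%d) overlaps %s (%d-%d)" % (a, alo, ahi, b, blo, bhi))
    if "*" not in cfg:
        problems.append("no 'idmap config *' default backend; BUILTIN and unlisted domains cannot be mapped")
    return problems


if __name__ == "__main__":
    for name, conf in (("reported", SAMPLE_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        print(name, idmap_problems(conf) or "ok")
```

Running it on the reported configuration flags the shared 10000-25000 range; on the fixed one it reports nothing. Fix this before chasing pam_winbind, because an idmap layout that hands the same UID to two different SIDs confuses anything that caches by UID, offline logon included.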