Hi all, offline logon doesn't work any more. If you configure winbind for offline logon and there is no network connection, the logon fails even if the password is correct. These are the logs in auth.log when there is no network connection:

Feb 13 08:47:02 psala-lx2 gdm3][3380]: pam_unix(gdm3:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=DOMINIOCSA\psala
Feb 13 08:47:02 psala-lx2 gdm3][3380]: pam_winbind(gdm3:auth): getting password (0x00004388)
Feb 13 08:47:02 psala-lx2 gdm3][3380]: pam_winbind(gdm3:auth): pam_get_item returned a password
Feb 13 08:47:02 psala-lx2 gdm3][3380]: pam_winbind(gdm3:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_INVALID_PARAMETER, Error message was: Unexpected information received
Feb 13 08:47:02 psala-lx2 gdm3][3380]: pam_winbind(gdm3:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'DOMINIOCSA\psala')

Then I plugged in the network cable and restarted winbind:

Feb 13 08:47:37 psala-lx2 sshd[2646]: Received signal 15; terminating.
Feb 13 08:47:37 psala-lx2 sshd[3696]: Server listening on 0.0.0.0 port 22.
Feb 13 08:47:37 psala-lx2 sshd[3696]: Server listening on :: port 22.
Feb 13 08:47:47 psala-lx2 sudo: administrator : TTY=tty2 ; PWD=/home/administrator ; USER=root ; COMMAND=/usr/sbin/service winbind restart
Feb 13 08:47:47 psala-lx2 sudo: pam_unix(sudo:session): session opened for user root by administrator(uid=0)
Feb 13 08:47:50 psala-lx2 sudo: pam_unix(sudo:session): session closed for user root

And now the logon is successful:

Feb 13 08:48:01 psala-lx2 gdm3][3805]: pam_unix(gdm3:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=DOMINIOCSA\psala
Feb 13 08:48:01 psala-lx2 gdm3][3805]: pam_winbind(gdm3:auth): getting password (0x00004388)
Feb 13 08:48:01 psala-lx2 gdm3][3805]: pam_winbind(gdm3:auth): pam_get_item returned a password
Feb 13 08:48:01 psala-lx2 gdm3][3805]: pam_winbind(gdm3:auth): user 'DOMINIOCSA\psala' granted access
Feb 13 08:48:01 psala-lx2 gdm3][3805]: pam_unix(gdm3:session): session opened for user DOMINIOCSA\psala by (uid=0)
Feb 13 08:48:01 psala-lx2 gdm3][3805]: pam_ck_connector(gdm3:session): nox11 mode, ignoring PAM_TTY :0
Feb 13 08:48:01 psala-lx2 gdm-launch-environment][2733]: pam_unix(gdm-launch-environment:session): session closed for user Debian-gdm
Feb 13 08:48:01 psala-lx2 polkitd(authority=local): Unregistered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session1 (system bus name :1.26, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale it_IT.UTF-8) (disconnected from bus)

This is my smb.conf:

[global]
workgroup = DOMINIOCSA
server string = %h server (Samba, Ubuntu)
security = DOMAIN
allow trusted domains = No
map to guest = Bad User
obey pam restrictions = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
dns proxy = No
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
winbind offline logon = Yes
idmap config DOMINIOCSA : range = 10000-25000
idmap config DOMINIOCSA : backend = rid
idmap config * : range = 10000-25000
idmap config * : backend = tdb

If you need some more info please ask, but consider this bug: offline logon can be very useful for mobile users!

Piviul

PS I have reported this bug in Debian too: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=738817
Please consider this bug: offline logon is a very important feature on laptops! Now Ubuntu 14.04 is out and suffers from this bug... 4 years without the possibility of having laptops bound to a samba domain! Hundreds and hundreds of laptops can't upgrade to 14.04. Please, I need this bug solved! Piviul
Can you please run winbindd with log level 10, reproduce the issue and attach all winbindd log files?
Created attachment 9940: log level 10 of winbindd daemon

I have attached log.winbindd, which is the log level 10 of the winbindd daemon. It should contain the logs generated during a gnome session close command, a disconnection from the LAN and some (2/3 attempts) failed logons; then a reconnection to the LAN, a winbind restart and finally a successful logon. These are the logs from auth.log during the failed and successful logons:

May 14 12:47:38 10net0512 gdm3][5928]: pam_unix(gdm3:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=DOMINIOCSA\psala
May 14 12:47:38 10net0512 gdm3][5928]: pam_winbind(gdm3:auth): getting password (0x00000388)
May 14 12:47:38 10net0512 gdm3][5928]: pam_winbind(gdm3:auth): pam_get_item returned a password
May 14 12:47:38 10net0512 gdm3][5928]: pam_winbind(gdm3:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_INVALID_PARAMETER, Error message was: Unexpected information received
May 14 12:47:38 10net0512 gdm3][5928]: pam_winbind(gdm3:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'DOMINIOCSA\psala')
May 14 12:47:48 10net0512 gdm3][5956]: pam_unix(gdm3:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=DOMINIOCSA\psala
May 14 12:47:48 10net0512 gdm3][5956]: pam_winbind(gdm3:auth): getting password (0x00000388)
May 14 12:47:48 10net0512 gdm3][5956]: pam_winbind(gdm3:auth): pam_get_item returned a password
May 14 12:47:48 10net0512 gdm3][5956]: pam_winbind(gdm3:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_INVALID_PARAMETER, Error message was: Unexpected information received
May 14 12:47:48 10net0512 gdm3][5956]: pam_winbind(gdm3:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'DOMINIOCSA\psala')
May 14 12:48:02 10net0512 sshd[5716]: Received signal 15; terminating.
May 14 12:48:02 10net0512 sshd[6067]: Server listening on 0.0.0.0 port 22.
May 14 12:48:02 10net0512 sshd[6067]: Server listening on :: port 22.
May 14 12:48:21 10net0512 gdm3][5962]: pam_unix(gdm3:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=DOMINIOCSA\psala
May 14 12:48:21 10net0512 gdm3][5962]: pam_winbind(gdm3:auth): getting password (0x00000388)
May 14 12:48:21 10net0512 gdm3][5962]: pam_winbind(gdm3:auth): pam_get_item returned a password
May 14 12:48:22 10net0512 gdm3][5962]: pam_winbind(gdm3:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_INVALID_PARAMETER, Error message was: Unexpected information received
May 14 12:48:22 10net0512 gdm3][5962]: pam_winbind(gdm3:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'DOMINIOCSA\psala')
May 14 12:48:31 10net0512 gdm3][6128]: pam_unix(gdm3:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=DOMINIOCSA\psala
May 14 12:48:31 10net0512 gdm3][6128]: pam_winbind(gdm3:auth): getting password (0x00000388)
May 14 12:48:31 10net0512 gdm3][6128]: pam_winbind(gdm3:auth): pam_get_item returned a password
May 14 12:48:31 10net0512 gdm3][6128]: pam_winbind(gdm3:auth): user 'DOMINIOCSA\psala' granted access
May 14 12:48:31 10net0512 gdm3][6128]: pam_unix(gdm3:session): session opened for user DOMINIOCSA\psala by (uid=0)
May 14 12:48:31 10net0512 polkitd(authority=local): Unregistered Authentication Agent for unix-session:3 (system bus name :1.91, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale it_IT.UTF-8) (disconnected from bus)

Thanks a lot Piviul
Unfortunately, the log file starts after the time your problem occurred. Can you please increase the log file size and try again (and maybe check the timestamps in the logs so that it contains the failed attempt before uploading it)?
Created attachment 9941: winbindd loglevel 10

I'm pretty sure that the log starts before the problem occurred... Anyway I attach a new winbindd loglevel 10 file. I enabled winbind loglevel 10, then restarted the PC and disconnected from the LAN. Then from gdm I tried to log on twice, then I reconnected the LAN, restarted winbind and at the second attempt successfully logged on to the system. I hope this time you can find the information you are looking for. Have a great day Piviul
Created attachment 9968: winbindd loglevel 10

Hi Christian, you are right: the logs I sent previously don't contain the unsuccessful logon... I can't understand why the log.winbindd file has been reset after connecting to the LAN (perhaps each winbind restart resets the winbind log file?)... Anyway the file I attach now contains two unsuccessful logons and a subsequent successful logon after connecting to the LAN. I'm very sorry for the inconvenience. Piviul
You should have a log.wb-DOMINIOCSA file as well. The main winbindd log only shows that the domain child returned the error, so we need to look at that file as well. Can you please attach it?
Created attachment 10024: wb-DOMINIOCSA.log

This is the wb-DOMINIOCSA log file during 2 failed offline logons and one successful online logon from GDM3. Thanks a lot Piviul
Created attachment 10025: winbindd.log

This is the winbindd log file generated from the same attempts as the previous wb-DOMINIOCSA log file. Thanks a lot Piviul
Same problem here!
I've just upgraded to Ubuntu 14.04 and the same bug now affects me too. Please consider solving it! Antonella
Same problem here. After the upgrade to 14.04 winbind doesn't work, please try to fix this bug. Thank you, Pol
Hi, I've just upgraded my notebook to Ubuntu 14.04 LTS and I'm no longer able to log on when I'm offline. Now I realize that this definitely depends on this bug. If you solve it I shall be very grateful...
Hi there, I guess this bug is affecting me, too. Can you do something? Many thanks estroja
In /etc/pam.d/common-auth I had

auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass

I've changed it to

auth [success=1 default=ignore] pam_winbind.so cached_login try_first_pass

and now it works properly.
samba-bugs@samba.org wrote on 02/09/2014 15:32:
> https://bugzilla.samba.org/show_bug.cgi?id=10455
>
> --- Comment #15 from David Pinheiro <davidpinh@gmail.com> 2014-09-02 13:32:58 UTC ---
> In /etc/pam.d/common-auth i've had
> auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
>
> I've changed to
> auth [success=1 default=ignore] pam_winbind.so cached_login try_first_pass
>
> and now it works properly.

I confirm that changing /etc/pam.d/common-auth as explained above solves the problem. Thanks David! Piviul
Thank you very much indeed Pol
Thanks, estroja
Can't find and locate smb4.conf in the /usr/local/etc folder
(In reply to fin from comment #19) What's your problem? You can't find the smb.conf file? Are you affected by this bug too? Why are you looking for the smb.conf file? Anyway you can find it by running the testparm command and reading the first row of the output. Piviul
I've had exactly the same problem since I migrated from Debian wheezy to jessie! The workaround of David Pinheiro didn't work for me. The following procedure solved this problem (ensure first that the network connection is online):

service winbind restart
wbinfo -K YOURDOM\\youruser%password
smbcontrol winbind offline
wbinfo -K YOURDOM\\youruser%password
reboot

Reference: https://wiki.samba.org/index.php/PAM_Offline_Authentication

Unfortunately, this procedure has to be followed for every user who needs offline login!
What are the needed info so that you can fix this problem?
Did nobody notice the overlapping idmappings in the supplied config?

idmap config DOMINIOCSA : range = 10000-25000
idmap config DOMINIOCSA : backend = rid
idmap config * : range = 10000-25000
idmap config * : backend = tdb

I suggest fixing the errors in smb.conf first. I can confirm that offline logons work fine on Debian jessie, samba 4.4.5 (a rebuild from Debian stretch).

If one is affected by it (on Debian), try running:

pam-auth-update

and select:

[*] Winbind NT/Active Directory authentication

The content of that file is:

cat /usr/share/pam-configs/winbind
Name: Winbind NT/Active Directory authentication
Default: yes
Priority: 192
Auth-Type: Primary
Auth:
	[success=end default=ignore]	pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
Auth-Initial:
	[success=end default=ignore]	pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login
Account-Type: Primary
Account:
	[success=end new_authtok_reqd=done default=ignore]	pam_winbind.so
Password-Type: Primary
Password:
	[success=end default=ignore]	pam_winbind.so use_authtok try_first_pass
Password-Initial:
	[success=end default=ignore]	pam_winbind.so
Session-Type: Additional
Session:
	optional	pam_winbind.so

From the wiki: https://wiki.samba.org/index.php/PAM_Offline_Authentication

My smb.conf has: "winbind offline logon = yes"

I did NOT set /etc/security/pam_winbind.conf

# Test result.
# wbinfo -K NTDOM\\username -p
Enter NTDOM\username's password:
plaintext kerberos password authentication for [NTDOM\username] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0
Ping to winbindd succeeded
# smbcontrol winbind offline
# wbinfo -K NTDOM\\username -p
Enter NTDOM\username's password:
plaintext kerberos password authentication for [NTDOM\username] succeeded (requesting cctype: FILE)
user_flgs: NETLOGON_CACHED_ACCOUNT
credentials were put in: FILE:/tmp/krb5cc_0
Ping to winbindd succeeded
(In reply to Louis from comment #23) On my Debian stretch or Ubuntu 18.04 it doesn't work. Anyway removing krb5_ccache_type=FILE as suggested by David Pinheiro seems to solve the problem. In my opinion offline logon in your configuration works because you use kerberos, not winbind, to log on. Try removing the libpam-krb5 package and use --pam-logon instead of -K in wbinfo (i.e. wbinfo --pam-logon NTDOM\\username -p). Piviul
(In reply to Piviul from comment #24) Hello Piviul, good to hear you did find a workaround. OK, I did a new test, Debian 9, samba 4.8.9 and 4.9.4. I got on both the same results as before, sorry. I don't say it's not a bug, but I'm not sure, since this is an old bug report. We need to re-check the setup. And I did a few small checks again.

wbinfo --pam-logon NTDOM\\username -p
wbinfo -K username

Both work as expected.

smbcontrol winbind offline
wbinfo -K username%pass
plaintext kerberos password authentication for [username%pass] succeeded (requesting cctype: FILE)
user_flgs: NETLOGON_CACHED_ACCOUNT
credentials were put in: FILE:/tmp/krb5cc_0

Which looks good. What do you get with:

wbinfo -a username

Resulted for me in:

Enter username's password:
plaintext password authentication succeeded
Enter username's password:
challenge/response password authentication succeeded

but now after:

smbcontrol winbind offline
wbinfo -a username
Enter username's password:
challenge/response password authentication failed
wbcAuthenticateUserEx(NTDOM\username): error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e, authoritative=0)
error message was: No logon servers are currently available to service the logon request.
Enter username's password:
Could not authenticate user username with challenge/response

Now with:

wbinfo --pam-logon=username%pass --domain=NTDOM

works, but no message that it's a cached login.

wbinfo -K username%pass

also still works, with a notice that it's cached.

Since this is a bit of an old bug report, would you mind posting your problem again also on the samba list? Refer also to this bug number. There are more people there; I know one with a similar problem, maybe we can determine on the list what's exactly going on. In winbind auth and authentications it's a bit of a maze to me, due to these options: basic/ntlmssp/gssapi/gss-spnego/ntlmv1/ntlmv2

We need the running OS, samba version, pre-packaged or self compiled? And also the content of these files:

/etc/hosts
/etc/resolv.conf
/etc/nsswitch.conf
/etc/samba/smb.conf
/etc/pam.d/common-auth
/etc/pam.d/gdm3

There were a lot of changes in winbind and I can't tell what's off here. We will update the bug here when we find the problem. Google tells me a lot more people are struggling with this. Or if we're lucky, one of the devs sees this and can tell us more. They are quite busy atm, therefore I suggest, if it's not too much trouble, a post to the samba list.
On 13/02/19 15:31, samba-bugs@samba.org wrote:
> [...]
> Ok, I did a new test, Debian 9, samba 4.8.9 and 4.9.4.
> I got on both same results as before, sorry.

I have tested it in Debian 9.8 with samba 4.5.16 and Ubuntu 18.04.2 with samba 4.7.6.

Hi Louis, I'm sure you can't find the bug, but have you removed the package libpam-krb5 or configured PAM to have only the following modules for auth?

[*] Unix authentication
[*] Winbind NT/Active Directory authentication

I ask you because the bug concerns the libpam-winbind module, not all the modules that can manage offline logon! I added these posts because I had forgotten that this bug was open and I opened a new bug report on Ubuntu Launchpad, and they told me about this bug... Anyway 5 years have gone by and the bug is still here! If you use winbind and not kerberos for offline authentication (even if it would be very strange that winbind can authenticate offline without setting the param cached_login in /etc/security/pam_winbind.conf... or have you set it now!?!) perhaps the different behaviour can depend on the fact that my domain is a samba3 domain? Piviul
If I remove libpam-krb5 I lose my single sign-on and I can't do that; I test on production servers (at least for now). But before we continue, I suggest you first post what I've asked for. We need configs. And yes, your problem might be related to your samba3 domain, but I can't tell that, since we are missing info.
But if you don't use winbind to get offline logon but libpam-krb5, you can't reproduce the bug present in libpam_winbind, don't you think? Anyway this is my result:

# smbcontrol winbind onlinestatus
PID 1155: global:Online BUILTIN:Online 103NOTE0512:Online MYDOMAIN:Online
# wbinfo -K MYDOMAIN\\myusername
Enter MYDOMAIN\myusername's password:
plaintext kerberos password authentication for [MYDOMAIN\myusername] succeeded (requesting cctype: FILE)
# man wbinfo
# wbinfo -a MYDOMAIN\\myusername
Enter MYDOMAIN\myusername's password:
plaintext password authentication succeeded
Enter MYDOMAIN\myusername's password:
challenge/response password authentication succeeded
# smbcontrol winbind offline
# wbinfo -K MYDOMAIN\\myusername
Enter MYDOMAIN\myusername's password:
plaintext kerberos password authentication for [MYDOMAIN\myusername] failed (requesting cctype: FILE)
wbcLogonUser(MYDOMAIN\myusername): error code was NT_STATUS_INVALID_PARAMETER (0xc000000d)
error message was: An invalid parameter was passed to a service or function.
Could not authenticate user [MYDOMAIN\myusername] with Kerberos (ccache: FILE)
# wbinfo -a MYDOMAIN\\myusername
Enter MYDOMAIN\myusername's password:
plaintext password authentication failed
Could not authenticate user MYDOMAIN\myusername with plaintext password
Enter MYDOMAIN\myusername's password:
challenge/response password authentication failed
wbcAuthenticateUserEx(MYDOMAIN\myusername): error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e, authoritative=0)
error message was: No logon servers are currently available to service the logon request.
Could not authenticate user MYDOMAIN\myusername with challenge/response

I hope you can forgive me, but I can't understand, in your post, what you mean when you say:

On 13/02/19 15:31, samba-bugs@samba.org wrote:
> [...]
> In winbind auth and authentications its a bit a maze to me.
> Due to these options.. basic/ntlmssp/gssapi/gss-spnego/ntlmv1/ntlmv2

Anyway, below is the info you asked me for:

> We need the running OS, samba version, pre-packages or self compiled?

I have the same problem in Debian stretch (Debian 9.8) and in Ubuntu bionic (Ubuntu 18.04.2). All the samba packages are the ones present in the official distribution repositories.

> And also the content of these files.
> /etc/hosts

# egrep -v ^\([!#]\|$\) /etc/hosts
127.0.0.1 localhost
127.0.1.1 103note0512
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

> /etc/resolv.conf

# egrep -v ^\([!#]\|$\) /etc/resolv.conf
nameserver 127.0.0.53
options edns0
search csaricerche.com

> /etc/nsswitch.conf

# egrep -v ^\([!#]\|$\) /etc/nsswitch.conf
passwd: files winbind
group: files winbind
shadow: files
hosts: files wins mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

> /etc/samba/smb.conf

[global]
allow trusted domains = No
client ipc signing = if_required
dns proxy = No
log file = /var/log/samba/log.%m
map to guest = Bad User
max log size = 1000
obey pam restrictions = Yes
pam password change = Yes
panic action = /usr/share/samba/panic-action %d
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
passwd program = /usr/bin/passwd %u
security = DOMAIN
server signing = required
server string = %h server (Samba, Ubuntu)
template shell = /bin/bash
unix password sync = Yes
usershare allow guests = Yes
winbind enum groups = Yes
winbind enum users = Yes
winbind expand groups = 1
winbind offline logon = Yes
workgroup = DOMINIOCSA
idmap config * : range = 25000-30000
idmap config dominiocsa : range = 10000-24999
idmap config dominiocsa : backend = rid
idmap config * : backend = tdb

[printers]
browseable = No
comment = All Printers
create mask = 0700
path = /var/spool/samba
printable = Yes

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers

> /etc/pam.d/common-auth

# egrep -v ^\([!#]\|$\) /etc/pam.d/common-auth
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so

> /etc/pam.d/gdm3

I don't have a /etc/pam.d/gdm3 file.

> [...] if its not to much trouble, a
> post to the samba list.

I'm not subscribed to the samba list, or rather, I have a subscription only to the Italian version... my English is not so fluent... anyway OK, I'll subscribe and then send a message about this bug... Thank you very much Piviul
In my opinion, as long as winbind and NT-style domains are supported by samba, the bugs found should be solved! In other words, can you please change the status from needinfo to verified, or ask me for the further info you need? Thank you Piviul
I believe what is being pointed out is that using the krb5* options against an NT4 style domain doesn't work for offline logons, and maybe it used to. Namely, this line:

pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass

does not work when the machine is a member of an NT4 style domain *and* the PDC is unreachable. For it to work with an offline NT4 PDC, it has to be:

pam_winbind.so cached_login try_first_pass
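As an added example (not from this thread or from Samba), a small Python checker for the two configuration points raised above: the overlapping idmap ranges in the original smb.conf, and the krb5_auth/krb5_ccache_type options on the pam_winbind line of a member of an NT4-style (security = DOMAIN) domain. The sample smb.conf and common-auth fragments are constructed from the lines quoted in the report.

```python
import re

# Constructed samples modelled on the smb.conf and /etc/pam.d/common-auth
# lines quoted in this bug report; they are not the reporter's actual files.
SMB_CONF_BAD = """
[global]
   workgroup = DOMINIOCSA
   security = DOMAIN
   winbind offline logon = Yes
   idmap config DOMINIOCSA : range = 10000-25000
   idmap config DOMINIOCSA : backend = rid
   idmap config * : range = 10000-25000
   idmap config * : backend = tdb
"""
COMMON_AUTH_BAD = """
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth requisite pam_deny.so
"""

IDMAP_RANGE_RE = re.compile(r"^idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)$", re.I)
KEY_VALUE_RE = re.compile(r"^([^=]+?)\s*=\s*(.*)$")


def parse_global(smb_conf):
    """Return ({idmap domain: (low, high)}, {parameter: value}) from the [global] section."""
    ranges, params = {}, {}
    section = None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "global":
            continue
        m = IDMAP_RANGE_RE.match(line)
        if m:
            ranges[m.group(1).lower()] = (int(m.group(2)), int(m.group(3)))
            continue
        m = KEY_VALUE_RE.match(line)
        if m:
            params[m.group(1).strip().lower()] = m.group(2).strip()
    return ranges, params


def overlapping_idmap_ranges(ranges):
    """Pairs of idmap domains whose ID ranges intersect; winbind needs them disjoint."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]


def pam_winbind_offline_issues(common_auth, params):
    """Flag settings that defeat a cached (offline) logon on an NT4-style domain member."""
    issues = []
    if params.get("winbind offline logon", "no").lower() not in ("yes", "true", "1"):
        issues.append("smb.conf: winbind offline logon is not enabled")
    nt4_domain = params.get("security", "").lower() == "domain"
    for line in common_auth.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "auth" or "pam_winbind.so" not in fields:
            continue
        opts = fields[fields.index("pam_winbind.so") + 1:]
        if "cached_login" not in opts:
            issues.append("common-auth: pam_winbind.so line lacks cached_login")
        # security = DOMAIN is an NT4-style member (no Kerberos); the thread shows the
        # krb5 options on that pam_winbind line break the cached logon when the PDC is away.
        if nt4_domain and any(o == "krb5_auth" or o.startswith("krb5_ccache_type=") for o in opts):
            issues.append("common-auth: krb5_auth/krb5_ccache_type set but security = DOMAIN")
    return issues


if __name__ == "__main__":
    ranges, params = parse_global(SMB_CONF_BAD)
    print("overlapping idmap ranges:", overlapping_idmap_ranges(ranges))
    for issue in pam_winbind_offline_issues(COMMON_AUTH_BAD, params):
        print("issue:", issue)
```

Run against the corrected files from later in the thread (disjoint ranges 10000-24999 and 25000-30000, and a pam_winbind line with only cached_login try_first_pass) it reports nothing.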
yes, looks like a configuration issue, not a samba bug