Bug 11446 - Bad error reporting on tmp file permission error
Bad error reporting on tmp file permission error
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
4.2.2
All All
: P5 normal
: ---
Assigned To: Samba QA Contact
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-08-13 14:44 UTC by David Woodhouse
Modified: 2015-08-16 15:28 UTC (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description David Woodhouse 2015-08-13 14:44:46 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1253088 reports a case where SELinux policy prevented winbind from accessing /var/tmp/dwoodhou--linux-044_500

This should *not* have resulted in 'error code was NT_STATUS_LOGON_FAILURE (0xc000006d)' with absolutely no clue about the actual error. This is the logs from log.wb-GER for a failing attempt:

[2015/08/13 15:40:17.649860,  4, pid=16375, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:1353(child_handler)
  child daemon request 13
[2015/08/13 15:40:17.649932, 10, pid=16375, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:476(child_process_request)
  child_process_request: request fn PAM_AUTH
[2015/08/13 15:40:17.650002,  3, pid=16375, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1646(winbindd_dual_pam_auth)
  [16371]: dual pam auth GER\dwoodhou
[2015/08/13 15:40:17.650042, 10, pid=16375, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1688(winbindd_dual_pam_auth)
  winbindd_dual_pam_auth: domain: GER last was online
[2015/08/13 15:40:17.650063, 10, pid=16375, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1149(winbindd_dual_pam_auth_kerberos)
  winbindd_dual_pam_auth_kerberos
[2015/08/13 15:40:17.650112, 10, pid=16375, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:532(generate_krb5_ccache)
  using ccache: FILE:/tmp/krb5cc_500
[2015/08/13 15:40:17.650143, 10, pid=16375, effective(500, 0), real(500, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:654(winbindd_raw_kerberos_login)
  winbindd_raw_kerberos_login: uid is 500
[2015/08/13 15:40:18.347133, 10, pid=16375, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1702(winbindd_dual_pam_auth)
  winbindd_dual_pam_auth_kerberos failed: NT_STATUS_LOGON_FAILURE
[2015/08/13 15:40:18.347197,  2, pid=16375, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1907(winbindd_dual_pam_auth)
  Plain-text authentication for user GER\dwoodhou returned NT_STATUS_LOGON_FAILURE (PAM: 7)
[2015/08/13 15:40:18.347219,  4, pid=16375, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:1361(child_handler)
  Finished processing child request 13
[2015/08/13 15:40:18.347241, 10, pid=16375, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:102(child_write_response)
  Writing 3496 bytes to parent

The permission failure is a SELinux bug, filed elsewhere as noted. This bug is for the fact that winbind gives me a completely bogus error message, sending me off on a wild goose chase blaming keyboard mappings for an incorrect password and wondering if the domain servers are playing up, and comparing with 'kinit' behaviour in the same terminal...