Bug 1484 - winbind causes root login to fail
winbind causes root login to fail
Status: CLOSED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: winbind
3.0.5
All Linux
: P3 normal
: none
Assigned To: Gerald (Jerry) Carter
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2004-06-28 11:16 UTC by Norman Zhang
Modified: 2005-08-24 10:18 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Norman Zhang 2004-06-28 11:16:27 UTC
From 3.0.2 to 3.0.5pre1, winbind service cannot be stop/restarted using root. It
requires NT domain users.

/var/log/messages shows,

Jun 24 10:17:01 proxy pam_winbind[1656]: request failed: No such user, PAM error
was 10, NT error was NT_STATUS_NO_SUCH_USER

If I added root as a domain user to my NT 4.0 users, the error message
disappears but I still can't stop/restart winbind. Also winbind forces users to
authenticate against itself by default even /etc/nsswitch.conf is set as follows,

passwd:     files nisplus nis winbind
shadow:     files nisplus nis
group:      files nisplus nis winbind

Thus causing swat login to fail for root and KDE, SSH login to fail for the
first time. This never happened with 2.2.x. I have exhausted my google search,
many users seem to be seeing the same thing under 3.0.x, but so far there's no
resolution. Chapter 10 of Samba HOWTO mentions some backend services but doesn't
cover this case.

[global]
        workgroup = MYDOMAIN
        netbios name = Proxy
        server string = Samba Server %v
        security = DOMAIN
        encrypt passwords = Yes
        password server = BAKSERVER
        log file = /var/log/samba/log.%m
        max log size = 50
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
#       character set = ISO8859-15
        os level = 18
        local master = No
        preferred master = No
        domain master = No
        dns proxy = No
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind separator = /
        template homedir = /home/%D/%U
        template shell = /bin/bash
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
Comment 1 Gerald (Jerry) Carter 2004-07-07 04:41:15 UTC
I think you have your pam setting misconfigured.  Please attach
the relavant pam configuration files referring to pam_winbind
Comment 2 Norman Zhang 2004-07-07 08:57:02 UTC
If there's more info you need, I will be glad to post it.

[root@proxy pam.d]# more system-auth-winbind
#%PAM-1.0

auth        required      pam_env.so
auth        sufficient    pam_winbind.so
auth        sufficient    pam_unix.so likeauth nullok use_first_pass
auth        required      pam_deny.so

account     sufficient    pam_winbind.so
account     required      pam_unix.so

password    required      pam_cracklib.so retry=3
password    sufficient    pam_unix.so nullok use_authtok md5 shadow
password    required      pam_deny.so

session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     required      pam_limits.so
session     required      pam_unix.so

[root@proxy pam.d]# more system-auth
#%PAM-1.0

auth        required      pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok use_first_pass
auth        sufficient    /lib/security/pam_winbind.so
auth        required      pam_deny.so

account     sufficient    /lib/security/pam_unix.so use_first_pass
account     sufficient    /lib/security/pam_winbind.so
account     required      /lib/security/pam_deny.so

password    required      pam_cracklib.so retry=3 minlen=4  dcredit=0  ucredit=0
password    sufficient    pam_unix.so nullok use_authtok md5 shadow
password    required      pam_deny.so

session     required      /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     required      pam_limits.so
session     required      pam_unix.so

[root@proxy pam.d]# slocate pam_winbind
/lib/security/pam_winbind.so

[root@proxy pam.d]# more sshd
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
Comment 3 Norman Zhang 2004-07-08 11:52:53 UTC
(In reply to comment #1)
> I think you have your pam setting misconfigured.  Please attach
> the relavant pam configuration files referring to pam_winbind

Hi Jerry,

In addition to the pam_winbind files that I posted to the bugzilla. I'm posting
the following /var/log/messages for the ssh login. It always fail for the first
time. I suspect winbind service cannot be resolve to the local files for some
services like stop/restart winbind. Do you see what's wrong?

Regards,
Norman

Jul  8 11:45:36 proxy sshd(pam_unix)[6228]: auth could not identify password for
 [root]
Jul  8 11:45:36 proxy pam_winbind[6228]: request failed: No such user, PAM error
 was 10, NT error was NT_STATUS_NO_SUCH_USER
Jul  8 11:45:40 proxy sshd(pam_unix)[6228]: authentication failure; logname= uid
=0 euid=0 tty=NODEVssh ruser= rhost=2d-052.hq.arkonnetworks.com  user=root
Jul  8 11:45:40 proxy pam_winbind[6228]: request failed: No such user, PAM error
 was 10, NT error was NT_STATUS_NO_SUCH_USER
Jul  8 11:45:42 proxy sshd[6228]: Failed password for root from ::ffff:192.168.2
2.7 port 1835 ssh2
Jul  8 11:45:46 proxy sshd[6228]: Accepted password for root from ::ffff:192.168
.22.7 port 1835 ssh2
Jul  8 11:45:46 proxy sshd(pam_unix)[6228]: session opened for user root by (uid
=0)
Comment 4 Norman Zhang 2004-07-20 17:36:47 UTC
Bug found in drakauth from LM10.0. Workaround as follows.

# more system-auth
auth        required      pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok 
auth        sufficient    /lib/security/pam_winbind.so try_first_pass
auth        required      pam_deny.so
account     sufficient    /lib/security/pam_unix.so
account     sufficient    /lib/security/pam_winbind.so try_first_pass
account     required      /lib/security/pam_deny.so
password    required      pam_cracklib.so retry=3 minlen=4  dcredit=0  ucredit=0
password    sufficient    pam_unix.so nullok use_authtok md5 shadow
password    required      pam_deny.so
session     required      /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     required      pam_limits.so
session     required      pam_unix.so
Comment 5 Gerald (Jerry) Carter 2005-02-07 09:47:45 UTC
originally against 3.0.5pre1 (which became 3.0.6pre1 due to security release))
Comment 6 Gerald (Jerry) Carter 2005-08-24 10:18:30 UTC
sorry for the same, cleaning up the database to prevent unecessary reopens of bugs.