Bug 3800 - pam_winbind does not work on a Samba PDC
Summary: pam_winbind does not work on a Samba PDC
Status: RESOLVED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Version: 3.0.23
Hardware: All All
Importance: P3 normal
Target Milestone: 3.0.23
Assignee: Guenther Deschner
QA Contact: Samba QA Contact
Reported: 2006-05-25 07:15 UTC by John Janosik
Modified: 2006-08-07 16:34 UTC

Attachments
lookup password policies when on a PDC (1.77 KB, patch) - 2006-05-30 06:38 UTC, Guenther Deschner
JPJLIN1 Test Domain smb.conf (1.98 KB, text/plain) - 2006-06-01 07:55 UTC, John Janosik
Working PAM config (559 bytes, text/plain) - 2006-06-01 07:56 UTC, John Janosik
Broken PAM config (508 bytes, text/plain) - 2006-06-01 07:58 UTC, John Janosik

Description John Janosik 2006-05-25 07:15:36 UTC
I have a test 3.0.21b Samba DC with an ldapsam backend called JPJLIN1.  When trying to authenticate via PAM on the DC with pam_winbind I get the following errors:

from log.wb-JPJLIN1:
[2006/05/24 15:16:11.386764, 10] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1248)
  Failed to get password policies: NT_STATUS_NOT_IMPLEMENTED
[2006/05/24 15:16:11.386828, 2] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1274)
  Plain-text authentication for user jpjtest1 returned NT_STATUS_NOT_IMPLEMENTED (PAM: 4)
[2006/05/24 15:16:11.386891, 10]
nsswitch/winbindd_cache.c:cache_store_response(1912)
  Storing response for pid 27804, len 3192

from /var/log/messages:
May 24 15:16:11 jpjlin pam_winbind[27810]: request failed: Not implemented,
PAM error was System error (4), NT error was NT_STATUS_NOT_IMPLEMENTED
May 24 15:16:11 jpjlin pam_winbind[27810]: internal module error (retval =
4, user = `jpjtest1')

Looking in nsswitch/winbind_util.c it looks like the methods to get the
password policy are only implemented in the case that the role is
ROLE_DOMAIN_MEMBER.  From a quick look at the new code in
pam_winbindd.c:winbind_auth_request it relies on being able to get the
password policy.
Comment 1 Guenther Deschner 2006-05-30 06:38:48 UTC
Created attachment 1920 [details]
lookup password policies when on a PDC

That patch should fix that wrong behaviour (untested yet, I'll do that next)
Comment 2 John Janosik 2006-05-30 11:47:08 UTC
I tried the patch and it is still failing even though things look OK in log.wb-JPJLIN1:

[2006/05/30 11:39:59.792883, 10] lib/account_pol.c:account_policy_get(337)
  account_policy_get: name: minimum password age, val: 0
[2006/05/30 11:39:59.793019, 5] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1274)
  Plain-text authentication for user jpjtest1 returned NT_STATUS_OK (PAM: 0)
[2006/05/30 11:39:59.793087, 10] nsswitch/winbindd_cache.c:cache_store_response(1912)
  Storing response for pid 15615, len 3192

From /var/log/messages:
May 30 11:39:59 jpjlin pam_winbind[15635]: user 'jpjtest1' granted access
May 30 11:39:59 jpjlin pam_winbind[15635]: request failed, but PAM error 0!
May 30 11:39:59 jpjlin pam_winbind[15635]: internal module error (retval = 3, user = `jpjtest1')

Also I noticed a new problem - If I try to su to a user right after starting smbd/nmbd/winbindd then I get auth failures that look like this in log.wb-JPJLIN1:
[2006/05/30 11:34:30.705222, 10] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1101)
  winbindd_dual_pam_auth: domain: JPJLIN1 last was offline
[2006/05/30 11:34:30.705318, 2] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1274)
  Plain-text authentication for user jpjtest1 returned NT_STATUS_LOGON_FAILURE (PAM: 7)
[2006/05/30 11:34:30.705380, 10] nsswitch/winbindd_cache.c:cache_store_response(1912)
  Storing response for pid 15472, len 3192

Doing wbinfo -t before trying the su makes this go away.  Want me to open a new bug on this one?
Comment 3 Guenther Deschner 2006-05-31 04:32:25 UTC
(In reply to comment #2)
> I tried the patch and it is still failing even though things look OK in
> log.wb-JPJLIN1:
> 
> [2006/05/30 11:39:59.792883, 10] lib/account_pol.c:account_policy_get(337)
>   account_policy_get: name: minimum password age, val: 0
> [2006/05/30 11:39:59.793019, 5]
> nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1274)
>   Plain-text authentication for user jpjtest1 returned NT_STATUS_OK (PAM: 0)
> [2006/05/30 11:39:59.793087, 10]
> nsswitch/winbindd_cache.c:cache_store_response(1912)
>   Storing response for pid 15615, len 3192
> 
> 
> From /var/log/messages:
> May 30 11:39:59 jpjlin pam_winbind[15635]: user 'jpjtest1' granted access
> May 30 11:39:59 jpjlin pam_winbind[15635]: request failed, but PAM error 0!
> May 30 11:39:59 jpjlin pam_winbind[15635]: internal module error (retval = 3,
> user = `jpjtest1')

Can you please describe the exact scenario how to reproduce that (including the smb.conf you're using) ?

> Also I noticed a new problem - If I try to su to a user right after starting
> smbd/nmbd/winbindd then I get auth failures that look like this in
> log.wb-JPJLIN1:
> [2006/05/30 11:34:30.705222, 10]
> nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1101)
>   winbindd_dual_pam_auth: domain: JPJLIN1 last was offline
> [2006/05/30 11:34:30.705318, 2]
> nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1274)
>   Plain-text authentication for user jpjtest1 returned NT_STATUS_LOGON_FAILURE
> (PAM: 7)
> [2006/05/30 11:34:30.705380, 10]
> nsswitch/winbindd_cache.c:cache_store_response(1912)
>   Storing response for pid 15472, len 3192
> 
> Doing wbinfo -t before trying the su makes this go away.  Want me to open a new
> bug on this one?

Not necessary, that should be fixed with revision 15976.
Comment 4 Guenther Deschner 2006-05-31 05:08:55 UTC
(In reply to comment #2)
> From /var/log/messages:
> May 30 11:39:59 jpjlin pam_winbind[15635]: user 'jpjtest1' granted access
> May 30 11:39:59 jpjlin pam_winbind[15635]: request failed, but PAM error 0!
> May 30 11:39:59 jpjlin pam_winbind[15635]: internal module error (retval = 3,
> user = `jpjtest1')

Ok, this happens in the pam_sm_acct_mgmt() of pam_winbind where we clearly need to identify whether a user belongs to winbindd or to the local system (to handle password policies for users in other modules in the PAM stack). It will fail when WINBINDD_GETPWNAM won't return the user.

As the getpwnam for winbindd accounts on a PDC with "winbindd trusted domains only" set won't return anything, make sure to not mark your account block as "requisite" for pam_winbind.
Comment 5 John Janosik 2006-05-31 08:23:16 UTC
OK, making changes to my PAM config worked with this patch.  But this should probably be documented in the release notes because my PAM config worked with the last version of Samba.
Comment 6 Guenther Deschner 2006-05-31 09:22:40 UTC
Can you please post your PAM config (along with your smb.conf)?
Comment 7 John Janosik 2006-06-01 07:55:20 UTC
Created attachment 1933 [details]
JPJLIN1 Test Domain smb.conf
Comment 8 John Janosik 2006-06-01 07:56:48 UTC
Created attachment 1934 [details]
Working PAM config
Comment 9 John Janosik 2006-06-01 07:58:26 UTC
Created attachment 1935 [details]
Broken PAM config

I created this pam config by copying the redhat system-auth pam config and replacing pam_unix.so with pam_winbind.so.  I did this because I wanted the radius service to only authenticate users in the Samba domain via winbindd and not local users.
Comment 10 Gerald (Jerry) Carter (dead mail address) 2006-08-04 12:25:56 UTC
Is this still a problem after the config file parsing fixes in 3.0.23a?
Comment 11 John Janosik 2006-08-07 15:16:36 UTC
I tested both PAM configuration files from comments #8 and #9 and neither works on my test Samba 3.0.23a domain controller.  I have had to rebuild my test environment since I opened this bug so the configuration may not be exactly the same.

Here is what I see when using the PAM config I previously found to work after applying Guenther's patch to enable looking up password policies when running on a DC.

[root@jpjlin var]# /bin/su - user1
Password:
/bin/su: incorrect password

[root@jpjlin var]# tail /var/log/messages

Aug  7 15:12:44 jpjlin pam_winbind[16678]: user 'user1' granted access
Aug  7 15:12:44 jpjlin pam_winbind[16678]: request failed, but PAM error 0!
Aug  7 15:12:44 jpjlin pam_winbind[16678]: internal module error (retval = 3, user = `user1')

From log.wb-JPJLIN3:
[2006/08/07 15:12:44.357394, 10] lib/account_pol.c:account_policy_get(337)
  account_policy_get: name: minimum password age, val: 0
[2006/08/07 15:12:44.357452, 5] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1319)
  Plain-text authentication for user user1 returned NT_STATUS_OK (PAM: 0)
[2006/08/07 15:12:44.357501, 10] nsswitch/winbindd_cache.c:cache_store_response(1913)
  Storing response for pid 16534, len 3240

Comment 12 John Janosik 2006-08-07 15:50:05 UTC
I realized the correct pam config after my last comment.  The following works on my 3.0.23a test DC:

#%PAM-1.0
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_winbind.so debug
auth        required      /lib/security/pam_deny.so

account     sufficient    /lib/security/pam_ldap.so
account     sufficient    /lib/security/pam_winbind.so

password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_winbind.so debug
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_winbind.so debug

This bug has been resolved since Guenther's patch to add password policy handling on a DC.  I thought this should have been mentioned in the release notes since PAM configs that worked on pre-3.0.23 DCs could be broken on upgrade, but it is late for that now.
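The account-stack guidance from comment 4 (do not make pam_winbind a "requisite" account entry on a PDC where WINBINDD_GETPWNAM does not return the user) and the working stack from comment 12, turned into a small PAM config check. This is an added example, not code from the Samba project or from the bug's attachments; the sample stacks are constructed, the "broken" one following the pattern comment 9 describes (Red Hat system-auth with pam_unix.so swapped for pam_winbind.so). The check also flags "required", since a failing required module likewise makes the account stack fail, only later in the stack.

```python
import re

# Constructed sample stacks (not the bug's attachments): the working account
# stack from comment 12, and one modelled on a Red Hat system-auth file with
# pam_unix.so swapped for pam_winbind.so, the pattern comment 9 describes.
WORKING = """\
#%PAM-1.0
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_winbind.so debug
auth        required      /lib/security/pam_deny.so
account     sufficient    /lib/security/pam_ldap.so
account     sufficient    /lib/security/pam_winbind.so
"""
BROKEN = """\
#%PAM-1.0
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_winbind.so
auth        required      /lib/security/pam_deny.so
account     required      /lib/security/pam_winbind.so
"""

# Controls under which a failing module makes the whole stack fail.
FAIL_CLOSED = {"required", "requisite"}
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam(text):
    """Return (type, control, module basename, args) per entry; comments and
    blank lines are skipped, '[...]' controls are kept as one token."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable PAM line: %r" % raw)
        mtype, control, module, args = m.groups()
        entries.append((mtype.lower(), control, module.rsplit("/", 1)[-1], args.split()))
    return entries


def winbind_account_findings(text):
    """Controls of account-stack pam_winbind entries that fail the stack when
    winbindd does not return the user (e.g. a PDC with trusted domains only)."""
    return [control for mtype, control, module, _ in parse_pam(text)
            if mtype == "account" and module == "pam_winbind.so"
            and control in FAIL_CLOSED]
```

Run it against /etc/pam.d/system-auth (or whichever service file the radius service uses) before upgrading a DC; an empty result means the account stack will not fail closed on a pam_winbind getpwnam miss.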
Comment 13 Gerald (Jerry) Carter (dead mail address) 2006-08-07 16:34:06 UTC
Thanks for following up John.  Closing this one out now.