[Samba] strange issues with pam_winbind and sudo
Nathan Johnson
n.johnson at vanderbilt.edu
Wed Jan 23 18:55:32 GMT 2008
I have two issues, potentially related, potentially not. First
off, a bit about my environment:
I am experiencing the same issues on two boxes, one of which is
running red hat linux ES 4 update 6 i386, the other running red hat
enterprise linux server release 5.1 x86_64. Both appear to be
running samba 3.0.25b, both are members of an active directory
domain. There are 7 domain controllers in total, and there are a
largish number of users: approximately 34,000. I am only allowing
users that belong to a certain group to log in, selecting in
/etc/security/pam_winbind.conf with require_membership_of=[GROUP
SID]. I also have this same group named in /etc/sudoers with a
line similar to:
%Name\ Of\ My\ Group ALL=(ALL) ALL
(note that I am using a group name with spaces in it; though the
docs state this is a no-no, it seems to work, initially at least -
more on that later)
The first issue is that after winbindd has been running for a while
(several hours perhaps?), logins slow down to a crawl. It can
take upwards of two minutes to log in, whether the username exists
in the local passwd file or whether an AD user. If I restart
winbindd, logins are once again snappy.
The second issue is that after I have logged in as an AD user and
the session has sat idle for maybe 10 minutes or so, I get the
following error when trying to sudo:
sudo: uid [some number] does not exist in the passwd file!
If I log out and log back in, I can do sudo commands. Also, of
note, if I run anything that calls getpwent(), sudo once again
works. I came up with this test program:
#include <sys/types.h>
#include <pwd.h>
#include <stdio.h>

int main(int argc, char** argv) {
    /* fetch the first passwd entry through NSS (winbind included) */
    struct passwd * whatevs = getpwent();
    if (whatevs) {
        printf("%s:%s:%d:%d:%s:%s:%s\n",
               whatevs->pw_name, whatevs->pw_passwd, whatevs->pw_uid,
               whatevs->pw_gid, whatevs->pw_gecos, whatevs->pw_dir,
               whatevs->pw_shell);
    } else {
        printf("crap!!!! null\n");
    }
    return 0;
}
Here is my smb.conf:
[global]
workgroup = VANDERBILT
server string = Lamborghini Metaclinic (RHEL5.1)
netbios name = lamborghini
realm = DS.VANDERBILT.EDU
preferred master = no
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
printcap name = cups
printing = cups
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +
idmap uid = 1000-100000000
idmap gid = 1000-100000000
idmap backend = idmap_rid:VANDERBILT=1000-50000000
;template primary group = "Domain Users"
template shell = /bin/bash
winbind offline logon = yes
Here is my /etc/krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = DS.VANDERBILT.EDU
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
DS.VANDERBILT.EDU = {
    kdc = ds.vanderbilt.edu
}

[domain_realm]
.kerberos.server = DS.VANDERBILT.EDU

[appdefaults]
pam = {
    debug = true
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
}
my /etc/security/pam_winbind.conf:
[global]
require_membership_of = [some long SID here]
and I've already given the relevant bits of the sudoers file.
As an aside, is there a way to give an SID instead of a group name
in the /etc/sudoers file?
Nathan Johnson
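The two NSS lookups the post contrasts, as an added diagnostic example that is not part of the original message or of Samba or sudo: sudo's "uid ... does not exist in the passwd file" message is what it reports when getpwuid() on the invoking uid returns nothing, while the workaround the author observed is an enumeration through getpwent(). The probe below does the getpwuid() lookup directly, then enumerates, then repeats the lookup, so the output shows which of the two paths winbind's NSS module is failing on at that moment. The function names (uid_in_passwd, count_passwd_entries, name_round_trips) are mine, not from the post.

```c
/* Added example (not from the original post): probe the NSS passwd
 * lookups behind sudo's "uid does not exist in the passwd file" error.
 * Build with: cc -o pwprobe pwprobe.c  and run as the AD user, ideally
 * once right after login and again after the session has sat idle. */
#include <sys/types.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>

/* Same lookup sudo performs on the invoking uid.
 * Returns 1 if NSS resolves the uid to a passwd entry, 0 if it does not. */
int uid_in_passwd(uid_t uid)
{
    struct passwd *pw = getpwuid(uid);
    return pw != NULL;
}

/* Walk the whole passwd database through getpwent(), the call the post
 * found would make sudo work again, and return how many entries came back.
 * With "winbind enum users = Yes" this enumerates every domain user, so on a
 * ~34,000-user domain it is an expensive operation in its own right; 0 means
 * NSS returned nothing at all, which usually points at winbindd itself. */
long count_passwd_entries(void)
{
    long n = 0;
    setpwent();
    while (getpwent() != NULL)
        n++;
    endpwent();
    return n;
}

/* Name -> uid -> name round trip. sudo needs both directions to agree
 * (group/sudoers matching by name, privilege checks by uid).
 * Returns 1 when the round trip is consistent, 0 otherwise.
 * getpwnam()/getpwuid() share a static buffer, so the uid is copied out
 * before the second call. */
int name_round_trips(const char *name)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return 0;
    uid_t uid = pw->pw_uid;
    struct passwd *back = getpwuid(uid);
    return back != NULL && strcmp(back->pw_name, name) == 0;
}

int main(void)
{
    uid_t me = getuid();

    errno = 0;
    printf("getpwuid(%lu) before enumeration: %s",
           (unsigned long)me, uid_in_passwd(me) ? "found\n" : "NOT FOUND");
    if (!uid_in_passwd(me))
        printf(" (errno=%d %s)\n", errno, strerror(errno));

    printf("entries visible via getpwent(): %ld\n", count_passwd_entries());

    printf("getpwuid(%lu) after enumeration: %s\n",
           (unsigned long)me, uid_in_passwd(me) ? "found" : "NOT FOUND");

    struct passwd *pw = getpwuid(me);
    if (pw != NULL)
        printf("name round trip for %s: %s\n", pw->pw_name,
               name_round_trips(pw->pw_name) ? "consistent" : "INCONSISTENT");
    return 0;
}
```

If the first getpwuid() reports NOT FOUND and the lookup succeeds only after the enumeration, the symptom is in winbind's per-uid lookup (or its cache) rather than in the passwd data itself, which is the case worth capturing in the winbindd log at the `log level = 3` already configured. Keep the enumeration for diagnosis only: scheduling a getpwent() walk of 34,000 users to paper over the failure would add load to the same winbindd that is already slowing logins.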