[Samba] Fwd: PAM Offline Authentication in Ubuntu 22.04...
Rowland Penny
rpenny at samba.org
Sat Jun 3 11:06:57 UTC 2023
On 03/06/2023 10:56, Kees van Vloten via samba wrote:
>
> Hi Team,
>
> Probably helpful is the config on my test machine:
>
> /etc/samba/smb.conf
> [global]
> interfaces = lo
> bind interfaces only = yes
> netbios name = TESTVM
> security = ADS
> dedicated keytab file = /etc/krb5.keytab
> realm = SAMDOM.COM
> workgroup = COMPOSERS
> min domain uid = 0
> username map = /etc/samba/user.map
> log level = 3
> lock directory = /var/cache/samba
> idmap config samdom:backend = ad
> idmap config samdom:schema_mode = rfc2307
> idmap config samdom:unix_primary_group = yes
> idmap config samdom:unix_nss_info = yes
> idmap config samdom:range = 1001-100000
> idmap config *:backend = tdb
> idmap config *:range = 1000000-1999999
> winbind cache time = 300
> winbind offline logon = yes
> winbind nss info = rfc2307
> winbind enum groups = no
> winbind enum users = no
> winbind nested groups = yes
> winbind expand groups = 10
> winbind normalize names = no
> winbind refresh tickets = yes
> winbind scan trusted domains = no
> winbind use default domain = yes
> kerberos method = secrets and keytab
> kerberos encryption types = strong
> rpc server dynamic port range = 50000-55000
> ntlm auth = mschapv2-and-ntlmv2-only
> disable netbios = yes
> template homedir = /home/%U
> template shell = /bin/bash
> tls enabled = yes
> tls priority = NONE:+SECURE256:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
> tls cafile = /etc/ssl/certs/ca.pem
>
> /etc/security/pam_winbind.conf
> [global]
> warn_pwd_expire = 30
> cached_login = yes
> krb5_auth = yes
> krb5_ccache_type = FILE
> require_membership_of = S-1-5-21-4190054395-3630394414-2036191173-1934
>
> /etc/nsswitch.conf
> passwd: files systemd winbind
> group: files systemd winbind
> shadow: files
> gshadow: files
>
> hosts: files mdns4_minimal [NOTFOUND=return] dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> I have set up a test machine, unfortunately not a real laptop (it is in use
> for other things) but a virtualbox VM with Debian 10, KDE (sddm) and
> Samba 4.17.8.
>
> The test scenario is quite simple.
>
> 1. Login with root on the (text) console (tty2)
> 2. wbinfo --ping-dc
> 3. time id testuser
> 4. Disconnect network in virtualbox
> 5. wbinfo --ping-dc
> 6. time id testuser
> 7. Connect network in virtualbox + wait 10 secs (for dhcp etc.)
> 8. wbinfo --ping-dc
> 9. time id testuser
>
> Results:
>
> 2. output: 'checking the NETLOGON for domain[SAMDOM] dc connection to
> "dc1.samdom.com" succeeded'
> 3. output in 0.037s
> 5. output: 'checking the NETLOGON for domain[SAMDOM] dc connection to ""
> failed'
> 6. output in 63.120s
> 8. output: 'checking the NETLOGON for domain[SAMDOM] dc connection to
> "dc1.samdom.com" succeeded'
> 9. output in 0.191s
>
> Now logging in on the graphical interface (sddm) fails when
> disconnected, probably due to the fact that a response in 63s is too long
> for sddm; it gives up before that.
>
> When I login while connected on sddm, then disconnect and I lock the
> screen, I am unable to unlock, likely due to the same (short) timeout in
> sddm.
>
> Now the question is why it takes winbind so long (63s) to do a simple
> user and group lookup when it knows that it is disconnected.
>
> - Kees.
>
> On 01-06-2023 16:38, Rowland Penny via samba wrote:
>>
>> On 01/06/2023 15:11, Eduardo Moraes via samba wrote:
>>>> OK, but... further investigation in what direction?!
>>>
>>> Greetings, friends!
>>>
>>> Sorry for butting in on the discussion, but I'm also interested in
>>> solving
>>> this problem, as users of my project (CID -
>>> https://sourceforge.net/projects/c-i-d/) have also been reporting the
>>> same
>>> difficulty.
>>>
>>> I've been researching it and it looks like the problem has been
>>> around for
>>> a long time and is specific to Debian-like distributions, as these
>>> two bug
>>> reports suggest:
>>>
>>> https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1165461
>>> https://bugzilla.samba.org/show_bug.cgi?id=14618
>>>
>>> I tried to make the suggested changes to the "lock directory" and even
>>> adapted it to my scripts, but according to reports from the users, it doesn't
>>> always work.
>>>
>>> I've tested other distributions, like Fedora and OpenSuse, and
>>> everything
>>> seems to work just fine.
>>>
>>> I stopped researching some time ago, so I can't contribute more than
>>> that,
>>> but I hope that at least I helped them to find a way to a solution.
>>>
>>> Good luck!
>>
>> The plot thickens: I am testing using an Oracle VM with a bridged
>> adapter, which can connect to either wifi or ethernet. Whilst doing
>> further testing I just discovered something. If I logon as a domain
>> user with the bridged adapter connected to wifi (wlan0), the user gets
>> logged in. If I then log out and switch the bridged adapter to eth0
>> with the cable disconnected, the user can still logon and quickly.
>> However if the cable isn't disconnected, then the user can still
>> logon, but after a considerable amount of time and there is a similar
>> pause when the user logs out.
>>
>> I am surmising that the pause is coming from something searching for
>> the network and then, finally, giving up.
>>
>> Now to try and find the 'something' and stop it doing it.
>>
>> Rowland
>>
>
My test machine is in a virtualbox VM with Ubuntu 22.04, MATE (lightdm)
and Samba 4.17.8.
I have tried Debian with similar results, but without the timings.
The Computer it is running on uses wifi (wlan0) but it also has an
ethernet port (eth0), but there is no cable plugged into it.
The VM Network is set to use a Bridged Adapter connected to wlan0.
I followed Kees's test scenario with a few changes.
1. Login with a local Unix user that can use sudo
1a. open a (text) console
2. wbinfo --ping-dc
3. time id rowland
4. Change network device from wlan0 to eth0 and disconnect cable in
virtualbox
5. wbinfo --ping-dc
6. time id rowland
6a. reconnect cable in virtualbox, still using eth0
6b. wbinfo --ping-dc
6c. time id rowland
7. Connect network in virtualbox (switched back to wlan0) + wait 10 secs
8. wbinfo --ping-dc
9. time id testuser
Results:
2. output: 'checking the NETLOGON for domain[SAMDOM] dc connection to
"rpidc2.samdom.example.com" succeeded'
3. output
real 0m0.551s
user 0m0.008s
sys 0m0.000s
5. output: 'checking the NETLOGON for domain[SAMDOM] dc connection to ""
failed'
'failed to call wbcPingDc: WBC_ERR_DOMAIN_NOT_FOUND'
6. output
real 0m0.022s
user 0m0.007s
sys 0m0.001s
6b. output: 'checking the NETLOGON for domain[SAMDOM] dc connection to
"" failed'
'failed to call wbcPingDc: WBC_ERR_DOMAIN_NOT_FOUND'
NOTE: This was after a long delay,
so I ran the command again with 'time' and got this:
real 1m2.580s
user 0m0.005s
sys 0m0.009s
6c. output
real 0m0.005s
user 0m0.002s
sys 0m0.001s
8. output: 'checking the NETLOGON for domain[SAMDOM] dc connection to
"rpidc2.samdom.example.com" succeeded'
9. output
real 0m0.494s
user 0m0.000s
sys 0m0.008s
If I attempt to logon as a domain user when the network is disconnected
but the 'cable' is connected in Virtualbox, there is a short pause, then
I get logged in. There is a similar pause when I log out.
However, just disconnecting the 'cable' (but not connecting to the
network) in Virtualbox removes the pauses; logon and logout are
virtually instantaneous.
This is the smb.conf file I am using:
[global]
workgroup = SAMDOM
security = ADS
realm = SAMDOM.EXAMPLE.COM
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = Samba Client %h
winbind use default domain = yes
winbind expand groups = 2
winbind refresh tickets = Yes
winbind offline logon = yes
disable netbios = yes
dns proxy = no
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999
template shell = /bin/bash
template homedir = /home/%U
# user Administrator workaround, without it you are unable to set
privileges
username map = /etc/samba/user.map
vfs objects = acl_xattr
map acl inherit = Yes
# Comment the following 4 lines to act as a print server
printcap name = /dev/null
load printers = no
disable spoolss = yes
printing = bsd
# logging
log level = 3
log file = /var/log/samba/%m.log
logging = file
min domain uid = 0
[homes]
comment = Home Directories
read only = no
create mask = 0700
directory mask = 0700
valid users = %S
[Demo]
path = /srv/samba/Demo
read only = no
I do not have /etc/security/pam_winbind.conf; Debian-based distros do
everything through /etc/pam.d/common-auth and this is the relevant line
from that file:
auth [success=1 default=ignore] pam_winbind.so debug krb5_auth
krb5_ccache_type=FILE cached_login try_first_pass
Rowland
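As an added example (not code from the thread or from Samba), here is a small POSIX shell script that turns the wbinfo/id test scenario used above into a repeatable measurement: it reads the DC state from `wbinfo --ping-dc`, times the `id` lookup that nss_winbind serves, and flags an offline lookup that outlasts the display manager's patience. The 30 s display-manager timeout is an assumed placeholder, and the `wbinfo`/`id` commands are overridable so the logic can be exercised on a machine without winbind.

```shell
#!/bin/sh
# Added example (not from the thread): scripted version of the offline-lookup
# test, so the delay can be measured repeatably and compared against how long
# a display manager (sddm/lightdm) will wait for PAM to answer.
# WBINFO / ID are overridable so the logic can run without winbind installed.
WBINFO="${WBINFO:-wbinfo}"
ID="${ID:-id}"
DM_TIMEOUT_S="${DM_TIMEOUT_S:-30}"   # assumed display-manager patience, seconds

# dc_state: "online" if `wbinfo --ping-dc` reports a reachable DC, else "offline".
dc_state() {
    out=$($WBINFO --ping-dc 2>&1)
    case "$out" in
        *succeeded*) echo online ;;
        *)           echo offline ;;
    esac
}

# lookup_secs USER: wall-clock seconds for `id USER` (the nss_winbind path).
# Second resolution is enough: the thread contrasts ~0.03s with ~63s.
lookup_secs() {
    start=$(date +%s)
    $ID "$1" >/dev/null 2>&1
    echo $(( $(date +%s) - start ))
}

# verdict STATE SECS: SLOW_OFFLINE when a disconnected lookup exceeds the
# display-manager timeout, i.e. the login/unlock failure described above.
verdict() {
    if [ "$1" = offline ] && [ "$2" -gt "$DM_TIMEOUT_S" ]; then
        echo SLOW_OFFLINE
    elif [ "$1" = offline ]; then
        echo OK_OFFLINE
    else
        echo OK_ONLINE
    fi
}

# run_check USER: one measurement line, e.g. "offline 63s SLOW_OFFLINE".
run_check() {
    state=$(dc_state)
    secs=$(lookup_secs "$1")
    echo "$state ${secs}s $(verdict "$state" "$secs")"
}

# Usage: ./offline_lookup_check.sh testuser   (run before and after unplugging)
if [ -n "${1:-}" ]; then
    run_check "$1"
fi
```

Run it once with the DC reachable and once after disconnecting the network; a SLOW_OFFLINE line reproduces the symptom without involving the display manager at all.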