[Samba] Fwd: PAM Offline Authentication in Ubuntu 22.04...
Kees van Vloten
keesvanvloten at gmail.com
Sat Jun 3 11:27:01 UTC 2023
On 03-06-2023 13:06, Rowland Penny via samba wrote:
>
>
> On 03/06/2023 10:56, Kees van Vloten via samba wrote:
>>
>>
>>
>>
>> Hi Team,
>>
>> Probably helpful is the config on my test machine:
>>
>> /etc/samba/smb.conf
>> [global]
>> interfaces = lo
>> bind interfaces only = yes
>> netbios name = TESTVM
>> security = ADS
>> dedicated keytab file = /etc/krb5.keytab
>> realm = SAMDOM.COM
>> workgroup = COMPOSERS
>> min domain uid = 0
>> username map = /etc/samba/user.map
>> log level = 3
>> lock directory = /var/cache/samba
>> idmap config samdom:backend = ad
>> idmap config samdom:schema_mode = rfc2307
>> idmap config samdom:unix_primary_group = yes
>> idmap config samdom:unix_nss_info = yes
>> idmap config samdom:range = 1001-100000
>> idmap config *:backend = tdb
>> idmap config *:range = 1000000-1999999
>> winbind cache time = 300
>> winbind offline logon = yes
>> winbind nss info = rfc2307
>> winbind enum groups = no
>> winbind enum users = no
>> winbind nested groups = yes
>> winbind expand groups = 10
>> winbind normalize names = no
>> winbind refresh tickets = yes
>> winbind scan trusted domains = no
>> winbind use default domain = yes
>> kerberos method = secrets and keytab
>> kerberos encryption types = strong
>> rpc server dynamic port range = 50000-55000
>> ntlm auth = mschapv2-and-ntlmv2-only
>> disable netbios = yes
>> template homedir = /home/%U
>> template shell = /bin/bash
>> tls enabled = yes
>> tls priority = NONE:+SECURE256:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
>> tls cafile = /etc/ssl/certs/ca.pem
>>
>> /etc/security/pam_winbind.conf
>> [global]
>> warn_pwd_expire = 30
>> cached_login = yes
>> krb5_auth = yes
>> krb5_ccache_type = FILE
>> require_membership_of = S-1-5-21-4190054395-3630394414-2036191173-1934
>>
>> /etc/nsswitch.conf
>> passwd: files systemd winbind
>> group: files systemd winbind
>> shadow: files
>> gshadow: files
>>
>> hosts: files mdns4_minimal [NOTFOUND=return] dns
>> networks: files
>>
>> protocols: db files
>> services: db files
>> ethers: db files
>> rpc: db files
>>
>>
>>
>> I have set up a test machine, unfortunately not a real laptop (it is in
>> use for other things) but a virtualbox VM with Debian 10, KDE (sddm)
>> and Samba 4.17.8.
>>
>> The test scenario is quite simple.
>>
>> 1. Login with root on the (text) console (tty2)
>> 2. wbinfo --ping-dc
>> 3. time id testuser
>> 4. Disconnect network in virtualbox
>> 5. wbinfo --ping-dc
>> 6. time id testuser
>> 7. Connect network in virtualbox + wait 10 secs (for dhcp etc.)
>> 8. wbinfo --ping-dc
>> 9. time id testuser
>>
>> Results:
>>
>> 2. output: 'checking the NETLOGON for domain[SAMDOM] dc connection to
>> "dc1.samdom.com" succeeded'
>> 3. output in 0.037s
>> 5. output: 'checking the NETLOGON for domain[SAMDOM] dc connection to
>> "" failed'
>> 6. output in 63.120s
>> 8. output: 'checking the NETLOGON for domain[SAMDOM] dc connection to
>> "dc1.samdom.com" succeeded'
>> 9. output in 0.191s
>>
>> Now, logging in on the graphical interface (sddm) fails when
>> disconnected, probably due to the fact that a response in 63s is too
>> long for sddm; it gives up before that.
>>
>> When I log in while connected on sddm, then disconnect and lock the
>> screen, I am unable to unlock, likely due to the same (short) timeout
>> in sddm.
>>
>> Now the question is why it takes winbind so long (63s) to do a simple
>> user and group lookup when it knows that it is disconnected.
>>
>> - Kees.
>>
>>
>> On 01-06-2023 16:38, Rowland Penny via samba wrote:
>>>
>>>
>>> On 01/06/2023 15:11, Eduardo Moraes via samba wrote:
>>>>> OK, but... further investigation in what direction?!
>>>>
>>>> Greetings, friends!
>>>>
>>>> Sorry for butting in on the discussion, but I'm also interested in
>>>> solving this problem, as users of my project (CID -
>>>> https://sourceforge.net/projects/c-i-d/) have also been reporting
>>>> the same difficulty.
>>>>
>>>> I've been researching it and it looks like the problem has been
>>>> around for a long time and is specific to Debian-like distributions,
>>>> as these two bug reports suggest:
>>>>
>>>> https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1165461
>>>> https://bugzilla.samba.org/show_bug.cgi?id=14618
>>>>
>>>> I tried to make the suggested changes to the "lock directory" and even
>>>> adapted it to my scripts, but according to reports from the users, it
>>>> doesn't always work.
>>>>
>>>> I've tested other distributions, like Fedora and OpenSuse, and
>>>> everything seems to work just fine.
>>>>
>>>> I stopped researching some time ago, so I can't contribute more
>>>> than that, but I hope that at least I helped them to find a way to
>>>> a solution.
>>>>
>>>> Good luck!
>>>
>>> The plot thickens, I am testing using an Oracle VM with a bridged
>>> adapter, which can connect to either wifi or ethernet. Whilst doing
>>> further testing I just discovered something. If I logon as a domain
>>> user with the bridged adapter connected to wifi (wlan0), the user
>>> gets logged in. If I then log out and switch the bridged adapter to
>>> eth0 with the cable disconnected, the user can still logon and
>>> quickly. However if the cable isn't disconnected, then the user can
>>> still logon, but after a considerable amount of time and there is a
>>> similar pause when the user logs out.
>>>
>>> I am surmising that the pause is coming from something searching for
>>> the network and then, finally, giving up.
>>>
>>> Now to try and find the 'something' and stop it doing it.
>>>
>>> Rowland
>>>
>>
>
>
> My test machine is in a virtualbox VM with Ubuntu 22.04, MATE
> (lightdm) and Samba 4.17.8.
> I have tried Debian with similar results, but without the timings.
>
> The computer it is running on uses wifi (wlan0); it also has an
> ethernet port (eth0), but there is no cable plugged into it.
> The VM network is set to use a Bridged Adapter connected to wlan0.
>
> I followed Kees's test scenario with a few changes.
>
> 1. Login with a local Unix user that can use sudo
> 1a open a (text) console
> 2. wbinfo --ping-dc
> 3. time id rowland
> 4. Change network device from wlan0 to eth0 and disconnect cable in
> virtualbox
> 5. wbinfo --ping-dc
> 6. time id rowland
> 6a. reconnect cable in virtualbox, still using eth0
> 6b. wbinfo --ping-dc
> 6c. time id rowland
> 7. Connect network in virtualbox (switched back to wlan0) + wait 10 secs
> 8. wbinfo --ping-dc
> 9. time id testuser
>
> Results:
>
> 2. output: 'checking the NETLOGON for domain[SAMDOM] dc connection to
> "rpidc2.samdom.example.com" succeeded'
> 3. output
> real 0m0.551s
> user 0m0.008s
> sys 0m0.000s
> 5. output: 'checking the NETLOGON for domain[SAMDOM] dc connection to
> "" failed'
> 'failed to call wbcPingDc: WBC_ERR_DOMAIN_NOT_FOUND'
> 6. output
> real 0m0.022s
> user 0m0.007s
> sys 0m0.001s
> 6b. output: 'checking the NETLOGON for domain[SAMDOM] dc connection to
> "" failed'
> 'failed to call wbcPingDc: WBC_ERR_DOMAIN_NOT_FOUND'
> NOTE: This was after a long delay,
> so I ran the command again with 'time' and got this:
> real 1m2.580s
> user 0m0.005s
> sys 0m0.009s
> 6c. output
> real 0m0.005s
> user 0m0.002s
> sys 0m0.001s
> 8. output: 'checking the NETLOGON for domain[SAMDOM] dc connection to
> "rpidc2.samdom.example.com" succeeded'
> 9. output
> real 0m0.494s
> user 0m0.000s
> sys 0m0.008s
>
> If I attempt to logon as a domain user when the network is
> disconnected but the 'cable' is connected in Virtualbox, there is a
> short pause, then I get logged in. There is a similar pause when I log
> out.
> However just disconnecting the 'cable' (but not connecting to the
> network) in Virtualbox removes the pauses, logon and logout are
> virtually instantaneous.
>
> This is the smb.conf file I am using:
>
> [global]
> workgroup = SAMDOM
> security = ADS
> realm = SAMDOM.EXAMPLE.COM
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> server string = Samba Client %h
>
> winbind use default domain = yes
> winbind expand groups = 2
> winbind refresh tickets = Yes
> winbind offline logon = yes
> disable netbios = yes
> dns proxy = no
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config SAMDOM : backend = rid
> idmap config SAMDOM : range = 10000-999999
> template shell = /bin/bash
> template homedir = /home/%U
>
> # user Administrator workaround, without it you are unable to set privileges
> username map = /etc/samba/user.map
>
> vfs objects = acl_xattr
> map acl inherit = Yes
>
> # Comment the following 4 lines to act as a print server
> printcap name = /dev/null
> load printers = no
> disable spoolss = yes
> printing = bsd
>
> # logging
> log level = 3
> log file = /var/log/samba/%m.log
> logging = file
>
> min domain uid = 0
>
> [homes]
> comment = Home Directories
> read only = no
> create mask = 0700
> directory mask = 0700
> valid users = %S
>
> [Demo]
> path = /srv/samba/Demo
> read only = no
>
> I do not have /etc/security/pam_winbind.conf; Debian-based distros do
> everything through /etc/pam.d/common-auth, and this is the relevant
> line from that file:
>
> auth [success=1 default=ignore] pam_winbind.so debug krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
>
I have exactly the same line in /etc/pam.d/common-auth. In addition,
pam_winbind.conf restricts login to members of a specific AD group;
indeed all other entries are also set through the line in pam.d/common-auth.
> Rowland
>
>
However, for a lookup with the command 'id', pam_winbind is irrelevant,
since we only do a user and group lookup; it is nss-winbind that is
being used.
I don't see any differences between our smb.conf files that could cause
this issue, do you?
I guess the next thing to try is to increase the log level to a high value
and repeat the test. Any other ideas?
- Kees.
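The connected / disconnected / reconnected lookup test that both posters ran by hand, scripted as an added example (this is not code from either poster or from Samba). It assumes Samba's wbinfo and testparm and coreutils' id are installed, that it runs as root on the joined client, and that 30 seconds is a reasonable stand-in for the display manager's PAM timeout, a value the thread never quantifies. The budget can be overridden with the BUDGET_SECS environment variable.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the connected / disconnected /
# reconnected winbind lookup timing test and flag any 'id' lookup slower than
# an interactive-login budget. Assumes wbinfo, testparm and id are installed.
# The 30 s default budget is an assumption for a display-manager PAM timeout,
# not a value from the thread.

BUDGET_SECS="${BUDGET_SECS:-30}"

# Classify the text of 'wbinfo --ping-dc': the thread shows '... succeeded'
# when a DC answers and '... "" failed' (or a wbcPingDc error) when offline.
classify_ping_dc() {
    case "$1" in
        *succeeded*) echo online ;;
        *)           echo offline ;;
    esac
}

# Run a command quietly and print its wall-clock duration in whole seconds.
time_cmd() {
    start=$(date +%s)
    if "$@" >/dev/null 2>&1; then :; fi   # never abort the test on a failed lookup
    end=$(date +%s)
    echo $((end - start))
}

# OK if the lookup fits in the budget, SLOW otherwise. A SLOW result is what
# makes sddm/lightdm give up before nss_winbind answers.
verdict() {
    if [ "$1" -le "$2" ]; then echo OK; else echo SLOW; fi
}

# One phase of the test: DC reachability, then a timed NSS lookup via 'id'
# (this path goes through nss_winbind, not pam_winbind).
run_phase() {
    label="$1"; user="$2"
    state=$(classify_ping_dc "$(wbinfo --ping-dc 2>&1)")
    secs=$(time_cmd id "$user")
    printf '%-12s winbind=%-7s id %s took %3ss  [%s]\n' \
        "$label" "$state" "$user" "$secs" "$(verdict "$secs" "$BUDGET_SECS")"
}

main() {
    user="$1"
    # Pre-check: offline logon must be enabled or cached lookups cannot work.
    printf 'winbind offline logon = %s\n' \
        "$(testparm -s --parameter-name='winbind offline logon' 2>/dev/null)"
    run_phase connected "$user"
    printf 'Disconnect the network now, then press Enter: '; read -r _
    run_phase disconnected "$user"
    printf 'Reconnect the network, wait ~10 s for DHCP, then press Enter: '; read -r _
    run_phase reconnected "$user"
}

# Only run the interactive test when a username is given, so the helper
# functions can also be sourced on their own.
if [ $# -gt 0 ]; then main "$1"; fi
```

Run it as root with the domain user to test, e.g. `sh winbind-offline-test.sh testuser`, and toggle the VM's network adapter at the prompts. Because `id` only touches nss_winbind, a SLOW verdict in the disconnected phase points at winbindd's offline detection rather than at pam_winbind or the PAM stack.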