[Samba] strange issues with pam_winbind and sudo

Nathan Johnson n.johnson at vanderbilt.edu
Wed Jan 23 18:55:32 GMT 2008

I have two issues, potentially related, potentially not.  First
off, a bit about my environment:

I am experiencing the same issues on two boxes, one of which is
running Red Hat Linux ES 4 Update 6 i386, the other running Red Hat
Enterprise Linux Server release 5.1 x86_64.  Both appear to be
running Samba 3.0.25b, and both are members of an Active Directory
domain.  There are 7 domain controllers in total, and there are a
largish number of users: approximately 34,000.  I am only allowing
users that belong to a certain group to log in, selecting in
/etc/security/pam_winbind.conf with require_membership_of=[GROUP
SID].  I also have this same group named in /etc/sudoers with a
line similar to:

%Name\ Of\ My\ Group ALL=(ALL)       ALL

(note that I am using a group name with spaces in it; though the
docs state this is a no-no, it seems to work, initially at least
- more on that later)

The first issue is that after winbindd has been running for a while
(several hours, perhaps?), logins slow down to a crawl.  It can
take upwards of two minutes to log in, whether the username exists
in the local passwd file or is an AD user.  If I restart
winbindd, logins are once again snappy.

The second issue is that after I have logged in as an AD user and
the session has sat idle for maybe 10 minutes or so, I get the
following error when trying to sudo:

sudo: uid [some number] does not exist in the passwd file!

If I log out and log back in, I can run sudo commands.  Also, of
note, if I run anything that calls getpwent(), sudo once again
works.  I came up with this test program:

#include <sys/types.h>
#include <pwd.h>
#include <stdio.h>

/* Fetch the first passwd entry through NSS (libc -> nss_winbind for
 * AD users) and print it; a NULL result means the lookup chain failed. */
int main(int argc, char** argv) {
   struct passwd * whatevs = getpwent();
   if (whatevs) {
           printf("%s:%s:%d:%d:%s:%s:%s\n",
                  whatevs->pw_name, whatevs->pw_passwd, whatevs->pw_uid,
                  whatevs->pw_gid, whatevs->pw_gecos, whatevs->pw_dir,
                  whatevs->pw_shell);
   } else {
        printf("crap!!!! null\n");
   }
   endpwent();
   return 0;
}

Here is my smb.conf:

[global]
	server string = Lamborghini Metaclinic (RHEL5.1)
	netbios name = lamborghini
	realm = DS.VANDERBILT.EDU
	preferred master = no
	security = ADS
	encrypt passwords = yes
	log level = 3
	log file = /var/log/samba/%m
	max log size = 50
	printcap name = cups
	printing = cups
	winbind enum users = Yes
	winbind enum groups = Yes
	winbind use default domain = Yes
	winbind nested groups = Yes
	winbind separator = +
	idmap uid = 1000-100000000
	idmap gid = 1000-100000000
	idmap backend = idmap_rid:VANDERBILT=1000-50000000
	;template primary group = "Domain Users"
	template shell = /bin/bash
	winbind offline logon = yes

Here is my /etc/krb5.conf :

[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = DS.VANDERBILT.EDU
  dns_lookup_realm = false
  dns_lookup_kdc = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  DS.VANDERBILT.EDU = {
    kdc = ds.vanderbilt.edu
  }

[domain_realm]
  .kerberos.server = DS.VANDERBILT.EDU

[appdefaults]
  pam = {
    debug = true
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }

my /etc/security/pam_winbind.conf:

[global]
require_membership_of = [some long SID here]

and I've already given the relevant bits of the sudoers file.

As an aside, is there a way to give an SID instead of a group name
in the /etc/sudoers file?

Nathan Johnson
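The following diagnostic is an added example and is not part of the original post or of Samba or sudo. It reproduces, outside of sudo, the two NSS lookups sudo performs before it can match a %group entry in sudoers: the uid-to-passwd lookup that produces "uid N does not exist in the passwd file!" when winbindd stops answering, and the user-to-group-list lookup used for %group matching against the backslash-escaped group name. When the uid lookup fails it runs the same full getpwent() enumeration the poster found makes sudo work again, then retries. The default group token ("%Name\ Of\ My\ Group") and the use of the calling uid are assumptions; both can be overridden on the command line.

```c
/* Added example, not from the original post: reproduce sudo's NSS
 * lookups (uid -> passwd, user -> groups) against a winbind-backed
 * system, with the poster's getpwent() workaround as a retry step. */
#include <sys/types.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Unescape a sudoers group token: "%Name\ Of\ My\ Group" -> "Name Of My Group".
 * Returns 0 on success, -1 if the token is not a %group or does not fit. */
int sudoers_group_name(const char *token, char *out, size_t outlen)
{
    size_t o = 0;
    if (token == NULL || token[0] != '%') return -1;
    for (const char *p = token + 1; *p != '\0'; p++) {
        if (*p == '\\' && p[1] != '\0') p++;       /* drop the backslash */
        if (o + 1 >= outlen) return -1;
        out[o++] = *p;
    }
    out[o] = '\0';
    return o > 0 ? 0 : -1;
}

/* The lookup sudo does first: uid -> passwd entry via NSS (libc ->
 * nss_winbind -> winbindd for AD users).  Returns 0 and the name, or -1. */
int resolve_uid(uid_t uid, char *name, size_t namelen)
{
    struct passwd pw, *res = NULL;
    char buf[16384];                               /* AD gecos fields can be long */
    if (getpwuid_r(uid, &pw, buf, sizeof buf, &res) != 0 || res == NULL)
        return -1;
    snprintf(name, namelen, "%s", pw.pw_name);
    return 0;
}

/* Full passwd enumeration, the call the poster found makes sudo work
 * again.  Returns the number of entries the NSS chain handed back. */
long enumerate_passwd(void)
{
    long n = 0;
    setpwent();
    while (getpwent() != NULL) n++;
    endpwent();
    return n;
}

/* Membership test equivalent to sudo's %group match: primary gid plus
 * supplementary groups.  Returns 1 (member), 0 (not), -1 (lookup failed). */
int user_in_group(const char *user, const char *group)
{
    struct passwd *pw = getpwnam(user);
    struct group *gr = getgrnam(group);
    int ngroups = 64, found = 0;
    if (pw == NULL || gr == NULL) return -1;
    gid_t *groups = malloc(sizeof *groups * ngroups);
    if (groups == NULL) return -1;
    if (getgrouplist(user, pw->pw_gid, groups, &ngroups) == -1) {
        /* ngroups now holds the size actually needed; retry once */
        gid_t *bigger = realloc(groups, sizeof *groups * ngroups);
        if (bigger == NULL) { free(groups); return -1; }
        groups = bigger;
        if (getgrouplist(user, pw->pw_gid, groups, &ngroups) == -1) {
            free(groups);
            return -1;
        }
    }
    for (int i = 0; i < ngroups; i++)
        if (groups[i] == gr->gr_gid) found = 1;
    free(groups);
    return found;
}

int main(int argc, char **argv)
{
    /* argv[1]: sudoers group token, argv[2]: uid to check (assumed defaults) */
    const char *token = argc > 1 ? argv[1] : "%Name\\ Of\\ My\\ Group";
    uid_t uid = argc > 2 ? (uid_t)strtoul(argv[2], NULL, 10) : getuid();
    char group[256], name[256];

    if (sudoers_group_name(token, group, sizeof group) != 0) {
        fprintf(stderr, "bad sudoers group token: %s\n", token);
        return 2;
    }
    if (resolve_uid(uid, name, sizeof name) != 0) {
        printf("uid %lu does not exist in the passwd file! (first try)\n",
               (unsigned long)uid);
        printf("enumerated %ld passwd entries, retrying\n", enumerate_passwd());
        if (resolve_uid(uid, name, sizeof name) != 0) {
            printf("uid %lu still unresolved: winbindd is not answering\n",
                   (unsigned long)uid);
            return 1;
        }
    }
    int m = user_in_group(name, group);
    if (m < 0) printf("group lookup failed for \"%s\"\n", group);
    else printf("%s %s a member of \"%s\"\n", name, m ? "is" : "is not", group);
    return m == 1 ? 0 : 1;
}
```

Run it as the AD user in an idle session (no arguments) to see whether the uid lookup itself fails, and again after the getpwent() walk; if the first call fails and the retry succeeds, the problem is in winbindd's answer to a single getpwuid() query rather than in sudoers. Note that the group name is matched by name here, so the answer does not depend on winbind use default domain unless the group token carries the domain prefix and separator.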

