[Samba] sudo issues after upgrading to samba/winbind 4.0.13 on Debian Wheezy

Hans-Kristian Bakke hkbakke at gmail.com
Sat Jan 4 13:27:32 MST 2014


Actually, when disabling GSSAPI for SSH, login also fails for SSH. It
is in other words a general issue when using winbind for logins and
not Kerberos tickets. I also did a completely clean netinstall of
Debian jessie, just installing openssh-server, bash-completion, vim,
less, winbind, libpam-winbind and libnss-winbind, adding the machine
to the domain, updating nsswitch.conf (verified with ldconfig -v | grep
winbind) and adding mkhomedir to /usr/share/pam-config/ like
usual. Changing nothing else!

Output from /var/log/auth.log when trying to authenticate as the user "hk":
...
Jan  4 21:15:13 test sshd[1765]: debug1: userauth-request for user hk service ssh-connection method password [preauth]
Jan  4 21:15:13 test sshd[1765]: debug1: attempt 2 failures 1 [preauth]
Jan  4 21:15:13 test sshd[1765]: debug2: input_userauth_request: try method password [preauth]
Jan  4 21:15:13 test sshd[1765]: debug3: mm_auth_password entering [preauth]
Jan  4 21:15:13 test sshd[1765]: debug3: mm_request_send entering: type 12 [preauth]
Jan  4 21:15:13 test sshd[1765]: debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD [preauth]
Jan  4 21:15:13 test sshd[1765]: debug3: mm_request_receive_expect entering: type 13 [preauth]
Jan  4 21:15:13 test sshd[1765]: debug3: mm_request_receive entering [preauth]
Jan  4 21:15:13 test sshd[1765]: debug3: mm_request_receive entering
Jan  4 21:15:13 test sshd[1765]: debug3: monitor_read: checking request 12
Jan  4 21:15:13 test sshd[1765]: debug3: PAM: sshpam_passwd_conv called with 1 messages
Jan  4 21:15:13 test sshd[1765]: pam_winbind(sshd:auth): getting password (0x00000388)
Jan  4 21:15:13 test sshd[1765]: pam_winbind(sshd:auth): pam_get_item returned a password
Jan  4 21:15:13 test sshd[1713]: debug1: server_input_channel_req: channel 0 request winadj@putty.projects.tartarus.org reply 1
Jan  4 21:15:13 test sshd[1713]: debug1: session_by_channel: session 0 channel 0
Jan  4 21:15:13 test sshd[1713]: debug1: session_input_channel_req: session 0 req winadj@putty.projects.tartarus.org
Jan  4 21:15:13 test sshd[1713]: debug2: channel 0: rcvd adjust 8740
Jan  4 21:15:13 test sshd[1765]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_CONNECTION_DISCONNECTED, Error message was: NT_STATUS_CONNECTION_DISCONNECTED
Jan  4 21:15:13 test sshd[1765]: pam_winbind(sshd:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'hk')
Jan  4 21:15:15 test sshd[1765]: debug1: PAM: password authentication failed for hk: Authentication failure
...

My smb.conf (remember samba is not used or installed, but it makes no
difference with samba installed):
[global]
    server string = %h server
    dns proxy = no
    log file = /var/log/samba/log.%m
    max log size = 1000
    syslog = 0
    panic action = /usr/share/samba/panic-action %d
    encrypt passwords = true
    passdb backend = tdbsam
    obey pam restrictions = yes
    unix password sync = yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    pam password change = yes
    map to guest = bad user
    usershare allow guests = yes
    disable netbios = yes

    # Active directory integration
    workgroup = PROIKT
    server role = member server
    security = ads
    realm = ad.proikt.com
    client ldap sasl wrapping = seal
    kerberos method = secrets and keytab
    winbind cache time = 300
    winbind enum users = yes
    winbind enum groups = yes
    winbind expand groups = 5
    winbind use default domain = yes
    winbind refresh tickets = yes
    winbind offline logon = yes
    template shell = /bin/bash
    template homedir = /home/%U@%D
    idmap config * : backend = tdb
    idmap config * : range = 100000-299999
    idmap config PROIKT : backend  = rid
    idmap config PROIKT : range = 300000-499999
---

This exact configuration worked perfectly on 3.6.X, but does not work on
4.0.13 (wheezy-backports on wheezy) or 4.1.3 (jessie). sudo and
non-GSSAPI SSH logins are currently not working.

Any ideas?

I do enforce LDAPS with valid certificates on my domain controllers
(clean Server 2012 and Server 2012 R2). DNS seems to be working
perfectly, although I did see some seemingly unrelated IPv6
DNS lookups from the same host in my tcpdumps, but I have no
indication that this is related to the issue, as I do not use IPv6 in my
network (although it is enabled by default in Debian).

Regards,
Hans-Kristian


On 4 January 2014 04:24, Hans-Kristian Bakke <hkbakke at gmail.com> wrote:
> Hi
>
> I have upgraded from samba 3.6.19 to samba 4.0.13 on Debian Wheezy
> 64-bit with Samba 4.0.13 from wheezy-backports. I use winbind to
> authenticate against a two-server AD domain on Server 2012 functional
> level and forced LDAPS.
>
> After upgrading from 3.6.19 to 4.0.13 everything still works for me as
> usual. That is samba share authentication, all things relying on the
> keytab, SSO logins with SSH using GSSAPI and so on. But strangely sudo
> for winbind users does not work anymore. The sudo package was not
> updated, but I installed a newer version just to check (1.8.8) but no
> success.
>
> wbinfo, getent, id, groups and su - work perfectly with all users and
> group memberships listed.
>
> When trying sudo in any form, like sudo -i, I get the password
> question, but after inputting the password sudo just hangs, not
> responding to anything and sometimes timing out; other times I kill
> it from another root session.
>
> It is like this on all my Wheezy servers after upgrading to 4.0.13
> (and installing libpam-winbind and libnss-winbind). I have not messed
> with the sudo configuration or pam.d configuration on any of the
> servers, other than adding the user to sudoers (adduser xxx sudo).
> Local users work perfectly with sudo. Wheezy servers that I have not
> upgraded to 4.0.13 are working correctly and the pam.d configs seem
> identical.
>
> I have purged everything related to samba/winbind and reinstalled,
> including leaving and joining the domain with no success for sudo.
>
> I have straced the issue and it seems to be looping trying to pull
> data from /var/lib/samba/winbindd_privileged/pipe.
>
> The strace had to be started via pid after initiating sudo -i and
> waiting for input, as I got some setuid error trying to run the command
> itself with strace.
>
> ---
> lstat("/var/run/samba/winbindd", {st_mode=S_IFDIR|0755, st_size=60, ...}) = 0
> lstat("/var/run/samba/winbindd/pipe", {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
> socket(PF_FILE, SOCK_STREAM, 0)         = 4
> fcntl(4, F_GETFL)                       = 0x2 (flags O_RDWR)
> fcntl(4, F_SETFL, O_RDWR|O_NONBLOCK)    = 0
> fcntl(4, F_GETFD)                       = 0
> fcntl(4, F_SETFD, FD_CLOEXEC)           = 0
> connect(4, {sa_family=AF_FILE, path="/var/run/samba/winbindd/pipe"}, 110) = 0
> poll([{fd=4, events=POLLIN|POLLOUT|POLLHUP}], 1, -1) = 1 ([{fd=4, revents=POLLOUT}])
> write(4, "0\10\0\0\0\0\0\0\0\0\0\0\17\34\0\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 2096) = 2096
> poll([{fd=4, events=POLLIN|POLLHUP}], 1, 5000) = 1 ([{fd=4, revents=POLLIN}])
> read(4, "\250\r\0\0\2\0\0\0\33\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 3496) = 3496
> poll([{fd=4, events=POLLIN|POLLOUT|POLLHUP}], 1, -1) = 1 ([{fd=4, revents=POLLOUT}])
> write(4, "0\10\0\0/\0\0\0\0\0\0\0\17\34\0\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 2096) = 2096
> poll([{fd=4, events=POLLIN|POLLHUP}], 1, 5000) = 1 ([{fd=4, revents=POLLIN}])
> read(4, "\313\r\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 3496) = 3496
> poll([{fd=4, events=POLLIN|POLLHUP}], 1, 5000) = 1 ([{fd=4, revents=POLLIN}])
> read(4, "/var/lib/samba/winbindd_privileg"..., 35) = 35
> lstat("/var/lib/samba/winbindd_privileged", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
> lstat("/var/lib/samba/winbindd_privileged/pipe", {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
> socket(PF_FILE, SOCK_STREAM, 0)         = 10
> fcntl(10, F_GETFL)                      = 0x2 (flags O_RDWR)
> fcntl(10, F_SETFL, O_RDWR|O_NONBLOCK)   = 0
> fcntl(10, F_GETFD)                      = 0
> fcntl(10, F_SETFD, FD_CLOEXEC)          = 0
> connect(10, {sa_family=AF_FILE, path="/var/lib/samba/winbindd_privileged/pipe"}, 110) = 0
> close(4)                                = 0
> poll([{fd=10, events=POLLIN|POLLOUT|POLLHUP}], 1, -1) = 1 ([{fd=10, revents=POLLOUT}])
> write(10, "0\10\0\0\r\0\0\0\0\0\0\0\17\34\0\0\0\0\0\0\236\360\0\0\0\0\0\0\0\0\0\0"..., 2096) = 2096
> poll([{fd=10, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
> poll([{fd=10, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
> poll([{fd=10, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
> poll([{fd=10, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
> poll([{fd=10, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
> poll([{fd=10, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
> poll([{fd=10, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
> close(10)
> ---
>
> Regards
> Hans-Kristian
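As an added example (not from the thread or from Samba), a small Python triage script for auth.log lines in the shape of the sshd excerpt above: it separates pam_winbind failures where winbindd itself could not complete the logon (PAM_SYSTEM_ERR with NT_STATUS_CONNECTION_DISCONNECTED, the case reported here) from ordinary wrong-password failures, so a monitoring rule does not count a broken winbindd as credential guessing. The sample log lines are constructed, and INFRA_STATUS is an assumed, non-exhaustive set.

```python
"""Triage pam_winbind failures in auth.log: PAM_SYSTEM_ERR plus
NT_STATUS_CONNECTION_DISCONNECTED means winbindd never got an answer to
the logon request (a service fault), not that the password was wrong."""
import re
from collections import Counter
# Constructed sample in the shape of the thread's excerpt; not a real capture.
SAMPLE_AUTH_LOG = """\
Jan  4 21:15:13 test sshd[1765]: pam_winbind(sshd:auth): getting password (0x00000388)
Jan  4 21:15:13 test sshd[1765]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_CONNECTION_DISCONNECTED, Error message was: NT_STATUS_CONNECTION_DISCONNECTED
Jan  4 21:15:13 test sshd[1765]: pam_winbind(sshd:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'hk')
Jan  4 21:16:02 test sudo[1802]: pam_winbind(sudo:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
"""
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>\w+)\[(?P<pid>\d+)\]: "
    r"pam_winbind\((?P<service>[^:]+):auth\): request (?P<request>\w+) failed: "
    r"(?P<wbc>\w+), PAM error: (?P<pam>\w+) \((?P<pam_code>\d+)\), NTSTATUS: (?P<ntstatus>\w+)"
)
# Follow-up line pam_winbind writes on a system error; it carries the user name.
USER_RE = re.compile(
    r"^\S+\s+\d+ \d\d:\d\d:\d\d \S+ \w+\[(?P<pid>\d+)\]: pam_winbind\([^)]*\): "
    r"internal module error \(retval = \w+\(\d+\), user = '(?P<user>[^']+)'\)"
)
# Assumed set of NTSTATUS values that point at winbindd/DC trouble, not the credential.
INFRA_STATUS = {"NT_STATUS_CONNECTION_DISCONNECTED", "NT_STATUS_NO_LOGON_SERVERS",
                "NT_STATUS_PIPE_DISCONNECTED", "NT_STATUS_IO_TIMEOUT"}

def classify(ntstatus, pam_error):
    """'infrastructure' if winbindd itself failed, otherwise 'credential'."""
    if ntstatus in INFRA_STATUS or pam_error == "PAM_SYSTEM_ERR":
        return "infrastructure"
    return "credential"

def parse_winbind_failures(text):
    """Return one dict per failed wbc request, with the user name joined in by PID."""
    events, users = [], {}
    for line in text.splitlines():
        m = USER_RE.match(line)
        if m:
            users[m.group("pid")] = m.group("user")
            continue
        m = FAIL_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["category"] = classify(ev["ntstatus"], ev["pam"])
            events.append(ev)
    for ev in events:
        ev["user"] = users.get(ev["pid"])  # None when no follow-up line was logged
    return events

def summarize(text):
    """Count failures per (PAM service, category) so infrastructure faults stand out."""
    return Counter((ev["service"], ev["category"]) for ev in parse_winbind_failures(text))
```

Running summarize() over a real /var/log/auth.log gives one counter per service, so a spike of ("sshd", "infrastructure") or ("sudo", "infrastructure") flags the winbindd/DC path rather than the users.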

