[Samba] sudo issues after upgrading to samba/winbind 4.0.13 on Debian Wheezy
Hans-Kristian Bakke
hkbakke at gmail.com
Sat Jan 4 13:27:32 MST 2014
Actually, when disabling GSSAPI, login also fails for SSH. It is, in
other words, a general issue when using winbind for logins and not
Kerberos tickets. I also did a completely clean netinstall of Debian
jessie, just installing openssh-server, bash-completion, vim, less,
winbind, libpam-winbind and libnss-winbind, adding the machine to the
domain, updating nsswitch.conf (verified with ldconfig -v | grep
winbind) and adding mkhomedir to /usr/share/pam-config/ like usual.
Changing nothing else!
Output from /var/log/auth.log when trying to authenticate as the user "hk":
...
Jan 4 21:15:13 test sshd[1765]: debug1: userauth-request for user hk service ssh-connection method password [preauth]
Jan 4 21:15:13 test sshd[1765]: debug1: attempt 2 failures 1 [preauth]
Jan 4 21:15:13 test sshd[1765]: debug2: input_userauth_request: try method password [preauth]
Jan 4 21:15:13 test sshd[1765]: debug3: mm_auth_password entering [preauth]
Jan 4 21:15:13 test sshd[1765]: debug3: mm_request_send entering: type 12 [preauth]
Jan 4 21:15:13 test sshd[1765]: debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD [preauth]
Jan 4 21:15:13 test sshd[1765]: debug3: mm_request_receive_expect entering: type 13 [preauth]
Jan 4 21:15:13 test sshd[1765]: debug3: mm_request_receive entering [preauth]
Jan 4 21:15:13 test sshd[1765]: debug3: mm_request_receive entering
Jan 4 21:15:13 test sshd[1765]: debug3: monitor_read: checking request 12
Jan 4 21:15:13 test sshd[1765]: debug3: PAM: sshpam_passwd_conv called with 1 messages
Jan 4 21:15:13 test sshd[1765]: pam_winbind(sshd:auth): getting password (0x00000388)
Jan 4 21:15:13 test sshd[1765]: pam_winbind(sshd:auth): pam_get_item returned a password
Jan 4 21:15:13 test sshd[1713]: debug1: server_input_channel_req: channel 0 request winadj@putty.projects.tartarus.org reply 1
Jan 4 21:15:13 test sshd[1713]: debug1: session_by_channel: session 0 channel 0
Jan 4 21:15:13 test sshd[1713]: debug1: session_input_channel_req: session 0 req winadj@putty.projects.tartarus.org
Jan 4 21:15:13 test sshd[1713]: debug2: channel 0: rcvd adjust 8740
Jan 4 21:15:13 test sshd[1765]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_CONNECTION_DISCONNECTED, Error message was: NT_STATUS_CONNECTION_DISCONNECTED
Jan 4 21:15:13 test sshd[1765]: pam_winbind(sshd:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'hk')
Jan 4 21:15:15 test sshd[1765]: debug1: PAM: password authentication failed for hk: Authentication failure
...
My smb.conf (remember samba is not used or installed, but it makes no
difference with samba installed):
[global]
server string = %h server
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
usershare allow guests = yes
disable netbios = yes
# Active directory integration
workgroup = PROIKT
server role = member server
security = ads
realm = ad.proikt.com
client ldap sasl wrapping = seal
kerberos method = secrets and keytab
winbind cache time = 300
winbind enum users = yes
winbind enum groups = yes
winbind expand groups = 5
winbind use default domain = yes
winbind refresh tickets = yes
winbind offline logon = yes
template shell = /bin/bash
template homedir = /home/%U@%D
idmap config * : backend = tdb
idmap config * : range = 100000-299999
idmap config PROIKT : backend = rid
idmap config PROIKT : range = 300000-499999
---
This exact configuration worked perfectly on 3.6.X, but does not work on
4.0.13 (wheezy-backports on wheezy) or 4.1.3 (jessie). sudo and
non-GSSAPI SSH logins are currently not working.
Any ideas?
I do enforce LDAPS with valid certificates on my domain controllers
(clean Server 2012 and Server 2012 R2). DNS seems to be working
perfectly, although I did see some seemingly unrelated IPv6
DNS lookups from the same host in my tcpdumps, but I have no
indication that that is related to this issue as I do not use IPv6 in my
network (although it is enabled by default in Debian).
Regards,
Hans-Kristian
On 4 January 2014 04:24, Hans-Kristian Bakke <hkbakke at gmail.com> wrote:
> Hi
>
> I have upgraded from samba 3.6.19 to samba 4.0.13 on Debian Wheezy
> 64-bit with Samba 4.0.13 from wheezy-backports. I use winbind to
> authenticate against a two-server AD domain on Server 2012 functional
> level and forced LDAPS.
>
> After upgrading from 3.6.19 to 4.0.13 everything still works for me as
> usual. That is samba shares authentication, all things relying on the
> keytab, SSO logins with SSH using GSSAPI and so on. But strangely sudo
> for winbind users does not work anymore. The sudo package was not
> updated, but I installed a newer version just to check (1.8.8), with no
> success.
>
> wbinfo, getent, id, groups and su - work perfectly with all users and
> group memberships listed.
>
> When trying sudo in any form, like sudo -i, I get the password
> question, but after inputting the password sudo just hangs, not
> responding to anything and sometimes timing out; other times I kill
> it from another root session.
>
> It is like this on all my Wheezy servers after upgrading to 4.0.13
> (and installing libpam-winbind and libnss-winbind). I have not messed
> with the sudo configuration or pam.d configuration on any of the
> servers, other than adding the user to sudoers (adduser xxx sudo).
> Local users work perfectly with sudo. Wheezy servers that I have not
> upgraded to 4.0.13 are working correctly and the pam.d configs seem
> identical.
>
> I have purged everything related to samba/winbind and reinstalled,
> including leaving and joining the domain with no success for sudo.
>
> I have straced the issue and it seems to be looping trying to pull
> data from /var/lib/samba/winbindd_privileged/pipe.
>
> The strace had to be started via pid after initiating sudo -i and
> waiting for input as I got some setuid error trying to run the command
> itself with strace.
>
> ---
> lstat("/var/run/samba/winbindd", {st_mode=S_IFDIR|0755, st_size=60, ...}) = 0
> lstat("/var/run/samba/winbindd/pipe", {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
> socket(PF_FILE, SOCK_STREAM, 0) = 4
> fcntl(4, F_GETFL) = 0x2 (flags O_RDWR)
> fcntl(4, F_SETFL, O_RDWR|O_NONBLOCK) = 0
> fcntl(4, F_GETFD) = 0
> fcntl(4, F_SETFD, FD_CLOEXEC) = 0
> connect(4, {sa_family=AF_FILE, path="/var/run/samba/winbindd/pipe"}, 110) = 0
> poll([{fd=4, events=POLLIN|POLLOUT|POLLHUP}], 1, -1) = 1 ([{fd=4, revents=POLLOUT}])
> write(4, "0\10\0\0\0\0\0\0\0\0\0\0\17\34\0\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 2096) = 2096
> poll([{fd=4, events=POLLIN|POLLHUP}], 1, 5000) = 1 ([{fd=4, revents=POLLIN}])
> read(4, "\250\r\0\0\2\0\0\0\33\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 3496) = 3496
> poll([{fd=4, events=POLLIN|POLLOUT|POLLHUP}], 1, -1) = 1 ([{fd=4, revents=POLLOUT}])
> write(4, "0\10\0\0/\0\0\0\0\0\0\0\17\34\0\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 2096) = 2096
> poll([{fd=4, events=POLLIN|POLLHUP}], 1, 5000) = 1 ([{fd=4, revents=POLLIN}])
> read(4, "\313\r\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 3496) = 3496
> poll([{fd=4, events=POLLIN|POLLHUP}], 1, 5000) = 1 ([{fd=4, revents=POLLIN}])
> read(4, "/var/lib/samba/winbindd_privileg"..., 35) = 35
> lstat("/var/lib/samba/winbindd_privileged", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
> lstat("/var/lib/samba/winbindd_privileged/pipe", {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
> socket(PF_FILE, SOCK_STREAM, 0) = 10
> fcntl(10, F_GETFL) = 0x2 (flags O_RDWR)
> fcntl(10, F_SETFL, O_RDWR|O_NONBLOCK) = 0
> fcntl(10, F_GETFD) = 0
> fcntl(10, F_SETFD, FD_CLOEXEC) = 0
> connect(10, {sa_family=AF_FILE, path="/var/lib/samba/winbindd_privileged/pipe"}, 110) = 0
> close(4) = 0
> poll([{fd=10, events=POLLIN|POLLOUT|POLLHUP}], 1, -1) = 1 ([{fd=10, revents=POLLOUT}])
> write(10, "0\10\0\0\r\0\0\0\0\0\0\0\17\34\0\0\0\0\0\0\236\360\0\0\0\0\0\0\0\0\0\0"..., 2096) = 2096
> poll([{fd=10, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
> poll([{fd=10, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
> poll([{fd=10, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
> poll([{fd=10, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
> poll([{fd=10, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
> poll([{fd=10, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
> poll([{fd=10, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
> close(10)
> ---
>
> Regards
> Hans-Kristian
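A small auth.log triage script, added here as an example and not part of this thread or of Samba: it pulls the pam_winbind wbcLogonUser failures out of lines like the ones quoted above, joins each to the user name from the follow-up "internal module error" line, and separates winbindd connectivity failures (NT_STATUS_CONNECTION_DISCONNECTED here, despite a correct password) from genuine credential failures. The sample lines and the category table are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample, modelled on the auth.log excerpt in this thread (wrapped
# lines re-joined); the last line is a made-up wrong-password attempt for contrast.
SAMPLE_AUTH_LOG = """\
Jan 4 21:15:13 test sshd[1765]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_CONNECTION_DISCONNECTED, Error message was: NT_STATUS_CONNECTION_DISCONNECTED
Jan 4 21:15:13 test sshd[1765]: pam_winbind(sshd:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'hk')
Jan 4 21:15:15 test sshd[1765]: debug1: PAM: password authentication failed for hk: Authentication failure
Jan 4 21:20:01 test sshd[1802]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
"""

# One wbcLogonUser failure line: syslog prefix, PID, pam_winbind service tag, then
# the libwbclient error, the PAM error and the NTSTATUS that winbindd returned.
WBC_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<svc>\w+)\[(?P<pid>\d+)\]: "
    r"pam_winbind\((?P<pam>[^)]+)\): request wbcLogonUser failed: (?P<wbc>\w+), "
    r"PAM error: (?P<pam_err>\w+) \((?P<pam_code>\d+)\), NTSTATUS: (?P<nt>\w+)"
)
# The user name is only logged on the follow-up "internal module error" line.
USER_LINE = re.compile(
    r"\[(?P<pid>\d+)\]: pam_winbind\([^)]+\): internal module error .*user = '(?P<user>[^']+)'"
)

def classify(nt_status):
    # "winbindd could not complete the request" (this thread's case) vs "bad credentials".
    if nt_status in {"NT_STATUS_WRONG_PASSWORD", "NT_STATUS_LOGON_FAILURE"}:
        return "credential"
    if nt_status.startswith("NT_STATUS_CONNECTION_") or nt_status == "NT_STATUS_NO_LOGON_SERVERS":
        return "winbind-connectivity"
    return "other"

def parse_wbc_failures(log_text):
    """Return one dict per wbcLogonUser failure, joined by PID to the user name."""
    users = {}
    for line in log_text.splitlines():
        m = USER_LINE.search(line)
        if m:
            users[m.group("pid")] = m.group("user")
    records = []
    for line in log_text.splitlines():
        m = WBC_FAIL.match(line)
        if m:
            rec = m.groupdict()
            rec["user"] = users.get(rec["pid"])   # None if no follow-up line was logged
            rec["category"] = classify(rec["nt"])
            records.append(rec)
    return records

def count_by_category(records):
    """Summary suitable for a quick 'is this a winbindd problem or a user problem' check."""
    return dict(Counter(r["category"] for r in records))
```

Run it over a real /var/log/auth.log by reading the file into parse_wbc_failures; a run of winbind-connectivity records for users whose passwords are known good points at winbindd or its domain connection rather than at the accounts.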