[Samba] sudo issues after upgrading to samba/winbind 4.0.13 on Debian Wheezy

Georg Vorlaufer georg.vorlaufer at gmail.com
Tue Jan 7 15:14:17 MST 2014


Dear Hans-Kristian,

I have a problem which I believe is related to yours (
https://lists.samba.org/archive/samba/2014-January/177783.html)

Unfortunately I did not find a solution yet.

Regards,

Georg


2014/1/4 Hans-Kristian Bakke <hkbakke at gmail.com>

> Actually, when disabling gssapi for SSH login also fails for SSH. It
> is in other words a general issue when using winbind for logins and
> not kerberos tickets. I also did a completely clean netinstall of
> Debian jessie, just installing openssh-server, bash-completion, vim,
> less, winbind, libpam-winbind and libnss-winbind, adding the machine
> to the domain, updating the nsswitch.conf with ldconfig -v | grep
> winbind verified and adding mkhomedir to /usr/share/pam-config/ like
> usual. Changing nothing else!
>
> Output from /var/log/auth.log when trying to authenticate as the user "hk":
> ...
> Jan  4 21:15:13 test sshd[1765]: debug1: userauth-request for user hk
> service ssh-connection method password [preauth]
> Jan  4 21:15:13 test sshd[1765]: debug1: attempt 2 failures 1 [preauth]
> Jan  4 21:15:13 test sshd[1765]: debug2: input_userauth_request: try
> method password [preauth]
> Jan  4 21:15:13 test sshd[1765]: debug3: mm_auth_password entering
> [preauth]
> Jan  4 21:15:13 test sshd[1765]: debug3: mm_request_send entering:
> type 12 [preauth]
> Jan  4 21:15:13 test sshd[1765]: debug3: mm_auth_password: waiting for
> MONITOR_ANS_AUTHPASSWORD [preauth]
> Jan  4 21:15:13 test sshd[1765]: debug3: mm_request_receive_expect
> entering: type 13 [preauth]
> Jan  4 21:15:13 test sshd[1765]: debug3: mm_request_receive entering
> [preauth]
> Jan  4 21:15:13 test sshd[1765]: debug3: mm_request_receive entering
> Jan  4 21:15:13 test sshd[1765]: debug3: monitor_read: checking request 12
> Jan  4 21:15:13 test sshd[1765]: debug3: PAM: sshpam_passwd_conv
> called with 1 messages
> Jan  4 21:15:13 test sshd[1765]: pam_winbind(sshd:auth): getting
> password (0x00000388)
> Jan  4 21:15:13 test sshd[1765]: pam_winbind(sshd:auth): pam_get_item
> returned a password
> Jan  4 21:15:13 test sshd[1713]: debug1: server_input_channel_req:
> channel 0 request winadj at putty.projects.tartarus.org reply 1
> Jan  4 21:15:13 test sshd[1713]: debug1: session_by_channel: session 0
> channel 0
> Jan  4 21:15:13 test sshd[1713]: debug1: session_input_channel_req:
> session 0 req winadj at putty.projects.tartarus.org
> Jan  4 21:15:13 test sshd[1713]: debug2: channel 0: rcvd adjust 8740
> Jan  4 21:15:13 test sshd[1765]: pam_winbind(sshd:auth): request
> wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS:
> NT_STATUS_CONNECTION_DISCONNECTED, Error message was:
> NT_STATUS_CONNECTION_DISCONNECTED
> Jan  4 21:15:13 test sshd[1765]: pam_winbind(sshd:auth): internal
> module error (retval = PAM_SYSTEM_ERR(4), user = 'hk')
> Jan  4 21:15:15 test sshd[1765]: debug1: PAM: password authentication
> failed for hk: Authentication failure
> ...
>
> My smb.conf (remember samba is not used or installed, but it makes no
> difference with samba installed):
> [global]
>     server string = %h server
>     dns proxy = no
>     log file = /var/log/samba/log.%m
>     max log size = 1000
>     syslog = 0
>     panic action = /usr/share/samba/panic-action %d
>     encrypt passwords = true
>     passdb backend = tdbsam
>     obey pam restrictions = yes
>     unix password sync = yes
>     passwd program = /usr/bin/passwd %u
>     passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>     pam password change = yes
>     map to guest = bad user
>     usershare allow guests = yes
>     disable netbios = yes
>
>     # Active directory integration
>     workgroup = PROIKT
>     server role = member server
>     security = ads
>     realm = ad.proikt.com
>     client ldap sasl wrapping = seal
>     kerberos method = secrets and keytab
>     winbind cache time = 300
>     winbind enum users = yes
>     winbind enum groups = yes
>     winbind expand groups = 5
>     winbind use default domain = yes
>     winbind refresh tickets = yes
>     winbind offline logon = yes
>     template shell = /bin/bash
>     template homedir = /home/%U@%D
>     idmap config * : backend = tdb
>     idmap config * : range = 100000-299999
>     idmap config PROIKT : backend  = rid
>     idmap config PROIKT : range = 300000-499999
> ---
>
> This exact configuration worked perfectly on 3.6.X, but does not work on
> 4.0.13 (wheezy-backports on wheezy) or 4.1.3 (jessie). sudo and
> non-GSSAPI SSH logins are currently not working.
>
> Any ideas?
>
> I do enforce LDAPS with valid certificates on my domain controllers
> (clean Server 2012 and Server 2012 R2). DNS seems to be working
> perfectly, although I did see some seemingly unrelated IPv6
> DNS lookups from the same host in my tcpdumps, but I have no
> indication if that is related to this issue as I do not use IPv6 in my
> network (although it is enabled by default in Debian).
>
> Regards,
> Hans-Kristian
>
>
> On 4 January 2014 04:24, Hans-Kristian Bakke <hkbakke at gmail.com> wrote:
> > Hi
> >
> > I have upgraded from samba 3.6.19 to samba 4.0.13 on Debian Wheezy
> > 64-bit with Samba 4.0.13 from wheezy-backports. I use winbind to
> > authenticate against a two-server AD domain on Server 2012 functional
> > level and forced LDAPS.
> >
> > After upgrading from 3.6.19 to 4.0.13 everything still works for me as
> > usual. That is samba shares authentication, all things relying on the
> > keytab, SSO logins with SSH using GSSAPI and so on. But strangely sudo
> > for winbind users does not work anymore. The sudo package was not
> > updated, but I installed a newer version just to check (1.8.8) with no
> > success.
> >
> > wbinfo, getent, id, groups and su - work perfectly with all users and
> > group memberships listed.
> >
> > When trying sudo in any form, like sudo -i, I get the password
> > question, but after inputting the password sudo just hangs, not
> > responding to anything and sometimes timing out; other times I kill
> > it from another root session.
> >
> > It is like this on all my Wheezy servers after upgrading to 4.0.13
> > (and installing libpam-winbind and libnss-winbind). I have not messed
> > with the sudo configuration or pam.d configuration on any of the
> > servers, other than adding the user to sudoers (adduser xxx sudo).
> > Local users work perfectly with sudo. Wheezy servers that I have not
> > upgraded to 4.0.13 are working correctly and the pam.d configs seem
> > identical.
> >
> > I have purged everything related to samba/winbind and reinstalled,
> > including leaving and joining the domain with no success for sudo.
> >
> > I have straced the issue and it seems to be looping trying to pull
> > data from /var/lib/samba/winbindd_privileged/pipe.
> >
> > The strace had to be started via pid after initiating sudo -i and
> > waiting for input, as I got some setuid error trying to run the command
> > itself with strace.
> >
> > ---
> > lstat("/var/run/samba/winbindd", {st_mode=S_IFDIR|0755, st_size=60,
> ...}) = 0
> > lstat("/var/run/samba/winbindd/pipe", {st_mode=S_IFSOCK|0777,
> > st_size=0, ...}) = 0
> > socket(PF_FILE, SOCK_STREAM, 0)         = 4
> > fcntl(4, F_GETFL)                       = 0x2 (flags O_RDWR)
> > fcntl(4, F_SETFL, O_RDWR|O_NONBLOCK)    = 0
> > fcntl(4, F_GETFD)                       = 0
> > fcntl(4, F_SETFD, FD_CLOEXEC)           = 0
> > connect(4, {sa_family=AF_FILE, path="/var/run/samba/winbindd/pipe"},
> 110) = 0
> > poll([{fd=4, events=POLLIN|POLLOUT|POLLHUP}], 1, -1) = 1 ([{fd=4,
> > revents=POLLOUT}])
> > write(4,
> "0\10\0\0\0\0\0\0\0\0\0\0\17\34\0\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0"...,
> > 2096) = 2096
> > poll([{fd=4, events=POLLIN|POLLHUP}], 1, 5000) = 1 ([{fd=4,
> revents=POLLIN}])
> > read(4,
> "\250\r\0\0\2\0\0\0\33\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"...,
> > 3496) = 3496
> > poll([{fd=4, events=POLLIN|POLLOUT|POLLHUP}], 1, -1) = 1 ([{fd=4,
> > revents=POLLOUT}])
> > write(4,
> "0\10\0\0/\0\0\0\0\0\0\0\17\34\0\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0"...,
> > 2096) = 2096
> > poll([{fd=4, events=POLLIN|POLLHUP}], 1, 5000) = 1 ([{fd=4,
> revents=POLLIN}])
> > read(4,
> "\313\r\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"...,
> > 3496) = 3496
> > poll([{fd=4, events=POLLIN|POLLHUP}], 1, 5000) = 1 ([{fd=4,
> revents=POLLIN}])
> > read(4, "/var/lib/samba/winbindd_privileg"..., 35) = 35
> > lstat("/var/lib/samba/winbindd_privileged", {st_mode=S_IFDIR|0750,
> > st_size=4096, ...}) = 0
> > lstat("/var/lib/samba/winbindd_privileged/pipe",
> > {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
> > socket(PF_FILE, SOCK_STREAM, 0)         = 10
> > fcntl(10, F_GETFL)                      = 0x2 (flags O_RDWR)
> > fcntl(10, F_SETFL, O_RDWR|O_NONBLOCK)   = 0
> > fcntl(10, F_GETFD)                      = 0
> > fcntl(10, F_SETFD, FD_CLOEXEC)          = 0
> > connect(10, {sa_family=AF_FILE,
> > path="/var/lib/samba/winbindd_privileged/pipe"}, 110) = 0
> > close(4)                                = 0
> > poll([{fd=10, events=POLLIN|POLLOUT|POLLHUP}], 1, -1) = 1 ([{fd=10,
> > revents=POLLOUT}])
> > write(10,
> "0\10\0\0\r\0\0\0\0\0\0\0\17\34\0\0\0\0\0\0\236\360\0\0\0\0\0\0\0\0\0\0"...,
> > 2096) = 2096
> > poll([{fd=10, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
> > poll([{fd=10, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
> > poll([{fd=10, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
> > poll([{fd=10, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
> > poll([{fd=10, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
> > poll([{fd=10, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
> > poll([{fd=10, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
> > close(10)
> > ---
> >
> > Regards
> > Hans-Kristian
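As an added example (not code from this thread or from the Samba project), here is a small Python diagnostic for the two kinds of evidence quoted above: it walks strace output of the shape captured in the post to find the socket on which poll() keeps timing out, and it pulls the pam_winbind failure details (request, PAM error, NTSTATUS, user) out of auth.log lines. The strace and log samples embedded in the block are constructed to mirror the post's pattern, not real captures; the consecutive-timeout threshold and the output field names are my own choices.

```python
"""Diagnose a hanging winbindd client from strace and auth.log (added example)."""
import re
from typing import Dict, List

# Constructed strace excerpt modelled on the post: the public pipe answers and
# hands back the privileged pipe path, then every poll() on the privileged
# socket times out. Not a real capture.
SAMPLE_STRACE = r"""connect(4, {sa_family=AF_FILE, path="/var/run/samba/winbindd/pipe"}, 110) = 0
poll([{fd=4, events=POLLIN|POLLOUT|POLLHUP}], 1, -1) = 1 ([{fd=4, revents=POLLOUT}])
write(4, "0\10\0\0\0\0\0\0"..., 2096) = 2096
poll([{fd=4, events=POLLIN|POLLHUP}], 1, 5000) = 1 ([{fd=4, revents=POLLIN}])
read(4, "/var/lib/samba/winbindd_privileg"..., 35) = 35
connect(10, {sa_family=AF_FILE, path="/var/lib/samba/winbindd_privileged/pipe"}, 110) = 0
close(4)                                = 0
write(10, "0\10\0\0\r\0\0\0"..., 2096) = 2096
poll([{fd=10, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
poll([{fd=10, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
poll([{fd=10, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
close(10)
"""

# Constructed auth.log lines modelled on the post (the wrapped pam_winbind
# line is written here as one syslog line).
SAMPLE_AUTH_LOG = """\
Jan  4 21:15:13 test sshd[1765]: pam_winbind(sshd:auth): getting password (0x00000388)
Jan  4 21:15:13 test sshd[1765]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_CONNECTION_DISCONNECTED, Error message was: NT_STATUS_CONNECTION_DISCONNECTED
Jan  4 21:15:13 test sshd[1765]: pam_winbind(sshd:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'hk')
Jan  4 21:15:15 test sshd[1765]: debug1: PAM: password authentication failed for hk: Authentication failure
"""

_CONNECT_RE = re.compile(
    r'^connect\((\d+), \{sa_family=AF_(?:FILE|UNIX), path="([^"]+)"\}, \d+\) = (-?\d+)')
# groups: fd, nfds, timeout (ms, -1 = infinite), return value (0 = timeout)
_POLL_RE = re.compile(r'^poll\(\[\{fd=(\d+), [^\]]*\], (\d+), (-?\d+)\) = (\d+)')
_CLOSE_RE = re.compile(r'^close\((\d+)\)')


def find_hung_sockets(trace: str, min_timeouts: int = 2) -> List[Dict]:
    """Return the sockets on which poll() timed out `min_timeouts` or more
    times in a row, with the path learned from connect() and total ms waited."""
    path_by_fd: Dict[str, str] = {}
    streak: Dict[str, int] = {}
    waited: Dict[str, int] = {}
    hung: List[Dict] = []

    def flush(fd: str) -> None:
        if streak.get(fd, 0) >= min_timeouts:
            hung.append({"fd": int(fd), "path": path_by_fd.get(fd, "?"),
                         "timeouts": streak[fd], "waited_ms": waited[fd]})
        streak.pop(fd, None)
        waited.pop(fd, None)

    for line in trace.splitlines():
        m = _CONNECT_RE.match(line)
        if m and m.group(3) == "0":          # only successful connects map an fd
            path_by_fd[m.group(1)] = m.group(2)
            continue
        m = _POLL_RE.match(line)
        if m:
            fd, timeout_ms, ready = m.group(1), int(m.group(3)), int(m.group(4))
            if ready == 0:                   # "= 0 (Timeout)": nothing became readable
                streak[fd] = streak.get(fd, 0) + 1
                waited[fd] = waited.get(fd, 0) + timeout_ms
            else:                            # the peer answered; reset the streak
                streak.pop(fd, None)
                waited.pop(fd, None)
            continue
        m = _CLOSE_RE.match(line)
        if m:
            flush(m.group(1))
            path_by_fd.pop(m.group(1), None)
    for fd in list(streak):                  # sockets still open at end of trace
        flush(fd)
    return hung


_FAIL_RE = re.compile(
    r'(\w+)\[(\d+)\]: pam_winbind\(([^)]+)\): request (\w+) failed: (\w+), '
    r'PAM error: (\w+) \((\d+)\), NTSTATUS: (\w+)')
_USER_RE = re.compile(
    r"\[(\d+)\]: pam_winbind\([^)]+\): internal module error .*user = '([^']+)'")


def parse_pam_winbind_failures(log: str) -> List[Dict]:
    """Extract pam_winbind logon failures, pairing the NTSTATUS line with the
    follow-up 'internal module error' line of the same pid to recover the user."""
    failures: Dict[str, Dict] = {}
    for line in log.splitlines():
        m = _FAIL_RE.search(line)
        if m:
            failures[m.group(2)] = {
                "pid": int(m.group(2)), "service": m.group(3), "request": m.group(4),
                "wbc_error": m.group(5), "pam_error": m.group(6),
                "ntstatus": m.group(8), "user": None}
            continue
        m = _USER_RE.search(line)
        if m and m.group(1) in failures:
            failures[m.group(1)]["user"] = m.group(2)
    return list(failures.values())


if __name__ == "__main__":
    for s in find_hung_sockets(SAMPLE_STRACE):
        print(f"fd {s['fd']} ({s['path']}): {s['timeouts']} poll timeouts, "
              f"{s['waited_ms']} ms without a reply")
    for f in parse_pam_winbind_failures(SAMPLE_AUTH_LOG):
        print(f"{f['service']} pid {f['pid']} user {f['user']}: "
              f"{f['request']} -> {f['pam_error']} / {f['ntstatus']}")
```

On the post's own trace the first function reports only the privileged pipe, since the public pipe answered its poll() before handing back the privileged path; that is the split the checker is meant to make visible. As the post notes, sudo itself cannot be traced directly because of setuid, so feed the checker the output of attaching to the already-running pid.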

