[Samba] sudo issues after upgrading to samba/winbind 4.0.13 on Debian Wheezy
Hans-Kristian Bakke
hkbakke at gmail.com
Wed Jan 15 13:34:12 MST 2014
After doing some experiments I finally found the issue for this
winbind pam authentication hang on Samba4 Debian Wheezy (with samba
4.0.13 from backports) and Jessie.
1. Edit /etc/pam.d/common-auth
2. Remove "krb5_auth" from the pam_winbind.so line so it reads:
"auth [success=1 default=ignore] pam_winbind.so
krb5_ccache_type=FILE cached_login try_first_pass"
3. Run pam-auth-update
I thought maybe kerberos would break when removing krb5_auth, but SSH
with or without SSO (GSSAPI) works perfectly, and the same with sudo.
Now the question is: why do adding krb5_auth to pam_winbind.so break
non-kerberos authentication? Is this a Debian bug? Should it be
removed from common-auth in Samba4?
Regards,
Hans-Kristian
On 7 January 2014 23:14, Georg Vorlaufer <georg.vorlaufer at gmail.com> wrote:
> Dear Hans-Kristian,
>
> I have a problem which I believe is related to yours
> (https://lists.samba.org/archive/samba/2014-January/177783.html)
>
> Unfortunately did not find a solution yet.
>
> Regards,
>
> Georg
>
>
> 2014/1/4 Hans-Kristian Bakke <hkbakke at gmail.com>
>>
>> Actullay, when disabling gssapi for SSH login also fails for SSH. It
>> is in other words a general issue when using winbind for logins and
>> not kerberos tickets. I also did a completely clean netinstall of
>> Debian jessie, just installing openssh-server, bash-completion, vim,
>> less, winbind, libpam-winbind and libnss-winbind, adding the machine
>> to the domain, updating the nsswitch.conf with ldconfig -v | grep
>> winbind verified and adding mkhomedir to /usr/share/pam-config/ like
>> usual. Changing nothing else!
>>
>> Output from /var/log/auth.log when trying to authenticate as the user
>> "hk":
>> ...
>> Jan 4 21:15:13 test sshd[1765]: debug1: userauth-request for user hk
>> service ssh-connection method password [preauth]
>> Jan 4 21:15:13 test sshd[1765]: debug1: attempt 2 failures 1 [preauth]
>> Jan 4 21:15:13 test sshd[1765]: debug2: input_userauth_request: try
>> method password [preauth]
>> Jan 4 21:15:13 test sshd[1765]: debug3: mm_auth_password entering
>> [preauth]
>> Jan 4 21:15:13 test sshd[1765]: debug3: mm_request_send entering:
>> type 12 [preauth]
>> Jan 4 21:15:13 test sshd[1765]: debug3: mm_auth_password: waiting for
>> MONITOR_ANS_AUTHPASSWORD [preauth]
>> Jan 4 21:15:13 test sshd[1765]: debug3: mm_request_receive_expect
>> entering: type 13 [preauth]
>> Jan 4 21:15:13 test sshd[1765]: debug3: mm_request_receive entering
>> [preauth]
>> Jan 4 21:15:13 test sshd[1765]: debug3: mm_request_receive entering
>> Jan 4 21:15:13 test sshd[1765]: debug3: monitor_read: checking request 12
>> Jan 4 21:15:13 test sshd[1765]: debug3: PAM: sshpam_passwd_conv
>> called with 1 messages
>> Jan 4 21:15:13 test sshd[1765]: pam_winbind(sshd:auth): getting
>> password (0x00000388)
>> Jan 4 21:15:13 test sshd[1765]: pam_winbind(sshd:auth): pam_get_item
>> returned a password
>> Jan 4 21:15:13 test sshd[1713]: debug1: server_input_channel_req:
>> channel 0 request winadj at putty.projects.tartarus.org reply 1
>> Jan 4 21:15:13 test sshd[1713]: debug1: session_by_channel: session 0
>> channel 0
>> Jan 4 21:15:13 test sshd[1713]: debug1: session_input_channel_req:
>> session 0 req winadj at putty.projects.tartarus.org
>> Jan 4 21:15:13 test sshd[1713]: debug2: channel 0: rcvd adjust 8740
>> Jan 4 21:15:13 test sshd[1765]: pam_winbind(sshd:auth): request
>> wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ER
>>
>>
>> R (4), NTSTATUS:
>> NT_STATUS_CONNECTION_DISCONNECTED, Error message was:
>> NT_STATUS_CONNECTION_DISCONNECTED
>> Jan 4 21:15:13 test sshd[1765]: pam_winbind(sshd:auth): internal
>> module error (retval = PAM_SYSTEM_ERR(4), user = 'hk')
>> Jan 4 21:15:15 test sshd[1765]: debug1: PAM: password authentication
>> failed for hk: Authentication failure
>> ...
>>
>> My smb.conf (remember samba is not used or installed, but it makes no
>> difference with samba installed):
>> [global]
>> server string = %h server
>> dns proxy = no
>> log file = /var/log/samba/log.%m
>> max log size = 1000
>> syslog = 0
>> panic action = /usr/share/samba/panic-action %d
>> encrypt passwords = true
>> passdb backend = tdbsam
>> obey pam restrictions = yes
>> unix password sync = yes
>> passwd program = /usr/bin/passwd %u
>> passwd chat = *Enter\snew\s*\spassword:* %n\n
>> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>> pam password change = yes
>> map to guest = bad user
>> usershare allow guests = yes
>> disable netbios = yes
>>
>> # Active directory integration
>> workgroup = PROIKT
>> server role = member server
>> security = ads
>> realm = ad.proikt.com
>> client ldap sasl wrapping = seal
>> kerberos method = secrets and keytab
>> winbind cache time = 300
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind expand groups = 5
>> winbind use default domain = yes
>> winbind refresh tickets = yes
>> winbind offline logon = yes
>> template shell = /bin/bash
>> template homedir = /home/%U@%D
>> idmap config * : backend = tdb
>> idmap config * : range = 100000-299999
>> idmap config PROIKT : backend = rid
>> idmap config PROIKT : range = 300000-499999
>> ---
>>
>> This exact configuration worked perfectly on 3.6.X, but do not work on
>> 4.0.13 (wheezy-backports on wheezy) or 4.1.3 (jessie). sudo and
>> non-GSSAPI SSH logins are currently not working.
>>
>> Any ideas?
>>
>> I do enforce LDAPS with valid certificates on my domain controllers
>> (clean Server 2012 and Server 2012 R2). DNS seems to be working
>> perfectly, allthough I did see some seemingly unrelated ipv6
>> DNS-lookups from the same host in my tcpdumps, but I have no
>> indication if that is related to this issue as I do not use IPv6 in my
>> network (although it is enabled by default in Debian)
>>
>> Regards,
>> Hans-Kristian
>>
>>
>> On 4 January 2014 04:24, Hans-Kristian Bakke <hkbakke at gmail.com> wrote:
>> > Hi
>> >
>> > I have upgraded from samba 3.6.19 to samba 4.0.13 on Debian Wheezy
>> > 64-bit with Samba 4.0.13 from wheezy-backports. I use winbind to
>> > authenticate against a two-server AD domain on Server 2012 functional
>> > level and forced LDAPS.
>> >
>> > After upgrading from 3.6.19 to 4.0.13 everything still works for me as
>> > usual. That is samba shares authentication, all things relying on the
>> > keytab, SSO logins with SSH using GSSAPI and so on. But strangely sudo
>> > for winbind users do not work anymore. The sudo package was not
>> > updated, but i installed a newer version just to check (1.8.8) but no
>> > success.
>> >
>> > wbinfo, getent, id, groups and su - work perfectly with all users and
>> > group memberships listed.
>> >
>> > When trying sudo in any form, like sudo -i, I get the password
>> > question, but after inputting the password sudo just hangs, not
>> > responding to anything and somethimes timing out, other times I kill
>> > it from another root session.
>> >
>> > It is like this on all my Wheezy servers after upgrading to 4.0.13
>> > (and installing libpam-winbind and libnss-winbind). I have not messed
>> > with the sudo configuration or pam.d configuration on any of the
>> > servers, other than adding the user to sudoers (adduser xxx sudo).
>> > Local users works perfectly with sudo. Wheezy servers that I have not
>> > upgraded to 4.0.13 is working correctly and the pam.d configs seem
>> > identical.
>> >
>> > I have purged everything related to samba/winbind and reinstalled,
>> > including leaving and joining the domain with no success for sudo.
>> >
>> > I have straced the issue and it seems to be looping trying to pull
>> > data from /var/lib/samba/winbindd_privileged/pipe.
>> >
>> > The strace had to be started via pid after initiating sudo -i and
>> > waiting for input as I got som setuid error trying to run the command
>> > it self with strace.
>> >
>> > ---
>> > lstat("/var/run/samba/winbindd", {st_mode=S_IFDIR|0755, st_size=60,
>> > ...}) = 0
>> > lstat("/var/run/samba/winbindd/pipe", {st_mode=S_IFSOCK|0777,
>> > st_size=0, ...}) = 0
>> > socket(PF_FILE, SOCK_STREAM, 0) = 4
>> > fcntl(4, F_GETFL) = 0x2 (flags O_RDWR)
>> > fcntl(4, F_SETFL, O_RDWR|O_NONBLOCK) = 0
>> > fcntl(4, F_GETFD) = 0
>> > fcntl(4, F_SETFD, FD_CLOEXEC) = 0
>> > connect(4, {sa_family=AF_FILE, path="/var/run/samba/winbindd/pipe"},
>> > 110) = 0
>> > poll([{fd=4, events=POLLIN|POLLOUT|POLLHUP}], 1, -1) = 1 ([{fd=4,
>> > revents=POLLOUT}])
>> > write(4,
>> > "0\10\0\0\0\0\0\0\0\0\0\0\17\34\0\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0"...,
>> > 2096) = 2096
>> > poll([{fd=4, events=POLLIN|POLLHUP}], 1, 5000) = 1 ([{fd=4,
>> > revents=POLLIN}])
>> > read(4,
>> > "\250\r\0\0\2\0\0\0\33\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"...,
>> > 3496) = 3496
>> > poll([{fd=4, events=POLLIN|POLLOUT|POLLHUP}], 1, -1) = 1 ([{fd=4,
>> > revents=POLLOUT}])
>> > write(4,
>> > "0\10\0\0/\0\0\0\0\0\0\0\17\34\0\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0"...,
>> > 2096) = 2096
>> > poll([{fd=4, events=POLLIN|POLLHUP}], 1, 5000) = 1 ([{fd=4,
>> > revents=POLLIN}])
>> > read(4,
>> > "\313\r\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"...,
>> > 3496) = 3496
>> > poll([{fd=4, events=POLLIN|POLLHUP}], 1, 5000) = 1 ([{fd=4,
>> > revents=POLLIN}])
>> > read(4, "/var/lib/samba/winbindd_privileg"..., 35) = 35
>> > lstat("/var/lib/samba/winbindd_privileged", {st_mode=S_IFDIR|0750,
>> > st_size=4096, ...}) = 0
>> > lstat("/var/lib/samba/winbindd_privileged/pipe",
>> > {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
>> > socket(PF_FILE, SOCK_STREAM, 0) = 10
>> > fcntl(10, F_GETFL) = 0x2 (flags O_RDWR)
>> > fcntl(10, F_SETFL, O_RDWR|O_NONBLOCK) = 0
>> > fcntl(10, F_GETFD) = 0
>> > fcntl(10, F_SETFD, FD_CLOEXEC) = 0
>> > connect(10, {sa_family=AF_FILE,
>> > path="/var/lib/samba/winbindd_privileged/pipe"}, 110) = 0
>> > close(4) = 0
>> > poll([{fd=10, events=POLLIN|POLLOUT|POLLHUP}], 1, -1) = 1 ([{fd=10,
>> > revents=POLLOUT}])
>> > write(10,
>> > "0\10\0\0\r\0\0\0\0\0\0\0\17\34\0\0\0\0\0\0\236\360\0\0\0\0\0\0\0\0\0\0"...,
>> > 2096) = 2096
>> > poll([{fd=10, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
>> > poll([{fd=10, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
>> > poll([{fd=10, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
>> > poll([{fd=10, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
>> > poll([{fd=10, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
>> > poll([{fd=10, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
>> > poll([{fd=10, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
>> > close(10)
>> > ---
>> >
>> > Regards
>> > Hans-Kristian
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>
>
More information about the samba
mailing list