[Samba] Failed to establish your Kerberos Ticket cache due time differences with the domain controller

Roy Eastwood spindles7 at gmail.com
Tue Jul 24 09:32:32 UTC 2018



> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of L.P.H. van
> Belle via samba
> Sent: 24 July 2018 09:41
> To: samba at lists.samba.org
> Subject: Re: [Samba] Failed to establish your Kerberos Ticket cache due time
> differences with the domain controller
> 
> I did re-read the whole thread again.
> 
> I'm running out of options.
> 
> When I look at:
> https://wiki.samba.org/index.php/PAM_Offline_Authentication
> you can do these last checks.
> 
> Run: Testing offline authentication, as shown on the wiki.

I added "winbind offline login = yes" to the smb.conf file and restarted samba-ad-dc. But as winbind/winbindd is not started separately, I couldn't work out how to take winbind offline. "smbcontrol winbind offline" doesn't seem to do anything.

> 
> Debian normally does not have /etc/security/pam_winbind.conf; check if it's there,
> and if so, back it up and remove it.
> 

No it's not present.

> Check if these packages are installed.
> libpam-krb5
> libpam-winbind
> libnss-winbind
> 
dpkg-query -s reports these are not installed, but samba was compiled from sources and libnss_winbind.so.2 links are in place, as is also the link for pam.winbind.so:
root@pi-dc:~# ls -l /lib/arm-linux-gnueabihf/libnss_winbind*
lrwxrwxrwx 1 root root 44 Jul 21 00:26 /lib/arm-linux-gnueabihf/libnss_winbind.so -> /lib/arm-linux-gnueabihf/libnss_winbind.so.2
lrwxrwxrwx 1 root root 40 Jul 21 00:26 /lib/arm-linux-gnueabihf/libnss_winbind.so.2 -> /usr/local/samba/lib/libnss_winbind.so.2

root@pi-dc:~# ls -l /lib/arm-linux-gnueabihf/security/pam_winbind*
lrwxrwxrwx 1 root root 44 Jul 21 08:23 /lib/arm-linux-gnueabihf/security/pam_winbind.so -> /usr/local/samba/lib/security/pam_winbind.so

> Now edit :
> /usr/share/pam-configs/winbind
> 
> And change it to : (see debug debug_state)
> Auth:
>         [success=end default=ignore]    pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass debug debug_state
> Auth-Initial:
>         [success=end default=ignore]    pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login debug debug_state
> 
> 
> Run: pam-auth-update
> And log in again.
> 
> Let's see what you get from that debug output.
> 

OK, after making the changes to /usr/share/pam-configs/winbind, running pam-auth-update, and logging in as AD user roy, auth.log has this:
Jul 24 10:13:18 pi-dc sshd[865]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.240  user=roy
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] ENTER: pam_sm_authenticate (flags: 0x0001)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: ITEM(PAM_SERVICE) = "sshd" (0x10226f8)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: ITEM(PAM_USER) = "roy" (0x1021aa8)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: ITEM(PAM_TTY) = "ssh" (0x102c040)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: ITEM(PAM_RHOST) = "192.168.2.240" (0x102c028)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: ITEM(PAM_AUTHTOK) = 0x1021ab8
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: ITEM(PAM_CONV) = 0x102c068
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): getting password (0x00001389)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): pam_get_item returned a password
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): Verify user 'roy'
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): PAM config: krb5_ccache_type 'FILE'
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): enabling krb5 login flag
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): enabling cached login flag
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): enabling request for a FILE krb5 ccache
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): request wbcLogonUser succeeded
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): user 'roy' granted access
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): User roy: Clock skew when getting Krb5 TGT
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): Returned user was 'MICROLYNX\roy'
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: ITEM(PAM_SERVICE) = "sshd" (0x10226f8)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: ITEM(PAM_USER) = "MICROLYNX\roy" (0x1024808)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: ITEM(PAM_TTY) = "ssh" (0x102c040)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: ITEM(PAM_RHOST) = "192.168.2.240" (0x102c028)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: ITEM(PAM_AUTHTOK) = 0x1021ab8
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: ITEM(PAM_CONV) = 0x102c068
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: DATA(PAM_WINBIND_HOMEDIR) = "\\lion-x99\users\roy" (0x102e340)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: DATA(PAM_WINBIND_LOGONSERVER) = "PI-DC" (0x102e3a8)
Jul 24 10:13:18 pi-dc sshd[865]: Accepted password for roy from 192.168.2.240 port 59748 ssh2
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] ENTER: pam_sm_setcred (flags: 0x0002)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_SERVICE) = "sshd" (0x10226f8)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_USER) = "MICROLYNX\roy" (0x1024808)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_TTY) = "ssh" (0x102c040)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_RHOST) = "192.168.2.240" (0x102c028)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_CONV) = 0x101f128
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: DATA(PAM_WINBIND_HOMEDIR) = "\\lion-x99\users\roy" (0x102e340)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: DATA(PAM_WINBIND_LOGONSERVER) = "PI-DC" (0x102e3a8)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not implemented
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_SERVICE) = "sshd" (0x10226f8)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_USER) = "MICROLYNX\roy" (0x1024808)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_TTY) = "ssh" (0x102c040)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_RHOST) = "192.168.2.240" (0x102c028)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_CONV) = 0x101f128
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: DATA(PAM_WINBIND_HOMEDIR) = "\\lion-x99\users\roy" (0x102e340)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: DATA(PAM_WINBIND_LOGONSERVER) = "PI-DC" (0x102e3a8)
Jul 24 10:13:18 pi-dc sshd[865]: pam_unix(sshd:session): session opened for user MICROLYNX\roy by (uid=0)
Jul 24 10:13:19 pi-dc systemd-logind[293]: New session c8 of user MICROLYNX\roy.
Jul 24 10:13:19 pi-dc systemd: pam_unix(systemd-user:session): session opened for user MICROLYNX\roy by (uid=0)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] ENTER: pam_sm_setcred (flags: 0x0002)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_SERVICE) = "sshd" (0x10226f8)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_USER) = "MICROLYNX\roy" (0x1024808)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_TTY) = "ssh" (0x102c040)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_RHOST) = "192.168.2.240" (0x102c028)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_CONV) = 0x101f4d0
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: DATA(PAM_WINBIND_HOMEDIR) = "\\lion-x99\users\roy" (0x102e340)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: DATA(PAM_WINBIND_LOGONSERVER) = "PI-DC" (0x102e3a8)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not implemented
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_SERVICE) = "sshd" (0x10226f8)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_USER) = "MICROLYNX\roy" (0x1024808)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_TTY) = "ssh" (0x102c040)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_RHOST) = "192.168.2.240" (0x102c028)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_CONV) = 0x101f4d0
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: DATA(PAM_WINBIND_HOMEDIR) = "\\lion-x99\users\roy" (0x102e340)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: DATA(PAM_WINBIND_LOGONSERVER) = "PI-DC" (0x102e3a8)

HTH

Roy
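
Added example (not part of the original post and not Samba code): a small Python check over auth.log that flags logins where pam_winbind granted access but also logged "Clock skew when getting Krb5 TGT", the combination visible in the debug output above. The sample lines are constructed in the same format; the function name and the user "alice" are assumptions.

```python
import re

# Constructed sample in the auth.log format shown above; the second login
# (pid 901, user "alice") is invented to show a login with no skew warning.
SAMPLE_LOG = """\
Jul 24 10:13:18 pi-dc sshd[865]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.240  user=roy
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): request wbcLogonUser succeeded
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): user 'roy' granted access
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): User roy: Clock skew when getting Krb5 TGT
Jul 24 10:20:02 pi-dc sshd[901]: pam_winbind(sshd:auth): request wbcLogonUser succeeded
Jul 24 10:20:02 pi-dc sshd[901]: pam_winbind(sshd:auth): user 'alice' granted access
"""

# syslog prefix, then a pam_winbind message from the auth phase of any service
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s[\w.-]+\[(?P<pid>\d+)\]:\s"
    r"pam_winbind\([^)]*:auth\):\s(?P<msg>.*)$"
)
GRANTED_RE = re.compile(r"^user '(?P<user>[^']+)' granted access")
SKEW_RE = re.compile(r"^User (?P<user>\S+): Clock skew when getting Krb5 TGT")


def find_skewed_logins(log_text):
    """Return logins that pam_winbind granted although the TGT request
    failed with clock skew, matched per (host, pid) of the logging process."""
    granted, skewed = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a pam_winbind auth-phase line
        key = (m["host"], int(m["pid"]))
        g = GRANTED_RE.match(m["msg"])
        s = SKEW_RE.match(m["msg"])
        if g:
            granted[key] = g["user"]
        elif s:
            skewed[key] = (m["ts"], s["user"])
    return [
        {"host": host, "pid": pid, "user": user, "time": ts}
        for (host, pid), (ts, user) in skewed.items()
        if granted.get((host, pid)) == user
    ]


if __name__ == "__main__":
    for hit in find_skewed_logins(SAMPLE_LOG):
        print("{time} {host} pid {pid}: {user} logged in without a Kerberos TGT (clock skew)".format(**hit))
```
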
