[Samba] making pam_winbind to work

Michael Tokarev mjt at tls.msk.ru
Mon Feb 14 14:51:31 UTC 2022


14.02.2022 16:22, Michael Tokarev via samba wrote:
...
> Feb 14 16:07:23 tsrv sshd[179020]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.177.130  user=mjt
> Feb 14 16:07:23 tsrv sshd[179020]: pam_winbind(sshd:auth): getting password (0x00000388)
> Feb 14 16:07:23 tsrv sshd[179020]: pam_winbind(sshd:auth): pam_get_item returned a password
> Feb 14 16:07:23 tsrv sshd[179020]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_DOMAIN_NOT_FOUND, PAM error: PAM_AUTHINFO_UNAVAIL (9)!
> Feb 14 16:07:23 tsrv sshd[179020]: pam_winbind(sshd:auth): internal module error (retval = PAM_AUTHINFO_UNAVAIL(9), user = 'mjt')
> Feb 14 16:07:25 tsrv sshd[179020]: Failed password for mjt from 192.168.177.130 port 41252 ssh2
> Feb 14 16:07:27 tsrv sshd[179020]: Connection closed by authenticating user mjt 192.168.177.130 port 41252 [preauth]
> 

> [2022/02/14 16:07:23.278506,  0, pid=178279, effective(0, 0), real(0, 0), class=winbind] 
> ../../source3/winbindd/winbindd_cred_cache.c:819(store_memory_creds)
>    failed to mlock memory: Operation not permitted (1)
> [2022/02/14 16:07:23.278623, 10, pid=178279, effective(0, 0), real(0, 0), class=winbind] 
> ../../source3/winbindd/winbindd_pam_auth.c:160(winbindd_pam_auth_recv)
>    winbindd_add_memory_creds returned: NT_STATUS_ACCESS_DENIED
> [2022/02/14 16:07:23.278658, 10, pid=178279, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:801(process_request_done)
>    process_request_done: [nss_winbind(179020):PAM_AUTH]: NT_STATUS_ACCESS_DENIED

So, this was the issue.

After digging in the source. Sigh.

This is a container -- as said in the wiki, a single machine cannot be
both a file server and an AD DC, so I created a new machine, actually a
container, using systemd-nspawn.

As it turned out, by default systemd-nspawn does not enable the CAP_IPC_LOCK
capability. So e.g. the mlock() system call fails with ENOPERM.
After adding this capability to the fileserver container, it started
working.

And now, HOW can we map this ENOPERM into WBC_ERR_DOMAIN_NOT_FOUND?
This is just insane.

Thanks,

/mjt
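To pin down the failure described in this thread (winbindd's mlock() of its credential cache being refused inside a container that lacks CAP_IPC_LOCK, which winbindd reports as NT_STATUS_ACCESS_DENIED and pam_winbind then surfaces as WBC_ERR_DOMAIN_NOT_FOUND), here is a small diagnostic in C. It is an added example, not code from the list post or from Samba; it assumes a Linux /proc and that CAP_IPC_LOCK is capability bit 14.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

#define CAP_IPC_LOCK_BIT 14   /* CAP_IPC_LOCK in linux/capability.h */
/* Parse a CapEff value as printed in /proc/<pid>/status (hex, no 0x) and
 * return 1 if the capability bit is set, 0 if clear, -1 on bad input. */
int cap_in_mask(const char *hexmask, int bit) {
    char *end; errno = 0;
    unsigned long long mask = strtoull(hexmask, &end, 16);
    if (errno != 0 || end == hexmask || (*end != '\0' && *end != '\n'))
        return -1;
    return (int)((mask >> bit) & 1ULL);
}

/* Does the calling process (e.g. winbindd inside the container) hold
 * CAP_IPC_LOCK? Returns 1/0, or -1 if /proc/self/status is unreadable. */
int have_cap_ipc_lock(void) {
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    char line[256]; int res = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            res = cap_in_mask(line + 7 + strspn(line + 7, " \t"), CAP_IPC_LOCK_BIT);
            break;
        }
    }
    fclose(f);
    return res;
}

/* Try what store_memory_creds() does: lock a small buffer. Returns 0 on
 * success or the errno: EPERM when the caller lacks CAP_IPC_LOCK and its
 * RLIMIT_MEMLOCK soft limit is 0, ENOMEM when a non-zero limit is hit. */
int probe_mlock(void) {
    static char buf[4096];            /* mlock rounds addr down to a page */
    if (mlock(buf, sizeof buf) != 0) return errno;
    munlock(buf, sizeof buf);
    return 0;
}

int main(void) {
    int cap = have_cap_ipc_lock(), rc = probe_mlock();
    printf("CAP_IPC_LOCK in CapEff: %d\n", cap);
    printf("mlock(): %s\n", rc == 0 ? "ok" : strerror(rc));
    return rc == 0 ? 0 : 1;
}
```

Run it inside the file-server container under the same account winbindd uses; if CapEff lacks the bit or mlock() fails with EPERM, grant the capability to the container (for systemd-nspawn, `--capability=CAP_IPC_LOCK`) rather than chasing the misleading domain error.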
