[Samba] making pam_winbind to work
Michael Tokarev
mjt at tls.msk.ru
Mon Feb 14 14:51:31 UTC 2022
14.02.2022 16:22, Michael Tokarev via samba wrote:
...
> Feb 14 16:07:23 tsrv sshd[179020]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.177.130 user=mjt
> Feb 14 16:07:23 tsrv sshd[179020]: pam_winbind(sshd:auth): getting password (0x00000388)
> Feb 14 16:07:23 tsrv sshd[179020]: pam_winbind(sshd:auth): pam_get_item returned a password
> Feb 14 16:07:23 tsrv sshd[179020]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_DOMAIN_NOT_FOUND, PAM error: PAM_AUTHINFO_UNAVAIL (9)!
> Feb 14 16:07:23 tsrv sshd[179020]: pam_winbind(sshd:auth): internal module error (retval = PAM_AUTHINFO_UNAVAIL(9), user = 'mjt')
> Feb 14 16:07:25 tsrv sshd[179020]: Failed password for mjt from 192.168.177.130 port 41252 ssh2
> Feb 14 16:07:27 tsrv sshd[179020]: Connection closed by authenticating user mjt 192.168.177.130 port 41252 [preauth]
>
> [2022/02/14 16:07:23.278506, 0, pid=178279, effective(0, 0), real(0, 0), class=winbind]
> ../../source3/winbindd/winbindd_cred_cache.c:819(store_memory_creds)
> failed to mlock memory: Operation not permitted (1)
> [2022/02/14 16:07:23.278623, 10, pid=178279, effective(0, 0), real(0, 0), class=winbind]
> ../../source3/winbindd/winbindd_pam_auth.c:160(winbindd_pam_auth_recv)
> winbindd_add_memory_creds returned: NT_STATUS_ACCESS_DENIED
> [2022/02/14 16:07:23.278658, 10, pid=178279, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:801(process_request_done)
> process_request_done: [nss_winbind(179020):PAM_AUTH]: NT_STATUS_ACCESS_DENIED
So, this was the issue, after digging in the source. Sigh.
This is a container: as said in the wiki, a single machine cannot be
both a file server and an AD DC, so I created a new machine, actually a
container, using systemd-nspawn.
As it turned out, systemd-nspawn does not enable the CAP_IPC_LOCK
capability by default, so e.g. the mlock() system call fails with ENOPERM.
After adding this capability to the fileserver container, it started
working.
And now, HOW can we map this ENOPERM into WBC_ERR_DOMAIN_NOT_FOUND?
This is just insane.
Thanks,
/mjt
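The diagnosis above hinges on one capability bit, so here is a small script (an added example, not part of the original post nor of Samba or systemd) that checks whether CAP_IPC_LOCK is in a process's effective and bounding capability sets by decoding the CapEff/CapBnd lines of a /proc/<pid>/status file, and prints the systemd-nspawn settings that grant it. Capability number 14 for CAP_IPC_LOCK is from <linux/capability.h>; the embedded status excerpt is constructed for the demo, not captured from the reporter's container.

```shell
#!/bin/sh
# Check a /proc/<pid>/status file for CAP_IPC_LOCK, the capability winbindd
# needs for mlock() in store_memory_creds(). Added example, not Samba or
# systemd code.

CAP_IPC_LOCK=14   # capability number from <linux/capability.h>

# has_cap MASK_HEX CAPNUM -> true if bit CAPNUM is set in the hex mask
has_cap() {
    mask_hex=$1
    capnum=$2
    [ $(( (0x$mask_hex >> $capnum) & 1 )) -eq 1 ]
}

# cap_field NAME FILE -> print the hex mask of e.g. CapEff from a status file
cap_field() {
    awk -v name="$1:" '$1 == name { print $2; exit }' "$2"
}

# report_ipc_lock FILE -> one line per set; succeeds only if CAP_IPC_LOCK is
# in both the effective and the bounding set (what a root mlock() needs)
report_ipc_lock() {
    file=$1
    rc=0
    for set in CapEff CapBnd; do
        mask=$(cap_field "$set" "$file")
        if has_cap "$mask" "$CAP_IPC_LOCK"; then
            echo "$set=$mask: CAP_IPC_LOCK present"
        else
            echo "$set=$mask: CAP_IPC_LOCK missing, mlock() fails with EPERM"
            rc=1
        fi
    done
    return $rc
}

# print_nspawn_fix -> the two equivalent ways to grant the capability to an
# nspawn container (systemd.nspawn(5) Capability=, systemd-nspawn(1) --capability=)
print_nspawn_fix() {
    cat <<'EOF'
# /etc/systemd/nspawn/<container>.nspawn
[Exec]
Capability=CAP_IPC_LOCK

# or on the command line:
systemd-nspawn --capability=CAP_IPC_LOCK -D /var/lib/machines/<container>
EOF
}

# write_sample_status FILE -> constructed status excerpt of a process whose
# bounding set is the usual full mask with bit 14 cleared (nspawn default)
write_sample_status() {
    printf 'Name:\twinbindd\nCapInh:\t0000000000000000\n' > "$1"
    printf 'CapPrm:\t000001ffffffbfff\nCapEff:\t000001ffffffbfff\n' >> "$1"
    printf 'CapBnd:\t000001ffffffbfff\n' >> "$1"
}

main() {
    tmp=$(mktemp)
    write_sample_status "$tmp"
    echo "== constructed sample (nspawn default) =="
    report_ipc_lock "$tmp" || print_nspawn_fix
    rm -f "$tmp"
    if [ -r /proc/self/status ]; then
        echo "== this process =="
        report_ipc_lock /proc/self/status || true
    fi
}

main
```

Run it inside the container as root: if the CapBnd line reports the capability missing, winbindd cannot mlock() its credential cache no matter what winbindd itself does, and the `.nspawn` snippet is the fix; the same check run on the host shows the difference.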