[Samba] PAM Offline Authentication in Ubuntu 22.04

Rowland Penny rpenny at samba.org
Fri Jun 30 14:31:05 UTC 2023



On 28/06/2023 17:52, Marco Gaiarin via samba wrote:
> Greetings! Rowland Penny via samba
>    on that day was saying...
> 
>> I didn't try turning the last one off, but at least you are getting
>> somewhere :-)
> 
> With very little steps... ;-)
> 
> 
>> When you say 'back to login screen', do you mean that you cannot just
>> click the screen, enter your password and close the screensaver ? From
> what you posted, it sounds like you are taken right back to the initial
>> login screen.
> 
> I've done some more tests; before, if I shut off the wireless, winbind stopped
> responding immediately.
> 
> Now, it worked for some minutes, then stopped responding and seemed to behave badly,
> as in my first test (e.g., loooooong delay for everything, machine totally
> unusable, ...).
> 
> So still it is not a solution....
> 

OK, there does seem to be something wrong with the 'ad' idmap backend.

I left a VM running overnight, with the network disconnected. This VM 
was using the 'ad' idmap backend.

The following morning, the screensaver had kicked in, but I couldn't 
unlock it as the domain user, the user seemed to be known, but the 
password was reported as incorrect.

I logged the user out and logged in as a local Unix user.

When I ran 'getent', I got this:
adminuser@ubugdm: $ getent passwd usertest3
usertest3:*:20002:20005::/home/usertest3:/bin/bash

Trying to su to the domain user, produced this:
adminuser@ubugdm: $ su - usertest3
Password:
su: Authentication failure

I found this when checking /var/log/auth.log
Jun 29 10:45:57 ubugdm su: pam_unix(su-l:auth): authentication failure; 
logname= uid=1000 euid=0 tty=/dev/pts/0 ruser=adminuser rhost= 
user=usertest3
Jun 29 10:45:57 ubugdm su: pam_winbind(su-l:auth): getting password 
(0x00000388)
Jun 29 10:45:57 ubugdm su: pam_winbind(su-l:auth): pam_get_item returned 
a password
Jun 29 10:45:57 ubugdm su: pam_winbind(su-l:auth): request wbcLogonUser 
failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: 
NT_STATUS_NO_SUCH_USER, Error message was: The specified account does 
not exist.
Jun 29 10:45:59 ubugdm su: FAILED SU (to usertest3) adminuser on pts/0

So I reconnected the network and tried to su again:

adminuser@ubugdm: $ su - usertest3
Password:
usertest3@ubugdm: $

Jun 29 11:03:56 ubugdm su: pam_unix(su-l:auth): authentication failure; 
logname= uid=1000 euid=0 tty=/dev/pts/0 ruser=adminuser rhost= 
user=usertest3
Jun 29 11:03:56 ubugdm su: pam_winbind(su-l:auth): getting password 
(0x00000388)
Jun 29 11:03:56 ubugdm su: pam_winbind(su-l:auth): pam_get_item returned 
a password
Jun 29 11:03:56 ubugdm su: pam_winbind(su-l:auth): user 'usertest3' 
granted access
Jun 29 11:03:57 ubugdm su: (to usertest3) adminuser on pts/0
Jun 29 11:03:57 ubugdm su: pam_unix(su-l:session): session opened for 
user usertest3(uid=20002) by (uid=1000)

So I exited as the domain user and disconnected the network again.

adminuser@ubugdm: $ su - usertest3
Password:
<long wait>
su: Authentication failure

Jun 29 11:07:16 ubugdm su: pam_unix(su-l:session): session closed for 
user usertest3
Jun 29 11:08:03 ubugdm su: pam_unix(su-l:auth): authentication failure; 
logname= uid=1000 euid=0 tty=/dev/pts/0 ruser=adminuser rhost= 
user=usertest3
Jun 29 11:08:03 ubugdm su: pam_winbind(su-l:auth): getting password 
(0x00000388)
Jun 29 11:08:03 ubugdm su: pam_winbind(su-l:auth): pam_get_item returned 
a password
Jun 29 11:08:17 ubugdm su: pam_winbind(su-l:auth): request wbcLogonUser 
failed: WBC_ERR_WINBIND_NOT_AVAILABLE, PAM error: PAM_AUTHINFO_UNAVAIL (9)!
Jun 29 11:08:17 ubugdm su: pam_winbind(su-l:auth): internal module error 
(retval = PAM_AUTHINFO_UNAVAIL(9), user = 'usertest3')
Jun 29 11:08:19 ubugdm su: FAILED SU (to usertest3) adminuser on pts/0

Reconnected the network again, changed to the rid backend, rebooted and 
logged on as usertest3.

I then disconnected from the network and left the VM alone. This was at 
11:32 on the 29th of June (yesterday).

When I checked at 12:22 it was locked by the screensaver, but I was 
allowed to unlock the screensaver.

Checked at 15:06 today, locked by screensaver, but I could easily unlock it.

So, to put it in short terms, using the 'ad' idmap backend gives nothing 
but problems when 'winbind offline logon' is used, but (for myself) 
absolutely no problems if the 'rid' idmap backend is used.

Rowland
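The three su attempts above show the two distinct ways an offline pam_winbind logon can fail: winbind answering NT_STATUS_NO_SUCH_USER (the account is not recognised at all) versus WBC_ERR_WINBIND_NOT_AVAILABLE (pam_winbind could not reach winbind, after a long wait). Telling those apart quickly in /var/log/auth.log is the first step in diagnosing an offline-logon problem. The script below is an added example and is not part of Rowland's message or of Samba; it classifies pam_winbind auth outcomes from syslog-format lines. The sample log is constructed from the lines quoted in the message, re-joined onto single lines (the mailing-list copy wraps them), and the function and class names are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the three su attempts from the message, one log
# record per line (the e-mail wraps the long pam_winbind lines).
SAMPLE_LOG = """\
Jun 29 10:45:57 ubugdm su: pam_unix(su-l:auth): authentication failure; logname= uid=1000 euid=0 tty=/dev/pts/0 ruser=adminuser rhost=  user=usertest3
Jun 29 10:45:57 ubugdm su: pam_winbind(su-l:auth): getting password (0x00000388)
Jun 29 10:45:57 ubugdm su: pam_winbind(su-l:auth): pam_get_item returned a password
Jun 29 10:45:57 ubugdm su: pam_winbind(su-l:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: The specified account does not exist.
Jun 29 10:45:59 ubugdm su: FAILED SU (to usertest3) adminuser on pts/0
Jun 29 11:03:56 ubugdm su: pam_unix(su-l:auth): authentication failure; logname= uid=1000 euid=0 tty=/dev/pts/0 ruser=adminuser rhost=  user=usertest3
Jun 29 11:03:56 ubugdm su: pam_winbind(su-l:auth): getting password (0x00000388)
Jun 29 11:03:56 ubugdm su: pam_winbind(su-l:auth): pam_get_item returned a password
Jun 29 11:03:56 ubugdm su: pam_winbind(su-l:auth): user 'usertest3' granted access
Jun 29 11:03:57 ubugdm su: (to usertest3) adminuser on pts/0
Jun 29 11:03:57 ubugdm su: pam_unix(su-l:session): session opened for user usertest3(uid=20002) by (uid=1000)
Jun 29 11:07:16 ubugdm su: pam_unix(su-l:session): session closed for user usertest3
Jun 29 11:08:03 ubugdm su: pam_unix(su-l:auth): authentication failure; logname= uid=1000 euid=0 tty=/dev/pts/0 ruser=adminuser rhost=  user=usertest3
Jun 29 11:08:03 ubugdm su: pam_winbind(su-l:auth): getting password (0x00000388)
Jun 29 11:08:03 ubugdm su: pam_winbind(su-l:auth): pam_get_item returned a password
Jun 29 11:08:17 ubugdm su: pam_winbind(su-l:auth): request wbcLogonUser failed: WBC_ERR_WINBIND_NOT_AVAILABLE, PAM error: PAM_AUTHINFO_UNAVAIL (9)!
Jun 29 11:08:17 ubugdm su: pam_winbind(su-l:auth): internal module error (retval = PAM_AUTHINFO_UNAVAIL(9), user = 'usertest3')
Jun 29 11:08:19 ubugdm su: FAILED SU (to usertest3) adminuser on pts/0
"""

# Traditional syslog line emitted by pam_winbind: "<ts> <host> <prog>: pam_winbind(<svc:type>): <msg>"
WINBIND_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:]+): "
    r"pam_winbind\((?P<pamsvc>[^)]+)\): (?P<msg>.*)$"
)
# pam_unix runs first in the Ubuntu stack, so its failure line tells us which
# account the following pam_winbind lines belong to.
UNIX_AUTH_RE = re.compile(r"pam_unix\([^)]+\): authentication failure;.* user=(?P<user>\S+)")

# Order matters: the NO_SUCH_USER line also carries WBC_ERR_AUTH_ERROR, so the
# more specific NTSTATUS needle is checked before the generic one.
OUTCOMES = (
    ("granted access", "granted"),
    ("WBC_ERR_WINBIND_NOT_AVAILABLE", "winbind_unavailable"),
    ("NT_STATUS_NO_SUCH_USER", "no_such_user"),
    ("WBC_ERR_AUTH_ERROR", "auth_error"),
)

HINTS = {
    "granted": "winbind authenticated the user (online, or from the offline cache)",
    "winbind_unavailable": "pam_winbind could not talk to winbind at all; check that winbindd "
                           "is running and responsive (the long-wait failure in the thread)",
    "no_such_user": "winbind answered but did not recognise the account; with "
                    "'winbind offline logon' this means no usable cached entry was found",
    "auth_error": "winbind rejected the credentials",
}


@dataclass
class Attempt:
    ts: str
    user: str
    outcome: str
    message: str


def classify(log_text: str) -> list:
    """Return one Attempt per pam_winbind auth decision found in log_text."""
    attempts = []
    current_user = None
    for line in log_text.splitlines():
        m = UNIX_AUTH_RE.search(line)
        if m:
            current_user = m.group("user")
            continue
        m = WINBIND_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        named = re.search(r"user '([^']+)'", msg)
        if named:
            current_user = named.group(1)
        for needle, outcome in OUTCOMES:
            if needle in msg:
                attempts.append(Attempt(m.group("ts"), current_user, outcome, msg))
                break
    return attempts


def summarize(attempts: list) -> dict:
    """Count attempts per outcome, e.g. {'granted': 1, 'no_such_user': 1}."""
    return dict(Counter(a.outcome for a in attempts))


if __name__ == "__main__":
    for a in classify(SAMPLE_LOG):
        print(f"{a.ts}  {a.user:<12} {a.outcome:<20} {HINTS[a.outcome]}")
    print(summarize(classify(SAMPLE_LOG)))
```

Run it against a real /var/log/auth.log (`classify(open("/var/log/auth.log").read())`) after repeating Rowland's disconnect-and-su test: a run of `no_such_user` while offline points at the cached account lookup, whereas `winbind_unavailable` means winbindd itself stopped answering, which is the separate hang Marco describes.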



