[Samba] PAM Offline Authentication in Ubuntu 22.04
Rowland Penny
rpenny at samba.org
Fri Jun 30 14:31:05 UTC 2023
On 28/06/2023 17:52, Marco Gaiarin via samba wrote:
> Mandi! Rowland Penny via samba
> In chel di` si favelave...
>
>> I didn't try turning the last one off, but at least you are getting
>> somewhere :-)
>
> With very little steps... ;-)
>
>
>> When you say 'back to login screen', do you mean that you cannot just
>> click the screen, enter your password and close the screensaver ? From
>> what you posted, it sounds like you are taken right back to the initial
>> login screen.
>
> I've done some more tests; before, if I shut off the wireless, winbind stopped
> responding immediately.
>
> Now, it worked for some minutes, then stopped responding and seemed to behave
> as badly as in my first test (e.g. looooong delay for everything, machine
> totally unusable, ...).
>
> So it is still not a solution....
>
OK, there does seem to be something wrong with the 'ad' idmap backend.
I left a VM running overnight, with the network disconnected. This VM
was using the 'ad' idmap backend.
The following morning, the screensaver had kicked in, but I couldn't
unlock it as the domain user, the user seemed to be known, but the
password was reported as incorrect.
I logged the user out and logged in a local Unix user.
When I ran 'getent', I got this:
adminuser at ubugdm: $ getent passwd usertest3
usertest3:*:20002:20005::/home/usertest3:/bin/bash
Trying to su to the domain user, produced this:
adminuser at ubugdm: $ su - usertest3
Password:
su: Authentication failure
I found this when checking /var/log/auth.log:
Jun 29 10:45:57 ubugdm su: pam_unix(su-l:auth): authentication failure;
logname= uid=1000 euid=0 tty=/dev/pts/0 ruser=adminuser rhost=
user=usertest3
Jun 29 10:45:57 ubugdm su: pam_winbind(su-l:auth): getting password
(0x00000388)
Jun 29 10:45:57 ubugdm su: pam_winbind(su-l:auth): pam_get_item returned
a password
Jun 29 10:45:57 ubugdm su: pam_winbind(su-l:auth): request wbcLogonUser
failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS:
NT_STATUS_NO_SUCH_USER, Error message was: The specified account does
not exist.
Jun 29 10:45:59 ubugdm su: FAILED SU (to usertest3) adminuser on pts/0
So I reconnected the network and tried to su again:
adminuser at ubugdm: $ su - usertest3
Password:
usertest3 at ubugdm: $
Jun 29 11:03:56 ubugdm su: pam_unix(su-l:auth): authentication failure;
logname= uid=1000 euid=0 tty=/dev/pts/0 ruser=adminuser rhost=
user=usertest3
Jun 29 11:03:56 ubugdm su: pam_winbind(su-l:auth): getting password
(0x00000388)
Jun 29 11:03:56 ubugdm su: pam_winbind(su-l:auth): pam_get_item returned
a password
Jun 29 11:03:56 ubugdm su: pam_winbind(su-l:auth): user 'usertest3'
granted access
Jun 29 11:03:57 ubugdm su: (to usertest3) adminuser on pts/0
Jun 29 11:03:57 ubugdm su: pam_unix(su-l:session): session opened for
user usertest3(uid=20002) by (uid=1000)
So I exited as the domain user and disconnected the network again.
adminuser at ubugdm: $ su - usertest3
Password:
<long wait>
su: Authentication failure
Jun 29 11:07:16 ubugdm su: pam_unix(su-l:session): session closed for
user usertest3
Jun 29 11:08:03 ubugdm su: pam_unix(su-l:auth): authentication failure;
logname= uid=1000 euid=0 tty=/dev/pts/0 ruser=adminuser rhost=
user=usertest3
Jun 29 11:08:03 ubugdm su: pam_winbind(su-l:auth): getting password
(0x00000388)
Jun 29 11:08:03 ubugdm su: pam_winbind(su-l:auth): pam_get_item returned
a password
Jun 29 11:08:17 ubugdm su: pam_winbind(su-l:auth): request wbcLogonUser
failed: WBC_ERR_WINBIND_NOT_AVAILABLE, PAM error: PAM_AUTHINFO_UNAVAIL (9)!
Jun 29 11:08:17 ubugdm su: pam_winbind(su-l:auth): internal module error
(retval = PAM_AUTHINFO_UNAVAIL(9), user = 'usertest3')
Jun 29 11:08:19 ubugdm su: FAILED SU (to usertest3) adminuser on pts/0
I reconnected the network again, changed to the 'rid' backend, rebooted
and logged on as usertest3.
I then disconnected from the network and left the VM alone. This was at
11:32 on the 29th of June (yesterday).
When I checked at 12:22 it was locked by the screensaver, but I was
allowed to unlock the screensaver.
Checked at 15:06 today, locked by screensaver, but I could easily unlock it.
So, to put it in short terms: using the 'ad' idmap backend gives nothing
but problems when 'winbind offline logon' is used, but (for myself)
absolutely no problems if the 'rid' idmap backend is used.
Rowland
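The two failure signatures in the auth.log excerpts above (wbcLogonUser failing with NT_STATUS_NO_SUCH_USER straight away, versus WBC_ERR_WINBIND_NOT_AVAILABLE after a long wait) are easy to miss by eye in a busy log. The following script is an added example, not code from the post or from the Samba project: it groups pam_winbind lines into su attempts, classifies each outcome, and measures how long winbind took to answer, so an admin testing 'winbind offline logon' can see at a glance whether a failure was an instant "user unknown" or a hang. The sample log is constructed from the lines quoted in the post (syslog omits the year, so 2023 is assumed), and the 5-second hang threshold is an arbitrary choice.

```python
"""Classify pam_winbind su outcomes from syslog-style /var/log/auth.log lines."""
import re
from datetime import datetime

# Constructed sample: the three su attempts quoted in the post, with the
# mail-wrapped log lines joined back together. Year is assumed (see below).
SAMPLE_AUTH_LOG = """\
Jun 29 10:45:57 ubugdm su: pam_unix(su-l:auth): authentication failure; logname= uid=1000 euid=0 tty=/dev/pts/0 ruser=adminuser rhost= user=usertest3
Jun 29 10:45:57 ubugdm su: pam_winbind(su-l:auth): getting password (0x00000388)
Jun 29 10:45:57 ubugdm su: pam_winbind(su-l:auth): pam_get_item returned a password
Jun 29 10:45:57 ubugdm su: pam_winbind(su-l:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: The specified account does not exist.
Jun 29 10:45:59 ubugdm su: FAILED SU (to usertest3) adminuser on pts/0
Jun 29 11:03:56 ubugdm su: pam_winbind(su-l:auth): getting password (0x00000388)
Jun 29 11:03:56 ubugdm su: pam_winbind(su-l:auth): pam_get_item returned a password
Jun 29 11:03:56 ubugdm su: pam_winbind(su-l:auth): user 'usertest3' granted access
Jun 29 11:03:57 ubugdm su: (to usertest3) adminuser on pts/0
Jun 29 11:03:57 ubugdm su: pam_unix(su-l:session): session opened for user usertest3(uid=20002) by (uid=1000)
Jun 29 11:08:03 ubugdm su: pam_winbind(su-l:auth): getting password (0x00000388)
Jun 29 11:08:03 ubugdm su: pam_winbind(su-l:auth): pam_get_item returned a password
Jun 29 11:08:17 ubugdm su: pam_winbind(su-l:auth): request wbcLogonUser failed: WBC_ERR_WINBIND_NOT_AVAILABLE, PAM error: PAM_AUTHINFO_UNAVAIL (9)!
Jun 29 11:08:19 ubugdm su: FAILED SU (to usertest3) adminuser on pts/0
"""

# Traditional syslog layout: "Mon DD HH:MM:SS host prog: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$"
)
TO_USER_RE = re.compile(r"\(to (?P<user>\S+)\)")          # su's "(to NAME)" audit line
GRANTED_RE = re.compile(r"user '(?P<user>[^']+)' granted access")


def parse_ts(ts, year):
    """Syslog timestamps carry no year, so the caller supplies one (assumed)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def classify(msg):
    """Map a pam_winbind message to an outcome label, or None if it is not a verdict."""
    if "granted access" in msg:
        return "granted"
    if "wbcLogonUser failed" not in msg:
        return None
    if "WBC_ERR_WINBIND_NOT_AVAILABLE" in msg:
        return "winbind_unavailable"      # winbindd did not answer (the "long wait" case)
    if "PAM_USER_UNKNOWN" in msg or "NT_STATUS_NO_SUCH_USER" in msg:
        return "user_unknown"             # winbindd answered, but could not find the user
    return "auth_error"                   # e.g. genuinely wrong password


def analyse(log_text, year=2023, hang_threshold=5.0):
    """Return one dict per su attempt: start time, outcome, user, winbind delay, hang flag."""
    attempts, current = [], None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = parse_ts(m["ts"], year), m["msg"]
        if msg.startswith("pam_winbind(") and "getting password" in msg:
            # "getting password" opens a new attempt; the verdict line closes it.
            current = {"start": ts, "outcome": None, "user": None,
                       "delay_s": None, "hang": False}
            attempts.append(current)
            continue
        if current is None:
            continue
        if msg.startswith("pam_winbind("):
            outcome = classify(msg)
            if outcome:
                current["outcome"] = outcome
                current["delay_s"] = (ts - current["start"]).total_seconds()
                current["hang"] = current["delay_s"] >= hang_threshold
                g = GRANTED_RE.search(msg)
                if g:
                    current["user"] = g["user"]
        else:
            t = TO_USER_RE.search(msg)     # pick the target user up from su's own line
            if t and current["user"] is None:
                current["user"] = t["user"]
    return attempts


def summarise(attempts):
    """Count attempts per outcome label."""
    counts = {}
    for a in attempts:
        counts[a["outcome"]] = counts.get(a["outcome"], 0) + 1
    return counts


if __name__ == "__main__":
    for a in analyse(SAMPLE_AUTH_LOG):
        flag = " (HANG)" if a["hang"] else ""
        print(f"{a['start']:%H:%M:%S} {a['user']}: {a['outcome']} after {a['delay_s']:.0f}s{flag}")
    print(summarise(analyse(SAMPLE_AUTH_LOG)))
```

Run against a real auth.log, the "user_unknown with zero delay" pattern while the network is down is the one worth chasing in the idmap configuration, whereas "winbind_unavailable" with a double-digit delay points at winbindd itself blocking on the unreachable DC; either way the script only reads the log and changes nothing on the host.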