[Samba] intermittent pam_winbind authentication failure
Rowland Penny
rpenny at samba.org
Sun Jun 15 09:36:22 UTC 2025
On Wed, 11 Jun 2025 14:53:01 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Wed, 11 Jun 2025 14:22:54 +0100
> Rowland Penny via samba <samba at lists.samba.org> wrote:
>
>
> > > We didn't (obviously) have a need for BUILTIN for just winbind,
> > > there are no shares or printing etc. We felt that the
> > > idmap_autorid was more suitable for our environment as it does not
> > > require a database which needs to be managed. The ranges are
> > > large to reduce the chances of a collision in the autorid scheme.
> >
> > Yes, I can understand using 'autorid', just not with 'rid' at the
> > same time. I have never set up Samba in the way you have, but I
> > presume that 'rid' is mapping your 'DOMAIN' users and I have no
> > idea if 'autorid' is doing anything because you have stopped it
> > from mapping the BUILTIN domain and, yes, you do need the BUILTIN
> > domain.
>
> I should have read the code (sometimes it is better than the
> documentation) and I would have found that 'ignore builtin' was added
> in 2012 and it doesn't do what it sounds like it does. 'autorid'
> always ignores BUILTIN and passes it to passdb to be handled, unless
> passdb does not know about a SID, in which case, 'autorid' creates a
> range for BUILTIN and maps it; 'ignore builtin' turns off this fallback
> behaviour. This means (as far as I understand it) that your
> BUILTIN users & groups are being handled by 'autorid' except for any
> BUILTIN SIDs that are unknown (which do not get mapped) and your
> 'DOMAIN' users & groups are being mapped by the 'rid' idmap backend.
> I stand by my suggestion to replace 'autorid' in your smb.conf with
> 'tdb'.
>
> You could just remove the 'DOMAIN' idmap config lines (along with
> 'ignore builtin') and use 'autorid', but this would mean your
> 'DOMAIN' users & groups would very probably get new IDs.
>
> Rowland
>
>
It appears that the OP has posted a bug report on this:
https://bugzilla.samba.org/show_bug.cgi?id=15870
As I hadn't tried their rather strange idmap config lines, I did so on
a Unix domain member running in a VM. I created a new user, logged in
as that user, created the test script and ran it.
It started here:
authtest at testmem1:~$ bash ./testauth.sh P4ssw0rd*
TRY: 0
Sun 15 Jun 08:52:25 BST 2025
[sudo] password for SAMDOM\authtest: sudo success
I let it run to see if it failed, it didn't, I finally stopped it here:
TRY: 4609
Sun 15 Jun 10:30:12 BST 2025
[sudo] password for SAMDOM\authtest: sudo success
I am now, finally, able to go on record as saying that I cannot
recreate the OP's problem.
I used an identical smb.conf, just changed the obvious because of
different NetBIOS domain etc.
The only real difference between the OP's setup and mine is that I used
Samba AD DCs and a Unix domain member, all running on Debian 12 with
Samba from backports (4.22.2). I would therefore suggest the OP upgrades
to the latest version of Samba and then tries again. If it still doesn't
work correctly, then they could be looking at something like a network
problem or something on the Windows DC.
Rowland
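The reply above describes running a test script in a loop (TRY, timestamp, sudo result) until an intermittent failure shows up. The script below is an added example written for this page; it is not the thread's testauth.sh and not Samba project code. The names auth_loop, sudo_pam_probe, AUTH_CHECK, AUTH_PASSWORD and AUTH_FAILURES are my own; the sudo options used by the default probe are standard ones. The one caveat it bakes in that a quick loop often misses: without sudo's -k, the second and later tries reuse the cached credential timestamp and never reach pam_winbind at all, so a "5000 successes" run would prove nothing.

```shell
#!/bin/sh
# Added example, not the thread's testauth.sh: exercise an authentication
# path repeatedly and log every failure with its own timestamp, so that an
# intermittent pam_winbind fault can be lined up with log.winbindd and the
# DC's logs instead of getting lost among thousands of successes.
#
# Assumptions (mine, not from the original post):
#   - AUTH_CHECK names a shell function or command returning 0 when an
#     authentication attempt succeeds and non-zero when it fails.
#   - The default probe uses standard sudo options: -k ignores the cached
#     credential timestamp so every try really goes through PAM, -S reads
#     the password from stdin, -p '' silences the prompt and -v only
#     validates, running no command.
#   - The password comes from the AUTH_PASSWORD environment variable rather
#     than from argv, so it is not visible to other users in `ps` output.

# Default probe: re-authenticate the current user through sudo and PAM.
sudo_pam_probe() {
    printf '%s\n' "$AUTH_PASSWORD" | sudo -k -S -p '' -v >/dev/null 2>&1
}

# auth_loop TRIES [DELAY_SECONDS]
# Runs the probe TRIES times, printing a TRY/date/result record per try in
# the style of the thread's output. The failure count is left in
# AUTH_FAILURES and also returned (capped at 255 to fit an exit status).
auth_loop() {
    tries=$1
    delay=${2:-0}
    check=${AUTH_CHECK:-sudo_pam_probe}
    AUTH_FAILURES=0
    i=0
    while [ "$i" -lt "$tries" ]; do
        printf 'TRY: %s\n' "$i"
        date
        if "$check"; then
            echo "auth success"
        else
            AUTH_FAILURES=$((AUTH_FAILURES + 1))
            # Failures also go to stderr with their own timestamp, so a
            # run with 2>failures.log keeps only the interesting lines.
            echo "auth FAILURE on try $i at $(date)" >&2
        fi
        i=$((i + 1))
        if [ "$delay" -gt 0 ]; then
            sleep "$delay"
        fi
    done
    if [ "$AUTH_FAILURES" -gt 255 ]; then
        return 255
    fi
    return "$AUTH_FAILURES"
}

# Usage from a shell on the domain member (assumption: the logged-in user
# is a domain user whose sudo access is authenticated by pam_winbind):
#   AUTH_PASSWORD='...'; export AUTH_PASSWORD
#   . ./authloop.sh; auth_loop 5000 1 >run.log 2>failures.log
```

Because the probe is pluggable through AUTH_CHECK, the same loop can drive any other check (for example a pamtester invocation, if that tool is installed) without changing the bookkeeping, and a non-zero exit status makes it usable from cron or a monitoring job.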