Bug 1125149 - winbind offline cache issue
Summary: winbind offline cache issue
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: samba
Version: 20
Hardware: Unspecified
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Guenther Deschner
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-07-31 08:01 UTC by Guillaume
Modified: 2015-06-29 21:52 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-06-29 21:52:11 UTC


Attachments (Terms of Use)

Description Guillaume 2014-07-31 08:01:42 UTC
Description of problem:
When I'm offline I can not connect via ssh and pam blocking the verification cache

How reproducible:
Always

Steps to Reproduce:
1. smbcontrol winbind offline
2. ssh DOMAIN\\username@localhost

Actual results:
Domain Controller unreachable, using cached credentials instead. Network resources may be unavailable
Connection closed by 127.0.0.1


Expected results:
Last login: Wed Jul 30 16:17:22 2014


Additional info:

Winbind : Version 4.1.9
Samba : Version 4.1.9


#---------------------------------------------------------------------------
smb.conf :

[global]
#--authconfig--start-line--

   workgroup = xxxx
   netbios name = xxxx
   server string = xxxx
   realm = xxxx
   security = ads

   password server = xxxx
   idmap uid = 500-1000000
   idmap gid = 500-1000000
   idmap backend = tdb
   encrypt password = yes
   idmap config xxxx:backend = rid
   idmap config xxxx:base_rid = 500
   idmap config xxxx:range = 500-1000000

   socket options = SO_REUSEADDR TCP_NODELAY SO_RCVBUF=16383 SO_SNDBUF=16384

   template homedir = /home/xxxx/%U
   template shell = /bin/bash

   winbind uid = 500-1000000
   winbind gid = 500-1000000
   winbind use default domain = true
   winbind offline logon = yes
   winbind refresh tickets = true
   winbind cache time = 86400
   winbind reconnect delay = 3600
   winbind enum users = yes
   winbind enum groups = yes
   allow trusted domains = yes

   lock directory = /var/cache/samba/

#---------------------------------------------------------------------------
system-auth : 

auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_winbind.so use_first_pass
auth        sufficient    pam_winbind.so cached_login krb5_auth krb5_ccache_type=FILE use_first_pass
auth        required      pam_deny.so

account     required      pam_access.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_winbind.so cached_login use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
session     optional      pam_winbind.so
session     required      pam_mkhomedir.so skel=/etc/skel umask=0022

#---------------------------------------------------------------------------
pam_winbind.conf :

[global]

# turn on debugging
debug = yes

# turn on extended PAM state debugging
debug_state = yes

# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
cached_login = yes

# authenticate using kerberos
krb5_auth = yes

# when using kerberos, request a "FILE" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
krb5_ccache_type = FILE

# create homedirectory on the fly
mkhomedir = yes

#---------------------------------------------------------------------------
/var/log/secure :

Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_krb5[6340]: pam_authenticate returning 9 (Authentication service cannot retrieve authentication info)
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): [pamh: 0x7f3008293a40] ENTER: pam_sm_authenticate (flags: 0x0000)
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): [pamh: 0x7f3008293a40] STATE: ITEM(PAM_SERVICE) = "kdm" (0x7f30082a52e0)
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): [pamh: 0x7f3008293a40] STATE: ITEM(PAM_USER) = "xxxx" (0x7f3008272900)
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): [pamh: 0x7f3008293a40] STATE: ITEM(PAM_TTY) = ":0" (0x7f300828ab50)
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): [pamh: 0x7f3008293a40] STATE: ITEM(PAM_AUTHTOK) = 0x7f300828fe30
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): [pamh: 0x7f3008293a40] STATE: ITEM(PAM_USER_PROMPT) = "Username:" (0x7f3008295910)
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): [pamh: 0x7f3008293a40] STATE: ITEM(PAM_CONV) = 0x7f30082728e0
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): [pamh: 0x7f3008293a40] STATE: ITEM(PAM_FAIL_DELAY) = 0x7f3007b0f610
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): getting password (0x00005391)
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): pam_get_item returned a password
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): Verify user 'xxxx'
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): CONFIG file: krb5_ccache_type 'FILE'
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): enabling krb5 login flag
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): enabling cached login flag
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): enabling request for a FILE krb5 ccache
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_OBJECT_NAME_NOT_FOUND, Error message was: NT_STATUS_OBJECT_NAME_NOT_FOUND
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'xxxx')
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): [pamh: 0x7f3008293a40] LEAVE: pam_sm_authenticate returning 4 (PAM_SYSTEM_ERR)
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): [pamh: 0x7f3008293a40] STATE: ITEM(PAM_SERVICE) = "kdm" (0x7f30082a52e0)
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): [pamh: 0x7f3008293a40] STATE: ITEM(PAM_USER) = "xxxx" (0x7f3008272900)
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): [pamh: 0x7f3008293a40] STATE: ITEM(PAM_TTY) = ":0" (0x7f300828ab50)
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): [pamh: 0x7f3008293a40] STATE: ITEM(PAM_AUTHTOK) = 0x7f300828fe30
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): [pamh: 0x7f3008293a40] STATE: ITEM(PAM_USER_PROMPT) = "Username:" (0x7f3008295910)
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): [pamh: 0x7f3008293a40] STATE: ITEM(PAM_CONV) = 0x7f30082728e0
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): [pamh: 0x7f3008293a40] STATE: ITEM(PAM_FAIL_DELAY) = 0x7f3007b0f610
Jul 30 14:49:24 rmxbur01 kdm: :0[6340]: pam_unix(kdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=xxxx

Comment 1 Guillaume 2014-08-08 11:09:09 UTC
Could you please make an answer to this request ?

Comment 2 Fedora End Of Life 2015-05-29 12:31:31 UTC
This message is a reminder that Fedora 20 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 20. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '20'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 20 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 3 Fedora End Of Life 2015-06-29 21:52:11 UTC
Fedora 20 changed to end-of-life (EOL) status on 2015-06-23. Fedora 20 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.


Note You need to log in before you can comment on or make changes to this bug.