Description of problem:
When I'm offline I can not connect via ssh and pam blocking the verification cache

How reproducible:
Always

Steps to Reproduce:
1. smbcontrol winbind offline
2. ssh DOMAIN\\username@localhost

Actual results:
Domain Controller unreachable, using cached credentials instead. Network resources may be unavailable
Connection closed by 127.0.0.1

Expected results:
Last login: Wed Jul 30 16:17:22 2014

Additional info:
Winbind : Version 4.1.9
Samba : Version 4.1.9

#---------------------------------------------------------------------------
smb.conf :

[global]
#--authconfig--start-line--
workgroup = xxxx
netbios name = xxxx
server string = xxxx
realm = xxxx
security = ads
password server = xxxx
idmap uid = 500-1000000
idmap gid = 500-1000000
idmap backend = tdb
encrypt password = yes
idmap config xxxx:backend = rid
idmap config xxxx:base_rid = 500
idmap config xxxx:range = 500-1000000
socket options = SO_REUSEADDR TCP_NODELAY SO_RCVBUF=16383 SO_SNDBUF=16384
template homedir = /home/xxxx/%U
template shell = /bin/bash
winbind uid = 500-1000000
winbind gid = 500-1000000
winbind use default domain = true
winbind offline logon = yes
winbind refresh tickets = true
winbind cache time = 86400
winbind reconnect delay = 3600
winbind enum users = yes
winbind enum groups = yes
allow trusted domains = yes
lock directory = /var/cache/samba/

#---------------------------------------------------------------------------
system-auth :

auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_winbind.so use_first_pass
auth sufficient pam_winbind.so cached_login krb5_auth krb5_ccache_type=FILE use_first_pass
auth required pam_deny.so

account required pam_access.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so

password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password sufficient pam_winbind.so cached_login use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
session optional pam_winbind.so
session required pam_mkhomedir.so skel=/etc/skel umask=0022

#---------------------------------------------------------------------------
pam_winbind.conf :

[global]
# turn on debugging
debug = yes
# turn on extended PAM state debugging
debug_state = yes
# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
cached_login = yes
# authenticate using kerberos
krb5_auth = yes
# when using kerberos, request a "FILE" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
krb5_ccache_type = FILE
# create homedirectory on the fly
mkhomedir = yes

#---------------------------------------------------------------------------
/var/log/secure :

Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_krb5[6340]: pam_authenticate returning 9 (Authentication service cannot retrieve authentication info)
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): [pamh: 0x7f3008293a40] ENTER: pam_sm_authenticate (flags: 0x0000)
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): [pamh: 0x7f3008293a40] STATE: ITEM(PAM_SERVICE) = "kdm" (0x7f30082a52e0)
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): [pamh: 0x7f3008293a40] STATE: ITEM(PAM_USER) = "xxxx" (0x7f3008272900)
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): [pamh: 0x7f3008293a40] STATE: ITEM(PAM_TTY) = ":0" (0x7f300828ab50)
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): [pamh: 0x7f3008293a40] STATE: ITEM(PAM_AUTHTOK) = 0x7f300828fe30
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): [pamh: 0x7f3008293a40] STATE: ITEM(PAM_USER_PROMPT) = "Username:" (0x7f3008295910)
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): [pamh: 0x7f3008293a40] STATE: ITEM(PAM_CONV) = 0x7f30082728e0
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): [pamh: 0x7f3008293a40] STATE: ITEM(PAM_FAIL_DELAY) = 0x7f3007b0f610
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): getting password (0x00005391)
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): pam_get_item returned a password
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): Verify user 'xxxx'
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): CONFIG file: krb5_ccache_type 'FILE'
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): enabling krb5 login flag
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): enabling cached login flag
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): enabling request for a FILE krb5 ccache
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_OBJECT_NAME_NOT_FOUND, Error message was: NT_STATUS_OBJECT_NAME_NOT_FOUND
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'xxxx')
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): [pamh: 0x7f3008293a40] LEAVE: pam_sm_authenticate returning 4 (PAM_SYSTEM_ERR)
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): [pamh: 0x7f3008293a40] STATE: ITEM(PAM_SERVICE) = "kdm" (0x7f30082a52e0)
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): [pamh: 0x7f3008293a40] STATE: ITEM(PAM_USER) = "xxxx" (0x7f3008272900)
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): [pamh: 0x7f3008293a40] STATE: ITEM(PAM_TTY) = ":0" (0x7f300828ab50)
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): [pamh: 0x7f3008293a40] STATE: ITEM(PAM_AUTHTOK) = 0x7f300828fe30
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): [pamh: 0x7f3008293a40] STATE: ITEM(PAM_USER_PROMPT) = "Username:" (0x7f3008295910)
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): [pamh: 0x7f3008293a40] STATE: ITEM(PAM_CONV) = 0x7f30082728e0
Jul 30 14:49:15 rmxbur01 kdm: :0[6340]: pam_winbind(kdm:auth): [pamh: 0x7f3008293a40] STATE: ITEM(PAM_FAIL_DELAY) = 0x7f3007b0f610
Jul 30 14:49:24 rmxbur01 kdm: :0[6340]: pam_unix(kdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=xxxx
Could you please make an answer to this request?
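For triaging a debug log like the /var/log/secure excerpt in the report, the following added example (not code from the reporter or from Samba) pulls out each failed winbind request together with the login flags pam_winbind had enabled for that invocation, so it is immediately visible whether a failure happened with cached login requested. The sample lines are constructed in the report's format, and the host name `host1` and the function name `summarize` are assumptions.

```python
import re

# Constructed sample in the format of the /var/log/secure excerpt in the report
# (host name is a placeholder; the user is masked as in the report).
SAMPLE = """\
Jul 30 14:49:15 host1 kdm: :0[6340]: pam_winbind(kdm:auth): Verify user 'xxxx'
Jul 30 14:49:15 host1 kdm: :0[6340]: pam_winbind(kdm:auth): enabling krb5 login flag
Jul 30 14:49:15 host1 kdm: :0[6340]: pam_winbind(kdm:auth): enabling cached login flag
Jul 30 14:49:15 host1 kdm: :0[6340]: pam_winbind(kdm:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_OBJECT_NAME_NOT_FOUND, Error message was: NT_STATUS_OBJECT_NAME_NOT_FOUND
Jul 30 14:49:24 host1 kdm: :0[6340]: pam_unix(kdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=xxxx
"""

# "<prog>[pid]: pam_winbind(service:phase): message"
LINE = re.compile(r"\[(?P<pid>\d+)\]: pam_winbind\((?P<svc>[^:)]+):\w+\): (?P<msg>.*)$")
VERIFY = re.compile(r"Verify user '([^']*)'")
FLAG = re.compile(r"enabling (krb5|cached) login flag")
FAIL = re.compile(r"request (\w+) failed: (\w+), PAM error: (\w+) \(\d+\), NTSTATUS: (\w+)")


def summarize(text):
    """Return one record per failed winbind request, with the flags in effect."""
    state, failures = {}, []
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # lines from pam_unix, pam_krb5 etc. are not parsed here
        cur = state.setdefault((m["svc"], m["pid"]), {"user": None, "flags": set()})
        msg = m["msg"]
        if v := VERIFY.search(msg):
            cur["user"], cur["flags"] = v[1], set()  # a new module invocation starts
        elif f := FLAG.search(msg):
            cur["flags"].add(f[1])
        elif e := FAIL.search(msg):
            failures.append({
                "service": m["svc"], "pid": int(m["pid"]), "user": cur["user"],
                "request": e[1], "wbc_error": e[2], "pam_error": e[3],
                "ntstatus": e[4],
                "cached_login": "cached" in cur["flags"],
                "krb5_auth": "krb5" in cur["flags"],
            })
    return failures


if __name__ == "__main__":
    for rec in summarize(SAMPLE):
        print(rec)
```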
This message is a reminder that Fedora 20 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 20. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '20'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 20 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 20 changed to end-of-life (EOL) status on 2015-06-23. Fedora 20 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.