Bug 618201 - Cached credentials with winbind not working
Summary: Cached credentials with winbind not working
Alias: None
Product: Fedora
Classification: Fedora
Component: samba
Version: 13
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Simo Sorce
QA Contact: Fedora Extras Quality Assurance
: 592055 (view as bug list)
Depends On:
TreeView+ depends on / blocked
Reported: 2010-07-26 11:58 UTC by David Woodhouse
Modified: 2010-09-15 05:22 UTC (History)
4 users (show)

Fixed In Version: samba-3.5.5-68.fc13
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2010-09-15 05:22:06 UTC

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Samba Project 7589 None None None Never
Samba Project 7590 None None None Never
Samba Project 7591 None None None Never

Description David Woodhouse 2010-07-26 11:58:23 UTC
I've set up winbind according to the instructions at http://www.flatmtn.com/article/setting-samba

However, I disabled the 'winbind [ug]id' and 'winbind enum {users|groups}' config settings, and the part in nsswitch.conf. I don't know how many hours it's acceptable for a simple 'id' command to take, but I wasn't willing to wait that long. I only really care about a single user anyway -- so I created a local user with that name, and it mostly seems to work.

I've enabled 'cached credentials' in smb.conf (winbind offline login) and pam_winbind.conf:

debug = yes
debug_state = yes
cached_login = yes
krb5_auth = yes
krb5_ccache_type = FILE

I can log in as user 'dwoodhou', and I get a Kerberos ticket and everything seems happy... until I run ntlm_auth, and it still asks me for a password:
ntlm_auth --domain GER --username dwoodhou --helper-protocol ntlmssp-client-1 --use-cached-creds -d10

This seems to happen because we're caching the credentials with the bare username, but ntlm_auth is looking them up with the string DOMAIN\username and thus failing to find them. That seems to be 'fixed' by this patch:

--- source3/winbindd/winbindd_pam.c~	2010-06-18 13:01:04.000000000 +0100
+++ source3/winbindd/winbindd_pam.c	2010-07-26 12:11:23.657507372 +0100
@@ -1489,7 +1489,7 @@ enum winbindd_result winbindd_dual_pam_a
 	parse_domain_user(mapped_user, name_domain, name_user);
-	if ( mapped_user != state->request->data.auth.user ) {
+	if ( 1 || mapped_user != state->request->data.auth.user ) {
 		fstr_sprintf( domain_user, "%s\\%s", name_domain, name_user );
 		safe_strcpy( state->request->data.auth.user, domain_user,
 			     sizeof(state->request->data.auth.user)-1 );

However, it's only working while I'm online. If I kill winbindd, disconnect from the VPN and restart it (simulating a reboot), I can no longer log in. It seems that the disk cache is missing. I see this in winbindd output...

winbindd_validate_cache: replacing panic function
tdb_validate_open called for tdb '/var/lib/samba/winbindd_cache.tdb'
tdb_validate called for tdb '/var/lib/samba/winbindd_cache.tdb'
tdb_validate: forking to let child do validation.
tdb_validate: fork succeeded, child PID = 10213
tdb_validate: waiting for child to finish...
tdb_validate (validation child): created
tdb_validate (validation child): calling tdb_validate_child
tdb_validate_child: summary of validation status:
 * tdb error: yes
 * bad freelist: no
 * bad entry: no
 * unknown key: no
 => overall success: no
tdb_validate: validating child returned.
tdb_validate: child exited, code 255.
tdb_validate returning code '255' for tdb '/var/lib/samba/winbindd_cache.tdb'
tdb '/var/lib/samba/winbindd_cache.tdb' is invalid
Could not stat '/var/lib/samba/winbindd_cache.tdb.bak': No such file or directory
No backup found.
moved '/var/lib/samba/winbindd_cache.tdb' to '/var/lib/samba/winbindd_cache.tdb.corrupt'
Corrupt tdb stored as '/var/lib/samba/winbindd_cache.tdb.corrupt'
winbindd_validate_cache: validation not successful.
removing tdb /var/lib/samba/winbindd_cache.tdb.
winbindd_validate_cache: restoring panic function
winbindd cache tdb corrupt and no backup could be restored.
initialize_winbindd_cache: clearing cache and re-creating with version number 1

This is entirely repeatable -- every time I restart winbindd it declares that its previous cache database is corrupt and creates a new one.

Furthermore, even if I *connect* to the VPN I still can't log in; I have to restart winbindd after reconnecting to the VPN before it'll let me log in.

Comment 1 David Woodhouse 2010-07-26 13:13:15 UTC
OK, so I exaggerated a little -- it wasn't hours for 'id' to complete; it was only 10½ minutes.

[dwoodhou@i7 ews-sync]$ time id
uid=10000(dwoodhou) gid=10000(domain users) groups=10000(domain users),10001,10002,10003,10004,10005,10006,10007,10008,10009,10010,10011,10012,10013,10014,10015,10016,10017,10018,10019,10020,10021,10022,10023,10024,10025,10026,10027,10028,10029,10030,10031,10032,10033,10034,10035,10036,10037 context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

real	10m18.571s

This gives me a winbindd_cache.tdb which is about half a gigabyte, to be discarded next time winbindd starts up.

As for the validation failure -- it looks like tdb_check() will always return failure without *any* log output if invoked on a read-only database. tdb_lockall() fails.

Comment 2 David Woodhouse 2010-07-26 14:01:49 UTC
Progress... now I can log in even when the VPN is down (although I have to wait a while after restarting winbindd; it's not instant).

--- source3/lib/tdb_validate.c~	2010-06-18 13:01:04.000000000 +0100
+++ source3/lib/tdb_validate.c	2010-07-26 14:39:48.304324895 +0100
@@ -50,6 +50,7 @@ static int tdb_validate_child(struct tdb
 	ret = tdb_check(tdb, NULL, NULL);
 	if (ret == -1) {
+		DEBUG(1, ("tdb_check failed\n"));
 		v_status.tdb_error = True;
 		v_status.success = False;
 		goto out;
@@ -192,7 +193,7 @@ int tdb_validate_open(const char *tdb_pa
 	DEBUG(5, ("tdb_validate_open called for tdb '%s'\n", tdb_path));
-	tdb = tdb_open_log(tdb_path, 0, TDB_DEFAULT, O_RDONLY, 0);
+	tdb = tdb_open_log(tdb_path, 0, TDB_DEFAULT, O_RDWR, 0);
 	if (!tdb) {
 		DEBUG(1, ("Error opening tdb %s\n", tdb_path));
 		return ret;

Now, is there anything we ship that actually *uses* ntlm_auth to handle NTLM authentication? Firefox should, but it doesn't seem to work. Curl and libsoup don't, Evolution doesn't, ...

Comment 3 David Woodhouse 2010-07-26 15:28:02 UTC
Hm, even with the above patches it's not working correctly for SSH logins with key authentication (and therefore presumably won't work for gdm-autologin either).

If we don't use a password to authenticate, then nothing ever calls add_ccache_to_list() at login time and winbindd never actually refreshes the Kerberos tickets as it's supposed to.

Comment 4 Simo Sorce 2010-07-26 15:42:26 UTC
This looks like something we should report upstream.

Comment 5 Guenther Deschner 2010-08-18 13:52:09 UTC
*** Bug 592055 has been marked as a duplicate of this bug. ***

Comment 6 Fedora Update System 2010-08-18 14:11:01 UTC
samba-3.5.4-64.fc13 has been submitted as an update for Fedora 13.

Comment 7 David Woodhouse 2010-08-18 15:05:31 UTC
Please include this too: https://bugzilla.samba.org/show_bug.cgi?id=7589#c2

Comment 8 Fedora Update System 2010-08-19 12:12:35 UTC
samba-3.5.4-65.fc13 has been submitted as an update for Fedora 13.

Comment 9 Fedora Update System 2010-08-20 01:35:49 UTC
samba-3.5.4-65.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update samba'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/samba-3.5.4-65.fc13

Comment 10 David Woodhouse 2010-08-20 10:11:24 UTC
I crashed the update, but I'm not sure if it's a *new* crash.

Comment 11 Fedora Update System 2010-08-30 20:28:22 UTC
samba-3.5.4-67.fc13 has been submitted as an update for Fedora 13.

Comment 12 Fedora Update System 2010-09-14 13:19:12 UTC
samba-3.5.5-68.fc13 has been submitted as an update for Fedora 13.

Comment 13 Fedora Update System 2010-09-15 05:21:56 UTC
samba-3.5.5-68.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.