I've set up winbind according to the instructions at http://www.flatmtn.com/article/setting-samba However, I disabled the 'winbind [ug]id' and 'winbind enum {users|groups}' config settings, and the part in nsswitch.conf. I don't know how many hours it's acceptable for a simple 'id' command to take, but I wasn't willing to wait that long. I only really care about a single user anyway -- so I created a local user with that name, and it mostly seems to work. I've enabled 'cached credentials' in smb.conf (winbind offline login) and pam_winbind.conf: [global] debug = yes debug_state = yes cached_login = yes krb5_auth = yes krb5_ccache_type = FILE I can log in as user 'dwoodhou', and I get a Kerberos ticket and everything seems happy... until I run ntlm_auth, and it still asks me for a password: ntlm_auth --domain GER --username dwoodhou --helper-protocol ntlmssp-client-1 --use-cached-creds -d10 YR PW This seems to happen because we're caching the credentials with the bare username, but ntlm_auth is looking them up with the string DOMAIN\username and thus failing to find them. That seems to be 'fixed' by this patch: --- source3/winbindd/winbindd_pam.c~ 2010-06-18 13:01:04.000000000 +0100 +++ source3/winbindd/winbindd_pam.c 2010-07-26 12:11:23.657507372 +0100 @@ -1489,7 +1489,7 @@ enum winbindd_result winbindd_dual_pam_a parse_domain_user(mapped_user, name_domain, name_user); - if ( mapped_user != state->request->data.auth.user ) { + if ( 1 || mapped_user != state->request->data.auth.user ) { fstr_sprintf( domain_user, "%s\\%s", name_domain, name_user ); safe_strcpy( state->request->data.auth.user, domain_user, sizeof(state->request->data.auth.user)-1 ); However, it's only working while I'm online. If I kill winbindd, disconnect from the VPN and restart it (simulating a reboot), I can no longer log in. It seems that the disk cache is missing. I see this in winbindd output... winbindd_validate_cache: replacing panic function tdb_validate_open called for tdb '/var/lib/samba/winbindd_cache.tdb' tdb_validate called for tdb '/var/lib/samba/winbindd_cache.tdb' tdb_validate: forking to let child do validation. tdb_validate: fork succeeded, child PID = 10213 tdb_validate: waiting for child to finish... tdb_validate (validation child): created tdb_validate (validation child): calling tdb_validate_child tdb_validate_child: summary of validation status: * tdb error: yes * bad freelist: no * bad entry: no * unknown key: no => overall success: no tdb_validate: validating child returned. tdb_validate: child exited, code 255. tdb_validate returning code '255' for tdb '/var/lib/samba/winbindd_cache.tdb' tdb '/var/lib/samba/winbindd_cache.tdb' is invalid Could not stat '/var/lib/samba/winbindd_cache.tdb.bak': No such file or directory No backup found. moved '/var/lib/samba/winbindd_cache.tdb' to '/var/lib/samba/winbindd_cache.tdb.corrupt' Corrupt tdb stored as '/var/lib/samba/winbindd_cache.tdb.corrupt' winbindd_validate_cache: validation not successful. removing tdb /var/lib/samba/winbindd_cache.tdb. winbindd_validate_cache: restoring panic function winbindd cache tdb corrupt and no backup could be restored. initialize_winbindd_cache: clearing cache and re-creating with version number 1 This is entirely repeatable -- every time I restart winbindd it declares that its previous cache database is corrupt and creates a new one. Furthermore, even if I *connect* to the VPN I still can't log in; I have to restart winbindd after reconnecting to the VPN before it'll let me log in.
OK, so I exaggerated a little -- it wasn't hours for 'id' to complete; it was only 10½ minutes. [dwoodhou@i7 ews-sync]$ time id uid=10000(dwoodhou) gid=10000(domain users) groups=10000(domain users),10001,10002,10003,10004,10005,10006,10007,10008,10009,10010,10011,10012,10013,10014,10015,10016,10017,10018,10019,10020,10021,10022,10023,10024,10025,10026,10027,10028,10029,10030,10031,10032,10033,10034,10035,10036,10037 context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 real 10m18.571s This gives me a winbindd_cache.tdb which is about half a gigabyte, to be discarded next time winbindd starts up. As for the validation failure -- it looks like tdb_check() will always return failure without *any* log output if invoked on a read-only database. tdb_lockall() fails.
Progress... now I can log in even when the VPN is down (although I have to wait a while after restarting winbindd; it's not instant). --- source3/lib/tdb_validate.c~ 2010-06-18 13:01:04.000000000 +0100 +++ source3/lib/tdb_validate.c 2010-07-26 14:39:48.304324895 +0100 @@ -50,6 +50,7 @@ static int tdb_validate_child(struct tdb */ ret = tdb_check(tdb, NULL, NULL); if (ret == -1) { + DEBUG(1, ("tdb_check failed\n")); v_status.tdb_error = True; v_status.success = False; goto out; @@ -192,7 +193,7 @@ int tdb_validate_open(const char *tdb_pa DEBUG(5, ("tdb_validate_open called for tdb '%s'\n", tdb_path)); - tdb = tdb_open_log(tdb_path, 0, TDB_DEFAULT, O_RDONLY, 0); + tdb = tdb_open_log(tdb_path, 0, TDB_DEFAULT, O_RDWR, 0); if (!tdb) { DEBUG(1, ("Error opening tdb %s\n", tdb_path)); return ret; Now, is there anything we ship that actually *uses* ntlm_auth to handle NTLM authentication? Firefox should, but it doesn't seem to work. Curl and libsoup don't, Evolution doesn't, ...
Hm, even with the above patches it's not working correctly for SSH logins with key authentication (and therefore presumably won't work for gdm-autologin either). If we don't use a password to authenticate, then nothing ever calls add_ccache_to_list() at login time and winbindd never actually refreshes the Kerberos tickets as it's supposed to.
This looks like something we should report upstream.
*** Bug 592055 has been marked as a duplicate of this bug. ***
samba-3.5.4-64.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/samba-3.5.4-64.fc13
Please include this too: https://bugzilla.samba.org/show_bug.cgi?id=7589#c2
samba-3.5.4-65.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/samba-3.5.4-65.fc13
samba-3.5.4-65.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update samba'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/samba-3.5.4-65.fc13
I crashed the update, but I'm not sure if it's a *new* crash. https://bugzilla.samba.org/show_bug.cgi?id=7636
samba-3.5.4-67.fc13 has been submitted as an update for Fedora 13. https://admin.fedoraproject.org/updates/samba-3.5.4-67.fc13
samba-3.5.5-68.fc13 has been submitted as an update for Fedora 13. https://admin.fedoraproject.org/updates/samba-3.5.5-68.fc13
samba-3.5.5-68.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.