Bug 834044 - cannot login offline using sssd/winbind
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: samba4
Version: 17
Hardware: x86_64 Linux
Priority: unspecified
Severity: high
Assigned To: Guenther Deschner
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-06-20 13:36 EDT by birger
Modified: 2013-02-07 11:40 EST
CC List: 10 users
Doc Type: Bug Fix
Last Closed: 2013-02-07 11:40:27 EST
Type: Bug

Attachments
smb.conf (592 bytes, text/plain)
2012-09-05 02:12 EDT, birger

Description birger 2012-06-20 13:36:38 EDT
Description of problem:
My laptop is set up with winbind so I log on using my AD account. Under Fedora 16 I could log in offline, but after upgrading to Fedora 17 that doesn't work anymore.

The command I used to set up authentication was
authconfig --enablewinbind --enablewinbindauth --winbindtemplateshell=/bin/bash --enablewinbindusedefaultdomain --enablewinbindoffline --winbindjoin=myadministrator --smbsecurity=ads --smbrealm=mydomain.no --enablesssd --enablecache --enablemkhomedir --smbworkgroup=MYDOMAIN --update

When I have a connection to my AD server it works fine. When I am out of office I can log on using a local user and start my VPN connection. I can then switch user and log on with the AD user.


Version-Release number of selected component (if applicable):
sssd-client-1.8.4-13.fc17.x86_64
sssd-1.8.4-13.fc17.x86_64
sssd-tools-1.8.4-13.fc17.x86_64
samba4-winbind-krb5-locator-4.0.0-47alpha18.fc17.x86_64
samba4-winbind-4.0.0-47alpha18.fc17.x86_64
samba4-winbind-clients-4.0.0-47alpha18.fc17.x86_64


How reproducible:
I have tried rerunning the above command but it does not work.

Comment 1 Stephen Gallagher 2012-06-20 14:16:53 EDT
With that authconfig configuration, SSSD shouldn't be used (and you should remove the --enablesssd piece).

This is most likely a winbind issue, but please include /var/log/secure to confirm.
Comment 2 birger 2012-08-14 07:44:56 EDT
I redid with --disablesssd, and the issue is still there.

This is what I get in /var/log/secure when trying to log in offline:

Aug 13 19:05:33 sch30623-lf gdm-welcome][1076]: pam_unix(gdm-welcome:session): session opened for user gdm by (uid=0)
Aug 13 19:05:34 sch30623-lf polkitd(authority=local): Registered Authentication Agent for unix-session:1 (system bus name :1.31 [gnome-shell --gdm-mode], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Aug 13 19:05:47 sch30623-lf gdm-password][1253]: pam_unix(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost=  user=testuser
Aug 13 19:05:47 sch30623-lf gdm-password][1253]: pam_winbind(gdm-password:auth): getting password (0x00000210)
Aug 13 19:05:47 sch30623-lf gdm-password][1253]: pam_winbind(gdm-password:auth): pam_get_item returned a password
Aug 13 19:05:47 sch30623-lf gdm-password][1253]: pam_winbind(gdm-password:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_OBJECT_NAME_NOT_FOUND, Error message was: NT_STATUS_OBJECT_NAME_NOT_FOUND
Aug 13 19:05:47 sch30623-lf gdm-password][1253]: pam_winbind(gdm-password:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'testuser')

Moving issue to samba4.
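
An added example, not part of the original bug report or of Samba's code: a small parser that pulls the pam_winbind failure out of /var/log/secure lines like those in comment 2 and separates a module error (PAM_SYSTEM_ERR, as seen here) from a rejected credential. The event with pid 2001 is constructed for contrast, and the function names are illustrative.

```python
import re

# Lines copied from comment 2, plus one constructed wrong-password event
# (pid 2001) added only so the two outcomes can be compared.
SAMPLE = """\
Aug 13 19:05:47 sch30623-lf gdm-password][1253]: pam_unix(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost=  user=testuser
Aug 13 19:05:47 sch30623-lf gdm-password][1253]: pam_winbind(gdm-password:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_OBJECT_NAME_NOT_FOUND, Error message was: NT_STATUS_OBJECT_NAME_NOT_FOUND
Aug 13 19:05:47 sch30623-lf gdm-password][1253]: pam_winbind(gdm-password:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'testuser')
Aug 13 19:09:10 sch30623-lf gdm-password][2001]: pam_winbind(gdm-password:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
""".splitlines()

PREFIX = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) (?P<proc>[^\[]+)\[(?P<pid>\d+)\]: "
                    r"pam_winbind\((?P<svc>[^:]+):auth\): (?P<msg>.*)$")
FAILED = re.compile(r"request (?P<call>\w+) failed: (?P<wbc>\w+), PAM error: (?P<pam>\w+) "
                    r"\((?P<code>\d+)\), NTSTATUS: (?P<nt>\w+)")
USER = re.compile(r"user = '(?P<user>[^']*)'")

def winbind_failures(lines):
    """Return one record per failed pam_winbind request, keyed by PAM process."""
    events = {}
    for line in lines:
        m = PREFIX.match(line)
        if not m:
            continue  # not a pam_winbind auth line (e.g. pam_unix)
        key = (m["svc"], m["pid"])
        f = FAILED.search(m["msg"])
        if f:
            events[key] = {**f.groupdict(), "code": int(f["code"]), "time": m["ts"],
                           "service": m["svc"], "pid": int(m["pid"]), "user": None}
        elif key in events and events[key]["user"] is None:
            # The failed request line carries no user; a later line from the
            # same PAM process does, so correlate on (service, pid).
            u = USER.search(m["msg"])
            if u:
                events[key]["user"] = u["user"]
    return list(events.values())

def triage(event):
    # PAM_SYSTEM_ERR means the module itself failed (the offline case in this
    # bug); PAM_AUTH_ERR means the credentials were checked and rejected.
    if event["pam"] == "PAM_SYSTEM_ERR":
        return "module-error"
    if event["pam"] == "PAM_AUTH_ERR":
        return "credentials-rejected"
    return "other"
```
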
Comment 3 Dmitri Pal 2012-08-14 10:34:50 EDT
Let me clarify, you either use winbind or SSSD.
Latest SSSD 1.9 has some major improvements for AD interoperability so you might consider using it before drilling down on the winbind side. SSSD 1.8 might be sufficient for you too.
Comment 4 birger 2012-08-15 02:53:59 EDT
I see sssd 1.9 is in rawhide, but tries to pull in way too many dependencies. I hope it will appear in f17 updates as well.

It would be very nice to know how to correctly set it up for AD. Can authconfig be used? I have a test system I can upgrade to f18 beta so I can play with sssd 1.9.
Comment 5 Jakub Hrozek 2012-08-15 04:41:09 EDT
(In reply to comment #4)
> I see sssd 1.9 is in rawhide, but tries to pull in way too many
> dependencies. I hope it will appear in f17 updates as well.
> 

It will, after it bakes in F-18 and rawhide.

> It would be very nice to know how to correctly set it up for AD. Can
> authconfig be used? I have a test system I can upgrade to f18 beta so I can
> play with sssd 1.9.

There's a HOWTO available on the SSSD wiki for older SSSD releases (up to 1.8):
https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server
Comment 6 Alexander Bokovoy 2012-08-15 04:52:50 EDT
F-18 should already contain changes to GNOME 3.6 that are described at http://stef.thewalter.net/2012/06/kerberos-and-active-directory-logins.html. In theory, installing F-18 + realmd and using GNOME control center's user accounts management should allow you to configure SSSD for AD usage automatically.
Comment 7 birger 2012-08-15 07:42:44 EDT
I will test this as soon as either f18 beta pops up in preupgrade (only a few days, right?) or 1.9 hits f17. I really want to look at the gnome integration in f18.

Should this bug be left as open, since there seems to be a problem with winbind?
Comment 8 Jakub Hrozek 2012-08-15 08:05:57 EDT
(In reply to comment #7)
> I will test this as soon as either f18 beta pops up in preupgrade (only a
> few days, right?) or 1.9 hits f17. I really want to look at the gnome
> integration in f18.
> 

According to http://fedoraproject.org/wiki/Releases/18/Schedule Alpha will be released on 2012-08-28. Beta is still far ahead; the schedule page says 2012-10-02.

> Should this bug be left as open, since there seems to be a problem with
> winbind?

Judging by comment #2 I still think that this looks like a winbind bug.
Comment 9 Dmitri Pal 2012-08-15 09:01:49 EDT
(In reply to comment #6)
> F-18 should already contain changes to GNOME 3.6 that are described at
> http://stef.thewalter.net/2012/06/kerberos-and-active-directory-logins.html.
> In theory, installing F-18 + realmd and using GNOME control center's user
> accounts management should allow you to configure SSSD for AD usage
> automatically.

It is not yet fully baked but will be in upcoming months.
Comment 10 Sumit Bose 2012-08-15 09:11:13 EDT
(In reply to comment #7)
> 
> Should this bug be left as open, since there seems to be a problem with
> winbind?

To be able to investigate what winbind is doing here it would be helpful if you can attach your sanitized smb.conf and the winbind log file with debug level set to 10.
Comment 11 birger 2012-09-05 02:12:42 EDT
Created attachment 609875
smb.conf
Comment 12 Allen Hewes 2012-10-21 00:00:20 EDT
I created an issue without being able to find this one; I did search before I created a new ticket.

So "linking" here so they both can be found:
https://bugzilla.redhat.com/show_bug.cgi?id=868457

Basically it's failing on computing the MD5 of the cached salt + nt_hash.
Comment 13 Andreas Schneider 2013-02-07 11:40:27 EST
This should be fixed with samba 4.0 in F18. Please reopen if not.
