McGlorfin
2006-Jan-18 20:22 UTC
[Samba] Linux/AD authentication stops working after ~5 minutes
I'm trying to do something fairly simple: login to a Linux box using a Windows AD-based account. I've followed the various recipes available online for configuring Linux (winbind, PAM, etc.) to this end, and I've got it working ... almost.

I'm able to authenticate an AD-based user immediately after bringing up the Linux box, but a short time later (roughly 5 minutes, but it varies) I can no longer authenticate. Running 'wbinfo -u' fixes the problem temporarily, although I'm not sure how or why. The 'winbind cache time' param in smb.conf has no effect on the problem.

Any ideas as to what's going on? Is this more likely to be a misconfiguration or an issue with my version of Samba? Thanks in advance for any insight.

System configuration info follows:

AD server is Windows Server 2003 SP1. There is only one AD domain, named "DOMAIN.LOCAL", and it is small (for testing purposes).

Linux box is Fedora Core 3. Kernel is 2.6.9-1.667. It is joined to the AD server domain only.

Win2k3 is running as a guest OS in VMware and Fedora is the host OS. (I doubt this config has anything to do with the problem.)

Samba packages:
  samba-common-3.0.10-1.fc3
  samba-swat-3.0.10-1.fc3
  samba-3.0.10-1.fc3
  samba-client-3.0.10-1.fc3

I'm running winbind, but not smbd or nmbd. The latter doesn't seem to be necessary, nor is it sufficient to solve my problem.

smb.conf:
  [global]
    workgroup = DOMAIN
    realm = DOMAIN.LOCAL
    server string = Samba Server
    security = ADS
    password server = vmdc1.domain.local
    log level = 1 ads:10 auth:10 sam:10 rpc:10 winbind:5
    log file = /var/log/samba/%m.log
    max log size = 50
    name resolve order = lmhosts bcast
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    printcap name = /etc/printcap
    dns proxy = No
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    template shell = /bin/bash
    winbind cache time = 10
    winbind enum users = No
    winbind enum groups = No
    winbind use default domain = Yes
    cups options = raw

  [homes]
    comment = Home Directories
    read only = No
    browseable = No

  [printers]
    comment = All Printers
    path = /var/spool/samba
    printable = Yes
    browseable = No

PAM packages:
  pam-0.77-65
  pam_passwdqc-0.7.5-2
  pam-devel-0.77-65
  pam_smb-1.1.7-5
  pam_krb5-2.1.2-1
  pam_ccreds-1-3

/etc/pam.d/system-auth (used by /etc/pam.d/sshd, etc.):
  #auth
  auth        required      /lib/security/$ISA/pam_env.so
  auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
  auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
  auth        required      /lib/security/$ISA/pam_deny.so
  #account
  account     required      /lib/security/$ISA/pam_unix.so broken_shadow
  account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
  account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
  account     required      /lib/security/$ISA/pam_permit.so
  #password
  password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
  password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
  password    sufficient    /lib/security/$ISA/pam_winbind.so use_authtok
  password    required      /lib/security/$ISA/pam_deny.so
  #session
  session     required      /lib/security/$ISA/pam_limits.so
  session     required      /lib/security/$ISA/pam_unix.so

Relevant nsswitch.conf lines:
  passwd:     files winbind
  shadow:     files winbind
  group:      files winbind

EOM
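An added example, not part of the thread: a small Python model of Linux-PAM's control-flag dispatch, run over the auth and account stacks from the system-auth posted above, to show why a winbind outage like the one described produces a hard denial (pam_deny) rather than any fallback. The per-module return codes in the scenarios are assumptions chosen to illustrate the cases; the model follows the documented keyword expansions but is a simplification of the real library.

```python
import re
# The auth and account stacks from the /etc/pam.d/system-auth posted in this thread
# (module paths shortened to bare names, arguments kept).
AUTH_STACK = """
auth required   pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_winbind.so use_first_pass
auth required   pam_deny.so
"""
ACCOUNT_STACK = """
account required   pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required   pam_permit.so
"""
# Linux-PAM's documented expansion of the simple control keywords into actions.
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
# Modules whose return code does not depend on the scenario being simulated.
FIXED = {"pam_env.so": "success", "pam_permit.so": "success", "pam_deny.so": "auth_err"}
def parse_stack(text):
    """Return [(module, {return_code: action})] for one PAM stack."""
    entries = []
    for line in text.strip().splitlines():
        control, module = re.match(r"\w+\s+(\[[^\]]*\]|\w+)\s+(\S+)", line).groups()
        if control.startswith("["):   # explicit [code=action ...] form
            actions = dict(tok.split("=", 1) for tok in control[1:-1].split())
        else:
            actions = KEYWORDS[control]
        entries.append((module, actions))
    return entries

def run_stack(text, returns):
    """Walk a stack given per-module return codes (module -> code); modules not
    listed are assumed to succeed. Returns 'success' or 'failure'."""
    failure = None
    for module, actions in parse_stack(text):
        code = FIXED.get(module, returns.get(module, "success"))
        action = actions.get(code, actions.get("default", "bad"))
        if action in ("bad", "die"):
            failure = failure or code        # first failure is what PAM reports
            if action == "die":
                break
        elif action == "done":               # sufficient module short-circuits
            if failure is None:
                return "success"
            break                            # ...but an earlier failure still wins
    return "success" if failure is None else "failure"
```

With winbind healthy the auth stack returns success at pam_winbind; once winbind stops answering (any non-success code) the sufficient entry is ignored and pam_deny decides, and in the account stack the bracketed default=bad means a winbind error denies an AD user even though pam_permit follows it, while a local uid below 100 is accepted by pam_succeed_if before winbind is consulted.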
Adam Nielsen
2006-Jan-19 00:19 UTC
[Samba] Linux/AD authentication stops working after ~5 minutes
> password server = vmdc1.domain.local

AFAIK this option is only required for security = DOMAIN - if you're using security = ADS then when you join the domain Samba/winbind will find out which server to use for passwords.

I also think you will need Samba running to 'maintain' the connection to the domain - although if you can run "net ads testjoin" without smbd running then I guess it shouldn't matter.

Cheers,
Adam.
Vijay Avarachen
2006-Jan-19 17:00 UTC
[Samba] Linux/AD authentication stops working after ~5 minutes
Try running just nmbd and winbind. Without nmbd running, WINS resolution of the Linux host is not going to work and maybe that is what is hindering the authentication.

Good luck,
Vijay Avarachen

On 1/18/06, McGlorfin <mcglorfin@yahoo.com> wrote:
> I'm trying to do something fairly simple: login to a Linux box using a
> Windows AD-based account. I've followed the various recipes available
> online for configuring Linux (winbind, PAM, etc.) to this end, and I've
> got it working ... almost.
> [...]

--
"Knowledge is the only wealth that grows as you spend it, and diminishes as you save it." -- ancient Sanskrit saying
McGlorfin
2006-Jan-19 18:10 UTC
[Samba] Re: Linux/AD authentication stops working after ~5 minutes
Vijay Avarachen wrote:
> Try running just nmbd and winbind. Without nmbd running, wins resolution of
> the linux host is not going to work and maybe that is what is hindering the
> authentication.

Thanks for the reply, but running nmbd has no effect on the problem.

-McG
McGlorfin
2006-Jan-26 16:53 UTC
[Samba] RESOLVED: Linux/AD authentication stops working after ~5 minutes
McGlorfin wrote:
> I'm trying to do something fairly simple: login to a Linux box using a
> Windows AD-based account. [...]
> [...] Is this more likely to be a
> misconfiguration or an issue with my version of Samba?

After upgrading to version 3.0.21a, my problems have disappeared. The WHATSNEW file gives a hint as to the source of the problem:

  Common bugs fixed in 3.0.14a include:
    o Compatibility issues between Winbind and Windows 2003 SP1 domain
      controllers (*2k3sp1*).

-McG