samba - Aug 2004 - 3.0.6 and pam_winbind problems (sernet)?

Recently I upgraded a server from samba 3.0.2a to 3.0.6, and now apache
won't authenticate properly with pam_winbind.  Winbind's been restarted,
apache has been restarted, for grins I even rebooted the server.
>From /var/log/messages:
Aug 26 10:24:51 linps2 pam_winbind[654]: user 'jarboed' granted acces
>From apache's error log:
[Thu Aug 26 10:24:51 2004] [error] (2)No such file or directory: access
to /cgi-bin/print/modify/modify.py failed for 10.176.156.41, reason:
User not known to the underlying authentication module

This is on SLES8 s390 using the sernet srpms.  To break it, I upgrade to
the new rpms, to fix it, I rpm -Uhv --oldpackage to the old ones.  I can
go back and forth, and it breaks/fixes.

The apache behavior is kind of strange too, it doesn't prompt for
another password, just immediately returns the 401 Authentication
Required.

/etc/pam.d/httpd is only:
auth            required        /lib/security/pam_winbind.so
account         required        /lib/security/pam_winbind.so

Since the only thing changing is the version of samba installed, does
anyone have any ideas?

Thanks,
~ Daniel

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

daniel.jarboe@custserv.com wrote:

| [Thu Aug 26 10:24:51 2004] [error] (2)No such file
| or directory: access to /cgi-bin/print/modify/modify.py
| failed for 10.176.156.41, reason:
| User not known to the underlying authentication module

Did the libnss_winbind.so.2 get updated via the RPM
upgrade ?  That would be the first place I would look.
You can run winbindd at level 10 and see if ther request
sizes match up with what the daemon expects.




cheers, jerry
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBLfXnIR7qMdg1EfYRAiXzAKCJ50dYhRJaPkpfAbNf7Uy+YEP9GwCg3JKk
KsmZANVf6AE5y+OalKg/W3w=Cyul
-----END PGP SIGNATURE-----

Hi Daniel!

I experienced the same problem after upgrading on Debian, so I stopped
daemons, again, deleted *.tdb files under /var/cache/samba/ (also
printers/) and started the daemons and everything got fixed. I hope it
helps.

Regards,

Juan Rey Saura

daniel.jarboe@custserv.com wrote:
>Recently I upgraded a server from samba 3.0.2a to 3.0.6, and now apache
>won't authenticate properly with pam_winbind.  Winbind's been
restarted,
>apache has been restarted, for grins I even rebooted the server.
>
>>From /var/log/messages:
>Aug 26 10:24:51 linps2 pam_winbind[654]: user 'jarboed' granted
acces
>
>>From apache's error log:
>[Thu Aug 26 10:24:51 2004] [error] (2)No such file or directory: access
>to /cgi-bin/print/modify/modify.py failed for 10.176.156.41, reason:
>User not known to the underlying authentication module
>
>This is on SLES8 s390 using the sernet srpms.  To break it, I upgrade to
>the new rpms, to fix it, I rpm -Uhv --oldpackage to the old ones.  I can
>go back and forth, and it breaks/fixes.
>
>The apache behavior is kind of strange too, it doesn't prompt for
>another password, just immediately returns the 401 Authentication
>Required.
>
>/etc/pam.d/httpd is only:
>auth            required        /lib/security/pam_winbind.so
>account         required        /lib/security/pam_winbind.so
>
>Since the only thing changing is the version of samba installed, does
>anyone have any ideas?
>
>Thanks,
>~ Daniel
>
>
>
>
>
>
>
>
>
>
>
>
>  
>

Hi Juan!

On Thu, 26 Aug 2004 17:05:11 +0200 Juan Rey Saura <juanrey@inicia.es>
wrote:
> I experienced the same problem after upgrading on Debian, so I stopped
> daemons, again, deleted *.tdb files under /var/cache/samba/ (also
> printers/) and started the daemons and everything got fixed. 
Yepp - that was the solution to my (similar) problems, too. Too simple
so I did not think of that one either.

Maybe the Debian package maintainer (is he listening?) could put a 
one-liner into the restart-scripts, doing the remove automatically?

Thanks a lot

Volker Tanger
ITK Security

> | [Thu Aug 26 10:24:51 2004] [error] (2)No such file
> | or directory: access to /cgi-bin/print/modify/modify.py
> | failed for 10.176.156.41, reason:
> | User not known to the underlying authentication module
> 
> Did the libnss_winbind.so.2 get updated via the RPM
> upgrade ?  That would be the first place I would look.
> You can run winbindd at level 10 and see if ther request
> sizes match up with what the daemon expects.

Yes, /lib/libnss_winbind.so.2 is the one that was
packaged with the new rpm.  The libnss_winbind.so symlink
is still there, too.  There's none of the "Invalid request
size" messages that happen when different versions of the
libnss_winbind.so are used.  

Per some other suggestions, I backed up the tdb's and
saved file ownership information, then removed tdb files
and started fresh to see if it made any difference... it
did not for me.

Comparing the two winbindd.log's, I notice the new version
never reports a getgrnam.  The .htaccess file requires group
"Domain Print Ops"

Debug level 5...

both:

nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
  request location of privileged pipe
nsswitch/winbindd_pam.c:winbindd_pam_auth(88)
  pam auth jarboed
nsswitch/winbindd_cm.c:cm_get_ipc_userpass(107)
  IPC$ connections done anonymously
nsswitch/winbindd_cm.c:cm_open_connection(221)
  anonymous connection attempt to TCS_MAIN_PDC from LINPS1
nsswitch/winbindd_pam.c:winbindd_pam_auth(212)
  Plain-text authentication for user jarboed returned NT_STATUS_OK (PAM:
0)
nsswitch/winbindd.c:winbind_client_read(465)
  read failed on sock 20, pid 536: EOF


old version does this:

nsswitch/winbindd_misc.c:winbindd_interface_version(261)
  request interface version
nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
  request location of privileged pipe

then they both pick up again:

nsswitch/winbindd_user.c:winbindd_getpwnam(122)
  getpwnam jarboed
nsswitch/winbindd_rpc.c:name_to_sid(290)
  rpc: name_to_sid name=jarboed
nsswitch/winbindd_rpc.c:name_to_sid(299)
  name_to_sid [rpc] jarboed for domain TCS_MAIN_DOM
nsswitch/winbindd_rpc.c:query_user(382)
  rpc: query_user rid=S-1-5-21-2020293289-429224891-1907648334-21755
nsswitch/winbindd_rpc.c:query_user(393)
  query_user: Cache lookup succeeded for
S-1-5-21-2020293289-429224891-1907648334-21755

the old version continues, while the new version has stopped...

nsswitch/winbindd_user.c:winbindd_getpwnam(122)
  getpwnam jarboed
nsswitch/winbindd_rpc.c:name_to_sid(290)
  rpc: name_to_sid name=jarboed
nsswitch/winbindd_rpc.c:name_to_sid(299)
  name_to_sid [rpc] jarboed for domain TCS_MAIN_DOM
nsswitch/winbindd_group.c:winbindd_getgrnam(232)
  getgrnam Domain Print Ops
nsswitch/winbindd_rpc.c:name_to_sid(290)
  rpc: name_to_sid name=Domain Print Ops
nsswitch/winbindd_rpc.c:name_to_sid(299)
  name_to_sid [rpc] Domain Print Ops for domain TCS_MAIN_DOM
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
  request interface version
nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
  request location of privileged pipe
nsswitch/winbindd.c:winbind_client_read(465)
  read failed on sock 20, pid 572: EOF

Any ideas?
Thanks,
~ Daniel

> > | [Thu Aug 26 10:24:51 2004] [error] (2)No such file
> > | or directory: access to /cgi-bin/print/modify/modify.py
> > | failed for 10.176.156.41, reason:
> > | User not known to the underlying authentication module
> >
> > Did the libnss_winbind.so.2 get updated via the RPM
> > upgrade ?  That would be the first place I would look.
> > You can run winbindd at level 10 and see if ther request
> > sizes match up with what the daemon expects.
> 
The winbind patch at http://samba.org/~jerry/patches/post-3.0.6/ 
fixed it, thanks

~ Daniel