Stefano
2006-Sep-29 00:25 UTC
[Samba] pam_winbind causing local user login failures on 3.0.23c ... and a couple of other things
All,

I'm currently running a CentOS 4.4 x86_64 server and wanted to have single sign-on for Active Directory users on my domain. CentOS 4.4 comes with Samba 3.0.10-1.4E.9, which ends up filling my logs with messages related to the BUILTIN users/groups. I have a few local user accounts on the server for testing, etc. Since issues related to winbind and BUILTIN users/groups have recently been resolved, I decided to update Samba. I downloaded the Fedora Core RPM for 3.0.23c, rebuilt it on my server and installed it. In order to have a "fresh start", I moved the /var/cache/samba directory elsewhere.

I successfully completed the following steps:

  - kinit Administrator@DOMAIN
  - net ads join -Uadministrator
  - service winbind start
  - service smb start
  - wbinfo -u
  - wbinfo -g
  - wbinfo -t
  - wbinfo -n userid

I've listed 3 issues ... the first I've solved, but I don't understand why it behaves as it does; the second is more of a question on lower/mixed case group/user ids; but the third issue is related to pam_winbind not allowing local users to log in and is causing me lots of grief ...

ISSUE #1
========

I had a problem with "getent passwd userid" ... it did not print anything to my screen. My logs were full of messages such as:

  Sep 28 16:42:01 computer1 winbindd[6372]: [2006/09/28 16:42:01, 0] sam/idmap_rid.c:rid_idmap_get_id_from_sid(491)
  Sep 28 16:42:01 computer1 winbindd[6372]:   rid_idmap_get_id_from_sid: no suitable range available for sid: S-xxxxxxxxxxxxxxxxxxxxxxxxxx

Obviously the SIDs were not getting mapped to the UID/GID.

My smb.conf file is below:

  [global]
          workgroup = DOMAIN
          realm = DOMAIN.EXAMPLE.COM
          server string = computer1
          interfaces = eth0
          security = ADS
          allow trusted domains = No
          password server = kdc1.example.com
          log file = /var/log/samba/%m.log
          max log size = 1024
          smb ports = 445
          name resolve order = host
          deadtime = 15
          socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
          preferred master = No
          local master = No
          domain master = No
          dns proxy = No
          idmap uid = 1000000-10000000
          idmap gid = 1000000-10000000
          idmap backend = rid:BUILTIN=1000000-4999999,DOMAIN=5000000-10000000
          template homedir = /data/domain/%U
          template shell = /bin/bash
          winbind use default domain = Yes
          winbind nested groups = Yes
  #       winbind refresh tickets = Yes
  #       winbind offline logon = Yes
          winbind enum users = No
          winbind enum groups = No
          load printers = Yes
          cups options = raw

I decided to rearrange the line "idmap backend" to the following:

  idmap backend rid:"DOMAIN=5000000-10000000,BUILTIN=1000000-4999999"

and now "getent passwd userid" WORKED! The "rid_idmap_get_id_from_sid" error messages are gone. I don't understand why the order of DOMAIN/BUILTIN should make a difference in winbind being able to map a RID to a SID. Please explain, or is this a bug?

ISSUE #2
========

I decided to also change "winbind use default domain" to "No". I restarted winbind and smb, and doing a "wbinfo -g" resulted in lowercase group names, whereas leaving it as "Yes" returned mixed case group names, such as:

With "winbind use default domain = Yes":

  # wbinfo -g
  .....
  WaterGroup
  .....

With "winbind use default domain = No":

  # wbinfo -g
  .....
  DOMAIN\watergroup
  .....

Is this significant? Is WaterGroup interpreted the same as DOMAIN\watergroup? It appears case is ignored for user and group names. Is this correct? What is the proper way to specify user and group names in smb.conf?

ISSUE #3
========

At this point I am able to login using ADS credentials and all is good, HOWEVER, I CANNOT login using a LOCAL user account. If I comment out the pam_winbind lines in /etc/pam.d/system-auth, I can login, but now I have no ADS authenticated logins.

/etc/pam.d/system-auth:

  #%PAM-1.0
  # This file is auto-generated.
  # User changes will be destroyed the next time authconfig is run.
  auth        required      /lib/security/$ISA/pam_env.so
  auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
  auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass require_membership_of=WaterGroup
  auth        required      /lib/security/$ISA/pam_deny.so

  account     required      /lib/security/$ISA/pam_unix.so broken_shadow
  account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
  account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
  account     required      /lib/security/$ISA/pam_permit.so

  password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
  password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
  password    sufficient    /lib/security/$ISA/pam_winbind.so use_authtok
  password    required      /lib/security/$ISA/pam_deny.so

  session     required      /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=0077
  session     required      /lib/security/$ISA/pam_limits.so
  session     required      /lib/security/$ISA/pam_unix.so

/var/log/messages is as follows:

  ........
  Sep 28 18:31:09 computer1 sshd(pam_unix)[13565]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=computer2.example.com user=adsuser
  Sep 28 18:31:09 computer1 pam_winbind[13565]: user 'adsuser' OK
  Sep 28 18:31:09 computer1 pam_winbind[13565]: user 'adsuser' granted access
  Sep 28 18:31:09 computer1 pam_winbind[13565]: user 'adsuser' OK
  Sep 28 18:31:09 computer1 pam_winbind[13565]: user 'adsuser' granted access
  Sep 28 18:31:09 computer1 sshd(pam_unix)[13582]: session opened for user adsuser by (uid=0)
  Sep 28 18:31:28 computer1 sshd(pam_unix)[13582]: session closed for user adsuser
  .........
  Sep 28 18:32:07 computer1 pam_winbind[13636]: request failed, but PAM error 0!
  Sep 28 18:32:07 computer1 pam_winbind[13636]: internal module error (retval = 3, user = `localuser')
  ..........

As you can see, the domain user has no trouble logging in, but the "localuser" is denied. This worked under 3.0.10. Also, the domain user (adsuser) is granted access twice!

I need a local user login because I use FreeNX, which uses the nx user (which is local to the machine) to authenticate the connection prior to submitting the user's credentials.

I would very much appreciate any help / comments on the above. Please let me know if I need to provide additional info to help resolve this issue.

Sincerely,
Stefano
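As an added illustration (not part of Stefano's post), the following Python snippet simulates Linux-PAM control-flag semantics over the "account" stack quoted in the post, so the effect of the `[default=bad success=ok user_unknown=ignore]` line can be traced for a local and a domain user. The module return values are constructed: pam_winbind is assumed to return 3 (PAM_SERVICE_ERR, the "retval = 3" in the log) for the local user and 0 (PAM_SUCCESS) for the domain user, and pam_unix and pam_permit are assumed to succeed.

```python
# Constructed simulator of Linux-PAM stack evaluation (added example, not from the post).
PAM_SUCCESS, PAM_SERVICE_ERR, PAM_PERM_DENIED, PAM_AUTH_ERR, PAM_USER_UNKNOWN = 0, 3, 6, 7, 10

# Keyword controls written as the [value=action] tables Linux-PAM documents them as.
CONTROLS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
}
NAMES = {PAM_SUCCESS: "success", PAM_SERVICE_ERR: "service_err",
         PAM_AUTH_ERR: "auth_err", PAM_USER_UNKNOWN: "user_unknown"}

def parse_control(spec):
    """'required' or '[default=bad success=ok user_unknown=ignore]' -> value->action table."""
    if spec in CONTROLS:
        return CONTROLS[spec]
    return dict(kv.split("=") for kv in spec.strip("[]").split())

def run_stack(stack, results):
    """stack: [(control, module)]; results: module -> return code. Returns the stack's code."""
    impression = None                          # None: no module has contributed yet
    for control, module in stack:
        rv = results[module]
        table = parse_control(control)
        action = table.get(NAMES.get(rv, ""), table["default"])
        if action == "ignore":
            continue
        # ok/done/bad/die: the first failure recorded sticks; success only fills an empty slot
        if impression in (None, PAM_SUCCESS):
            impression = rv
        if action in ("done", "die"):          # sufficient success / requisite failure stop here
            break
    return PAM_PERM_DENIED if impression is None else impression

# The account phase from the poster's /etc/pam.d/system-auth
ACCOUNT_STACK = [
    ("required", "pam_unix"),
    ("sufficient", "pam_succeed_if"),          # uid < 100 quiet
    ("[default=bad success=ok user_unknown=ignore]", "pam_winbind"),
    ("required", "pam_permit"),
]

def account_result(winbind_rv, uid):
    """Final account-phase code for a user with this uid and this pam_winbind result (assumed)."""
    results = {"pam_unix": PAM_SUCCESS, "pam_permit": PAM_SUCCESS,
               "pam_succeed_if": PAM_SUCCESS if uid < 100 else PAM_AUTH_ERR,
               "pam_winbind": winbind_rv}
    return run_stack(ACCOUNT_STACK, results)
```

Running `account_result` with a return of 3 versus 10 from pam_winbind shows why only `user_unknown` is tolerated by that control line, and that any uid below 100 is passed by pam_succeed_if before pam_winbind is consulted at all.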