Hans-Kristian Bakke
2014-Jan-04 03:24 UTC
[Samba] sudo issues after upgrading to samba/winbind 4.0.13 on Debian Wheezy
Hi
I have upgraded from samba 3.6.19 to samba 4.0.13 on Debian Wheezy
64-bit with Samba 4.0.13 from wheezy-backports. I use winbind to
authenticate against a two-server AD domain on Server 2012 functional
level and forced LDAPS.
After upgrading from 3.6.19 to 4.0.13 everything still works for me as
usual. That is samba shares authentication, all things relying on the
keytab, SSO logins with SSH using GSSAPI and so on. But strangely sudo
for winbind users does not work anymore. The sudo package was not
updated, but I installed a newer version (1.8.8) just to check, with no
success.
wbinfo, getent, id, groups and su - work perfectly with all users and
group memberships listed.
When trying sudo in any form, like sudo -i, I get the password
question, but after inputting the password sudo just hangs, not
responding to anything and sometimes timing out; other times I kill
it from another root session.
It is like this on all my Wheezy servers after upgrading to 4.0.13
(and installing libpam-winbind and libnss-winbind). I have not messed
with the sudo configuration or pam.d configuration on any of the
servers, other than adding the user to sudoers (adduser xxx sudo).
Local users work perfectly with sudo. Wheezy servers that I have not
upgraded to 4.0.13 are working correctly and the pam.d configs seem
identical.
I have purged everything related to samba/winbind and reinstalled,
including leaving and joining the domain with no success for sudo.
I have straced the issue and it seems to be looping trying to pull
data from /var/lib/samba/winbindd_privileged/pipe.
The strace had to be attached via pid after initiating sudo -i and
waiting for input, as I got some setuid error trying to run the command
itself with strace.
---
lstat("/var/run/samba/winbindd", {st_mode=S_IFDIR|0755, st_size=60, ...}) = 0
lstat("/var/run/samba/winbindd/pipe", {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
socket(PF_FILE, SOCK_STREAM, 0) = 4
fcntl(4, F_GETFL) = 0x2 (flags O_RDWR)
fcntl(4, F_SETFL, O_RDWR|O_NONBLOCK) = 0
fcntl(4, F_GETFD) = 0
fcntl(4, F_SETFD, FD_CLOEXEC) = 0
connect(4, {sa_family=AF_FILE, path="/var/run/samba/winbindd/pipe"}, 110) = 0
poll([{fd=4, events=POLLIN|POLLOUT|POLLHUP}], 1, -1) = 1 ([{fd=4, revents=POLLOUT}])
write(4, "0\10\0\0\0\0\0\0\0\0\0\0\17\34\0\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 2096) = 2096
poll([{fd=4, events=POLLIN|POLLHUP}], 1, 5000) = 1 ([{fd=4, revents=POLLIN}])
read(4, "\250\r\0\0\2\0\0\0\33\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 3496) = 3496
poll([{fd=4, events=POLLIN|POLLOUT|POLLHUP}], 1, -1) = 1 ([{fd=4, revents=POLLOUT}])
write(4, "0\10\0\0/\0\0\0\0\0\0\0\17\34\0\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 2096) = 2096
poll([{fd=4, events=POLLIN|POLLHUP}], 1, 5000) = 1 ([{fd=4, revents=POLLIN}])
read(4, "\313\r\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 3496) = 3496
poll([{fd=4, events=POLLIN|POLLHUP}], 1, 5000) = 1 ([{fd=4, revents=POLLIN}])
read(4, "/var/lib/samba/winbindd_privileg"..., 35) = 35
lstat("/var/lib/samba/winbindd_privileged", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
lstat("/var/lib/samba/winbindd_privileged/pipe", {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
socket(PF_FILE, SOCK_STREAM, 0) = 10
fcntl(10, F_GETFL) = 0x2 (flags O_RDWR)
fcntl(10, F_SETFL, O_RDWR|O_NONBLOCK) = 0
fcntl(10, F_GETFD) = 0
fcntl(10, F_SETFD, FD_CLOEXEC) = 0
connect(10, {sa_family=AF_FILE, path="/var/lib/samba/winbindd_privileged/pipe"}, 110) = 0
close(4) = 0
poll([{fd=10, events=POLLIN|POLLOUT|POLLHUP}], 1, -1) = 1 ([{fd=10, revents=POLLOUT}])
write(10, "0\10\0\0\r\0\0\0\0\0\0\0\17\34\0\0\0\0\0\0\236\360\0\0\0\0\0\0\0\0\0\0"..., 2096) = 2096
poll([{fd=10, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
poll([{fd=10, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
poll([{fd=10, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
poll([{fd=10, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
poll([{fd=10, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
poll([{fd=10, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
poll([{fd=10, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
close(10)
---
Regards
Hans-Kristian
Hans-Kristian Bakke
2014-Jan-04 20:27 UTC
[Samba] sudo issues after upgrading to samba/winbind 4.0.13 on Debian Wheezy
Actually, when disabling GSSAPI, login also fails for SSH. It
is in other words a general issue when using winbind for logins and
not Kerberos tickets. I also did a completely clean netinstall of
Debian jessie, just installing openssh-server, bash-completion, vim,
less, winbind, libpam-winbind and libnss-winbind, adding the machine
to the domain, updating nsswitch.conf (verified with ldconfig -v | grep
winbind) and adding mkhomedir to /usr/share/pam-config/ like
usual. Changing nothing else!
Output from /var/log/auth.log when trying to authenticate as the user
"hk":
...
Jan 4 21:15:13 test sshd[1765]: debug1: userauth-request for user hk service ssh-connection method password [preauth]
Jan 4 21:15:13 test sshd[1765]: debug1: attempt 2 failures 1 [preauth]
Jan 4 21:15:13 test sshd[1765]: debug2: input_userauth_request: try method password [preauth]
Jan 4 21:15:13 test sshd[1765]: debug3: mm_auth_password entering [preauth]
Jan 4 21:15:13 test sshd[1765]: debug3: mm_request_send entering: type 12 [preauth]
Jan 4 21:15:13 test sshd[1765]: debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD [preauth]
Jan 4 21:15:13 test sshd[1765]: debug3: mm_request_receive_expect entering: type 13 [preauth]
Jan 4 21:15:13 test sshd[1765]: debug3: mm_request_receive entering [preauth]
Jan 4 21:15:13 test sshd[1765]: debug3: mm_request_receive entering
Jan 4 21:15:13 test sshd[1765]: debug3: monitor_read: checking request 12
Jan 4 21:15:13 test sshd[1765]: debug3: PAM: sshpam_passwd_conv called with 1 messages
Jan 4 21:15:13 test sshd[1765]: pam_winbind(sshd:auth): getting password (0x00000388)
Jan 4 21:15:13 test sshd[1765]: pam_winbind(sshd:auth): pam_get_item returned a password
Jan 4 21:15:13 test sshd[1713]: debug1: server_input_channel_req: channel 0 request winadj@putty.projects.tartarus.org reply 1
Jan 4 21:15:13 test sshd[1713]: debug1: session_by_channel: session 0 channel 0
Jan 4 21:15:13 test sshd[1713]: debug1: session_input_channel_req: session 0 req winadj@putty.projects.tartarus.org
Jan 4 21:15:13 test sshd[1713]: debug2: channel 0: rcvd adjust 8740
Jan 4 21:15:13 test sshd[1765]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_CONNECTION_DISCONNECTED, Error message was: NT_STATUS_CONNECTION_DISCONNECTED
Jan 4 21:15:13 test sshd[1765]: pam_winbind(sshd:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'hk')
Jan 4 21:15:15 test sshd[1765]: debug1: PAM: password authentication failed for hk: Authentication failure
...
My smb.conf (remember samba is not used or installed, but it makes no
difference with samba installed):
[global]
server string = %h server
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
usershare allow guests = yes
disable netbios = yes
# Active directory integration
workgroup = PROIKT
server role = member server
security = ads
realm = ad.proikt.com
client ldap sasl wrapping = seal
kerberos method = secrets and keytab
winbind cache time = 300
winbind enum users = yes
winbind enum groups = yes
winbind expand groups = 5
winbind use default domain = yes
winbind refresh tickets = yes
winbind offline logon = yes
template shell = /bin/bash
template homedir = /home/%U@%D
idmap config * : backend = tdb
idmap config * : range = 100000-299999
idmap config PROIKT : backend = rid
idmap config PROIKT : range = 300000-499999
---
This exact configuration worked perfectly on 3.6.X, but does not work on
4.0.13 (wheezy-backports on wheezy) or 4.1.3 (jessie). sudo and
non-GSSAPI SSH logins are currently not working.
Any ideas?
I do enforce LDAPS with valid certificates on my domain controllers
(clean Server 2012 and Server 2012 R2). DNS seems to be working
perfectly, although I did see some seemingly unrelated IPv6
DNS lookups from the same host in my tcpdumps, but I have no
indication that it is related to this issue as I do not use IPv6 in my
network (although it is enabled by default in Debian).
Regards,
Hans-Kristian
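An added triage helper, not from the post or from Samba, that walks an strace like the one in the first message, maps each fd to the winbind socket it connected to, and reports which pipe accepted a request but never answered; the sample is a constructed excerpt of that trace with wrapped lines rejoined.

```python
import re

# Constructed excerpt of the strace from the first post (wrapped lines rejoined,
# lstat/fcntl noise dropped); the byte strings are the post's own.
SUDO_TRACE = r"""
connect(4, {sa_family=AF_FILE, path="/var/run/samba/winbindd/pipe"}, 110) = 0
write(4, "0\10\0\0\0\0\0\0\0\0\0\0\17\34\0\0\0\10\0\0"..., 2096) = 2096
poll([{fd=4, events=POLLIN|POLLHUP}], 1, 5000) = 1 ([{fd=4, revents=POLLIN}])
read(4, "\250\r\0\0\2\0\0\0\33\0\0\0\0\0\0\0\0\0\0\0"..., 3496) = 3496
read(4, "/var/lib/samba/winbindd_privileg"..., 35) = 35
connect(10, {sa_family=AF_FILE, path="/var/lib/samba/winbindd_privileged/pipe"}, 110) = 0
close(4) = 0
write(10, "0\10\0\0\r\0\0\0\0\0\0\0\17\34\0\0\0\0\0\0\236\360"..., 2096) = 2096
poll([{fd=10, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
poll([{fd=10, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
poll([{fd=10, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
close(10)
"""

CONNECT = re.compile(r'^connect\((\d+), \{sa_family=AF_FILE, path="([^"]+)"\}')
WRITE = re.compile(r'^write\((\d+), .*\) = (\d+)$')
READ = re.compile(r'^read\((\d+), .*\) = (\d+)$')
TIMEOUT = re.compile(r'^poll\(\[\{fd=(\d+),[^\]]*\], 1, (\d+)\) = 0 \(Timeout\)')
CLOSE = re.compile(r'^close\((\d+)\)')


def analyse_strace(trace):
    """Per winbind socket: bytes sent, bytes answered, time lost to poll timeouts."""
    fd_path = {}   # fd -> unix socket path while that fd is open
    stats = {}     # path -> counters
    for line in trace.splitlines():
        if m := CONNECT.match(line):
            fd_path[m[1]] = m[2]
            stats.setdefault(m[2], {"sent": 0, "received": 0, "stalled_ms": 0})
        elif (m := WRITE.match(line)) and m[1] in fd_path:
            stats[fd_path[m[1]]]["sent"] += int(m[2])
        elif (m := READ.match(line)) and m[1] in fd_path:
            stats[fd_path[m[1]]]["received"] += int(m[2])
        elif (m := TIMEOUT.match(line)) and m[1] in fd_path:
            stats[fd_path[m[1]]]["stalled_ms"] += int(m[2])
        elif m := CLOSE.match(line):
            fd_path.pop(m[1], None)  # fd numbers are reused after close
    return stats


def unanswered_pipes(stats):
    """Sockets that took a request but never sent a byte back: the hang in the post."""
    return sorted(p for p, s in stats.items() if s["sent"] and not s["received"])
```

In the trace above the public pipe answers (and hands back the privileged pipe path), while the privileged pipe swallows the 2096-byte request and only accumulates 5000 ms timeouts, which is the fd 10 loop the author saw.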