Hi,

I just upgraded my member (fileserver) server (wheezy) from sernet-4.1 to sernet-4.2, to be ready for tomorrow's badlock outbreak. Under 4.1 we used sssd, and now 4.2 with winbind.

Everything seems to be running well: wbinfo (-p, -u, -g, -t) all give the expected results, same for getent (group, passwd, username). File serving works, life is good. :-)

Last step: allowing ssh access for AD users with a configured shell into my member server -> PAM

I followed the list instructions: created the file /usr/share/pam-configs/winbind with the content taken from the list. Then ran pam-auth-update, disabled SSS, enabled winbind.

But alas... logging in over ssh does not work, and auth.log tells me:

> Apr 11 20:18:32 filehost sshd[4884]: pam_winbind(sshd:auth): getting password (0x00000388)
> Apr 11 20:18:32 filehost sshd[4884]: pam_winbind(sshd:auth): pam_get_item returned a password
> Apr 11 20:18:32 filehost sshd[4884]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_CONNECTION_DISCONNECTED, Error message was: The transport connection is now disconnected.
> Apr 11 20:18:32 filehost sshd[4884]: pam_winbind(sshd:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'username')
> Apr 11 20:18:34 filehost sshd[4884]: Failed password for username from x.y.z.88 port 49302 ssh2

Internal module error? WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4)?

Does anyone have an idea what is going on here?

MJ
Seems I cheered too early, and I have some more winbind issues I didn't realise before... here are winbind logs:

> [2016/04/11 20:39:01.330107, 1] ../source3/librpc/crypto/gse_krb5.c:416(fill_mem_keytab_from_system_keytab)
> ../source3/librpc/crypto/gse_krb5.c:416: krb5_kt_start_seq_get failed (Permission denied)
> [2016/04/11 20:39:01.330143, 0] ../lib/util/fault.c:78(fault_report)
> ==============================================================
> [2016/04/11 20:39:01.330173, 0] ../lib/util/fault.c:79(fault_report)
> INTERNAL ERROR: Signal 11 in pid 4899 (4.2.9-SerNet-Debian-8.wheezy)
> Please read the Trouble-Shooting section of the Samba HOWTO
> [2016/04/11 20:39:01.330199, 0] ../lib/util/fault.c:81(fault_report)
> ==============================================================
> [2016/04/11 20:39:01.330217, 0] ../source3/lib/util.c:788(smb_panic_s3)
> PANIC (pid 4899): internal error
> [2016/04/11 20:39:01.330733, 0] ../source3/lib/util.c:899(log_stack_trace)
> BACKTRACE: 29 stack frames:
> #0 /usr/lib/x86_64-linux-gnu/samba/libsmbconf.so.0(log_stack_trace+0x1a) [0x7f64c5f6699b]
> #1 /usr/lib/x86_64-linux-gnu/samba/libsmbconf.so.0(smb_panic_s3+0x55) [0x7f64c5f66a99]
> #2 /usr/lib/x86_64-linux-gnu/samba/libsamba-util.so.0(smb_panic+0x2d) [0x7f64c9883ed3]
> #3 /usr/lib/x86_64-linux-gnu/samba/libsamba-util.so.0(+0x231ec) [0x7f64c98841ec]
> #4 /lib/x86_64-linux-gnu/libpthread.so.0(+0xf0a0) [0x7f64cb2520a0]
> #5 /usr/lib/x86_64-linux-gnu/samba/libkrb5-samba4.so.26(krb5_storage_free+0x4) [0x7f64c7f0ae4f]
> #6 /usr/lib/x86_64-linux-gnu/samba/libkrb5-samba4.so.26(+0x3c7cd) [0x7f64c7ef67cd]
> #7 /usr/lib/x86_64-linux-gnu/samba/libkrb5-samba4.so.26(krb5_kt_end_seq_get+0x2a) [0x7f64c7ef5eac]
> #8 /usr/lib/x86_64-linux-gnu/samba/libgse-samba4.so(+0xa981) [0x7f64c4aaf981]
> #9 /usr/lib/x86_64-linux-gnu/samba/libgse-samba4.so(gse_krb5_get_server_keytab+0x3db) [0x7f64c4aafdaa]
> #10 /usr/lib/x86_64-linux-gnu/samba/libgse-samba4.so(+0xc644) [0x7f64c4ab1644]
> #11 /usr/lib/x86_64-linux-gnu/samba/libgensec.so.0(gensec_start_mech+0x197) [0x7f64c4ce3eaf]
> #12 /usr/lib/x86_64-linux-gnu/samba/libgensec.so.0(gensec_start_mech_by_oid+0xd9) [0x7f64c4ce4194]
> #13 /usr/sbin/winbindd(kerberos_return_pac+0x5b2) [0x7f64cb6a8248]
> #14 /usr/sbin/winbindd(winbindd_dual_pam_auth+0x792) [0x7f64cb6c6be5]
> #15 /usr/sbin/winbindd(+0x5aa44) [0x7f64cb6dba44]
> #16 /usr/lib/x86_64-linux-gnu/samba/libtevent.so.0(+0x9771) [0x7f64c9001771]
> #17 /usr/lib/x86_64-linux-gnu/samba/libtevent.so.0(+0x7a2b) [0x7f64c8fffa2b]
> #18 /usr/lib/x86_64-linux-gnu/samba/libtevent.so.0(_tevent_loop_once+0x92) [0x7f64c8ffc3b1]
> #19 /usr/sbin/winbindd(+0x5daef) [0x7f64cb6deaef]
> #20 /usr/sbin/winbindd(+0x5dc57) [0x7f64cb6dec57]
> #21 /usr/lib/x86_64-linux-gnu/samba/libtevent.so.0(+0x4d68) [0x7f64c8ffcd68]
> #22 /usr/lib/x86_64-linux-gnu/samba/libtevent.so.0(tevent_common_loop_immediate+0x128) [0x7f64c8ffcc15]
> #23 /usr/lib/x86_64-linux-gnu/samba/libtevent.so.0(+0x94ba) [0x7f64c90014ba]
> #24 /usr/lib/x86_64-linux-gnu/samba/libtevent.so.0(+0x7a2b) [0x7f64c8fffa2b]
> #25 /usr/lib/x86_64-linux-gnu/samba/libtevent.so.0(_tevent_loop_once+0x92) [0x7f64c8ffc3b1]
> #26 /usr/sbin/winbindd(main+0x11d5) [0x7f64cb6b7319]
> #27 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd) [0x7f64c3879ead]
> #28 /usr/sbin/winbindd(+0x26a09) [0x7f64cb6a7a09]
> [2016/04/11 20:39:01.330997, 0] ../source3/lib/dumpcore.c:313(dump_core)
> unable to change to /var/log/samba/cores/winbindd
> refusing to dump core

These errors sound serious and scary...

A good idea, anyone?

MJ
Some other observations in log.winbindd-idmap:

> [2016/04/12 08:37:54.028456, 1] ../source3/winbindd/idmap_ad.c:523(idmap_ad_sids_to_unixids)
> Could not get unix ID for SID S-1-5-21-90839350-987482234-868425949-133237
> [2016/04/12 08:45:57.051863, 1] ../source3/winbindd/idmap_ad.c:523(idmap_ad_sids_to_unixids)
> Could not get unix ID for SID S-1-5-21-90839350-987482234-868425949-133222

This happens for 30 different SIDs: some with a long last RID:

> Could not get unix ID for SID S-1-5-21-90839350-987482234-868425949-133237
> Could not get unix ID for SID S-1-5-21-90839350-987482234-868425949-132270
> Could not get unix ID for SID S-1-5-21-90839350-987482234-868425949-132722

and with shorter RIDs like

> Could not get unix ID for SID S-1-5-21-90839350-987482234-868425949-501
> Could not get unix ID for SID S-1-5-21-90839350-987482234-868425949-502
> Could not get unix ID for SID S-1-5-21-90839350-987482234-868425949-517

However, looking at an ldif dump of our CN=Users, I can't find these numbers...?

Anyone..?

MJ
I just looked over your previous messages.

I think the best is that you set up sssd again, so keep the setup as it was.

I just upgraded my sernet samba 4.2.7 to latest 4.2.9. And from that point I upped to 4.3.6 (debian samba, a rebuild from debian sid to jessie). This was without problems, but I'm not using sssd.

Maybe someone with sssd knowledge can help more why you have SID differences.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of lists
> Sent: Tuesday 12 April 2016 9:04
> To: samba at lists.samba.org
> Subject: Re: [Samba] winbind pam trouble
>
> Some other observations in log.winbindd-idmap:
>
> > [2016/04/12 08:37:54.028456, 1] ../source3/winbindd/idmap_ad.c:523(idmap_ad_sids_to_unixids)
> > Could not get unix ID for SID S-1-5-21-90839350-987482234-868425949-133237
> > [2016/04/12 08:45:57.051863, 1] ../source3/winbindd/idmap_ad.c:523(idmap_ad_sids_to_unixids)
> > Could not get unix ID for SID S-1-5-21-90839350-987482234-868425949-133222
>
> This happens for 30 different SID's: some with a long last RID:
>
> > Could not get unix ID for SID S-1-5-21-90839350-987482234-868425949-133237
> > Could not get unix ID for SID S-1-5-21-90839350-987482234-868425949-132270
> > Could not get unix ID for SID S-1-5-21-90839350-987482234-868425949-132722
>
> and with shorter RID's like
>
> > Could not get unix ID for SID S-1-5-21-90839350-987482234-868425949-501
> > Could not get unix ID for SID S-1-5-21-90839350-987482234-868425949-502
> > Could not get unix ID for SID S-1-5-21-90839350-987482234-868425949-517
>
> However, and looking at an ldif dump of our CN=Users, I can't find these numbers...?
>
> Anyone..?
>
> MJ