Martin Krämer
2019-Apr-15 18:26 UTC
[Samba] winbind offline login - NT_STATUS_NO_SUCH_USER (0xc0000064)
Hello All, I am at the switch from sssd to winbind based samba domain members (Debian 9 stretch). I am using Samba 4.10.2 packages from Louis ( http://apt.van-belle.nl/ ) and rid backend for idmap. *My problem:* I am able to logon to my domain members using winbind_pam as long as my client is connected to a network where a domain controller is reachable. As soon as I shutdown and connect a client to a network without domain controller reachable and try to login again using a user used for previous logon, I recieve error: *lightdm[1109]: pam_winbind(lightdm:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: The specified account does not exist.* *What I have done already ( I added a ping at the end of every command list to show you if I was "online" or "offiline"):* 1. I read the wiki :) - https://wiki.samba.org/index.php/PAM_Offline_Authentication Based on this I found that I can test offline authentication as follows with "switch winbindd to offline mode by hand": *root at cd2bd668e00c7:~# wbinfo -K EXAMPLE.CORP\\faiuser* *Enter EXAMPLE.CORP\faiuser's password: * *plaintext kerberos password authentication for [EXAMPLE.CORP\faiuser] succeeded (requesting cctype: FILE)* *credentials were put in: FILE:/tmp/krb5cc_0* *root at cd2bd668e00c7:~# smbcontrol winbind offline* *root at cd2bd668e00c7:~# wbinfo -K EXAMPLE.CORP\\faiuser* *Enter EXAMPLE.CORP\faiuser's password: * *plaintext kerberos password authentication for [EXAMPLE.CORP\faiuser] succeeded (requesting cctype: FILE)* *user_flgs: NETLOGON_CACHED_ACCOUNT* *credentials were put in: FILE:/tmp/krb5cc_0* *root at cd2bd668e00c7:~# ping -c1 EXAMPLE.CORP* *PING EXAMPLE.CORP (192.168.33.251) 56(84) bytes of data.* *64 bytes from location-000001.example.corp (192.168.33.251): icmp_seq=1 ttl=64 time=0.122 ms* *--- EXAMPLE.CORP ping statistics ---* *1 packets transmitted, 1 received, 0% packet loss, time 0ms* *rtt min/avg/max/mdev = 0.122/0.122/0.122/0.000 ms* *root at cd2bd668e00c7:~#* --> seems everything fine ....BUT 2. I shutdown machine and did the same test again on offline/different network: *root at cd2bd668e00c7:~# wbinfo -K EXAMPLE.CORP\\faiuser* *Enter EXAMPLE.CORP\faiuser's password: * *plaintext kerberos password authentication for [EXAMPLE.CORP\faiuser] failed (requesting cctype: FILE)* *wbcLogonUser(EXAMPLE.CORP\faiuser): error code was NT_STATUS_NO_SUCH_USER (0xc0000064)* *error message was: The specified account does not exist.* *Could not authenticate user [EXAMPLE.CORP\faiuser] with Kerberos (ccache: FILE)* *root at cd2bd668e00c7:~# smbcontrol winbind offline* *root at cd2bd668e00c7:~# wbinfo -K EXAMPLE.CORP\\faiuser* *Enter EXAMPLE.CORP\faiuser's password: * *plaintext kerberos password authentication for [EXAMPLE.CORP\faiuser] failed (requesting cctype: FILE)* *wbcLogonUser(EXAMPLE.CORP\faiuser): error code was NT_STATUS_NO_SUCH_USER (0xc0000064)* *error message was: The specified account does not exist.* *Could not authenticate user [EXAMPLE.CORP\faiuser] with Kerberos (ccache: FILE)* *root at cd2bd668e00c7:~# ping -c1 EXAMPLE.CORP* *ping: EXAMPLE.CORP: Name or service not known* *root at cd2bd668e00c7:~#* --> hm..same command different result in different network! 3. I read the wiki article again from beginning :P - https://wiki.samba.org/index.php/PAM_Offline_Authentication I verified "winbind offline logon = yes" is defined in smb.conf --> yep (full file below) I checked if /etc/security/pam_winbind.conf contains "cached_login yes" --> nope - even worse...file does not exist at all. Only /etc/security/pam_env.conf exists .. but this is only full of comments - no values at all in it. So I created pam_winbind.conf and did tests of topic 1 & 2 again. Same result - so I deleted pam_winbind.conf again. 4. I searched the web and "lists.samba.org" archive and found: https://lists.samba.org/archive/samba/2019-February/221224.html Based on this I changed following values of my smb.conf (initially based on: https://github.com/thctlo/samba4/blob/master/howtos/stretch-base-3.2-samba-member-fileserver.txt) according to rowlands suggestion: local master = no server string = Samba 4 Client %h Once again I did tests of 1, 2 & 3 but ended up with the same results (I even deleted pam_winbind.conf again as described within 3) What I did NOT do was changing the the value of "krb5_ccache_type=FILE" to "krb5_ccache_type" within /etc/pam.d/common-auth as described as "workaround" within https://lists.samba.org/archive/samba/2019-February/221157.html since from conversation there I understood that this seems not to be correct way to handle the error. *My configuration:* *root at cd2bd668e00c7:~# cat /etc/samba/smb.conf* *[global]* * server string = Samba 4 Client %h* * local master = no* * store dos attributes = yes* * map acl inherit = yes* * vfs objects = acl_xattr* * log level = 0* * realm = EXAMPLE.CORP* * workgroup = EXAMPLE* * dedicated keytab file = /etc/krb5.keytab* * kerberos method = secrets and keytab* * winbind refresh tickets = yes* * winbind offline logon = yes* * winbind use default domain = yes* * winbind enum users = no* * winbind enum groups = no* * winbind expand groups = 4* * template shell = /bin/bash* * preferred master = no* * domain master = no* * security = ADS* * idmap config * : backend = tdb* * idmap config * : range = 3000-7000* * idmap config EXAMPLE : backend = rid* * idmap config EXAMPLE : range = 10000-999999* * username map = /etc/samba/samba_usermapping* * usershare path = * * load printers = no* * printing = bsd* * printcap name = /dev/null* * disable spoolss = yes* *root at cd2bd668e00c7:~# cat /etc/krb5.conf* *[libdefaults]* * permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5* * default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5* * default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5* * proxiable = true* * forwardable = true* * dns_lookup_kdc = true* * dns_lookup_realm = false* * default_realm = EXAMPLE.CORP* *root at cd2bd668e00c7:~# cat /etc/pam.d/common-auth | egrep -v "^#"* *auth [success=2 default=ignore] pam_unix.so nullok_secure* *auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass* *auth requisite pam_deny.so* *auth required pam_permit.so* *auth optional pam_cap.so * Thank you for any help & hints in advance. Kind Regards Martin
Martin Krämer
2019-Apr-19 05:50 UTC
[Samba] winbind offline login - NT_STATUS_NO_SUCH_USER (0xc0000064)
Hi All, I tried multiple topics and did some further analyzing regarding this. I found that described error below only appears if I restart the device when connecting from "online" to "offline". If I keep my device running winbind caches the users correctly. Based this I found the following bug report: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1165461 There the error was tracked down to /var/run/samba/gencache.tdb being stored on a temporary file system and due to this being deleted with every restart. I was able to find that "gencache.tdb" on my Debian 9 systems is stored at /run/samba/gencache.tdb being "run" a tempfs, too. In the bug report it is described that after changing/adding a new setting "lock directory = /var/cache/samba/" in smb.conf everything worked again as expected. So I did the same and voila ...caching is working even after restarts. Never the less I am still not sure if this is a correct fix. With changing the value for "lock directory" parameter multiple files were created and I am not sure if some of them store critical information causing a security problem. Below is my /var/cache/samba folder previously and after changing "lock directory" value as described above. Maybe it is possible one of the samba experts here can tell me if this is a good way to go: Prevously to changing "lock directory": *root at cd2bd668e00c7:~# ls -la /var/cache/samba/* *total 24* *drwxr-xr-x 2 root root 4096 Apr 19 07:45 .* *drwxr-xr-x 12 root root 4096 Apr 19 07:46 ..* *-rw------- 1 root root 12288 Apr 19 07:45 netsamlogon_cache.tdb* *root at cd2bd668e00c7:~#* After changing the "lock directory": *root at cd2bd668e00c7:~# ls -la /var/cache/samba/* *total 1480* *drwxr-xr-x 4 root root 4096 Apr 19 07:49 .* *drwxr-xr-x 12 root root 4096 Apr 19 07:46 ..* *-rw-r--r-- 1 root root 441608 Apr 19 07:49 brlock.tdb* *-rw-r--r-- 1 root root 150 Apr 19 07:46 browse.dat* *-rw-r--r-- 1 root root 454656 Apr 19 07:49 gencache.tdb* *-rw------- 1 root root 24576 Apr 19 07:49 g_lock.tdb* *-rw-r--r-- 1 root root 8888 Apr 19 07:49 leases.tdb* *-rw-r--r-- 1 root root 441608 Apr 19 07:49 locking.tdb* *drwxr-xr-x 2 root root 4096 Apr 19 07:49 msg.lock* *-rw------- 1 root root 696 Apr 19 07:49 mutex.tdb* *-rw-rw---- 1 root root 12288 Apr 19 07:49 names.tdb* *-rw------- 1 root root 12288 Apr 19 07:49 netsamlogon_cache.tdb* *drwxr-xr-x 2 root root 4096 Apr 19 07:49 smb_krb5* *-rw------- 1 root root 8888 Apr 19 07:49 smbXsrv_client_global.tdb* *-rw------- 1 root root 8888 Apr 19 07:49 smbXsrv_open_global.tdb* *-rw------- 1 root root 8888 Apr 19 07:49 smbXsrv_session_global.tdb* *-rw------- 1 root root 8888 Apr 19 07:49 smbXsrv_tcon_global.tdb* *-rw------- 1 root root 24576 Apr 19 07:49 smbXsrv_version_global.tdb* *root at cd2bd668e00c7:~# * Thanks for your help and thoughts. Kind Regrads Martin Am Mo., 15. Apr. 2019 um 20:26 Uhr schrieb Martin Krämer < mk.maddin at gmail.com>:> Hello All, > > I am at the switch from sssd to winbind based samba domain members (Debian > 9 stretch). > I am using Samba 4.10.2 packages from Louis ( http://apt.van-belle.nl/ ) > and rid backend for idmap. > > *My problem:* > I am able to logon to my domain members using winbind_pam as long as my > client is connected to a network where a domain controller is reachable. > As soon as I shutdown and connect a client to a network without domain > controller reachable and try to login again using a user used for previous > logon, I recieve error: > > *lightdm[1109]: pam_winbind(lightdm:auth): request wbcLogonUser failed: > WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: > NT_STATUS_NO_SUCH_USER, Error message was: The specified account does not > exist.* > > *What I have done already ( I added a ping at the end of every command > list to show you if I was "online" or "offiline"):* > 1. I read the wiki :) - > https://wiki.samba.org/index.php/PAM_Offline_Authentication > Based on this I found that I can test offline authentication as > follows with "switch winbindd to offline mode by hand": > > *root at cd2bd668e00c7:~# wbinfo -K EXAMPLE.CORP\\faiuser* > *Enter EXAMPLE.CORP\faiuser's password: * > *plaintext kerberos password authentication for [EXAMPLE.CORP\faiuser] > succeeded (requesting cctype: FILE)* > *credentials were put in: FILE:/tmp/krb5cc_0* > *root at cd2bd668e00c7:~# smbcontrol winbind offline* > *root at cd2bd668e00c7:~# wbinfo -K EXAMPLE.CORP\\faiuser* > *Enter EXAMPLE.CORP\faiuser's password: * > *plaintext kerberos password authentication for [EXAMPLE.CORP\faiuser] > succeeded (requesting cctype: FILE)* > *user_flgs: NETLOGON_CACHED_ACCOUNT* > *credentials were put in: FILE:/tmp/krb5cc_0* > *root at cd2bd668e00c7:~# ping -c1 EXAMPLE.CORP* > *PING EXAMPLE.CORP (192.168.33.251) 56(84) bytes of data.* > *64 bytes from location-000001.example.corp (192.168.33.251): icmp_seq=1 > ttl=64 time=0.122 ms* > *--- EXAMPLE.CORP ping statistics ---* > *1 packets transmitted, 1 received, 0% packet loss, time 0ms* > *rtt min/avg/max/mdev = 0.122/0.122/0.122/0.000 ms* > *root at cd2bd668e00c7:~#* > --> seems everything fine ....BUT > > 2. I shutdown machine and did the same test again on offline/different > network: > > *root at cd2bd668e00c7:~# wbinfo -K EXAMPLE.CORP\\faiuser* > *Enter EXAMPLE.CORP\faiuser's password: * > *plaintext kerberos password authentication for [EXAMPLE.CORP\faiuser] > failed (requesting cctype: FILE)* > *wbcLogonUser(EXAMPLE.CORP\faiuser): error code was NT_STATUS_NO_SUCH_USER > (0xc0000064)* > *error message was: The specified account does not exist.* > *Could not authenticate user [EXAMPLE.CORP\faiuser] with Kerberos (ccache: > FILE)* > *root at cd2bd668e00c7:~# smbcontrol winbind offline* > *root at cd2bd668e00c7:~# wbinfo -K EXAMPLE.CORP\\faiuser* > *Enter EXAMPLE.CORP\faiuser's password: * > *plaintext kerberos password authentication for [EXAMPLE.CORP\faiuser] > failed (requesting cctype: FILE)* > *wbcLogonUser(EXAMPLE.CORP\faiuser): error code was NT_STATUS_NO_SUCH_USER > (0xc0000064)* > *error message was: The specified account does not exist.* > *Could not authenticate user [EXAMPLE.CORP\faiuser] with Kerberos (ccache: > FILE)* > > *root at cd2bd668e00c7:~# ping -c1 EXAMPLE.CORP* > *ping: EXAMPLE.CORP: Name or service not known* > *root at cd2bd668e00c7:~#* > --> hm..same command different result in different network! > > 3. I read the wiki article again from beginning :P - > https://wiki.samba.org/index.php/PAM_Offline_Authentication > I verified "winbind offline logon = yes" is defined in smb.conf --> > yep (full file below) > I checked if /etc/security/pam_winbind.conf contains "cached_login > yes" --> nope - even worse...file does not exist at all. > Only /etc/security/pam_env.conf exists .. but this is only full of > comments - no values at all in it. > So I created pam_winbind.conf and did tests of topic 1 & 2 again. > Same result - so I deleted pam_winbind.conf again. > > 4. I searched the web and "lists.samba.org" archive and found: > https://lists.samba.org/archive/samba/2019-February/221224.html > Based on this I changed following values of my smb.conf (initially > based on: > https://github.com/thctlo/samba4/blob/master/howtos/stretch-base-3.2-samba-member-fileserver.txt) > according to rowlands suggestion: > local master = no > server string = Samba 4 Client %h > Once again I did tests of 1, 2 & 3 but ended up with the same results > (I even deleted pam_winbind.conf again as described within 3) > What I did NOT do was changing the the value of "krb5_ccache_type=FILE" > to "krb5_ccache_type" within /etc/pam.d/common-auth as described as > "workaround" within > https://lists.samba.org/archive/samba/2019-February/221157.html > since from conversation there I understood that this seems not to be > correct way to handle the error. > > *My configuration:* > *root at cd2bd668e00c7:~# cat /etc/samba/smb.conf* > *[global]* > * server string = Samba 4 Client %h* > * local master = no* > * store dos attributes = yes* > * map acl inherit = yes* > * vfs objects = acl_xattr* > * log level = 0* > * realm = EXAMPLE.CORP* > * workgroup = EXAMPLE* > * dedicated keytab file = /etc/krb5.keytab* > * kerberos method = secrets and keytab* > * winbind refresh tickets = yes* > * winbind offline logon = yes* > * winbind use default domain = yes* > * winbind enum users = no* > * winbind enum groups = no* > * winbind expand groups = 4* > * template shell = /bin/bash* > * preferred master = no* > * domain master = no* > * security = ADS* > * idmap config * : backend = tdb* > * idmap config * : range = 3000-7000* > * idmap config EXAMPLE : backend = rid* > * idmap config EXAMPLE : range = 10000-999999* > * username map = /etc/samba/samba_usermapping* > * usershare path = * > * load printers = no* > * printing = bsd* > * printcap name = /dev/null* > * disable spoolss = yes* > > *root at cd2bd668e00c7:~# cat /etc/krb5.conf* > *[libdefaults]* > * permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 > rc4-hmac des-cbc-crc des-cbc-md5* > * default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 > rc4-hmac des-cbc-crc des-cbc-md5* > * default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 > rc4-hmac des-cbc-crc des-cbc-md5* > * proxiable = true* > * forwardable = true* > * dns_lookup_kdc = true* > * dns_lookup_realm = false* > * default_realm = EXAMPLE.CORP* > > *root at cd2bd668e00c7:~# cat /etc/pam.d/common-auth | egrep -v "^#"* > > *auth [success=2 default=ignore] pam_unix.so nullok_secure* > *auth [success=1 default=ignore] pam_winbind.so krb5_auth > krb5_ccache_type=FILE cached_login try_first_pass* > *auth requisite pam_deny.so* > *auth required pam_permit.so* > *auth optional pam_cap.so * > > Thank you for any help & hints in advance. > > Kind Regards > > Martin > > >
Rowland Penny
2019-Apr-19 08:26 UTC
[Samba] winbind offline login - NT_STATUS_NO_SUCH_USER (0xc0000064)
On Fri, 19 Apr 2019 07:50:28 +0200 Martin Krämer via samba <samba at lists.samba.org> wrote:> Hi All, > > I tried multiple topics and did some further analyzing regarding this. > I found that described error below only appears if I restart the > device when connecting from "online" to "offline". > If I keep my device running winbind caches the users correctly. > > Based this I found the following bug report: > https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1165461 > There the error was tracked down to /var/run/samba/gencache.tdb being > stored on a temporary file system and due to this being deleted with > every restart. > I was able to find that "gencache.tdb" on my Debian 9 systems is > stored at /run/samba/gencache.tdb being "run" a tempfs, too. > In the bug report it is described that after changing/adding a new > setting "lock directory = /var/cache/samba/" in smb.conf everything > worked again as expected. > So I did the same and voila ...caching is working even after restarts.I haven't upgraded to 4.10 yet, but on 4.9.6 (Louis's packages) gencache.tdb is in /var/cache/samba, has something changed ? I personally would have used 'cache directory =' , see 'man smb.conf' for the difference. Rowland
Reasonably Related Threads
- winbind offline login - NT_STATUS_NO_SUCH_USER (0xc0000064)
- winbind offline login - NT_STATUS_NO_SUCH_USER (0xc0000064)
- winbind offline login - NT_STATUS_NO_SUCH_USER (0xc0000064)
- winbind offline login - NT_STATUS_NO_SUCH_USER (0xc0000064)
- winbind question. (challenge/response password authentication)