Martin Krämer
2019-Apr-15 18:26 UTC
[Samba] winbind offline login - NT_STATUS_NO_SUCH_USER (0xc0000064)
Hello All,

I am at the switch from sssd to winbind based samba domain members (Debian 9 stretch).
I am using Samba 4.10.2 packages from Louis ( http://apt.van-belle.nl/ ) and rid backend for idmap.

My problem:
I am able to logon to my domain members using winbind_pam as long as my client is connected to a network where a domain controller is reachable.
As soon as I shutdown and connect a client to a network without domain controller reachable and try to login again using a user used for previous logon, I receive error:

    lightdm[1109]: pam_winbind(lightdm:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: The specified account does not exist.

What I have done already (I added a ping at the end of every command list to show you if I was "online" or "offline"):

1. I read the wiki :) - https://wiki.samba.org/index.php/PAM_Offline_Authentication
Based on this I found that I can test offline authentication as follows with "switch winbindd to offline mode by hand":

    root at cd2bd668e00c7:~# wbinfo -K EXAMPLE.CORP\\faiuser
    Enter EXAMPLE.CORP\faiuser's password:
    plaintext kerberos password authentication for [EXAMPLE.CORP\faiuser] succeeded (requesting cctype: FILE)
    credentials were put in: FILE:/tmp/krb5cc_0
    root at cd2bd668e00c7:~# smbcontrol winbind offline
    root at cd2bd668e00c7:~# wbinfo -K EXAMPLE.CORP\\faiuser
    Enter EXAMPLE.CORP\faiuser's password:
    plaintext kerberos password authentication for [EXAMPLE.CORP\faiuser] succeeded (requesting cctype: FILE)
    user_flgs: NETLOGON_CACHED_ACCOUNT
    credentials were put in: FILE:/tmp/krb5cc_0
    root at cd2bd668e00c7:~# ping -c1 EXAMPLE.CORP
    PING EXAMPLE.CORP (192.168.33.251) 56(84) bytes of data.
    64 bytes from location-000001.example.corp (192.168.33.251): icmp_seq=1 ttl=64 time=0.122 ms
    --- EXAMPLE.CORP ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 0.122/0.122/0.122/0.000 ms
    root at cd2bd668e00c7:~#

--> seems everything fine ....BUT

2. I shutdown machine and did the same test again on offline/different network:

    root at cd2bd668e00c7:~# wbinfo -K EXAMPLE.CORP\\faiuser
    Enter EXAMPLE.CORP\faiuser's password:
    plaintext kerberos password authentication for [EXAMPLE.CORP\faiuser] failed (requesting cctype: FILE)
    wbcLogonUser(EXAMPLE.CORP\faiuser): error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
    error message was: The specified account does not exist.
    Could not authenticate user [EXAMPLE.CORP\faiuser] with Kerberos (ccache: FILE)
    root at cd2bd668e00c7:~# smbcontrol winbind offline
    root at cd2bd668e00c7:~# wbinfo -K EXAMPLE.CORP\\faiuser
    Enter EXAMPLE.CORP\faiuser's password:
    plaintext kerberos password authentication for [EXAMPLE.CORP\faiuser] failed (requesting cctype: FILE)
    wbcLogonUser(EXAMPLE.CORP\faiuser): error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
    error message was: The specified account does not exist.
    Could not authenticate user [EXAMPLE.CORP\faiuser] with Kerberos (ccache: FILE)
    root at cd2bd668e00c7:~# ping -c1 EXAMPLE.CORP
    ping: EXAMPLE.CORP: Name or service not known
    root at cd2bd668e00c7:~#

--> hm..same command different result in different network!

3. I read the wiki article again from beginning :P - https://wiki.samba.org/index.php/PAM_Offline_Authentication
I verified "winbind offline logon = yes" is defined in smb.conf --> yep (full file below)
I checked if /etc/security/pam_winbind.conf contains "cached_login yes" --> nope - even worse...file does not exist at all.
Only /etc/security/pam_env.conf exists .. but this is only full of comments - no values at all in it.
So I created pam_winbind.conf and did tests of topic 1 & 2 again. Same result - so I deleted pam_winbind.conf again.

4. I searched the web and "lists.samba.org" archive and found: https://lists.samba.org/archive/samba/2019-February/221224.html
Based on this I changed following values of my smb.conf (initially based on: https://github.com/thctlo/samba4/blob/master/howtos/stretch-base-3.2-samba-member-fileserver.txt) according to Rowland's suggestion:

    local master = no
    server string = Samba 4 Client %h

Once again I did tests of 1, 2 & 3 but ended up with the same results (I even deleted pam_winbind.conf again as described within 3).
What I did NOT do was changing the value of "krb5_ccache_type=FILE" to "krb5_ccache_type" within /etc/pam.d/common-auth as described as "workaround" within https://lists.samba.org/archive/samba/2019-February/221157.html since from conversation there I understood that this seems not to be correct way to handle the error.

My configuration:

    root at cd2bd668e00c7:~# cat /etc/samba/smb.conf
    [global]
        server string = Samba 4 Client %h
        local master = no
        store dos attributes = yes
        map acl inherit = yes
        vfs objects = acl_xattr
        log level = 0
        realm = EXAMPLE.CORP
        workgroup = EXAMPLE
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        winbind refresh tickets = yes
        winbind offline logon = yes
        winbind use default domain = yes
        winbind enum users = no
        winbind enum groups = no
        winbind expand groups = 4
        template shell = /bin/bash
        preferred master = no
        domain master = no
        security = ADS
        idmap config * : backend = tdb
        idmap config * : range = 3000-7000
        idmap config EXAMPLE : backend = rid
        idmap config EXAMPLE : range = 10000-999999
        username map = /etc/samba/samba_usermapping
        usershare path =
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes

    root at cd2bd668e00c7:~# cat /etc/krb5.conf
    [libdefaults]
        permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        proxiable = true
        forwardable = true
        dns_lookup_kdc = true
        dns_lookup_realm = false
        default_realm = EXAMPLE.CORP

    root at cd2bd668e00c7:~# cat /etc/pam.d/common-auth | egrep -v "^#"
    auth [success=2 default=ignore] pam_unix.so nullok_secure
    auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
    auth requisite pam_deny.so
    auth required pam_permit.so
    auth optional pam_cap.so

Thank you for any help & hints in advance.

Kind Regards

Martin
Martin Krämer
2019-Apr-19 05:50 UTC
[Samba] winbind offline login - NT_STATUS_NO_SUCH_USER (0xc0000064)
Hi All,

I tried multiple topics and did some further analyzing regarding this.
I found that described error below only appears if I restart the device when connecting from "online" to "offline".
If I keep my device running winbind caches the users correctly.

Based on this I found the following bug report: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1165461
There the error was tracked down to /var/run/samba/gencache.tdb being stored on a temporary file system and due to this being deleted with every restart.
I was able to find that "gencache.tdb" on my Debian 9 systems is stored at /run/samba/gencache.tdb, "run" being a tmpfs, too.
In the bug report it is described that after changing/adding a new setting "lock directory = /var/cache/samba/" in smb.conf everything worked again as expected.
So I did the same and voila ...caching is working even after restarts.

Nevertheless I am still not sure if this is a correct fix.
With changing the value for "lock directory" parameter multiple files were created and I am not sure if some of them store critical information causing a security problem.
Below is my /var/cache/samba folder previously and after changing "lock directory" value as described above.
Maybe it is possible one of the samba experts here can tell me if this is a good way to go:

Previously to changing "lock directory":

    root at cd2bd668e00c7:~# ls -la /var/cache/samba/
    total 24
    drwxr-xr-x  2 root root  4096 Apr 19 07:45 .
    drwxr-xr-x 12 root root  4096 Apr 19 07:46 ..
    -rw-------  1 root root 12288 Apr 19 07:45 netsamlogon_cache.tdb
    root at cd2bd668e00c7:~#

After changing the "lock directory":

    root at cd2bd668e00c7:~# ls -la /var/cache/samba/
    total 1480
    drwxr-xr-x  4 root root   4096 Apr 19 07:49 .
    drwxr-xr-x 12 root root   4096 Apr 19 07:46 ..
    -rw-r--r--  1 root root 441608 Apr 19 07:49 brlock.tdb
    -rw-r--r--  1 root root    150 Apr 19 07:46 browse.dat
    -rw-r--r--  1 root root 454656 Apr 19 07:49 gencache.tdb
    -rw-------  1 root root  24576 Apr 19 07:49 g_lock.tdb
    -rw-r--r--  1 root root   8888 Apr 19 07:49 leases.tdb
    -rw-r--r--  1 root root 441608 Apr 19 07:49 locking.tdb
    drwxr-xr-x  2 root root   4096 Apr 19 07:49 msg.lock
    -rw-------  1 root root    696 Apr 19 07:49 mutex.tdb
    -rw-rw----  1 root root  12288 Apr 19 07:49 names.tdb
    -rw-------  1 root root  12288 Apr 19 07:49 netsamlogon_cache.tdb
    drwxr-xr-x  2 root root   4096 Apr 19 07:49 smb_krb5
    -rw-------  1 root root   8888 Apr 19 07:49 smbXsrv_client_global.tdb
    -rw-------  1 root root   8888 Apr 19 07:49 smbXsrv_open_global.tdb
    -rw-------  1 root root   8888 Apr 19 07:49 smbXsrv_session_global.tdb
    -rw-------  1 root root   8888 Apr 19 07:49 smbXsrv_tcon_global.tdb
    -rw-------  1 root root  24576 Apr 19 07:49 smbXsrv_version_global.tdb
    root at cd2bd668e00c7:~#

Thanks for your help and thoughts.

Kind Regards

Martin

On Mon, 15 Apr 2019 at 20:26, Martin Krämer <mk.maddin at gmail.com> wrote:
> Hello All,
>
> I am at the switch from sssd to winbind based samba domain members (Debian 9 stretch).
> I am using Samba 4.10.2 packages from Louis ( http://apt.van-belle.nl/ ) and rid backend for idmap.
Rowland Penny
2019-Apr-19 08:26 UTC
[Samba] winbind offline login - NT_STATUS_NO_SUCH_USER (0xc0000064)
On Fri, 19 Apr 2019 07:50:28 +0200 Martin Krämer via samba <samba at lists.samba.org> wrote:
> Hi All,
>
> I tried multiple topics and did some further analyzing regarding this.
> I found that described error below only appears if I restart the device when connecting from "online" to "offline".
> If I keep my device running winbind caches the users correctly.
>
> Based this I found the following bug report: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1165461
> There the error was tracked down to /var/run/samba/gencache.tdb being stored on a temporary file system and due to this being deleted with every restart.
> I was able to find that "gencache.tdb" on my Debian 9 systems is stored at /run/samba/gencache.tdb being "run" a tempfs, too.
> In the bug report it is described that after changing/adding a new setting "lock directory = /var/cache/samba/" in smb.conf everything worked again as expected.
> So I did the same and voila ...caching is working even after restarts.

I haven't upgraded to 4.10 yet, but on 4.9.6 (Louis's packages) gencache.tdb is in /var/cache/samba, has something changed ?

I personally would have used 'cache directory =' , see 'man smb.conf' for the difference.

Rowland
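To check on a member server what Martin and Rowland are discussing (which directories Samba actually resolves for `lock directory`, `cache directory` and `state directory`, whether any of them sits on a tmpfs that is wiped at boot, and which of them holds gencache.tdb and netsamlogon_cache.tdb with what permissions), here is an added diagnostic script; it is not from the thread or from the Samba project and assumes GNU coreutils `stat -f` and Samba's `testparm` are on PATH.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): show where Samba keeps its
# cache/lock/state directories and flag any that is on a filesystem
# that does not survive a reboot, the failure mode behind this thread.

# Filesystem types that are recreated empty at every boot.
is_volatile_fs() {
    case "$1" in
        tmpfs|ramfs|devtmpfs) return 0 ;;
        *) return 1 ;;
    esac
}

# Human-readable type of the filesystem holding $1 (GNU stat).
fs_type_of() {
    stat -f -c %T "$1" 2>/dev/null
}

# Effective value of an smb.conf parameter, including compiled-in
# defaults (e.g. Debian's lock directory under /run/samba).
samba_param() {
    testparm -s --parameter-name="$1" 2>/dev/null
}

# Verdict for one directory: 0 = persistent, 1 = volatile, 2 = missing.
check_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "$dir: missing"; return 2; }
    t=$(fs_type_of "$dir")
    if is_volatile_fs "$t"; then
        echo "$dir: VOLATILE ($t) - caches placed here are lost on reboot"
        return 1
    fi
    echo "$dir: ok ($t)"
}

# Check the three directories, then list the two caches offline logon
# depends on wherever they live (the thread shows gencache.tdb under
# /run/samba on 4.10 and /var/cache/samba on 4.9.6, so look in both).
# netsamlogon_cache.tdb holds cached logon data and should stay 0600.
report() {
    rc=0
    for p in "cache directory" "lock directory" "state directory"; do
        d=$(samba_param "$p") || continue
        printf '%-16s ' "$p"
        check_dir "$d" || rc=1
    done
    for p in "cache directory" "lock directory"; do
        d=$(samba_param "$p") || continue
        for f in gencache.tdb netsamlogon_cache.tdb; do
            [ -f "$d/$f" ] && ls -l "$d/$f"
        done
    done
    return "$rc"
}

if command -v testparm >/dev/null 2>&1; then report; fi
```

On a box where the caches land on a volatile directory, the report points at the `cache directory` value Rowland suggests adjusting rather than `lock directory`, which also drags the locking and smbXsrv databases along.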