admins aixtema
2019-Jun-04 14:27 UTC
[Samba] Password failure with xscreensaver when using winbind
Hi, since some weeks i have a strange bug / problem at our gentoo linux clients sometimes the user is unable to unlock the xscreensaver via pam / winbindd if i restart the winbindd, the unlock works. winbindd log https://pastebin.com/qVzenH47 it makes no diffrence witch of our ad/dcs respond to the client. net ads info LDAP server name: 1 or 2 or 3 (our rodc) around 40 days ago "16:00:32 up 37 days, 20:17" exact time :) i upgraded our AD/DC to net-fs/samba-4.10.2 since then i have this feature :( Clients have net-fs/samba-4.8.4 nothing changed in smb.conf at server or client side an updatet test client with net-fs/samba-4.10.2 dont have the problems (cant upgrade all clients at moment, cause not full testet envoirment, but its comming soon) what i tryed: leave / join the domain winbind use default domain = Yes / No what works: restart client restart winbindd does anyone have an idea or is this maybe an incompatibility with the samba versions? Mit freundlichen Grüßen, Eure IT -- *********************************************** aixtema GmbH René Fuchs Philipsstr. 8, 52068 Aachen, Germany Tel.: +49 241 70515-1323, Fax: +49 241 70515-15 mailto:admins at aixtema.de WWW: http://www.aixtema.de Shop: http://shop.aixtema.de Geschaeftsfuehrer: Oliver Rossbruch HRB 8201, Amtsgericht Aachen USt.-Id-Nr. DE 210 906 744 St.-Nr. 201/5942/3737, Finanzamt Aachen Stadt ***********************************************
Rowland penny
2019-Jun-04 14:42 UTC
[Samba] Password failure with xscreensaver when using winbind
On 04/06/2019 15:27, admins aixtema via samba wrote:> Hi, > since some weeks i have a strange bug / problem at our gentoo linux > clients > > sometimes the user is unable to unlock the xscreensaver via pam / > winbindd if i restart the winbindd, the unlock works. > > winbindd log > https://pastebin.com/qVzenH47Not a Gentoo user, but this looks like a possible PAM error, can you post your PAM stack ? Rowland
Rowland penny
2019-Jun-04 15:43 UTC
[Samba] Password failure with xscreensaver when using winbind
On 04/06/2019 15:53, admins aixtema wrote:> this one?Yes ;-)> > auth required pam_env.so > auth sufficient pam_winbind.so krb5_auth krb5_ccache_type=FILE > auth sufficient pam_unix.so likeauth nullok try_first_pass > auth sufficient pam_winbind.so use_first_pass > auth required pam_deny.so > > account sufficient pam_winbind.so > account required pam_unix.so >I use Devuan and I also have /etc/pam.d/xscreensaver which contains: # # /etc/pam.d/xscreensaver - PAM behavior for xscreensaver # @include common-auth @include common-account Which gives me lines similar to yours: auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass auth requisite pam_deny.so auth required pam_permit.so auth optional pam_cap.so account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so account requisite pam_deny.so account required pam_permit.so The big difference is that there is only one 'pam_winbind' line in 'auth', you have two Can I suggest you ask your question on a Gentoo list, I know what I would try, but it would be better to get help from a Gentoo PAM expert. Rowland