I've set up a portable system (Ubuntu 16.04) joined to my AD domain, that in its primary network works as expected.

But in this 'COVID time', the portable started to roam around, and users tell me that, suddenly after some days of use, it gets incredibly sloooowww... after that users reboot, and cannot get back in, login refused.

I've set up a VPN, but clearly if users cannot log back in, they cannot fire up the VPN either.

Some questions:

1) I know about:
   https://bugzilla.samba.org/show_bug.cgi?id=14074
   but this seems not the case: users reboot the portable without trouble, it is only after some days of use that the 'cache expires' (I suppose).

2) Is there some way, supposing I find a way to fire up the VPN, to force a reload of the winbind cache? Is a full samba restart needed?

As a first 'countermeasure' we have created a local user to be able to refresh the winbind cache, but simply firing up the VPN does not seem to suffice.

Next week I will be able to put my hands on the portable, so I will look at logs.

In the meantime, thanks.

-- 
dott. Marco Gaiarin                                    GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or HEALTH RESEARCH)
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Marco Gaiarin via samba
> Sent: Friday 11 September 2020 12:29
> To: samba at lists.samba.org
> Subject: [Samba] Winbind offline cache and strangeness...
>
> I've set up a portable system (Ubuntu 16.04) joined to my AD domain,
> that in its primary network works as expected.
>
> But in this 'COVID time', the portable started to roam around, and users
> tell me that, suddenly after some days of use, it gets incredibly
> sloooowww... after that users reboot, and cannot get back in, login
> refused.

You checked the time offsets?

> I've set up a VPN, but clearly if users cannot log back in, they cannot
> fire up the VPN either.
>
> Some questions:
>
> 1) I know about:
> https://bugzilla.samba.org/show_bug.cgi?id=14074
> but this seems not the case: users reboot the portable without
> trouble, it is only after some days of use that the 'cache expires'
> (I suppose).

I think so too. Run: klist where it stopped working. Verify it.

> 2) Is there some way, supposing I find a way to fire up the VPN, to
> force a reload of the winbind cache? Is a full samba restart needed?

How about making a "pc" client cert for the VPN. That allows setting up and running the VPN tunnel, and then re-authenticating against samba to update the Kerberos ticket.

Also, in this case it might be useful to change krb5.conf, and here you might want to add the realm part. Because of VPN, routing, split tunneling, things like that. There are a lot of options here, a bit hard to tell..

> As a first 'countermeasure' we have created a local user to be able to
> refresh the winbind cache, but simply firing up the VPN does not seem to
> suffice.
>
> Next week I will be able to put my hands on the portable, so I
> will look at logs.
>
> In the meantime, thanks.

You're welcome, I hope you can use it.

Have a great weekend..

P.s. Showing some configs might help a lot. ;-)

Greetz,

Louis
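Along the lines of Louis's suggestion (run klist, then re-authenticate and refresh winbind once the tunnel is up), here is an added example script that is not part of the thread; it assumes MIT Kerberos klist and Samba's wbinfo, smbcontrol and net on the client, and the function names are made up here.

```shell
#!/bin/sh
# Added example, not from the thread: after the VPN tunnel is up on a
# roaming winbind-joined client, check the Kerberos ticket and winbind's
# online state, then push winbind back online instead of restarting Samba.
# Assumes MIT Kerberos (klist -s) and Samba's wbinfo, smbcontrol and net.
# Function names are ours, not Samba's.

# Parse `wbinfo --online-status` output ("LNFFVG : offline" per line,
# read from stdin) and print the short names of domains marked offline.
winbind_offline_domains() {
    awk -F' : ' '$2 == "offline" { print $1 }'
}

# Exit 0 only when every domain listed on stdin is online.
winbind_all_online() {
    [ -z "$(winbind_offline_domains)" ]
}

refresh_winbind() {
    # 1. Is there still a valid TGT? klist -s is silent; exit status tells.
    if klist -s; then
        echo "kerberos: valid ticket present"
    else
        echo "kerberos: no valid ticket; a kinit or a fresh logon is needed"
    fi

    # 2. Can winbind reach a DC through the tunnel at all?
    if ! wbinfo --ping-dc >/dev/null 2>&1; then
        echo "winbind: no DC reachable; check VPN routing and DNS first" >&2
        return 1
    fi

    # 3. Winbind may still sit in offline mode although a DC is reachable:
    #    ask it to go online and drop the stale generic cache (DC locations).
    if ! wbinfo --online-status | winbind_all_online; then
        echo "winbind: offline domains found, forcing online"
        smbcontrol winbindd online
        net cache flush
    fi

    # 4. Prove a live lookup works rather than trusting cached entries.
    wbinfo -u >/dev/null && echo "winbind: user enumeration OK"
}

if [ "${1:-}" = run ]; then
    refresh_winbind
fi
```

Run it as `sh refresh-winbind.sh run` on the client after the VPN is up; without the argument it only defines the functions.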
Data Control Systems - Mike Elkevizth
2020-Sep-11 18:31 UTC
[Samba] Winbind offline cache and strangeness...
The version of samba that comes with Ubuntu 16.04 is very old (4.3.11) and the offline login feature for winbind simply doesn't work. I'm not sure if it's fixed in newer versions or not, as I'm still on Ubuntu 18.04 (samba 4.7.6) which also doesn't work.

If you are only using it to authenticate to an AD controller, you should switch to using sssd. I have multiple clients that can be offline from a server for months at a time, and sssd has never let me down. Winbind unfortunately isn't up to that task (at least not with older versions).

On Fri, Sep 11, 2020 at 6:29 AM Marco Gaiarin via samba <samba at lists.samba.org> wrote:
> [...]
Hi! L.P.H. van Belle via samba, on that day, wrote...

> You checked the time offsets?

No, but I've seen in logs that network scripts correctly sync time, so I suppose this is not a problem.

> How about making a "pc" client cert for the VPN. That allows setting up and running the VPN tunnel.

You mean a VPN in 'P2P mode'?

> P.s. Showing some configs might help a lot. ;-)

Samba config on client, pretty standard:

 root at dane:~# samba-tool testparm
 Press enter to see a dump of your service definitions

 # Global parameters
 [global]
 	workgroup = LNFFVG
 	realm = AD.FVG.LNF.IT
 	security = ADS
 	map to guest = Bad User
 	username map = /etc/samba/user.map
 	log level = 0
 	log file = /var/log/samba/log.%M
 	max log size = 5000
 	printcap name = /dev/null
 	disable spoolss = Yes
 	panic action = /usr/share/samba/panic-action %d
 	winbind use default domain = Yes
 	winbind nss info = rfc2307
 	winbind offline logon = Yes
 	idmap config lnffvg : unix_nss_info = yes
 	idmap config lnffvg : range = 10000-49999
 	idmap config lnffvg : backend = ad
 	idmap config * : range = 5000-9999
 	idmap config * : backend = tdb
 	include = /etc/samba/smb.conf.%M

A correct logon:

 Sep 9 13:46:12 dane lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "elisac"
 Sep 9 13:46:16 dane lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=elisac
 Sep 9 13:46:16 dane lightdm: pam_winbind(lightdm:auth): getting password (0x00000388)
 Sep 9 13:46:16 dane lightdm: pam_winbind(lightdm:auth): pam_get_item returned a password
 Sep 9 13:46:16 dane lightdm: pam_winbind(lightdm:auth): user 'elisac' granted access
 Sep 9 13:46:17 dane lightdm: pam_unix(lightdm-greeter:session): session closed for user lightdm
 Sep 9 13:46:29 dane lightdm: pam_unix(lightdm:session): session opened for user elisac by (uid=0)
 Sep 9 13:46:29 dane systemd-logind[1128]: New session c2 of user elisac.
 Sep 9 13:46:29 dane systemd: pam_unix(systemd-user:session): session opened for user elisac by (uid=0)

A faulty logon:

 Sep 9 14:35:27 dane lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "elisac"
 Sep 9 14:35:27 dane lightdm: pam_unix(lightdm:auth): conversation failed
 Sep 9 14:35:27 dane lightdm: pam_unix(lightdm:auth): auth could not identify password for [elisac]
 Sep 9 14:35:27 dane lightdm: pam_winbind(lightdm:auth): getting password (0x00000388)
 Sep 9 14:35:27 dane lightdm: pam_winbind(lightdm:auth): Could not retrieve user's password

And an even stranger faulty logon:

 Sep 9 14:35:38 dane lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "elisac"
 Sep 9 14:35:42 dane lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:2 ruser= rhost= user=elisac
 Sep 9 14:35:42 dane lightdm: pam_winbind(lightdm:auth): getting password (0x00000388)
 Sep 9 14:35:42 dane lightdm: pam_winbind(lightdm:auth): pam_get_item returned a password
 Sep 9 14:35:42 dane lightdm: pam_winbind(lightdm:auth): user 'elisac' granted access
 Sep 9 14:35:44 dane lightdm: pam_unix(lightdm-greeter:session): session closed for user lightdm
 Sep 9 14:35:44 dane compiz: pam_unix(unity:auth): conversation failed
 Sep 9 14:35:44 dane compiz: pam_unix(unity:auth): auth could not identify password for [elisac]
 Sep 9 14:35:44 dane compiz: pam_winbind(unity:auth): getting password (0x00000388)
 Sep 9 14:35:45 dane compiz: pam_winbind(unity:auth): Could not retrieve user's password

-- 
dott. Marco Gaiarin
Hi! Data Control Systems - Mike Elkevizth via samba, on that day, wrote...

> 4.7.6) which also doesn't work. If you are only using it to authenticate
> to an AD controller, you should switch to using sssd. I have multiple

Some hints on docs to follow? Thanks.

-- 
dott. Marco Gaiarin