Kees van Vloten
2023-Jun-03 09:41 UTC
[Samba] PAM Offline Authentication in Ubuntu 22.04...
Hi Team,

I have set up a test machine, unfortunately not a real laptop (it is in use for other things) but a VirtualBox VM with Debian 10, KDE (sddm) and Samba 4.17.8.

The test scenario is quite simple:

1. Login with root on the (text) console (tty2)
2. wbinfo --ping-dc
3. time id testuser
4. Disconnect network in VirtualBox
5. wbinfo --ping-dc
6. time id testuser
7. Connect network in VirtualBox + wait 10 secs (for dhcp etc.)
8. wbinfo --ping-dc
9. time id testuser

Results:

2. output: 'checking the NETLOGON for domain[SAMDOM] dc connection to "dc1.samdom.com" succeeded'
3. output in 0.037s
5. output: 'checking the NETLOGON for domain[SAMDOM] dc connection to "" failed'
6. output in 63.120s
8. output: 'checking the NETLOGON for domain[SAMDOM] dc connection to "dc1.samdom.com" succeeded'
9. output in 0.191s

Now, logging in on the graphical interface (sddm) fails when disconnected, probably due to the fact that a response in 63s is too long for sddm; it gives up before that. When I log in while connected on sddm, then disconnect and lock the screen, I am unable to unlock, likely due to the same (short) timeout in sddm.

Now the question is why it takes winbind so long (63s) to do a simple user and group lookup when it knows that it is disconnected.

- Kees.

On 01-06-2023 16:38, Rowland Penny via samba wrote:
>
> On 01/06/2023 15:11, Eduardo Moraes via samba wrote:
>>> OK, but... further investigation in what direction?!
>>
>> Greetings, friends!
>>
>> Sorry for butting in on the discussion, but I'm also interested in solving
>> this problem, as users of my project (CID -
>> https://sourceforge.net/projects/c-i-d/) have also been reporting the same
>> difficulty.
>>
>> I've been researching it and it looks like the problem has been around for
>> a long time and is specific to Debian-like distributions, as these two bug
>> reports suggest:
>>
>> https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1165461
>> https://bugzilla.samba.org/show_bug.cgi?id=14618
>>
>> I tried to make the suggested changes to the "lock directory" and even
>> adapted it to my scripts, but according to reports from the users, it doesn't
>> always work.
>>
>> I've tested other distributions, like Fedora and OpenSuse, and everything
>> seems to work just fine.
>>
>> I stopped researching some time ago, so I can't contribute more than that,
>> but I hope that at least I helped them to find a way to a solution.
>>
>> Good luck!
>
> The plot thickens, I am testing using an Oracle VM with a bridged
> adapter, which can connect to either wifi or ethernet. Whilst doing
> further testing I just discovered something. If I logon as a domain
> user with the bridged adapter connected to wifi (wlan0), the user gets
> logged in. If I then log out and switch the bridged adapter to eth0
> with the cable disconnected, the user can still logon and quickly.
> However if the cable isn't disconnected, then the user can still
> logon, but after a considerable amount of time and there is a similar
> pause when the user logs out.
>
> I am surmising that the pause is coming from something searching for
> the network and then, finally, giving up.
>
> Now to try and find the 'something' and stop it doing it.
>
> Rowland
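The measurement in the message above is done by hand with `time id testuser`. The probe below is an added example (not code from the post or from Samba) that automates one pass of that scenario: it runs `wbinfo --ping-dc`, parses the "succeeded"/"failed" line exactly as quoted in the message, then times `id <user>` under a hard kill timeout so a stuck lookup cannot hang the test the way it stalls sddm. The 5 s `budget` is an assumed stand-in for the display manager's patience; the post does not state sddm's real timeout. The parser is tested against the two output lines quoted above; the test commands (`sh -c`, `sleep`) are constructed stand-ins for `wbinfo` and `id`.

```python
"""Timing probe for the winbind offline-lookup scenario (added example, not from the post)."""
import re
import subprocess
import time
from dataclasses import dataclass
from typing import Optional, Sequence

# Line printed by `wbinfo --ping-dc`; both variants are copied from the message above:
#   checking the NETLOGON for domain[SAMDOM] dc connection to "dc1.samdom.com" succeeded
#   checking the NETLOGON for domain[SAMDOM] dc connection to "" failed
PING_DC_RE = re.compile(
    r'checking the NETLOGON for domain\[(?P<domain>[^\]]*)\] '
    r'dc connection to "(?P<dc>[^"]*)" (?P<status>succeeded|failed)'
)


@dataclass
class PingDC:
    domain: str
    dc: str          # empty when winbind has no DC, as in the disconnected run
    online: bool


def parse_ping_dc(output: str) -> Optional[PingDC]:
    """Return the parsed ping-dc line, or None if no such line is present."""
    for line in output.splitlines():
        m = PING_DC_RE.search(line)
        if m:
            return PingDC(m["domain"], m["dc"], m["status"] == "succeeded")
    return None


@dataclass
class Timed:
    argv: tuple
    seconds: float
    returncode: Optional[int]   # None: killed at hard_timeout, i.e. the lookup hung
    output: str                 # stdout and stderr combined


def timed_run(argv: Sequence[str], hard_timeout: float) -> Timed:
    """Run argv, measure wall-clock time, and kill it rather than wait forever."""
    start = time.monotonic()
    try:
        cp = subprocess.run(argv, capture_output=True, text=True, timeout=hard_timeout)
        rc, out = cp.returncode, (cp.stdout or "") + (cp.stderr or "")
    except subprocess.TimeoutExpired as exc:
        rc = None
        parts = []
        for chunk in (exc.stdout, exc.stderr):
            if isinstance(chunk, bytes):
                chunk = chunk.decode(errors="replace")
            parts.append(chunk or "")
        out = "".join(parts)
    return Timed(tuple(argv), time.monotonic() - start, rc, out)


def classify(lookup: Timed, budget: float) -> str:
    """'ok': finished within budget; 'slow': finished but overran budget;
    'hung': did not finish before hard_timeout."""
    if lookup.returncode is None:
        return "hung"
    return "ok" if lookup.seconds <= budget else "slow"


def probe(user: str, budget: float = 5.0, hard_timeout: float = 90.0) -> dict:
    """One pass of steps 2-3 (or 5-6, 8-9) above: ping the DC, then time `id <user>`.
    budget (assumed 5 s) approximates how long a login prompt will wait."""
    ping = timed_run(["wbinfo", "--ping-dc"], hard_timeout)
    dc = parse_ping_dc(ping.output)
    lookup = timed_run(["id", user], hard_timeout)
    return {
        "dc_reachable": dc.online if dc else None,
        "dc": dc.dc if dc else None,
        "lookup_seconds": round(lookup.seconds, 3),
        "lookup_rc": lookup.returncode,
        "verdict": classify(lookup, budget),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(probe("testuser"), indent=2))
```

Run it once connected, once with the adapter disconnected, and once after reconnecting; a verdict of "slow" together with dc_reachable = False is the 63 s case described in the message, and "hung" means the lookup did not even finish inside hard_timeout.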
Kees van Vloten
2023-Jun-03 09:56 UTC
[Samba] Fwd: PAM Offline Authentication in Ubuntu 22.04...
Hi Team,

Probably helpful is the config on my test machine:

/etc/samba/smb.conf

[global]
        interfaces = lo
        bind interfaces only = yes
        netbios name = TESTVM
        security = ADS
        dedicated keytab file = /etc/krb5.keytab
        realm = SAMDOM.COM
        workgroup = COMPOSERS
        min domain uid = 0
        username map = /etc/samba/user.map
        log level = 3
        lock directory = /var/cache/samba
        idmap config samdom:backend = ad
        idmap config samdom:schema_mode = rfc2307
        idmap config samdom:unix_primary_group = yes
        idmap config samdom:unix_nss_info = yes
        idmap config samdom:range = 1001-100000
        idmap config *:backend = tdb
        idmap config *:range = 1000000-1999999
        winbind cache time = 300
        winbind offline logon = yes
        winbind nss info = rfc2307
        winbind enum groups = no
        winbind enum users = no
        winbind nested groups = yes
        winbind expand groups = 10
        winbind normalize names = no
        winbind refresh tickets = yes
        winbind scan trusted domains = no
        winbind use default domain = yes
        kerberos method = secrets and keytab
        kerberos encryption types = strong
        rpc server dynamic port range = 50000-55000
        ntlm auth = mschapv2-and-ntlmv2-only
        disable netbios = yes
        template homedir = /home/%U
        template shell = /bin/bash
        tls enabled = yes
        tls priority = NONE:+SECURE256:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
        tls cafile = /etc/ssl/certs/ca.pem

/etc/security/pam_winbind.conf

[global]
warn_pwd_expire = 30
cached_login = yes
krb5_auth = yes
krb5_ccache_type = FILE
require_membership_of = S-1-5-21-4190054395-3630394414-2036191173-1934

/etc/nsswitch.conf

passwd:         files systemd winbind
group:          files systemd winbind
shadow:         files
gshadow:        files
hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

- Kees.
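The three files above are the pieces that have to agree for a cached (offline) logon to be possible at all: `winbind offline logon = yes` in smb.conf, `cached_login = yes` in pam_winbind.conf, winbind listed as a source for passwd and group in nsswitch.conf, and idmap ranges that do not overlap. The lint below is an added example (not code from the post or from Samba) that checks exactly those four points. The embedded `SMB_CONF`, `PAM_WINBIND_CONF` and `NSSWITCH_CONF` strings are constructed excerpts of the posted files holding only the keys the lint reads; the `parse_ini` helper lowercases keys and collapses whitespace, which is enough for these files but is not Samba's own parameter-name matching.

```python
"""Lint a winbind member configuration for the offline-logon prerequisites (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed excerpts of the files posted above (only the keys this lint inspects).
SMB_CONF = """
[global]
        security = ADS
        realm = SAMDOM.COM
        workgroup = COMPOSERS
        idmap config samdom:backend = ad
        idmap config samdom:range = 1001-100000
        idmap config *:backend = tdb
        idmap config *:range = 1000000-1999999
        winbind cache time = 300
        winbind offline logon = yes
        winbind use default domain = yes
"""
PAM_WINBIND_CONF = """
[global]
warn_pwd_expire = 30
cached_login = yes
krb5_auth = yes
"""
NSSWITCH_CONF = """
passwd:         files systemd winbind
group:          files systemd winbind
shadow:         files
"""

YES = ("yes", "true", "1")


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """[section] / key = value / '#' or ';' comments. Keys are lowercased with
    internal whitespace collapsed (a simplification of Samba's own matching)."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def idmap_ranges(glob: Dict[str, str]) -> Dict[str, Tuple[int, int]]:
    """Map each idmap domain ('samdom', '*') to its (low, high) ID range."""
    out: Dict[str, Tuple[int, int]] = {}
    for key, value in glob.items():
        m = re.fullmatch(r"idmap config (.+):range", key)
        if m:
            lo, hi = (int(x) for x in value.split("-"))
            out[m.group(1)] = (lo, hi)
    return out


def overlapping(ranges: Dict[str, Tuple[int, int]]) -> List[Tuple[str, str]]:
    """Pairs of idmap domains whose ID ranges intersect."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]


def nss_sources(nsswitch: str, db: str) -> List[str]:
    """Sources listed for one nsswitch database, e.g. ['files', 'systemd', 'winbind']."""
    m = re.search(rf"^\s*{db}\s*:\s*(.*)$", nsswitch, re.M)
    return m.group(1).split() if m else []


def lint(smb_conf: str, pam_conf: str, nsswitch: str) -> List[str]:
    findings: List[str] = []
    g = parse_ini(smb_conf).get("global", {})
    if g.get("winbind offline logon", "no").lower() not in YES:
        findings.append("smb.conf: 'winbind offline logon = yes' is needed for logon without a DC")
    pam = parse_ini(pam_conf).get("global", {})
    if pam.get("cached_login", "no").lower() not in YES:
        findings.append("pam_winbind.conf: 'cached_login = yes' is needed for logon without a DC")
    for a, b in overlapping(idmap_ranges(g)):
        findings.append(f"smb.conf: idmap ranges of '{a}' and '{b}' overlap")
    for db in ("passwd", "group"):
        if "winbind" not in nss_sources(nsswitch, db):
            findings.append(f"nsswitch.conf: '{db}' does not list winbind")
    return findings


if __name__ == "__main__":
    for finding in lint(SMB_CONF, PAM_WINBIND_CONF, NSSWITCH_CONF) or ["no findings"]:
        print(finding)
```

Against the posted excerpts the lint reports nothing, which is the point: the configuration already has the offline prerequisites in place, so the 63 s delay in the first message is not explained by a missing offline-logon setting.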