Rowland Penny
2023-Jun-03 11:06 UTC
[Samba] Fwd: PAM Offline Authentication in Ubuntu 22.04...
On 03/06/2023 10:56, Kees van Vloten via samba wrote:
> Hi Team,
>
> Probably helpful is the config on my test machine:
>
> /etc/samba/smb.conf
> [global]
>         interfaces = lo
>         bind interfaces only = yes
>         netbios name = TESTVM
>         security = ADS
>         dedicated keytab file = /etc/krb5.keytab
>         realm = SAMDOM.COM
>         workgroup = COMPOSERS
>         min domain uid = 0
>         username map = /etc/samba/user.map
>         log level = 3
>         lock directory = /var/cache/samba
>         idmap config samdom:backend = ad
>         idmap config samdom:schema_mode = rfc2307
>         idmap config samdom:unix_primary_group = yes
>         idmap config samdom:unix_nss_info = yes
>         idmap config samdom:range = 1001-100000
>         idmap config *:backend = tdb
>         idmap config *:range = 1000000-1999999
>         winbind cache time = 300
>         winbind offline logon = yes
>         winbind nss info = rfc2307
>         winbind enum groups = no
>         winbind enum users = no
>         winbind nested groups = yes
>         winbind expand groups = 10
>         winbind normalize names = no
>         winbind refresh tickets = yes
>         winbind scan trusted domains = no
>         winbind use default domain = yes
>         kerberos method = secrets and keytab
>         kerberos encryption types = strong
>         rpc server dynamic port range = 50000-55000
>         ntlm auth = mschapv2-and-ntlmv2-only
>         disable netbios = yes
>         template homedir = /home/%U
>         template shell = /bin/bash
>         tls enabled = yes
>         tls priority = NONE:+SECURE256:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
>         tls cafile = /etc/ssl/certs/ca.pem
>
> /etc/security/pam_winbind.conf
> [global]
> warn_pwd_expire = 30
> cached_login = yes
> krb5_auth = yes
> krb5_ccache_type = FILE
> require_membership_of = S-1-5-21-4190054395-3630394414-2036191173-1934
>
> /etc/nsswitch.conf
> passwd:         files systemd winbind
> group:          files systemd winbind
> shadow:         files
> gshadow:        files
>
> hosts:          files mdns4_minimal [NOTFOUND=return] dns
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> I have setup a test machine, unfortunately not a real laptop (it is in use
> for other things) but a virtualbox VM with Debian 10, KDE (sddm) and
> Samba 4.17.8.
>
> The test scenario is quite simple.
>
> 1. Login with root on the (text) console (tty2)
> 2. wbinfo --ping-dc
> 3. time id testuser
> 4. Disconnect network in virtualbox
> 5. wbinfo --ping-dc
> 6. time id testuser
> 7. Connect network in virtualbox + wait 10 secs (for dhcp etc.)
> 8. wbinfo --ping-dc
> 9. time id testuser
>
> Results:
>
> 2. output: 'checking the NETLOGON for domain[SAMDOM] dc connection to "dc1.samdom.com" succeeded'
> 3. output in 0.037s
> 5. output: 'checking the NETLOGON for domain[SAMDOM] dc connection to "" failed'
> 6. output in 63.120s
> 8. output: 'checking the NETLOGON for domain[SAMDOM] dc connection to "dc1.samdom.com" succeeded'
> 9. output in 0.191s
>
> Now logging in on the graphical interface (sddm) fails when
> disconnected, probably due to the fact that a response in 63s is too long
> for sddm, it gives up before that.
>
> When I login while connected on sddm, then disconnect and lock the
> screen, I am unable to unlock, likely due to the same (short) timeout in
> sddm.
>
> Now the question is why it takes winbind so long (63s) to do a simple
> user and group lookup when it knows that it is disconnected.
>
> - Kees.
>
> On 01-06-2023 16:38, Rowland Penny via samba wrote:
>> On 01/06/2023 15:11, Eduardo Moraes via samba wrote:
>>>> OK, but... further investigation in what direction?!
>>>
>>> Greetings, friends!
>>>
>>> Sorry for butting in on the discussion, but I'm also interested in solving
>>> this problem, as users of my project (CID -
>>> https://sourceforge.net/projects/c-i-d/) have also been reporting the same
>>> difficulty.
>>>
>>> I've been researching it and it looks like the problem has been around for
>>> a long time and is specific to Debian-like distributions, as these two bug
>>> reports suggest:
>>>
>>> https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1165461
>>> https://bugzilla.samba.org/show_bug.cgi?id=14618
>>>
>>> I tried to make the suggested changes to the "lock directory" and even
>>> adapted it to my scripts, but according to reports from the users, it doesn't
>>> always work.
>>>
>>> I've tested other distributions, like Fedora and OpenSuse, and everything
>>> seems to work just fine.
>>>
>>> I stopped researching some time ago, so I can't contribute more than that,
>>> but I hope that at least I helped them to find a way to a solution.
>>>
>>> Good luck!
>>
>> The plot thickens, I am testing using an Oracle VM with a bridged
>> adapter, which can connect to either wifi or ethernet. Whilst doing
>> further testing I just discovered something. If I logon as a domain
>> user with the bridged adapter connected to wifi (wlan0), the user gets
>> logged in. If I then log out and switch the bridged adapter to eth0
>> with the cable disconnected, the user can still logon and quickly.
>> However if the cable isn't disconnected, then the user can still
>> logon, but after a considerable amount of time and there is a similar
>> pause when the user logs out.
>>
>> I am surmising that the pause is coming from something searching for
>> the network and then, finally, giving up.
>>
>> Now to try and find the 'something' and stop it doing it.
>>
>> Rowland

My test machine is in a virtualbox VM with Ubuntu 22.04, MATE (lightdm) and Samba 4.17.8.
I have tried Debian with similar results, but without the timings.

The computer it is running on uses wifi (wlan0) but it also has an ethernet port (eth0), but there is no cable plugged into it.
The VM network is set to use a Bridged Adapter connected to wlan0.

I followed Kees's test scenario with a few changes.

1. Login with a local Unix user that can use sudo
1a. open a (text) console
2. wbinfo --ping-dc
3. time id rowland
4. Change network device from wlan0 to eth0 and disconnect cable in virtualbox
5. wbinfo --ping-dc
6. time id rowland
6a. reconnect cable in virtualbox, still using eth0
6b. wbinfo --ping-dc
6c. time id rowland
7. Connect network in virtualbox (switched back to wlan0) + wait 10 secs
8. wbinfo --ping-dc
9. time id testuser

Results:

2. output: 'checking the NETLOGON for domain[SAMDOM] dc connection to "rpidc2.samdom.example.com" succeeded'
3. output
    real 0m0.551s
    user 0m0.008s
    sys  0m0.000s
5. output: 'checking the NETLOGON for domain[SAMDOM] dc connection to "" failed'
           'failed to call wbcPingDc: WBC_ERR_DOMAIN_NOT_FOUND'
6. output
    real 0m0.022s
    user 0m0.007s
    sys  0m0.001s
6b. output: 'checking the NETLOGON for domain[SAMDOM] dc connection to "" failed'
            'failed to call wbcPingDc: WBC_ERR_DOMAIN_NOT_FOUND'
    NOTE: This was after a long delay,
          so I ran the command again with 'time' and got this:
        real 1m2.580s
        user 0m0.005s
        sys  0m0.009s
6c. output
    real 0m0.005s
    user 0m0.002s
    sys  0m0.001s
8. output: 'checking the NETLOGON for domain[SAMDOM] dc connection to "rpidc2.samdom.example.com" succeeded'
9. output
    real 0m0.494s
    user 0m0.000s
    sys  0m0.008s

If I attempt to logon as a domain user when the network is disconnected but the 'cable' is connected in Virtualbox, there is a short pause, then I get logged in. There is a similar pause when I log out.
However just disconnecting the 'cable' (but not connecting to the network) in Virtualbox removes the pauses, logon and logout are virtually instantaneous.

This is the smb.conf file I am using:

[global]
  workgroup = SAMDOM
  security = ADS
  realm = SAMDOM.EXAMPLE.COM

  dedicated keytab file = /etc/krb5.keytab
  kerberos method = secrets and keytab
  server string = Samba Client %h

  winbind use default domain = yes
  winbind expand groups = 2
  winbind refresh tickets = Yes
  winbind offline logon = yes
  disable netbios = yes
  dns proxy = no

  idmap config * : backend = tdb
  idmap config * : range = 3000-7999
  idmap config SAMDOM : backend = rid
  idmap config SAMDOM : range = 10000-999999
  template shell = /bin/bash
  template homedir = /home/%U

  # user Administrator workaround, without it you are unable to set privileges
  username map = /etc/samba/user.map

  vfs objects = acl_xattr
  map acl inherit = Yes

  # Comment the following 4 lines to act as a print server
  printcap name = /dev/null
  load printers = no
  disable spoolss = yes
  printing = bsd

  # logging
  log level = 3
  log file = /var/log/samba/%m.log
  logging = file

  min domain uid = 0

[homes]
  comment = Home Directories
  read only = no
  create mask = 0700
  directory mask = 0700
  valid users = %S

[Demo]
  path = /srv/samba/Demo
  read only = no

I do not have /etc/security/pam_winbind.conf, Debian based distros do everything through /etc/pam.d/common-auth and this is the relevant line from that file:

auth    [success=1 default=ignore]    pam_winbind.so debug krb5_auth krb5_ccache_type=FILE cached_login try_first_pass

Rowland
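The test scenario both posters walk through by hand (wbinfo --ping-dc, then a timed id lookup, repeated with the network up and down) can be scripted so the same measurement is taken each time and a lookup that overruns what a display manager will wait for is flagged. The script below is an added example for this thread, not code posted by either participant or shipped with Samba. The user name, the 5-second threshold and the record format are placeholders chosen here; wbinfo and id are the ordinary winbind and coreutils commands, and the script reports when wbinfo is not installed rather than failing.

```shell
#!/bin/sh
# Added example (not from the thread): repeat the "wbinfo --ping-dc" and
# "time id <user>" checks from the test scenario and flag lookups that take
# longer than a display manager is likely to wait.
# Assumptions: user name, threshold and output format are placeholders;
# wbinfo (winbind) and id come from the local system.

# elapsed_s CMD...: run a command with its output discarded and print the
# wall-clock seconds it took (1 s resolution is enough for a 63 s stall)
elapsed_s() {
    _start=$(date +%s)
    "$@" >/dev/null 2>&1
    _end=$(date +%s)
    echo $(( _end - _start ))
}

# lookup_verdict SECONDS THRESHOLD: "ok" when the lookup finished in time,
# "slow" when it exceeded the threshold (the point where sddm/lightdm give up)
lookup_verdict() {
    if [ "$1" -le "$2" ]; then
        echo ok
    else
        echo slow
    fi
}

# dc_state: "reachable", "unreachable", or "no-wbinfo" when the winbind
# client tools are not installed; this is steps 2/5/8 of the scenario
dc_state() {
    command -v wbinfo >/dev/null 2>&1 || { echo no-wbinfo; return 0; }
    if wbinfo --ping-dc >/dev/null 2>&1; then
        echo reachable
    else
        echo unreachable
    fi
}

# check_user_lookup USER [THRESHOLD]: one timed "id USER" (steps 3/6/9),
# printed as a tab-separated record; returns non-zero when the lookup is slow
check_user_lookup() {
    _user=$1
    _threshold=${2:-5}   # seconds; placeholder, tune to the login manager
    _secs=$(elapsed_s id "$_user")
    _verdict=$(lookup_verdict "$_secs" "$_threshold")
    printf '%s\t%s\t%s\t%ss\t%s\n' \
        "$(date +%Y-%m-%dT%H:%M:%S)" "$(dc_state)" "$_user" "$_secs" "$_verdict"
    [ "$_verdict" = ok ]
}

# Example run with a placeholder user (run once connected, once disconnected):
# check_user_lookup testuser 5
```

Run it from a text console before and after pulling the network, as in the scenario, and compare the records: the DC state column shows whether winbind has noticed it is offline, and the verdict column shows whether the cached lookup came back within the threshold or stalled the way the 63 s result did.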
Kees van Vloten
2023-Jun-03 11:27 UTC
[Samba] Fwd: PAM Offline Authentication in Ubuntu 22.04...
On 03-06-2023 13:06, Rowland Penny via samba wrote:
> My test machine is in a virtualbox VM with Ubuntu 22.04, MATE
> (lightdm) and Samba 4.17.8.
> I have tried Debian with similar results, but without the timings.
>
> The computer it is running on uses wifi (wlan0) but it also has an
> ethernet port (eth0), but there is no cable plugged into it.
> The VM network is set to use a Bridged Adapter connected to wlan0.
>
> I followed Kees's test scenario with a few changes.
>
> 1. Login with a local Unix user that can use sudo
> 1a. open a (text) console
> 2. wbinfo --ping-dc
> 3. time id rowland
> 4. Change network device from wlan0 to eth0 and disconnect cable in
> virtualbox
> 5. wbinfo --ping-dc
> 6. time id rowland
> 6a. reconnect cable in virtualbox, still using eth0
> 6b. wbinfo --ping-dc
> 6c. time id rowland
> 7. Connect network in virtualbox (switched back to wlan0) + wait 10 secs
> 8. wbinfo --ping-dc
> 9. time id testuser
>
> Results:
>
> 2. output: 'checking the NETLOGON for domain[SAMDOM] dc connection to
> "rpidc2.samdom.example.com" succeeded'
> 3. output
>     real 0m0.551s
>     user 0m0.008s
>     sys  0m0.000s
> 5. output: 'checking the NETLOGON for domain[SAMDOM] dc connection to
> "" failed'
>        'failed to call wbcPingDc: WBC_ERR_DOMAIN_NOT_FOUND'
> 6. output
>     real 0m0.022s
>     user 0m0.007s
>     sys  0m0.001s
> 6b. output: 'checking the NETLOGON for domain[SAMDOM] dc connection to
> "" failed'
>        'failed to call wbcPingDc: WBC_ERR_DOMAIN_NOT_FOUND'
>         NOTE: This was after a long delay,
>               so I ran the command again with 'time' and got this:
>         real 1m2.580s
>         user 0m0.005s
>         sys  0m0.009s
> 6c. output
>     real 0m0.005s
>     user 0m0.002s
>     sys  0m0.001s
> 8. output: 'checking the NETLOGON for domain[SAMDOM] dc connection to
> "rpidc2.samdom.example.com" succeeded'
> 9. output
>     real 0m0.494s
>     user 0m0.000s
>     sys  0m0.008s
>
> If I attempt to logon as a domain user when the network is
> disconnected but the 'cable' is connected in Virtualbox, there is a
> short pause, then I get logged in. There is a similar pause when I log
> out.
> However just disconnecting the 'cable' (but not connecting to the
> network) in Virtualbox removes the pauses, logon and logout are
> virtually instantaneous.
>
> This is the smb.conf file I am using:
>
> [global]
>   workgroup = SAMDOM
>   security = ADS
>   realm = SAMDOM.EXAMPLE.COM
>
>   dedicated keytab file = /etc/krb5.keytab
>   kerberos method = secrets and keytab
>   server string = Samba Client %h
>
>   winbind use default domain = yes
>   winbind expand groups = 2
>   winbind refresh tickets = Yes
>   winbind offline logon = yes
>   disable netbios = yes
>   dns proxy = no
>
>   idmap config * : backend = tdb
>   idmap config * : range = 3000-7999
>   idmap config SAMDOM : backend = rid
>   idmap config SAMDOM : range = 10000-999999
>   template shell = /bin/bash
>   template homedir = /home/%U
>
>   # user Administrator workaround, without it you are unable to set
> privileges
>   username map = /etc/samba/user.map
>
>   vfs objects = acl_xattr
>   map acl inherit = Yes
>
>   # Comment the following 4 lines to act as a print server
>   printcap name = /dev/null
>   load printers = no
>   disable spoolss = yes
>   printing = bsd
>
>   # logging
>   log level = 3
>   log file = /var/log/samba/%m.log
>   logging = file
>
>   min domain uid = 0
>
> [homes]
>   comment = Home Directories
>   read only = no
>   create mask = 0700
>   directory mask = 0700
>   valid users = %S
>
> [Demo]
>   path = /srv/samba/Demo
>   read only = no
>
> I do not have /etc/security/pam_winbind.conf, Debian based distros do
> everything through /etc/pam.d/common-auth and this is the relevant
> line from that file:
>
> auth    [success=1 default=ignore]    pam_winbind.so debug krb5_auth
> krb5_ccache_type=FILE cached_login try_first_pass

I have exactly the same line in /etc/pam.d/common-auth. In addition pam_winbind.conf restricts login to members of a specific AD group; indeed all other entries are also set through the line in pam.d/common-auth.

> Rowland

However for a lookup with the command 'id' pam_winbind is irrelevant since we only do a user and group lookup, it is nss-winbind that is being used.

I don't see any differences between our smb.conf files that could cause this issue, do you?

I guess the next thing to try is to increase the log level to a high value and repeat the test, any other ideas?

- Kees.