Kees van Vloten
2023-Jun-03 11:27 UTC
[Samba] Fwd: PAM Offline Authentication in Ubuntu 22.04...
On 03-06-2023 13:06, Rowland Penny via samba wrote:
> On 03/06/2023 10:56, Kees van Vloten via samba wrote:
>> Hi Team,
>>
>> Probably helpful is the config on my test machine:
>>
>> /etc/samba/smb.conf
>> [global]
>>         interfaces = lo
>>         bind interfaces only = yes
>>         netbios name = TESTVM
>>         security = ADS
>>         dedicated keytab file = /etc/krb5.keytab
>>         realm = SAMDOM.COM
>>         workgroup = COMPOSERS
>>         min domain uid = 0
>>         username map = /etc/samba/user.map
>>         log level = 3
>>         lock directory = /var/cache/samba
>>         idmap config samdom:backend = ad
>>         idmap config samdom:schema_mode = rfc2307
>>         idmap config samdom:unix_primary_group = yes
>>         idmap config samdom:unix_nss_info = yes
>>         idmap config samdom:range = 1001-100000
>>         idmap config *:backend = tdb
>>         idmap config *:range = 1000000-1999999
>>         winbind cache time = 300
>>         winbind offline logon = yes
>>         winbind nss info = rfc2307
>>         winbind enum groups = no
>>         winbind enum users = no
>>         winbind nested groups = yes
>>         winbind expand groups = 10
>>         winbind normalize names = no
>>         winbind refresh tickets = yes
>>         winbind scan trusted domains = no
>>         winbind use default domain = yes
>>         kerberos method = secrets and keytab
>>         kerberos encryption types = strong
>>         rpc server dynamic port range = 50000-55000
>>         ntlm auth = mschapv2-and-ntlmv2-only
>>         disable netbios = yes
>>         template homedir = /home/%U
>>         template shell = /bin/bash
>>         tls enabled = yes
>>         tls priority = NONE:+SECURE256:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
>>         tls cafile = /etc/ssl/certs/ca.pem
>>
>> /etc/security/pam_winbind.conf
>> [global]
>> warn_pwd_expire = 30
>> cached_login = yes
>> krb5_auth = yes
>> krb5_ccache_type = FILE
>> require_membership_of = S-1-5-21-4190054395-3630394414-2036191173-1934
>>
>> /etc/nsswitch.conf
>> passwd:         files systemd winbind
>> group:          files systemd winbind
>> shadow:         files
>> gshadow:        files
>>
>> hosts:          files mdns4_minimal [NOTFOUND=return] dns
>> networks:       files
>>
>> protocols:      db files
>> services:       db files
>> ethers:         db files
>> rpc:            db files
>>
>> I have set up a test machine, unfortunately not a real laptop (it is in use for other things) but a VirtualBox VM with Debian 10, KDE (sddm) and Samba 4.17.8.
>>
>> The test scenario is quite simple.
>>
>> 1. Login with root on the (text) console (tty2)
>> 2. wbinfo --ping-dc
>> 3. time id testuser
>> 4. Disconnect network in virtualbox
>> 5. wbinfo --ping-dc
>> 6. time id testuser
>> 7. Connect network in virtualbox + wait 10 secs (for dhcp etc.)
>> 8. wbinfo --ping-dc
>> 9. time id testuser
>>
>> Results:
>>
>> 2. output: 'checking the NETLOGON for domain[SAMDOM] dc connection to "dc1.samdom.com" succeeded'
>> 3. output in 0.037s
>> 5. output: 'checking the NETLOGON for domain[SAMDOM] dc connection to "" failed'
>> 6. output in 63.120s
>> 8. output: 'checking the NETLOGON for domain[SAMDOM] dc connection to "dc1.samdom.com" succeeded'
>> 9. output in 0.191s
>>
>> Now logging in on the graphical interface (sddm) fails when disconnected, probably due to the fact that a response in 63s is too long for sddm, it gives up before that.
>>
>> When I login while connected on sddm, then disconnect and I lock the screen, I am unable to unlock, likely due to the same (short) timeout in sddm.
>>
>> Now the question is why it takes winbind so long (63s) to do a simple user and group lookup when it knows that it is disconnected.
>>
>> - Kees.
>>
>> On 01-06-2023 16:38, Rowland Penny via samba wrote:
>>> On 01/06/2023 15:11, Eduardo Moraes via samba wrote:
>>>>> OK, but... further investigation in what direction?!
>>>>
>>>> Greetings, friends!
>>>>
>>>> Sorry for butting in on the discussion, but I'm also interested in solving this problem, as users of my project (CID - https://sourceforge.net/projects/c-i-d/) have also been reporting the same difficulty.
>>>>
>>>> I've been researching it and it looks like the problem has been around for a long time and is specific to Debian-like distributions, as these two bug reports suggest:
>>>>
>>>> https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1165461
>>>> https://bugzilla.samba.org/show_bug.cgi?id=14618
>>>>
>>>> I tried to make the suggested changes to the "lock directory" and even adapted it to my scripts, but according to the users' reports, it doesn't always work.
>>>>
>>>> I've tested other distributions, like Fedora and OpenSuse, and everything seems to work just fine.
>>>>
>>>> I stopped researching some time ago, so I can't contribute more than that, but I hope that at least I helped them to find a way to a solution.
>>>>
>>>> Good luck!
>>>
>>> The plot thickens, I am testing using an Oracle VM with a bridged adapter, which can connect to either wifi or ethernet. Whilst doing further testing I just discovered something. If I logon as a domain user with the bridged adapter connected to wifi (wlan0), the user gets logged in. If I then log out and switch the bridged adapter to eth0 with the cable disconnected, the user can still logon and quickly. However if the cable isn't disconnected, then the user can still logon, but after a considerable amount of time and there is a similar pause when the user logs out.
>>>
>>> I am surmising that the pause is coming from something searching for the network and then, finally, giving up.
>>>
>>> Now to try and find the 'something' and stop it doing it.
>>>
>>> Rowland
>>>
>
> My test machine is in a virtualbox VM with Ubuntu 22.04, MATE (lightdm) and Samba 4.17.8.
> I have tried Debian with similar results, but without the timings.
>
> The Computer it is running on uses wifi (wlan0) but it also has an ethernet port (eth0), but there is no cable plugged into it.
> The VM Network is set to use a Bridged Adapter connected to wlan0.
>
> I followed Kees's test scenario with a few changes.
>
> 1. Login with a local Unix user that can use sudo
> 1a. open a (text) console
> 2. wbinfo --ping-dc
> 3. time id rowland
> 4. Change network device from wlan0 to eth0 and disconnect cable in virtualbox
> 5. wbinfo --ping-dc
> 6. time id rowland
> 6a. reconnect cable in virtualbox, still using eth0
> 6b. wbinfo --ping-dc
> 6c. time id rowland
> 7. Connect network in virtualbox (switched back to wlan0) + wait 10 secs
> 8. wbinfo --ping-dc
> 9. time id testuser
>
> Results:
>
> 2. output: 'checking the NETLOGON for domain[SAMDOM] dc connection to "rpidc2.samdom.example.com" succeeded'
> 3. output
>     real 0m0.551s
>     user 0m0.008s
>     sys  0m0.000s
> 5. output: 'checking the NETLOGON for domain[SAMDOM] dc connection to "" failed'
>        'failed to call wbcPingDc: WBC_ERR_DOMAIN_NOT_FOUND'
> 6. output
>     real 0m0.022s
>     user 0m0.007s
>     sys  0m0.001s
> 6b. output: 'checking the NETLOGON for domain[SAMDOM] dc connection to "" failed'
>        'failed to call wbcPingDc: WBC_ERR_DOMAIN_NOT_FOUND'
>        NOTE: This was after a long delay, so I ran the command again with 'time' and got this:
>        real 1m2.580s
>        user 0m0.005s
>        sys  0m0.009s
> 6c. output
>     real 0m0.005s
>     user 0m0.002s
>     sys  0m0.001s
> 8. output: 'checking the NETLOGON for domain[SAMDOM] dc connection to "rpidc2.samdom.example.com" succeeded'
> 9. output
>     real 0m0.494s
>     user 0m0.000s
>     sys  0m0.008s
>
> If I attempt to logon as a domain user when the network is disconnected but the 'cable' is connected in Virtualbox, there is a short pause, then I get logged in. There is a similar pause when I log out.
> However just disconnecting the 'cable' (but not connecting to the network) in Virtualbox removes the pauses, logon and logout are virtually instantaneous.
>
> This is the smb.conf file I am using:
>
> [global]
>   workgroup = SAMDOM
>   security = ADS
>   realm = SAMDOM.EXAMPLE.COM
>
>   dedicated keytab file = /etc/krb5.keytab
>   kerberos method = secrets and keytab
>   server string = Samba Client %h
>
>   winbind use default domain = yes
>   winbind expand groups = 2
>   winbind refresh tickets = Yes
>   winbind offline logon = yes
>   disable netbios = yes
>   dns proxy = no
>
>   idmap config * : backend = tdb
>   idmap config * : range = 3000-7999
>   idmap config SAMDOM : backend = rid
>   idmap config SAMDOM : range = 10000-999999
>   template shell = /bin/bash
>   template homedir = /home/%U
>
>   # user Administrator workaround, without it you are unable to set privileges
>   username map = /etc/samba/user.map
>
>   vfs objects = acl_xattr
>   map acl inherit = Yes
>
>   # Comment the following 4 lines to act as a print server
>   printcap name = /dev/null
>   load printers = no
>   disable spoolss = yes
>   printing = bsd
>
>   # logging
>   log level = 3
>   log file = /var/log/samba/%m.log
>   logging = file
>
>   min domain uid = 0
>
> [homes]
>   comment = Home Directories
>   read only = no
>   create mask = 0700
>   directory mask = 0700
>   valid users = %S
>
> [Demo]
>   path = /srv/samba/Demo
>   read only = no
>
> I do not have /etc/security/pam_winbind.conf, Debian based distros do everything through /etc/pam.d/common-auth and this is the relevant line from that file:
>
> auth    [success=1 default=ignore]    pam_winbind.so debug krb5_auth krb5_ccache_type=FILE cached_login try_first_pass

I have exactly the same line in /etc/pam.d/common-auth. In addition pam_winbind.conf restricts login to members of a specific AD group, indeed all other entries are also set through the line in pam.d/common-auth.

> Rowland
>

However for a lookup with the command 'id' pam_winbind is irrelevant since we only do a user and group lookup, it is nss-winbind that is being used.

I don't see any differences between our smb.conf file that could cause this issue, do you?

I guess the next thing to try is increase log level to a high value and repeat the test, any other ideas?

- Kees.
Rowland Penny
2023-Jun-03 14:57 UTC
[Samba] Fwd: PAM Offline Authentication in Ubuntu 22.04...
On 03/06/2023 12:27, Kees van Vloten via samba wrote:
> However for a lookup with the command 'id' pam_winbind is irrelevant since we only do a user and group lookup, it is nss-winbind that is being used.
>
> I don't see any differences between our smb.conf file that could cause this issue, do you?
>
> I guess the next thing to try is increase log level to a high value and repeat the test, any other ideas?
>
> - Kees.

When you logon it is pam_winbind that is used, from my tests there is just one line different in /var/log/auth.log between having the network connected or not at logon. Without the network, I get this extra line:

May 28 08:20:59 member1 lightdm: pam_winbind(lightdm:auth): User rowland logged on using cached credentials

If you use gdm3, you get a similar line.

By all means try a higher log level, but my gut feeling is that it is something at the OS level that is creating the wait.

Rowland
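An added example, not code from this thread or from the Samba project, covering two things the posts above rely on: the settings both posters' configurations share for offline logon (winbind offline logon in smb.conf, cached_login / krb5_auth / krb5_ccache_type in pam_winbind.conf or on the pam.d module line) and the auth.log message Rowland quotes as the only difference when the network is down. The function names (parse_ini, pam_winbind_options, offline_logon_findings, cached_logons) are mine, all sample inputs are constructed from the configs and log line posted in the thread, and the merge order (module-line options applied after pam_winbind.conf) is an assumption.

```python
"""Check a Samba member's offline-logon prerequisites and spot cached logons.

Added example; sample inputs below are constructed from this thread's posts."""
import re
from typing import Dict, List, Optional

# Constructed smb.conf [global] subset, modelled on the configs in the thread.
SMB_CONF = """\
[global]
  workgroup = SAMDOM
  security = ADS
  realm = SAMDOM.EXAMPLE.COM
  winbind use default domain = yes
  winbind refresh tickets = Yes
  winbind offline logon = yes
  winbind cache time = 300
  idmap config * : backend = tdb
  idmap config * : range = 3000-7999
  idmap config SAMDOM : backend = rid
  idmap config SAMDOM : range = 10000-999999
"""

# Constructed /etc/security/pam_winbind.conf (Kees's style).
PAM_WINBIND_CONF = """\
[global]
cached_login = yes
krb5_auth = yes
krb5_ccache_type = FILE
"""

# Constructed Debian-style /etc/pam.d/common-auth module line (Rowland's style).
COMMON_AUTH_LINE = ("auth    [success=1 default=ignore]    pam_winbind.so debug "
                    "krb5_auth krb5_ccache_type=FILE cached_login try_first_pass")

# Constructed auth.log excerpt; the first line is the one quoted in the thread.
AUTH_LOG = """\
May 28 08:20:59 member1 lightdm: pam_winbind(lightdm:auth): User rowland logged on using cached credentials
May 28 08:21:10 member1 lightdm: pam_unix(lightdm:session): session opened for user rowland
May 28 09:02:41 member1 sshd[1234]: pam_winbind(sshd:auth): User alice logged on using cached credentials
"""


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for the INI layout smb.conf and pam_winbind.conf share.
    Keys are lower-cased and whitespace around ':' is dropped, so that
    'idmap config * : range' and 'idmap config *:range' become the same key."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            key = re.sub(r"\s*:\s*", ":", " ".join(key.lower().split()))
            sections[current][key] = value.strip()
    return sections


def is_yes(value: Optional[str]) -> bool:
    """Samba-style boolean: yes/true/1, case-insensitive."""
    return (value or "").strip().lower() in ("yes", "true", "1")


def pam_winbind_options(conf_text: Optional[str], module_line: Optional[str]) -> Dict[str, str]:
    """Merge pam_winbind.conf [global] with options on the pam.d module line.
    Bare flags on the module line (e.g. 'cached_login') are stored as 'yes'.
    Assumption: module-line options are applied last."""
    opts: Dict[str, str] = {}
    if conf_text:
        opts.update(parse_ini(conf_text).get("global", {}))
    match = re.search(r"pam_winbind\.so\s*(.*)$", module_line or "")
    if match:
        for token in match.group(1).split():
            key, _, value = token.partition("=")
            opts[key.lower()] = value or "yes"
    return opts


def offline_logon_findings(smb_conf: str, pam_opts: Dict[str, str]) -> List[str]:
    """List settings that would stop a domain user logging on without the DC;
    an empty list means the prerequisites used in the thread are all present."""
    global_section = parse_ini(smb_conf).get("global", {})
    findings: List[str] = []
    if not is_yes(global_section.get("winbind offline logon")):
        findings.append("smb.conf: 'winbind offline logon' is not yes, so winbind keeps no cached logon data")
    if not is_yes(pam_opts.get("cached_login")):
        findings.append("pam_winbind: 'cached_login' is not set, so PAM rejects logons while the DC is unreachable")
    if is_yes(pam_opts.get("krb5_auth")) and "krb5_ccache_type" not in pam_opts:
        findings.append("pam_winbind: 'krb5_auth' is on without 'krb5_ccache_type' (both posted configs set FILE)")
    return findings


CACHED_LOGON_RE = re.compile(
    r"pam_winbind\((?P<service>[^:()]+):auth\): User (?P<user>\S+) logged on using cached credentials")


def cached_logons(log_text: str) -> List[Dict[str, str]]:
    """Pick out cached-credential logons, i.e. users authenticated without the DC."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        match = CACHED_LOGON_RE.search(line)
        if match:  # syslog timestamp is the first 15 characters, e.g. 'May 28 08:20:59'
            hits.append({"timestamp": line[:15], "service": match.group("service"), "user": match.group("user")})
    return hits


if __name__ == "__main__":
    opts = pam_winbind_options(PAM_WINBIND_CONF, COMMON_AUTH_LINE)
    for item in offline_logon_findings(SMB_CONF, opts) or ["offline logon prerequisites present"]:
        print(item)
    for hit in cached_logons(AUTH_LOG):
        print(f"{hit['timestamp']} {hit['service']}: {hit['user']} logged on with cached credentials")
```

Run against the constructed inputs it reports no findings and two cached logons (rowland via lightdm, alice via sshd); pointing the same functions at real /etc/samba/smb.conf, /etc/pam.d/common-auth and /var/log/auth.log contents gives a quick way to confirm that an offline logon actually took the cached path rather than waiting on a DC lookup.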