Hello! Rowland Penny via samba
On that day it was said...

> I didn't try turning the last one off, but at least you are getting
> somewhere :-)

With very little steps... ;-)

> When you say 'back to login screen', do you mean that you cannot just
> click the screen, enter your password and close the screensaver ? From
> what you posted, it sounds like you are taken right back to the initial
> login screen.

I've done some more tests; before, if I shut off the wireless, winbind stopped
responding immediately.

Now, it worked for some minutes, then stopped responding and seemed to behave badly
as in my first test (eg, loooooong delay for everything, machine totally
unusable, ...).

So still it is not a solution....

> I would suggest that 'does not work fully in rfc2307 mode' is nearer the
> truth. It sounds like the ID's are being pulled from the cache, but it
> is falling over trying to get the homedir, shell etc.

Look at my other post: can I have a domain in rfc2307 and a client in rid,
if I don't need direct POSIX communication between them (eg, NFS for example)?

> It certainly sounds that way. Can you please open a bug report.

https://bugzilla.samba.org/show_bug.cgi?id=15405

Thanks.

-- 
Some wise man wrote that the only working economic system seemed to him
the free market in which the government holds a gun to the corporations'
temple. Too bad the government is more accustomed to offering modest
amounts of Vaseline to the consumer, occasionally... (Emanuele Pucciarelli)
Markus Dellermann
2023-Jun-28 19:33 UTC
[Samba] PAM Offline Authentication in Ubuntu 22.04
Hi,

On Wednesday, 28 June 2023, 18:52:04 CEST, Marco Gaiarin via samba wrote:
> Hello! Rowland Penny via samba
> On that day it was said...
> 
> > I didn't try turning the last one off, but at least you are getting
> > somewhere :-)
> 
> With very little steps... ;-)
> 
> > When you say 'back to login screen', do you mean that you cannot just
> > click the screen, enter your password and close the screensaver ? From
> > what you posted, it sounds like you are taken right back to the initial
> > login screen.
> 
> I've done some more tests; before, if I shut off the wireless, winbind stopped
> responding immediately.
> 
> Now, it worked for some minutes, then stopped responding and seemed to behave badly
> as in my first test (eg, loooooong delay for everything, machine totally
> unusable, ...).
>

Is winbind still offline then?

#smbcontrol winbind onlinestatus

(sorry if you have already tried)

nscd?

I read now that apparmor is installed; what does

#aa-logprof

say?

> So still it is not a solution....
> 
> > I would suggest that 'does not work fully in rfc2307 mode' is nearer the
> > truth. It sounds like the ID's are being pulled from the cache, but it
> > is falling over trying to get the homedir, shell etc.
> 
> Look at my other post: can I have a domain in rfc2307 and a client in rid,
> if I don't need direct POSIX communication between them (eg, NFS for example)?
>

Works well for our laptops / vpn-clients since a year or so..

> > It certainly sounds that way. Can you please open a bug report.
> 
> https://bugzilla.samba.org/show_bug.cgi?id=15405
> 
> 
> Thanks.

Markus
On 28/06/2023 17:52, Marco Gaiarin via samba wrote:
> Hello! Rowland Penny via samba
> On that day it was said...
>
>> I didn't try turning the last one off, but at least you are getting
>> somewhere :-)
>
> With very little steps... ;-)
>
>> When you say 'back to login screen', do you mean that you cannot just
>> click the screen, enter your password and close the screensaver ? From
>> what you posted, it sounds like you are taken right back to the initial
>> login screen.
>
> I've done some more tests; before, if I shut off the wireless, winbind stopped
> responding immediately.
>
> Now, it worked for some minutes, then stopped responding and seemed to behave badly
> as in my first test (eg, loooooong delay for everything, machine totally
> unusable, ...).
>
> So still it is not a solution....
>

OK, there does seem to be something wrong with the 'ad' idmap backend.

I left a VM running overnight, with the network disconnected. This VM was using the 'ad' idmap backend. The following morning, the screensaver had kicked in, but I couldn't unlock it as the domain user: the user seemed to be known, but the password was reported as incorrect. I logged the user out and logged in a local Unix user.

When I ran 'getent', I got this:

adminuser@ubugdm: $ getent passwd usertest3
usertest3:*:20002:20005::/home/usertest3:/bin/bash

Trying to su to the domain user produced this:

adminuser@ubugdm: $ su - usertest3
Password:
su: Authentication failure

I found this when checking /var/log/auth.log:

Jun 29 10:45:57 ubugdm su: pam_unix(su-l:auth): authentication failure; logname= uid=1000 euid=0 tty=/dev/pts/0 ruser=adminuser rhost= user=usertest3
Jun 29 10:45:57 ubugdm su: pam_winbind(su-l:auth): getting password (0x00000388)
Jun 29 10:45:57 ubugdm su: pam_winbind(su-l:auth): pam_get_item returned a password
Jun 29 10:45:57 ubugdm su: pam_winbind(su-l:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: The specified account does not exist.
Jun 29 10:45:59 ubugdm su: FAILED SU (to usertest3) adminuser on pts/0

So I reconnected the network and tried to su again:

adminuser@ubugdm: $ su - usertest3
Password:
usertest3@ubugdm: $

Jun 29 11:03:56 ubugdm su: pam_unix(su-l:auth): authentication failure; logname= uid=1000 euid=0 tty=/dev/pts/0 ruser=adminuser rhost= user=usertest3
Jun 29 11:03:56 ubugdm su: pam_winbind(su-l:auth): getting password (0x00000388)
Jun 29 11:03:56 ubugdm su: pam_winbind(su-l:auth): pam_get_item returned a password
Jun 29 11:03:56 ubugdm su: pam_winbind(su-l:auth): user 'usertest3' granted access
Jun 29 11:03:57 ubugdm su: (to usertest3) adminuser on pts/0
Jun 29 11:03:57 ubugdm su: pam_unix(su-l:session): session opened for user usertest3(uid=20002) by (uid=1000)

So I exited as the domain user and disconnected the network again.

adminuser@ubugdm: $ su - usertest3
Password:
<long wait>
su: Authentication failure

Jun 29 11:07:16 ubugdm su: pam_unix(su-l:session): session closed for user usertest3
Jun 29 11:08:03 ubugdm su: pam_unix(su-l:auth): authentication failure; logname= uid=1000 euid=0 tty=/dev/pts/0 ruser=adminuser rhost= user=usertest3
Jun 29 11:08:03 ubugdm su: pam_winbind(su-l:auth): getting password (0x00000388)
Jun 29 11:08:03 ubugdm su: pam_winbind(su-l:auth): pam_get_item returned a password
Jun 29 11:08:17 ubugdm su: pam_winbind(su-l:auth): request wbcLogonUser failed: WBC_ERR_WINBIND_NOT_AVAILABLE, PAM error: PAM_AUTHINFO_UNAVAIL (9)!
Jun 29 11:08:17 ubugdm su: pam_winbind(su-l:auth): internal module error (retval = PAM_AUTHINFO_UNAVAIL(9), user = 'usertest3')
Jun 29 11:08:19 ubugdm su: FAILED SU (to usertest3) adminuser on pts/0

Reconnected the network again, changed to the rid backend and rebooted, logged on as usertest3.

I then disconnected from the network and left the VM alone. This was at 11:32 on the 29th of June (yesterday). When I checked at 12:22 it was locked by the screensaver, but I was allowed to unlock the screensaver. Checked at 15:06 today: locked by screensaver, but I could easily unlock it.

So, to put it in short terms, using the 'ad' idmap backend gives nothing but problems when 'winbind offline logon' is used, but (for myself) absolutely no problems if the 'rid' idmap backend is used.

Rowland
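As an added example (not code from the thread or from the Samba project), here is a small Python parser for the pam_winbind lines in the auth.log excerpts above. It separates the two failure modes Rowland's logs show: WBC_ERR_WINBIND_NOT_AVAILABLE (winbind itself is hung or stopped, so nothing was checked) versus WBC_ERR_AUTH_ERROR with NT_STATUS_NO_SUCH_USER (winbind answers but cannot find the cached account, the 'ad' backend symptom), and it flags a user who was granted access while online but "vanished" while offline. The sample log is constructed from the lines in the post; the verdict names and helper functions are my own.

```python
import re

# Constructed sample: the auth.log lines quoted in the post above, in order
# (offline attempt on the 'ad' backend, the online retry, second offline attempt).
SAMPLE_LOG = """\
Jun 29 10:45:57 ubugdm su: pam_unix(su-l:auth): authentication failure; logname= uid=1000 euid=0 tty=/dev/pts/0 ruser=adminuser rhost= user=usertest3
Jun 29 10:45:57 ubugdm su: pam_winbind(su-l:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: The specified account does not exist.
Jun 29 11:03:56 ubugdm su: pam_unix(su-l:auth): authentication failure; logname= uid=1000 euid=0 tty=/dev/pts/0 ruser=adminuser rhost= user=usertest3
Jun 29 11:03:56 ubugdm su: pam_winbind(su-l:auth): user 'usertest3' granted access
Jun 29 11:08:03 ubugdm su: pam_unix(su-l:auth): authentication failure; logname= uid=1000 euid=0 tty=/dev/pts/0 ruser=adminuser rhost= user=usertest3
Jun 29 11:08:17 ubugdm su: pam_winbind(su-l:auth): request wbcLogonUser failed: WBC_ERR_WINBIND_NOT_AVAILABLE, PAM error: PAM_AUTHINFO_UNAVAIL (9)!
"""

SYSLOG = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<svc>[^:]+): "
UNIX_USER = re.compile(SYSLOG + r"pam_unix\([^)]*\): .*\buser=(?P<user>\S+)")
WB_GRANT = re.compile(SYSLOG + r"pam_winbind\([^)]*\): user '(?P<user>[^']+)' granted access")
WB_FAIL = re.compile(SYSLOG + r"pam_winbind\([^)]*\): request wbcLogonUser failed: "
                     r"(?P<wbc>WBC_ERR_\w+)(?:.*NTSTATUS: (?P<nt>NT_STATUS_\w+))?")

def verdict(wbc, nt):
    """Map a wbcLogonUser failure onto the two modes seen in the thread (names are mine)."""
    if wbc == "WBC_ERR_WINBIND_NOT_AVAILABLE":
        return "winbind_unreachable"   # daemon hung or stopped; nothing was checked at all
    if wbc == "WBC_ERR_AUTH_ERROR" and nt == "NT_STATUS_NO_SUCH_USER":
        return "cached_user_vanished"  # winbind answered, but the offline cache has no such account
    return "rejected"                  # winbind reachable, credentials refused

def classify_log(text):
    """One record per winbind logon outcome: (timestamp, host, user, verdict)."""
    records, pending = [], {}   # pending: (host, service) -> user named by the preceding pam_unix line
    for line in text.splitlines():
        if m := UNIX_USER.match(line):
            pending[(m["host"], m["svc"])] = m["user"]
        elif m := WB_GRANT.match(line):
            records.append((m["ts"], m["host"], m["user"], "granted"))
        elif m := WB_FAIL.match(line):
            user = pending.get((m["host"], m["svc"]), "?")
            records.append((m["ts"], m["host"], user, verdict(m["wbc"], m["nt"])))
    return records

def offline_logon_broken(records):
    """Users granted access at one point and 'vanished' at another: the 'ad' backend symptom."""
    seen = {}
    for _, _, user, v in records:
        seen.setdefault(user, set()).add(v)
    return sorted(u for u, vs in seen.items() if {"granted", "cached_user_vanished"} <= vs)
```

Feed classify_log() the contents of /var/log/auth.log from an affected laptop; a user reported by offline_logon_broken() is one whose account resolves through NSS but whom offline logon cannot find.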