[Pkg-samba-maint] Bug#862580: Bug #862580: Winbind crashes on ssh login of a domain user.
Christian Meyer
c2h5oh at web.de
Wed Jun 7 20:55:38 UTC 2017
Hello Louis
and thank you for your very long tutorial.
I tried to fix my 'wrong' smb.conf on my existing machine but that gave
trouble.
So I tried to set up a fresh stretch box step by step (had to change some
things but I had a look at
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member,
too) but after some days and a reboot I see the problem again, it just
appears less often so far.
CONFIG
======
> Setup jessie:
I did stretch.
> # Choose expert install, and at taskselect choose only ssh server.
I did so and used dhcp:
$ cat /etc/hosts
127.0.0.1 localhost
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
$ cat /etc/resolv.conf
domain WORK.COMPANY
search WORK.COMPANY
nameserver 172.16.0.2
$ cat /etc/network/interfaces
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
allow-hotplug enp0s25
iface enp0s25 inet dhcp
> # Check all these.
$ hostname -s
sambawb
$ hostname -d
WORK.COMPANY
$ hostname -f
sambawb.WORK.COMPANY
$ hostname -i
172.16.0.209
> # install samba winbind and needed extras.
> apt-get install samba smbclient samba-dsdb-modules samba-vfs-modules
winbind libpam-winbind libnss-winbind krb5-user ntp bind9-host
libpam-krb5
I did so.
> When questions come, fill in :
No questions came.
> # AD DC ipnumbers at ntp questions
added 'server 172.16.0.2 iburst' to /etc/ntp.conf (that's my AD DC
IP number)
> # krb5-user fill in your REALM in CAPS. ! CAPS YES !
$ cat /etc/krb5.conf
[libdefaults]
default_realm = WORK.COMPANY
> # Change your /etc/nsswitch.conf
$ cat /etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
shadow: compat
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
# kinit administrator
worked great.
> Setup a "correct smb.conf" like this one.
I don't know what's "correct" in your sense. I did:
## ---------- START AD MEMBER SMB.CONF --------- ##
# /etc/samba/smb.conf
[global]
security = ads
realm = WORK.COMPANY
workgroup = WORK
netbios name = sambawb
preferred master = no
domain master = no
host msdfs = no
# speeds up name resolving, (WINS), through dns.
dns proxy = yes
# local master = no
# I left out bind interfaces
#bind interfaces only = yes
#interfaces = enp0s25 127.0.0.1
# I've added these, mostly same as the defaults, but this explains things for others
# if they have auth problems.
# mandatory will still require SMB2 clients to use signing
server signing = mandatory
# if ntlm and lanman auth are both disabled, then only NTLMv2 logins will be permitted
ntlm auth = no
lanman auth = no
# TODO: I skipped TLS keys!
name resolve order = lmhosts host bcast
idmap config * : backend = tdb
idmap config * : range = 2000-9999
# https://wiki.samba.org/index.php/Idmap_config_rid
idmap config WORK : backend = rid
idmap config WORK : range = 10000-999999
template homedir = /home/%D/%U
template shell = /bin/bash
winbind nss info = template
# renew the kerberos ticket
winbind refresh tickets = yes
# Changed to not use winbind trusted domains only
winbind trusted domains only = no
# and to use default domain
winbind use default domain = yes
winbind enum groups = yes
winbind enum users = yes
# Enable offline logins, if needed. I don't want it.
winbind offline logon = no
# left out: winbind max domain connections = 10
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
winbind expand groups = 4
# User Administrator workaround, without it you are unable to set
# username map = /etc/samba/samba_usermapping
# disable usershares creating, no log errors.
usershare path =
# Disable printing completely, no log errors.
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# For ACL support on member servers with shares (obligated member setting)
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
# Share Setting Globally
veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
hide unreadable = yes
# From debian default config:
# This tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/log.%m
# Cap the size of the individual log files (in KiB).
max log size = 1000
# Do something sensible when Samba crashes: mail the admin
panic action = /usr/share/samba/panic-action %d
## ---------- END AD MEMBER SMB.CONF --------- ##
> net ads join -S hostname-DC.work.company -k
successful
> # Setup pam configs for ssh krb5 and winbind, needed for your ssh logins.
> pam-auth-update --force
> # setup the SePrivileges then reboot the server.
I tried to but I didn't really understand. So I think for my problem it's not necessary.
> net cache flush
> systemctl restart samba
Failed to restart samba.service: Unit samba.service is masked.
so I did:
systemctl restart nmbd; systemctl restart smbd
> systemctl restart winbind
RESULT
======
Sometimes. Caught just after a reboot:
FYI: 172.16.0.1 is the ssh tunnel exit point in my company's network.
Jun 07 21:33:14 sambawb nmbd[469]: STATUS=daemon 'nmbd' finished starting up and ready to serve connections
...
Jun 07 21:33:14 sambawb winbindd[519]: STATUS=daemon 'winbindd' finished starting up and ready to serve connections
Jun 07 21:33:14 sambawb systemd[1]: Started Samba Winbind Daemon.
Jun 07 21:33:14 sambawb systemd[1]: Reached target Multi-User System.
Jun 07 21:33:14 sambawb systemd[1]: Reached target Graphical Interface.
Jun 07 21:33:14 sambawb systemd[1]: Starting Update UTMP about System Runlevel Changes...
Jun 07 21:33:14 sambawb systemd[1]: Started Update UTMP about System Runlevel Changes.
Jun 07 21:33:14 sambawb systemd[1]: Startup finished in 3.973s (kernel) + 15.752s (userspace) = 19.725s.
Jun 07 21:33:18 sambawb sshd[502]: pam_krb5(sshd:auth): authentication failure; logname=domainuser uid=0 euid=0 tty=ssh ruser= rhost=172.16.0.1
Jun 07 21:33:18 sambawb sshd[502]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.0.1 user=domainuser
Jun 07 21:33:18 sambawb sshd[502]: pam_winbind(sshd:auth): getting password (0x00000388)
Jun 07 21:33:18 sambawb sshd[502]: pam_winbind(sshd:auth): pam_get_item returned a password
Jun 07 21:33:19 sambawb sshd[502]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS_LOGON_FAILURE, Error message was: Logon failure
Jun 07 21:33:19 sambawb sshd[502]: pam_winbind(sshd:auth): user 'domainuser' denied access (incorrect password or invalid membership)
Jun 07 21:33:20 sambawb sshd[502]: Failed password for invalid user domainuser from 172.16.0.1 port 54474 ssh2
I also noticed that in these cases 'wbinfo -u' or 'kinit domainuser' succeeds, but 'getent passwd' only shows local users.
And yes, libpam-winbind and libnss-winbind are installed and nsswitch.conf has 'passwd: compat winbind'
Interestingly my freshly installed sambawb shows fewer bugs than my reconfigured, elderly but config-updated FAI clients.
What else do you need? sambalog at loglevel xyz?
Christian
PS: I don't know if it's related but sometimes I see error messages like:
Jun 07 09:31:58 fai-server winbindd[18389]: [2017/06/07 09:31:58.322153, 0] ../source3/winbindd/winbindd.c:279(winbindd_sig_term_handler)
Jun 07 09:31:58 fai-server winbindd[18389]: Got sig[15] terminate (is_parent=0)
Jun 07 09:31:58 fai-server winbindd[18387]: [2017/06/07 09:31:58.322378, 0] ../source3/winbindd/winbindd.c:279(winbindd_sig_term_handler)
Jun 07 09:31:58 fai-server winbindd[18387]: Got sig[15] terminate (is_parent=1)