[Pkg-samba-maint] Bug#862580: Bug #862580: Winbind crashes on ssh login of a domain user.

Christian Meyer c2h5oh at web.de
Sat Jun 10 21:53:32 UTC 2017

Hello Louis,

> 1) $ cat /etc/hosts
>>	localhost
>You did setup with DHCP, so you remove sambawb, is possible,
>but better is. 
This is because 
tells: "On debian related systems you wil see hostname also
in /etc/hosts remove it before you install samba."

>	sambawb.work.company sambawb
I had it in /etc/hosts before and removed it following wiki.samba.org.
I will put it back.

> ( recommended turn of dhcp, use static ips for the servers )
I will think about it.
But just to be clear: what exactly do you mean with 'server'? My debian
machines are only 'domain members' and are not providing any shares or
printers to the network. I think 'server' is samba terminology meaning
that it is providing services e.g. to PAM on the local machine. Right?

> 2) Setup and enable the username map.
> username map = /etc/samba/samba_usermapping
> ( needs content : !root = WORK\Administrator WORK\administrator )
It's changed.

> # Now here its interresting, this tell me something.
>> Jun 07 21:33:18 sambawb sshd[502]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost= user=domainuser 
>> ^^ Guessing, also correctly rejected, if you did not give root a
password at install or your sshd_config has : PermitRootLogin no (or

> Most interresting part.
>> Jun 07 21:33:18 sambawb sshd[502]: pam_winbind(sshd:auth): getting
password (0x00000388) 
>> Jun 07 21:33:18 sambawb sshd[502]: pam_winbind(sshd:auth):
pam_get_item returned a password 
>> Jun 07 21:33:19 sambawb sshd[502]: pam_winbind(sshd:auth): request
wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7),
NTSTATUS_LOGON_FAILURE, Error message was: Logon failure 
>> Jun 07 21:33:19 sambawb sshd[502]: pam_winbind(sshd:auth): user
'domainuser' denied access (incorrect password or invalid membership) 
>> Jun 07 21:33:20 sambawb sshd[502]: Failed password for invalid user
domainuser from port 54474 ssh2

> Are you are loggin in as user "root" (id=0) or as "Administrator"
> Or you created a users and assigned id 0, in all cases, this is in my
opinion wrong to do.

No, that's not the case. I see 'uid=0' but my username is just an
ordinary domain user. It's neither "root" nor "Administrator". The
domain user isn't a domain admin, too - it's a restricted domain
account. I have several domain accounts to test and whenever it fails I
see 'uid=0', too. Doesn't matter what (unprivilged) account I use.
I remove the homedir on logout and recreate it on logon with

> I recommend not enabling root logins on ssh, but thats your choice.
> You can not, never ever, assign user Administrator an uid, especialy
user Adminsitrator. 
> Uid 0 = root and only root, now this is why you need the username

Okay, I think that is the point:
When it fails I see:
Jun 10 22:21:50 COMPUTERXY sshd[3207]: Invalid user domainuser from
Jun 10 22:21:50 COMPUTERXY sshd[3207]: input_userauth_request: invalid
user domainuser [preauth]
Jun 10 22:21:52 COMPUTERXY sshd[3207]: pam_krb5(sshd:auth):
authentication failure; logname=domainuser uid=0 euid=0 tty=ssh ruser=

and on success it is (same machine, same user, just some time later,
e.g. after a local user logged in):
Jun 10 23:23:22 COMPUTERXY sshd[9459]: pam_krb5(sshd:auth): user
domainuser authenticated as domainuser at WORK.COMPANY
Jun 10 23:23:22 COMPUTERXY pam-script[9459]: can not
stat /usr/share/libpam-script/pam_script_acct
Jun 10 23:23:22 COMPUTERXY sshd[9459]: Accepted password for domainuser
from port 43841 ssh2

I will have a look at it with changed username mapping.

> Now where did it go wrong. You have a few options to check. 
> First, check the time sync on the DC's and the member servers. 
> A common problem with login problems. Check this first. 
# net ads info -P
LDAP server:
LDAP server name: ADDC.WORK.company
Bind Path: dc=WORK,dc=COMPANY
LDAP port: 389
Server time: Sa, 10 Jun 2017 23:37:11 CEST
KDC server:
Server time offset: 0

# grep server /etc/ntp.conf
server iburst

# grep GSS /etc/ssh/sshd_config 
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

I will change it to:
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

> And if you use groups member checks in sshd_conf, test if all these
groups have GID. 
# grep -i group /etc/ssh/sshd_config

>> I also noticed that in this cases 'wbinfo -u' or 'kinit 
>> domainuser' succeeds, but 'getent passwd' only shows local users.
>> And yes, libpam-winbind and libnss-winbind are installed and 
>> nsswitch.conf has 'passwd:         compat winbind'
> Yes, this is confusing..  ;-) 
> wbinfo -u shows all you users. 
>getent passwd not, but `getent passwd username`, should show your
No, it isn't. 'getent passwd' shows domainusers, too, but I tested
'getent passwd domainuser' as well:
I'm logged in as root and testing 'getent passwd' or 'getent passwd
When 'getent passwd' (or 'getent passwd domainuser') shows 'domainuser'
then I can log in as domainuser, too.
When 'getent passwd' (or 'getent passwd domainuser') does not show
'domainuser' then I can't log in as domainuser.

Thank you for your help,


More information about the Pkg-samba-maint mailing list