[Samba] winbind offline login - NT_STATUS_NO_SUCH_USER (0xc0000064)

Hello All,

I am in the middle of switching from sssd to winbind-based Samba domain members (Debian
9 stretch).
I am using Samba 4.10.2 packages from Louis ( http://apt.van-belle.nl/ )
and the rid backend for idmap.

My problem:
I am able to log on to my domain members using pam_winbind as long as my
client is connected to a network where a domain controller is reachable.
As soon as I shut down and connect a client to a network without a reachable domain
controller and try to log in again with a user from a previous
logon, I receive this error:

lightdm[1109]: pam_winbind(lightdm:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: The specified account does not exist.

What I have done already (I added a ping at the end of every command list
to show you whether I was "online" or "offline"):
1.  I read the wiki :) -
https://wiki.samba.org/index.php/PAM_Offline_Authentication
    Based on this I found that I can test offline authentication as follows,
using "switch winbindd to offline mode by hand":

root@cd2bd668e00c7:~# wbinfo -K EXAMPLE.CORP\\faiuser
Enter EXAMPLE.CORP\faiuser's password:
plaintext kerberos password authentication for [EXAMPLE.CORP\faiuser] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0
root@cd2bd668e00c7:~# smbcontrol winbind offline
root@cd2bd668e00c7:~# wbinfo -K EXAMPLE.CORP\\faiuser
Enter EXAMPLE.CORP\faiuser's password:
plaintext kerberos password authentication for [EXAMPLE.CORP\faiuser] succeeded (requesting cctype: FILE)
user_flgs: NETLOGON_CACHED_ACCOUNT
credentials were put in: FILE:/tmp/krb5cc_0
root@cd2bd668e00c7:~# ping -c1 EXAMPLE.CORP
PING EXAMPLE.CORP (192.168.33.251) 56(84) bytes of data.
64 bytes from location-000001.example.corp (192.168.33.251): icmp_seq=1 ttl=64 time=0.122 ms
--- EXAMPLE.CORP ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.122/0.122/0.122/0.000 ms
root@cd2bd668e00c7:~#
--> everything seems fine .... BUT

2. I shut down the machine and did the same test again on an offline/different
network:

root@cd2bd668e00c7:~# wbinfo -K EXAMPLE.CORP\\faiuser
Enter EXAMPLE.CORP\faiuser's password:
plaintext kerberos password authentication for [EXAMPLE.CORP\faiuser] failed (requesting cctype: FILE)
wbcLogonUser(EXAMPLE.CORP\faiuser): error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error message was: The specified account does not exist.
Could not authenticate user [EXAMPLE.CORP\faiuser] with Kerberos (ccache: FILE)
root@cd2bd668e00c7:~# smbcontrol winbind offline
root@cd2bd668e00c7:~# wbinfo -K EXAMPLE.CORP\\faiuser
Enter EXAMPLE.CORP\faiuser's password:
plaintext kerberos password authentication for [EXAMPLE.CORP\faiuser] failed (requesting cctype: FILE)
wbcLogonUser(EXAMPLE.CORP\faiuser): error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error message was: The specified account does not exist.
Could not authenticate user [EXAMPLE.CORP\faiuser] with Kerberos (ccache: FILE)

root@cd2bd668e00c7:~# ping -c1 EXAMPLE.CORP
ping: EXAMPLE.CORP: Name or service not known
root@cd2bd668e00c7:~#
--> hm.. same command, different result on a different network!

3. I read the wiki article again from the beginning :P -
https://wiki.samba.org/index.php/PAM_Offline_Authentication
    I verified that "winbind offline logon = yes" is defined in smb.conf --> yep
(full file below)
    I checked whether /etc/security/pam_winbind.conf contains "cached_login =
yes" --> nope - even worse, the file does not exist at all.
    Only /etc/security/pam_env.conf exists .. but this is full of
comments only - no values in it at all.
    So I created pam_winbind.conf and did the tests of topics 1 & 2 again.
    Same result - so I deleted pam_winbind.conf again.

4. I searched the web and the "lists.samba.org" archive and found:
https://lists.samba.org/archive/samba/2019-February/221224.html
    Based on this I changed the following values of my smb.conf (initially
based on:
https://github.com/thctlo/samba4/blob/master/howtos/stretch-base-3.2-samba-member-fileserver.txt)
according to Rowland's suggestion:
    local master = no
    server string = Samba 4 Client %h
    Once again I did the tests of 1, 2 & 3 but ended up with the same results
(I even deleted pam_winbind.conf again as described in 3).
    What I did NOT do was change the value of "krb5_ccache_type=FILE"
to "krb5_ccache_type" within /etc/pam.d/common-auth, as described as a
"workaround" in
https://lists.samba.org/archive/samba/2019-February/221157.html
    since from the conversation there I understood that this does not seem to be the
correct way to handle the error.

My configuration:
root@cd2bd668e00c7:~# cat /etc/samba/smb.conf
[global]
 server string = Samba 4 Client %h
 local master = no
 store dos attributes = yes
 map acl inherit = yes
 vfs objects = acl_xattr
 log level = 0
 realm = EXAMPLE.CORP
 workgroup = EXAMPLE
 dedicated keytab file = /etc/krb5.keytab
 kerberos method = secrets and keytab
 winbind refresh tickets = yes
 winbind offline logon = yes
 winbind use default domain = yes
 winbind enum users = no
 winbind enum groups = no
 winbind expand groups = 4
 template shell = /bin/bash
 preferred master = no
 domain master = no
 security = ADS
 idmap config * : backend = tdb
 idmap config * : range = 3000-7000
 idmap config EXAMPLE : backend = rid
 idmap config EXAMPLE : range = 10000-999999
 username map = /etc/samba/samba_usermapping
 usershare path =
 load printers = no
 printing = bsd
 printcap name = /dev/null
 disable spoolss = yes

root@cd2bd668e00c7:~# cat /etc/krb5.conf
[libdefaults]
 permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 proxiable = true
 forwardable = true
 dns_lookup_kdc = true
 dns_lookup_realm = false
 default_realm = EXAMPLE.CORP

root@cd2bd668e00c7:~# cat /etc/pam.d/common-auth | egrep -v "^#"

auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so

Thank you for any help & hints in advance.

Kind Regards

Martin
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
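The checks the post walks through by hand (the "winbind offline logon" option in smb.conf, "cached_login" either as a pam_winbind.so argument in the PAM auth stack or in /etc/security/pam_winbind.conf, and reading the outcome of "wbinfo -K") collected into one script, as an added example that is not code from this thread or from Samba. It assumes the three files are the ones the Samba wiki page on PAM offline authentication names; the sample texts are constructed from the configuration and output quoted in the post, and the key normalisation (lower case, collapsed whitespace) is a lookup convenience of this script, not Samba's own parser.

```python
import re
from typing import Dict, List, Optional

# Constructed samples, taken from the configuration and output quoted in the post.
SMB_CONF = """[global]
 server string = Samba 4 Client %h
 realm = EXAMPLE.CORP
 workgroup = EXAMPLE
 winbind refresh tickets = yes
 winbind offline logon = yes
 winbind use default domain = yes
 security = ADS
 idmap config * : backend = tdb
 idmap config EXAMPLE : backend = rid
"""

COMMON_AUTH = """# comment lines are ignored
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""

WBINFO_CACHED = """plaintext kerberos password authentication for [EXAMPLE.CORP\\faiuser] succeeded (requesting cctype: FILE)
user_flgs: NETLOGON_CACHED_ACCOUNT
credentials were put in: FILE:/tmp/krb5cc_0
"""

WBINFO_FAILED = """plaintext kerberos password authentication for [EXAMPLE.CORP\\faiuser] failed (requesting cctype: FILE)
wbcLogonUser(EXAMPLE.CORP\\faiuser): error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error message was: The specified account does not exist.
"""


def ini_globals(text: str) -> Dict[str, str]:
    """Return the [global] section of an smb.conf-style file as a dict.
    Keys are lower-cased with whitespace collapsed (this script's lookup rule)."""
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params[" ".join(key.lower().split())] = value.strip()
    return params


def pam_winbind_auth_args(text: str) -> Optional[List[str]]:
    """Module arguments of the first 'auth ... pam_winbind.so' line, or None if absent."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields or fields[0].lstrip("-") != "auth":
            continue
        for i, field in enumerate(fields):
            if field.endswith("pam_winbind.so"):
                return fields[i + 1:]
    return None


def _is_yes(value: Optional[str]) -> bool:
    return (value or "").strip().lower() in ("yes", "true", "1")


def check_offline_logon(smb_conf: str, common_auth: str,
                        pam_winbind_conf: Optional[str] = None) -> Dict[str, bool]:
    """Evaluate the prerequisites for winbind offline (cached) logon.
    pam_winbind_conf is None when /etc/security/pam_winbind.conf does not exist."""
    args = pam_winbind_auth_args(common_auth)
    conf_cached = pam_winbind_conf is not None and _is_yes(ini_globals(pam_winbind_conf).get("cached_login"))
    return {
        "winbind_offline_logon": _is_yes(ini_globals(smb_conf).get("winbind offline logon")),
        "pam_winbind_in_auth_stack": args is not None,
        "cached_login_enabled": (args is not None and "cached_login" in args) or conf_cached,
        "krb5_auth_enabled": args is not None and "krb5_auth" in args,
    }


def classify_wbinfo(output: str) -> str:
    """Classify 'wbinfo -K' output: 'cached' (answered from winbind's credential cache),
    'online' (answered by a DC), the NTSTATUS code on failure, or 'unknown'."""
    if "NETLOGON_CACHED_ACCOUNT" in output:
        return "cached"
    failure = re.search(r"error code was (NT_STATUS_\w+)", output)
    if failure:
        return failure.group(1)
    if re.search(r"authentication for \[.*\] succeeded", output):
        return "online"
    return "unknown"


if __name__ == "__main__":
    for name, ok in check_offline_logon(SMB_CONF, COMMON_AUTH).items():
        print(f"{name:28s} {'ok' if ok else 'MISSING'}")
    print("cached run :", classify_wbinfo(WBINFO_CACHED))
    print("offline run:", classify_wbinfo(WBINFO_FAILED))
```

Run against the real files (read /etc/samba/smb.conf, /etc/pam.d/common-auth and, if present, /etc/security/pam_winbind.conf) the checker shows which prerequisite is absent; fed the two "wbinfo -K" transcripts from the post it distinguishes the run that was answered from the cache (user_flgs: NETLOGON_CACHED_ACCOUNT) from the run that failed with NT_STATUS_NO_SUCH_USER, which is the difference the poster observed between the two networks.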