[Bug 1764853] Re: winbind returns PAM_AUTHINFO_UNAVAIL on first login after reboot
msaxl
1764853 at bugs.launchpad.net
Sun Apr 22 08:42:01 UTC 2018
I guess I found the problem.
winbindd somewhere does change its uid to the target uid to create the user's Kerberos cache.
If keytab method contains system keytab (it does in my configuration), in gse_krb5.c fill_mem_keytab_from_system_keytab there is a call to name_to_fqdn. This function uses getaddrinfo to get the machine's FQDN. This in turn connects to the system dbus (not as uid 0!). The system dbus has not cached this uid's "credentials" (there seems to be a hash table, see dbus-userdb.c line 148), so it uses the nsswitch configuration to get it. The system dbus now connects to winbind. But winbind seems to be blocking in this case (and the system dbus is now blocked too).
As soon as pam_winbind times out, the deadlock is broken, the needed information is returned to the system dbus, the info is put into the hash table, and dbus is not blocked anymore.
The second time the info is in dbus's hash table, so the deadlock does not happen (this also explains why the second time I get the system's FQDN but not the first time).
Keep in mind that this means calling getaddrinfo in winbind is only safe as uid 0, but I suggest the following (maybe better to be discussed upstream):
insert an if(getuid()==0){ .. } around lines 597 and 602 in gse_krb5.c
(https://git.samba.org/?p=samba.git;a=blob;f=source3/librpc/crypto/gse_krb5.c;h=4dd39eaf08d8f492b6b332cfb5b2f30e4c1ab575;hb=4dd39eaf08d8f492b6b332cfb5b2f30e4c1ab575#l597)
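The uid guard suggested above, written out as an added example in C (this is not Samba's code and does not reproduce name_to_fqdn; the function name fqdn_if_root and the explicit uid parameter are assumptions made so both branches can be exercised). As root it resolves the canonical name with getaddrinfo; for any other uid it stops at the kernel-provided hostname, so no NSS lookup can re-enter the daemon through dbus and nss_winbind:

```c
/* Added example, not from the Samba source: a uid-guarded FQDN lookup. */
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Fill buf with the host's FQDN when uid is 0, otherwise with the bare
 * hostname. Returns 1 when the getaddrinfo() path was taken, 0 when the
 * unprivileged fallback was used, -1 if the hostname could not be read.
 * The uid is passed in explicitly (assumption for testability) instead of
 * calling getuid() inside; a real caller would pass geteuid(). */
int fqdn_if_root(uid_t uid, char *buf, size_t len)
{
    char host[256];
    struct addrinfo hints, *res = NULL;

    if (gethostname(host, sizeof(host)) != 0)
        return -1;
    host[sizeof(host) - 1] = '\0';

    if (uid != 0) {
        /* Unprivileged: an NSS lookup from this uid is not cached by dbus
         * and may block on a daemon that is waiting on us, so do not
         * resolve at all and use the kernel's hostname as-is. */
        snprintf(buf, len, "%s", host);
        return 0;
    }

    /* Privileged: the lookup is safe here, ask the resolver for the
     * canonical name and fall back to the plain hostname if none comes back. */
    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;
    hints.ai_flags = AI_CANONNAME;
    if (getaddrinfo(host, NULL, &hints, &res) != 0 ||
        res == NULL || res->ai_canonname == NULL) {
        if (res != NULL)
            freeaddrinfo(res);
        snprintf(buf, len, "%s", host);
        return 1;
    }
    snprintf(buf, len, "%s", res->ai_canonname);
    freeaddrinfo(res);
    return 1;
}
```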
https://bugs.launchpad.net/bugs/1764853
Title:
winbind returns PAM_AUTHINFO_UNAVAIL on first login after reboot
Status in samba package in Ubuntu:
Incomplete
Bug description:
The following issue exists only on Ubuntu 18.04.
I've upgraded Ubuntu from 17.10 and noticed that winbind does not work well.
90% of the time when I reboot my system I'm getting PAM_AUTHINFO_UNAVAIL when trying to log in with a domain account.
Clicking login again on the login screen succeeds most of the time (so the password is correct).
I've checked whether it works if I wait 10 minutes before logging in; no success, so it is not a timing issue.
Also I've checked whether winbind is working (logging in with ssh using a local account):
getent passwd xy and wbinfo -K user%pwd both always work.
Now my workaround is putting
winbind request timeout = 3
in smb.conf, since PAM_AUTHINFO_UNAVAIL is returned about 60 seconds after trying to log in. This workaround solves nothing; it only makes logging in faster. (But now it fails mostly two times, but waiting 6 seconds is better than 60.)
To me it seems like a deadlock, but I was unable to track it since it happens only on the first login. Then I would have to reboot (restarting winbind does not trigger it twice; also removing all caches in /run/samba does not trigger it twice).