[Bug 904346] New: Can't login using Active Directory account for about 5 to 10 minutes after boot
http://bugzilla.opensuse.org/show_bug.cgi?id=904346

Bug ID: 904346
Summary: Can't login using Active Directory account for about 5 to 10 minutes after boot
Classification: openSUSE
Product: openSUSE Distribution
Version: 13.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Samba
Assignee: samba-maintainers@SuSE.de
Reporter: robin.roevens@uza.be
QA Contact: samba-maintainers@SuSE.de
Found By: ---
Blocker: ---

On a new installation of openSUSE 13.2 I joined an Active Directory domain and enabled linux authentication using YaST2. AD Login worked immediately.
However when the system reboots or starts, I can't login using an AD account. Only after about 5 to 10 minutes, it suddenly is possible to login using an AD account.

During the period that AD login is not possible I also can't query the user using
getent passwd <AD userid>
which does work as soon as I can log in with an AD account.

wbinfo -u however displays all AD users, also during the period that I can't log in.
When examining journalctl I only see winbind starting up correctly during boot and no related error messages besides the actual authentication failure, telling that it can't find the user:
---
gnome-session[2435]: (gnome-shell:2476): AccountsService-WARNING **: ActUserManager: user (null) has no username (uid: 0)
gnome-session[2435]: Gjs-Message: JS LOG: Ignored exception from dbus method: Gio.DBusError: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.realmd was not provided by any .service files
gdm-session-worker[2565]: <5>AccountsService: ActUserManager: user (null) has no username (uid: 0)
gdm-password][2565]: gkr-pam: error looking up user information
gdm-password][2565]: pam_unix(gdm-password:auth): check pass; user unknown
nov 07 09:10:16 uzaws0531 gdm-password][2565]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
gdm-password][2565]: pam_winbind(gdm-password:auth): getting password (0x00000190)
gdm-password][2565]: pam_winbind(gdm-password:auth): pam_get_item returned a password
gdm-session-worker[2568]: <5>AccountsService: ActUserManager: user (null) has no username (uid: 0)
gdm-password][2568]: gkr-pam: error looking up user information
---

I have absolutely no clue where or how I can find more information about this problem, and what component is causing it. Winbind itself seems to be working correctly.

--
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=904346

David Disseldorp <ddiss@suse.com> changed:

What   |Removed |Added
----------------------------------------------------------------------------
CC     |        |ddiss@suse.com, robin.roevens@uza.be
Flags  |        |needinfo?(robin.roevens@uza.be)

--- Comment #1 from David Disseldorp <ddiss@suse.com> ---
Thanks for the report Robin.

Please configure "log level = 10" in smb.conf, remove or backup the contents of /var/log/samba/log.* and rerun your reboot + login test case.
After doing so, please attach the smb.conf config file and generated winbind logs (in /var/log/samba/) to this bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=904346

--- Comment #2 from Robin Roevens <robin.roevens@uza.be> ---
Created attachment 612766
--> http://bugzilla.opensuse.org/attachment.cgi?id=612766&action=edit
winbind logfile with log level = 10

http://bugzilla.opensuse.org/show_bug.cgi?id=904346

--- Comment #3 from Robin Roevens <robin.roevens@uza.be> ---
Created attachment 612767
--> http://bugzilla.opensuse.org/attachment.cgi?id=612767&action=edit
winbind logfile with log level = 10

http://bugzilla.opensuse.org/show_bug.cgi?id=904346

--- Comment #4 from Robin Roevens <robin.roevens@uza.be> ---
Created attachment 612768
--> http://bugzilla.opensuse.org/attachment.cgi?id=612768&action=edit
winbind logfile with log level = 10

http://bugzilla.opensuse.org/show_bug.cgi?id=904346

--- Comment #5 from Robin Roevens <robin.roevens@uza.be> ---
Created attachment 612769
--> http://bugzilla.opensuse.org/attachment.cgi?id=612769&action=edit
winbind logfile with log level = 10

http://bugzilla.opensuse.org/show_bug.cgi?id=904346

--- Comment #6 from Robin Roevens <robin.roevens@uza.be> ---
Created attachment 612770
--> http://bugzilla.opensuse.org/attachment.cgi?id=612770&action=edit
winbind logfile with log level = 10
http://bugzilla.opensuse.org/show_bug.cgi?id=904346

--- Comment #7 from Robin Roevens <robin.roevens@uza.be> ---
I attached the requested log files.

I have to mention that this time I was able to login about a minute after boot (gdm on screen) Looking at the logfile, it looks like winbind initially can't find the domain servers..until after a while..
http://bugzilla.opensuse.org/show_bug.cgi?id=904346

Robin Roevens <robin.roevens@uza.be> changed:

What   |Removed                         |Added
----------------------------------------------------------------------------
Flags  |needinfo?(robin.roevens@uza.be) |

--- Comment #8 from Robin Roevens <robin.roevens@uza.be> ---
Created attachment 612771
--> http://bugzilla.opensuse.org/attachment.cgi?id=612771&action=edit
Samba config
http://bugzilla.opensuse.org/show_bug.cgi?id=904346

--- Comment #9 from David Disseldorp <ddiss@suse.com> ---
(In reply to Robin Roevens from comment #7)
> I attached the requested log files.

Thanks!

> I have to mention that this time I was able to login about a minute after boot (gdm on screen) Looking at the logfile, it looks like winbind initially can't find the domain servers..until after a while..

I expect this is due to Winbind being started before the network is up.
http://bugzilla.opensuse.org/show_bug.cgi?id=904346

David Disseldorp <ddiss@suse.com> changed:

What   |Removed |Added
----------------------------------------------------------------------------
Flags  |        |needinfo?(robin.roevens@uza.be)

--- Comment #11 from David Disseldorp <ddiss@suse.com> ---
Is NetworkManager-wait-online.service enabled?

Please provide the output of:
# systemctl status NetworkManager-wait-online.service
and...
# grep NM_ONLINE_TIMEOUT /etc/sysconfig/network/config
http://bugzilla.opensuse.org/show_bug.cgi?id=904346

--- Comment #12 from Robin Roevens <robin.roevens@uza.be> ---
Created attachment 612780
--> http://bugzilla.opensuse.org/attachment.cgi?id=612780&action=edit
winbind logfiles with log level = 10 - second try

New reboot. This time it again took minutes before I could log in.
http://bugzilla.opensuse.org/show_bug.cgi?id=904346

Robin Roevens <robin.roevens@uza.be> changed:

What   |Removed                         |Added
----------------------------------------------------------------------------
Flags  |needinfo?(robin.roevens@uza.be) |

--- Comment #13 from Robin Roevens <robin.roevens@uza.be> ---
(In reply to David Disseldorp from comment #11)
> Is NetworkManager-wait-online.service enabled?
>
> Please provide the output of:
> # systemctl status NetworkManager-wait-online.service

NetworkManager-wait-online.service - Network Manager Wait Online
   Loaded: loaded (/usr/lib/systemd/system/NetworkManager-wait-online.service; enabled)
   Active: inactive (dead)

It was disabled at first, but then I enabled it and rebooted again. But it didn't help.

> and...
> # grep NM_ONLINE_TIMEOUT /etc/sysconfig/network/config

NM_ONLINE_TIMEOUT="30"
http://bugzilla.opensuse.org/show_bug.cgi?id=904346

David Disseldorp <ddiss@suse.com> changed:

What   |Removed |Added
----------------------------------------------------------------------------
Flags  |        |needinfo?(robin.roevens@uza.be)

--- Comment #14 from David Disseldorp <ddiss@suse.com> ---
Is your network configured with NetworkManager?

Could you please enable NetworkManager-wait-online.service, then reboot.
After rebooting, plot the service init sequence using `systemd-analyze plot > boot.svg` and attach the generated svg.
http://bugzilla.opensuse.org/show_bug.cgi?id=904346

Robin Roevens <robin.roevens@uza.be> changed:

What   |Removed                         |Added
----------------------------------------------------------------------------
Flags  |needinfo?(robin.roevens@uza.be) |

--- Comment #15 from Robin Roevens <robin.roevens@uza.be> ---
Created attachment 612796
--> http://bugzilla.opensuse.org/attachment.cgi?id=612796&action=edit
systemd boot analysis

Now that you mention it, I don't use network-manager. I use the wicked service since I need a bridge for local KVM virtual machines. I tried to copy this configuration to network-manager but I can't seem to properly configure the bridge like it was automatically done by the YaST install hypervisor-wizard.

Anyhow, for testing purposes I configured network-manager now, with a single wired interface and verified that the NetworkManager-wait-online.service is enabled.
Booting now seems to be even faster, but in GDM I see the NM-applet still trying to connect for a few seconds, then turning to 'connected'.

But the problem remains. I can't login using an AD account.
http://bugzilla.opensuse.org/show_bug.cgi?id=904346

--- Comment #16 from Robin Roevens <robin.roevens@uza.be> ---
Created attachment 612798
--> http://bugzilla.opensuse.org/attachment.cgi?id=612798&action=edit
systemd boot analysis with wicked enabled

For completeness: boot analysis with wicked enabled instead of network-manager
http://bugzilla.opensuse.org/show_bug.cgi?id=904346

--- Comment #17 from Robin Roevens <robin.roevens@uza.be> ---
I already mentioned before that while I can't login, I am able to run wbinfo -u which correctly lists all domain users.
Now I noticed that AD login always starts working immediately after running this wbinfo -u command. If I don't run this command, it takes much more time before AD login is available..
http://bugzilla.opensuse.org/show_bug.cgi?id=904346

David Disseldorp <ddiss@suse.com> changed:

What   |Removed |Added
----------------------------------------------------------------------------
Flags  |        |needinfo?(robin.roevens@uza.be)

--- Comment #18 from David Disseldorp <ddiss@suse.com> ---
(In reply to Robin Roevens from comment #15)
> Created attachment 612796 [details]
> systemd boot analysis

Thanks. This graph shows winbind.service starting before NetworkManager-wait-online.service completes.

Please provide the contents of /usr/lib/systemd/system/winbind.service .
http://bugzilla.opensuse.org/show_bug.cgi?id=904346

Robin Roevens <robin.roevens@uza.be> changed:

What   |Removed                         |Added
----------------------------------------------------------------------------
Flags  |needinfo?(robin.roevens@uza.be) |

--- Comment #19 from Robin Roevens <robin.roevens@uza.be> ---
(In reply to David Disseldorp from comment #18)
> Please provide the contents of /usr/lib/systemd/system/winbind.service .

[Unit]
Description=Samba Winbind Daemon
After=syslog.target network-online.target nmb.service

[Service]
Type=notify
NotifyAccess=all
Environment=KRB5CCNAME=/run/samba/krb5cc_samba
Environment=KRB5RCACHEDIR=/var/cache/krb5rcache
PIDFile=/run/samba/winbindd.pid
EnvironmentFile=-/etc/sysconfig/samba
ExecStart=/usr/sbin/winbindd "$WINBINDOPTIONS"
ExecReload=/usr/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target
http://bugzilla.opensuse.org/show_bug.cgi?id=904346

--- Comment #20 from Robin Roevens <robin.roevens@uza.be> ---
ls -lia /usr/lib/systemd/system/network-online.target.wants/
totaal 4
45521 drwxr-xr-x 1 root root 68 26 okt 10:09 .
9003 drwxr-xr-x 1 root root 12984 5 nov 13:49 ..
62495 lrwxrwxrwx 1 root root 37 26 okt 10:09 NetworkManager-wait-online.service -> ../NetworkManager-wait-online.service
http://bugzilla.opensuse.org/show_bug.cgi?id=904346

David Disseldorp <ddiss@suse.com> changed:

What   |Removed |Added
----------------------------------------------------------------------------
CC     |        |fcrozat@suse.com
Flags  |        |needinfo?(robin.roevens@uza.be)

--- Comment #21 from David Disseldorp <ddiss@suse.com> ---
(In reply to Robin Roevens from comment #19)
> (In reply to David Disseldorp from comment #18)
> > Please provide the contents of /usr/lib/systemd/system/winbind.service .
>
> [Unit]
> Description=Samba Winbind Daemon
> After=syslog.target network-online.target nmb.service

I can't explain why Winbind is being started prior to NetworkManager-wait-online.service completion, despite the above directive. Maybe one of our systemd gurus could shed some light (cc'ing Frederic).

For now, I would suggest changing winbind.service to specify:
...
[Unit]
Description=Samba Winbind Daemon
Wants=network-online.target
After=network-online.target
...

Then generate and provide the `systemd-analyze plot` output once again.
http://bugzilla.opensuse.org/show_bug.cgi?id=904346

Robin Roevens <robin.roevens@uza.be> changed:

What   |Removed                         |Added
----------------------------------------------------------------------------
Flags  |needinfo?(robin.roevens@uza.be) |

--- Comment #22 from Robin Roevens <robin.roevens@uza.be> ---
Created attachment 613362
--> http://bugzilla.opensuse.org/attachment.cgi?id=613362&action=edit
systemd boot analysis after winbind.service change

I added Wants=network-online.target to winbind.service and left After=syslog.target network-online.target nmb.service as is.

Systemd analysis now shows winbind starting after network is up. And I could now log-in with an AD account immediately.
http://bugzilla.opensuse.org/show_bug.cgi?id=904346

David Disseldorp <ddiss@suse.com> changed:

What   |Removed |Added
----------------------------------------------------------------------------
Flags  |        |needinfo?(fcrozat@suse.com)

--- Comment #23 from David Disseldorp <ddiss@suse.com> ---
(In reply to Robin Roevens from comment #22)
> Created attachment 613362 [details]
> systemd boot analysis after winbind.service change
>
> I added Wants=network-online.target to winbind.service and left After=syslog.target network-online.target nmb.service as is.
>
> Systemd analysis now shows winbind starting after network is up. And I could now log-in with an AD account immediately.

Great, thanks for the feedback.

So it looks as though we need to add the "Wants=network-online.target" directive to the winbind service file.

@Frederic: is it invalid to configure a service with "After=X" directives, but without a corresponding "Requires/Wants=X"? This isn't clear from the systemd.unit man page documentation.

The iscsi service script appears to match winbind, in specifying "After=network.target network-online.target..." without a corresponding "Wants=/Requires=" directive.
http://bugzilla.opensuse.org/show_bug.cgi?id=904346

Frederic Crozat <fcrozat@suse.com> changed:

What   |Removed                     |Added
----------------------------------------------------------------------------
Flags  |needinfo?(fcrozat@suse.com) |

--- Comment #24 from Frederic Crozat <fcrozat@suse.com> ---
(In reply to David Disseldorp from comment #23)
> (In reply to Robin Roevens from comment #22)
> > Created attachment 613362 [details]
> > systemd boot analysis after winbind.service change
> >
> > I added Wants=network-online.target to winbind.service and left After=syslog.target network-online.target nmb.service as is.
> >
> > Systemd analysis now shows winbind starting after network is up. And I could now log-in with an AD account immediately.
>
> Great, thanks for the feedback.
>
> So it looks as though we need to add the "Wants=network-online.target" directive to the winbind service file.
>
> @Frederic: is it invalid to configure a service with "After=X" directives, but without a corresponding "Requires/Wants=X"? This isn't clear from the systemd.unit man page documentation.

Wants are only needed if you want to be sure the service referenced will be activated (if present). If you don't need it, After/Before are enough (they are just ordering information, not "I need/want this service to run" information).

In your case, the service taking care of "switching on" network-online.target (either wicked or NM) might not have been enabled, which would explain the incorrect behavior. By adding "Wants", you ensure the service will be enabled.

> The iscsi service script appears to match winbind, in specifying "After=network.target network-online.target..." without a corresponding "Wants=/Requires=" directive.
http://bugzilla.opensuse.org/show_bug.cgi?id=904346

David Disseldorp <ddiss@suse.com> changed:

What        |Removed |Added
----------------------------------------------------------------------------
Status      |NEW     |RESOLVED
Resolution  |---     |DUPLICATE

--- Comment #25 from David Disseldorp <ddiss@suse.com> ---
Will proceed with the "Wants=network-online.target" Samba service changes for openSUSE and SLES.

*** This bug has been marked as a duplicate of bug 889175 ***
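
The After=/Wants= distinction discussed in comments #23 and #24, as an added example that is not part of the bug thread or of the Samba packaging: a small Python check that reports when a unit orders itself after network-online.target without pulling it in. The function names are illustrative, the sample unit is the one posted in comment #19 with its [Service] section trimmed, and only the unit file's own text is inspected.

```python
# Added example (not Samba or openSUSE code): report After= targets that no
# directive in the same unit file pulls in. Drop-ins and dependencies declared
# by other units are out of scope for this check.

PULL_KEYS = ("Wants", "Requires", "Requisite", "BindsTo")

# Unit text as posted in comment #19, [Service] section trimmed for brevity.
WINBIND_BEFORE = """\
[Unit]
Description=Samba Winbind Daemon
After=syslog.target network-online.target nmb.service

[Service]
Type=notify
ExecStart=/usr/sbin/winbindd "$WINBINDOPTIONS"
"""

# Same unit with the change described in comment #22 (Wants= added, After= kept).
WINBIND_AFTER = WINBIND_BEFORE.replace(
    "After=", "Wants=network-online.target\nAfter=", 1)


def parse_unit_section(text):
    """Return {key: [values]} for the [Unit] section. List settings
    accumulate across lines; an empty assignment resets the list."""
    deps, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Unit" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value == "":
            deps[key] = []  # e.g. a bare "After=" clears earlier entries
        else:
            deps.setdefault(key, []).extend(value.split())
    return deps


def missing_pull(text, targets=("network-online.target",)):
    """Targets the unit is ordered after but does not itself pull in."""
    deps = parse_unit_section(text)
    pulled = {u for k in PULL_KEYS for u in deps.get(k, [])}
    ordered = deps.get("After", [])
    return [t for t in targets if t in ordered and t not in pulled]


if __name__ == "__main__":
    for name, text in (("before", WINBIND_BEFORE), ("after", WINBIND_AFTER)):
        print(name, missing_pull(text) or "ok")
```
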