[Bug 904346] New: Can't login using Active Directory account for about 5 to 10 minutes after boot
http://bugzilla.opensuse.org/show_bug.cgi?id=904346

Bug ID: 904346
Summary: Can't login using Active Directory account for about 5 to 10 minutes after boot
Classification: openSUSE
Product: openSUSE Distribution
Version: 13.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Samba
Assignee: samba-maintainers@SuSE.de
Reporter: robin.roevens@uza.be
QA Contact: samba-maintainers@SuSE.de
Found By: ---
Blocker: ---

On a new installation of openSUSE 13.2 I joined an Active Directory domain and enabled Linux authentication using YaST2. AD login worked immediately. However, when the system reboots or starts, I can't log in using an AD account. Only after about 5 to 10 minutes, it suddenly is possible to log in using an AD account.

During the period that AD login is not possible I also can't query the user using
getent passwd <AD userid>
which does work as soon as I can log in with an AD account.
wbinfo -u
however displays all AD users, also during the period that I can't log in.
When examining journalctl I only see winbind starting up correctly during boot and no related error messages besides the actual authentication failure, telling that it can't find the user:
---
gnome-session[2435]: (gnome-shell:2476): AccountsService-WARNING **: ActUserManager: user (null) has no username (uid: 0)
gnome-session[2435]: Gjs-Message: JS LOG: Ignored exception from dbus method: Gio.DBusError: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.realmd was not provided by any .service files
gdm-session-worker[2565]: <5>AccountsService: ActUserManager: user (null) has no username (uid: 0)
gdm-password][2565]: gkr-pam: error looking up user information
gdm-password][2565]: pam_unix(gdm-password:auth): check pass; user unknown
nov 07 09:10:16 uzaws0531 gdm-password][2565]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
gdm-password][2565]: pam_winbind(gdm-password:auth): getting password (0x00000190)
gdm-password][2565]: pam_winbind(gdm-password:auth): pam_get_item returned a password
gdm-session-worker[2568]: <5>AccountsService: ActUserManager: user (null) has no username (uid: 0)
gdm-password][2568]: gkr-pam: error looking up user information
---
I have absolutely no clue where or how I can find more information about this problem, and what component is causing it. Winbind itself seems to be working correctly.
-- You are receiving this mail because: You are on the CC list for the bug.
David Disseldorp
--- Comment #2 from Robin Roevens
--- Comment #3 from Robin Roevens
--- Comment #4 from Robin Roevens
--- Comment #5 from Robin Roevens
--- Comment #6 from Robin Roevens
--- Comment #7 from Robin Roevens
Robin Roevens
--- Comment #9 from David Disseldorp
I attached the requested log files.
Thanks!
I have to mention that this time I was able to login about a minute after boot (gdm on screen) Looking at the logfile, it looks like winbind initially can't find the domain servers..until after a while..
I expect this is due to Winbind being started before the network is up.
David Disseldorp
--- Comment #12 from Robin Roevens
Robin Roevens
Is NetworkManager-wait-online.service enabled?
Please provide the output of:
# systemctl status NetworkManager-wait-online.service
NetworkManager-wait-online.service - Network Manager Wait Online
   Loaded: loaded (/usr/lib/systemd/system/NetworkManager-wait-online.service; enabled)
   Active: inactive (dead)
It was disabled at first, but then I enabled it and rebooted again. But it didn't help.
and...
# grep NM_ONLINE_TIMEOUT /etc/sysconfig/network/config
NM_ONLINE_TIMEOUT="30"
David Disseldorp
Robin Roevens
--- Comment #16 from Robin Roevens
--- Comment #17 from Robin Roevens
David Disseldorp
Created attachment 612796 [details] systemd boot analysis
Thanks. This graph shows winbind.service starting before NetworkManager-wait-online.service completes. Please provide the contents of /usr/lib/systemd/system/winbind.service .
Robin Roevens
Please provide the contents of /usr/lib/systemd/system/winbind.service .
[Unit]
Description=Samba Winbind Daemon
After=syslog.target network-online.target nmb.service

[Service]
Type=notify
NotifyAccess=all
Environment=KRB5CCNAME=/run/samba/krb5cc_samba
Environment=KRB5RCACHEDIR=/var/cache/krb5rcache
PIDFile=/run/samba/winbindd.pid
EnvironmentFile=-/etc/sysconfig/samba
ExecStart=/usr/sbin/winbindd "$WINBINDOPTIONS"
ExecReload=/usr/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target
--- Comment #20 from Robin Roevens
ls -lia /usr/lib/systemd/system/network-online.target.wants/
totaal 4
45521 drwxr-xr-x 1 root root    68 26 okt 10:09 .
 9003 drwxr-xr-x 1 root root 12984  5 nov 13:49 ..
62495 lrwxrwxrwx 1 root root    37 26 okt 10:09 NetworkManager-wait-online.service -> ../NetworkManager-wait-online.service
David Disseldorp
(In reply to David Disseldorp from comment #18)
Please provide the contents of /usr/lib/systemd/system/winbind.service .
[Unit]
Description=Samba Winbind Daemon
After=syslog.target network-online.target nmb.service
I can't explain why Winbind is being started prior to NetworkManager-wait-online.service completion, despite the above directive. Maybe one of our systemd gurus could shed some light (cc'ing Frederic).
For now, I would suggest changing winbind.service to specify:
...
[Unit]
Description=Samba Winbind Daemon
Wants=network-online.target
After=network-online.target
...
Then generate and provide the `systemd-analyze plot` output once again.
Robin Roevens
David Disseldorp
Created attachment 613362 [details] systemd boot analysis after winbind.service change
I added Wants=network-online.target to winbind.service and left After=syslog.target network-online.target nmb.service as is.
Systemd analysis now shows winbind starting after network is up. And I could now log-in with an AD account immediately.
Great, thanks for the feedback.
So it looks as though we need to add the "Wants=network-online.target" directive to the winbind service file.
@Frederich: is it invalid to configure a service with "After=X" directives, but without a corresponding "Requires/Wants=X"? This isn't clear from the systemd.unit man page documentation.
The iscsi service script appears to match winbind, in specifying "After=network.target network-online.target..." without a corresponding "Wants=/Requires=" directive.
Frederic Crozat
(In reply to Robin Roevens from comment #22)
Created attachment 613362 [details] systemd boot analysis after winbind.service change
I added Wants=network-online.target to winbind.service and left After=syslog.target network-online.target nmb.service as is.
Systemd analysis now shows winbind starting after network is up. And I could now log-in with an AD account immediately.
Great, thanks for the feedback.
So it looks as though we need to add the "Wants=network-online.target" directive to the winbind service file.
@Frederich: is it invalid to configure a service with "After=X" directives, but without a corresponding "Requires/Wants=X"? This isn't clear from the systemd.unit man page documentation.
Wants are only needed if you want to be sure the service referenced will be activated (if present). If you don't need it, After/Before are enough (they are just ordering information, not "I need/want this service to run" information). In your case, the service taking care of "switching on" network-online.target (either wicked or NM) might not have been enabled, which would explain the incorrect behavior. By adding "Wants", you ensure the service will be enabled.
The iscsi service script appears to match winbind, in specifying "After=network.target network-online.target..." without a corresponding "Wants=/Requires=" directive.
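Added example (not part of the bug thread, and not Samba or openSUSE code): a small Python check for the pattern discussed above, a unit that is ordered After= a target but has no Wants=/Requires= that pulls the target in. The function names and the check_units.py file name are made up for this example, and it reads only the unit file text, so drop-in files and .wants/ symlinks are not considered.

```python
"""Flag units that are ordered After= a target they never pull in."""
import sys
from pathlib import Path

PULL_IN = ("Wants", "Requires", "Requisite", "BindsTo")

# [Unit]/[Install] lines as posted in the thread, and as changed in comment #22.
SHIPPED_UNIT = """[Unit]
Description=Samba Winbind Daemon
After=syslog.target network-online.target nmb.service
[Install]
WantedBy=multi-user.target
"""
FIXED_UNIT = SHIPPED_UNIT.replace("After=", "Wants=network-online.target\nAfter=")

def unit_deps(text):
    """Collect After= and pull-in directives from the [Unit] section."""
    deps, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if section == "Unit" and sep and key in ("After",) + PULL_IN:
            # Dependency directives may repeat; systemd merges the lists.
            deps.setdefault(key, set()).update(value.split())
    return deps

def ordering_only(text, target="network-online.target"):
    """True if the unit orders itself after `target` but does not pull it in."""
    deps = unit_deps(text)
    pulled = set().union(*(deps.get(k, set()) for k in PULL_IN))
    return target in deps.get("After", set()) and target not in pulled

if __name__ == "__main__":
    # Hypothetical usage: python3 check_units.py /usr/lib/systemd/system/*.service
    for path in map(Path, sys.argv[1:]):
        if ordering_only(path.read_text(errors="replace")):
            print(f"{path}: After=network-online.target without Wants=/Requires=")
```

A unit flagged here still starts in the right order whenever something else activates network-online.target; the flag only means the unit does not request that activation itself.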
David Disseldorp