Samba upgrade broke my login

tuxaholic · March 28, 2024, 11:46am

Hello,

I’ve been logging in using Active Directory for a while now, as per the instructions in this post I made

Unfortunately this has broken after this upgrade:

[2024-03-27T22:07:21+0000] [PACMAN] starting full system upgrade
[2024-03-27T22:07:24+0000] [ALPM] transaction started
[2024-03-27T22:07:24+0000] [ALPM] upgraded xorgproto (2023.2-1 -> 2024.1-1)
[2024-03-27T22:07:25+0000] [ALPM] upgraded libx11 (1.8.8-1 -> 1.8.8-2)
[2024-03-27T22:07:26+0000] [ALPM] upgraded electron28 (28.2.8-1 -> 28.2.9-1)
[2024-03-27T22:07:26+0000] [ALPM] upgraded talloc (2.4.1-1 -> 2.4.2-1)
[2024-03-27T22:07:26+0000] [ALPM] upgraded tevent (1:0.15.0-1 -> 1:0.16.1-1)
[2024-03-27T22:07:26+0000] [ALPM] upgraded tdb (1.4.9-1 -> 1.4.10-1)
[2024-03-27T22:07:26+0000] [ALPM] upgraded ldb (2:2.8.0-1 -> 2:2.9.0-1)
[2024-03-27T22:07:26+0000] [ALPM] upgraded libwbclient (4.19.5-1 -> 4.20.0-1)
[2024-03-27T22:07:27+0000] [ALPM] upgraded smbclient (4.19.5-1 -> 4.20.0-1)
[2024-03-27T22:07:27+0000] [ALPM] transaction completed

I think this upgrade caused some share library to be moved/missing?

Mar 28 11:34:45 myhost sssd_be[735]: Starting up
Mar 28 11:34:48 myhost sssd[738]: /usr/lib/sssd/sssd/sssd_pac: error while loading shared libraries: libndr.so.3: cannot open s>
Mar 28 11:34:48 myhost sssd[739]: /usr/lib/sssd/sssd/sssd_pac: error while loading shared libraries: libndr.so.3: cannot open s>

The smbclient package contains this:

$ yay -Ql smbclient | grep ndr
smbclient /usr/lib/libndr-krb5pac.so
smbclient /usr/lib/libndr-krb5pac.so.0
smbclient /usr/lib/libndr-krb5pac.so.0.0.1
smbclient /usr/lib/libndr-nbt.so
smbclient /usr/lib/libndr-nbt.so.0
smbclient /usr/lib/libndr-nbt.so.0.0.1
smbclient /usr/lib/libndr-standard.so
smbclient /usr/lib/libndr-standard.so.0
smbclient /usr/lib/libndr-standard.so.0.0.1
smbclient /usr/lib/libndr.so
smbclient /usr/lib/libndr.so.4
smbclient /usr/lib/libndr.so.4.0.0
...

Not sure what to do, I cannot log into my regular home… Will likely revert to previous BTRFS snapshot but colelcted this info and explain the issue…

tuxaholic · March 28, 2024, 11:59am

Ok an sssd package update just hit the repos. I just ran another upgrade hoping to fix the issue and received:

[2024-03-28T11:47:23+0000] [ALPM] transaction started
[2024-03-28T11:47:23+0000] [ALPM] upgraded util-linux-libs (2.40rc2-1 -> 2.40-1)
[2024-03-28T11:47:23+0000] [ALPM] upgraded util-linux (2.40rc2-1 -> 2.40-1)
[2024-03-28T11:47:24+0000] [ALPM] upgraded electron29 (29.1.5-1 -> 29.1.6-1)
[2024-03-28T11:47:24+0000] [ALPM] upgraded eos-bash-shared (24.16.2-1 -> 24.16.3-1)
[2024-03-28T11:47:24+0000] [ALPM] upgraded libvirt (1:10.1.0-1 -> 1:10.1.0-2)
[2024-03-28T11:47:29+0000] [ALPM] upgraded linux (6.8.1.arch1-1 -> 6.8.2.arch1-1)
[2024-03-28T11:47:32+0000] [ALPM] upgraded linux-headers (6.8.1.arch1-1 -> 6.8.2.arch1-1)
[2024-03-28T11:47:32+0000] [ALPM] upgraded qemu-common (8.2.2-1 -> 8.2.2-2)
[2024-03-28T11:47:32+0000] [ALPM] upgraded qemu-guest-agent (8.2.2-1 -> 8.2.2-2)
[2024-03-28T11:47:33+0000] [ALPM] upgraded qemu-ui-opengl (8.2.2-1 -> 8.2.2-2)
[2024-03-28T11:47:33+0000] [ALPM] upgraded qemu-ui-spice-core (8.2.2-1 -> 8.2.2-2)
[2024-03-28T11:47:33+0000] [ALPM] upgraded qemu-hw-display-qxl (8.2.2-1 -> 8.2.2-2)
[2024-03-28T11:47:33+0000] [ALPM] upgraded qemu-hw-display-virtio-gpu (8.2.2-1 -> 8.2.2-2)
[2024-03-28T11:47:33+0000] [ALPM] upgraded qemu-hw-display-virtio-gpu-gl (8.2.2-1 -> 8.2.2-2)
[2024-03-28T11:47:33+0000] [ALPM] upgraded qemu-hw-display-virtio-gpu-pci (8.2.2-1 -> 8.2.2-2)
[2024-03-28T11:47:33+0000] [ALPM] upgraded qemu-hw-display-virtio-gpu-pci-gl (8.2.2-1 -> 8.2.2-2)
[2024-03-28T11:47:33+0000] [ALPM] upgraded qemu-hw-display-virtio-vga (8.2.2-1 -> 8.2.2-2)
[2024-03-28T11:47:33+0000] [ALPM] upgraded qemu-hw-display-virtio-vga-gl (8.2.2-1 -> 8.2.2-2)
[2024-03-28T11:47:33+0000] [ALPM] upgraded qemu-ui-egl-headless (8.2.2-1 -> 8.2.2-2)
[2024-03-28T11:47:33+0000] [ALPM] upgraded sssd (2.9.4-1 -> 2.9.4-2)
[2024-03-28T11:47:33+0000] [ALPM] transaction completed

Indeed the library error has now gone away and I can log in! What were the chances of this happening, it seems I upgraded while the packages were being updated and only received “half an update”…

Anyway, I managed to log in, but now I get this constant error:

● sssd.service - System Security Services Daemon
     Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; preset: disabled)
     Active: active (running) since Thu 2024-03-28 11:51:09 GMT; 5min ago
   Main PID: 493 (sssd)
      Tasks: 5 (limit: 19126)
     Memory: 105.1M (peak: 107.0M)
        CPU: 618ms
     CGroup: /system.slice/sssd.service
             ├─493 /usr/bin/sssd -i --logger=files
             ├─545 /usr/lib/sssd/sssd/sssd_be --domain ad.home.lan --uid 0 --gid 0 --logger=files
             ├─567 /usr/lib/sssd/sssd/sssd_nss --uid 0 --gid 0 --logger=files
             ├─568 /usr/lib/sssd/sssd/sssd_pam --uid 0 --gid 0 --logger=files
             └─569 /usr/lib/sssd/sssd/sssd_pac --uid 0 --gid 0 --logger=files

Mar 28 11:53:57 myhost ldap_child[4913]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
Mar 28 11:53:57 myhost ldap_child[4914]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
Mar 28 11:54:57 myhost krb5_child[5547]: Pre-authentication failed: No pkinit_anchors supplied
Mar 28 11:55:25 myhost ldap_child[7137]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
Mar 28 11:55:27 myhost ldap_child[7151]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
Mar 28 11:55:31 myhost ldap_child[7158]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
Mar 28 11:55:31 myhost ldap_child[7159]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
Mar 28 11:55:31 myhost ldap_child[7160]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
Mar 28 11:57:00 myhost ldap_child[7340]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
Mar 28 11:57:02 myhost ldap_child[7345]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.

I am worried that my user is now cached locally and at some point will expire and I will lose the abilty to log in (not sure how long sssd cache lasts).

Any idea what this error is and how to address it?

tuxaholic · March 28, 2024, 12:21pm

I found this resource online and followed the instructions to delete/re-add the computer to the domain. By completing the half-update to get the new sssd, then following these instruction (basically recreate the computer account in the domain) the problem is now solved.

Seems like somehow the half-update caused the kerberos keytab became corrupted?

Anyway for now I can log in and sssd has stopped logging this error…

Seems like I ran into a very fring situation but who knows, maybe this will help someone in the future…

system · March 30, 2024, 12:22pm

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.