I had the weirdest thing suddenly start happening last night that took several hours to finally figure out was a time-related issue.
I've got an Ubuntu box that uses pam_winbind to allow for logging into a machine using an Active Directory account. Normally I connect with an SSH key, but once in, when doing sudo -s, I enter an AD password to become root. Last night that sudo -s suddenly stopped working.
Luckily I had another non-AD account that I could connect with, and sudo worked for that, so I could become root and poke around. The logs showed:
    sudo: pam_unix(sudo:auth): authentication failure; logname=barry.pederson uid=14283 euid=0 tty=/dev/pts/0 ruser=barry.pederson rhost= user=barry.pederson
    sudo: pam_unix(sudo:auth): conversation failed
    sudo: pam_unix(sudo:auth): auth could not identify password for [barry.pederson]
That was weird; I could log into other things that used the same AD account, though, so I knew the password was right and the account wasn't locked out.
I hoped by the next morning, some cache thing would expire and I'd be back in business, but no dice.
Poking around some more I found that if I disabled my SSH keys, I couldn't log in at all, so it was really a pam_winbind issue, not a sudo one. The logs for an SSH password login attempt were a bit more informative:
    pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.yyy.zzz user=barry.pederson
    pam_winbind(sshd:auth): getting password (0x00000388)
    pam_winbind(sshd:auth): pam_get_item returned a password
    pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_LOGON_FAILURE, Error message was: Logon failure
    pam_winbind(sshd:auth): user 'barry.pederson' denied access (incorrect password or invalid membership)
    Failed password for barry.pederson from x.x.x.x port 50655 ssh2
WTF? I know the password's right, I've been typing it all morning into other systems. I even tried wbinfo --authenticate barry.pederson on this box and it accepted my passwords.
Much time was spent Googling, trying various tweaks to smb.conf, etc. Finally, I don't remember why, I thought to check the date with ntpdate -d my.ad.server and it came back with offset -338.308573 sec. Holy crap, that's more than 5 minutes, even though ntpd is running.
Anyhow, once the clock was fixed to be closer to the AD server, logins and sudo started working again.
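An added example (my own, not from the original post): a POSIX sh health check that parses the "offset N" line ntpdate prints, as in the output above, and fails when the skew against the domain controller exceeds the 300-second default Kerberos tolerance, so this failure mode shows up in monitoring before AD logons break. The server name, function names and the sample ntpdate lines are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): fail when the clock offset to an
# AD domain controller exceeds the Kerberos clock-skew tolerance (300 s default).
# Assumes the "offset N" wording of `ntpdate -d` / `ntpdate -q` output shown above.

MAX_SKEW_SEC=300   # Kerberos default; the post's -338 s offset broke pam_winbind

# extract_offset: read ntpdate output on stdin, print the offset in seconds
# (may be negative). Prints nothing and returns 1 if no numeric offset is found.
extract_offset() {
    awk '
        { for (i = 1; i < NF; i++)
              if ($i == "offset" && $(i + 1) ~ /^-?[0-9.]+,?$/) off = $(i + 1) }
        END { if (off == "") exit 1; sub(/,$/, "", off); print off }
    '
}

# skew_ok OFFSET [MAX]: return 0 when |OFFSET| <= MAX seconds, 1 otherwise.
skew_ok() {
    awk -v off="$1" -v max="${2:-$MAX_SKEW_SEC}" 'BEGIN {
        if (off < 0) off = -off
        exit (off <= max) ? 0 : 1
    }'
}

# check_ad_clock SERVER: query the DC once without stepping the clock (-q)
# and report whether Kerberos/winbind logons can be expected to work.
check_ad_clock() {
    off=$(ntpdate -q "$1" | extract_offset) || { echo "no offset from $1" >&2; return 2; }
    if skew_ok "$off"; then
        echo "OK: offset ${off}s from $1 is within ${MAX_SKEW_SEC}s"
    else
        echo "FAIL: offset ${off}s from $1 exceeds ${MAX_SKEW_SEC}s; AD logons will fail" >&2
        return 1
    fi
}
```

Run it as `check_ad_clock my.ad.server` from cron or a monitoring agent; the non-zero exit on excessive skew is the alert.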