[Samba] PAM Offline Authentication in Ubuntu 22.04...

Rowland Penny rpenny at samba.org
Tue Jun 13 14:26:32 UTC 2023



On 13/06/2023 14:07, Marco Gaiarin via samba wrote:

Hi Marco, please see inline comments:

>   root at dane:~# bash samba-collect-debug-info.sh
>   
>   Please wait, collecting debug info.
>   
>   nameserver 127.0.0.53
>   samba-collect-debug-info.sh: riga 180: systemd-resolve: comando non trovato

Your nameserver appears to be set to '127.0.0.53' and the script thinks 
that systemd-resolved is running, but it probably isn't.

> 
> Config collected --- 2023-06-13-14:59 -----------
> 
> Hostname:   dane
> DNS Domain:
> Realm:
> FQDN:       dane
> ipaddress:  10.5.2.191

Hmm, it looks like a dns problem, no dns domain.

> 
> -----------
> 
> This computer is running Ubuntu 22.04.2 LTS x86_64
> 
> -----------
> 
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
>      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>      inet 127.0.0.1/8 scope host lo
>      inet6 ::1/128 scope host
> 2: enp0s31f6: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
>      link/ether b4:b6:86:37:26:7e brd ff:ff:ff:ff:ff:ff
> 3: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
>      link/ether 90:61:ae:b2:70:37 brd ff:ff:ff:ff:ff:ff
>      inet 10.5.2.191/21 brd 10.5.7.255 scope global dynamic noprefixroute wlp2s0
>         valid_lft 422sec preferred_lft 422sec
>      inet6 fe80::4c3b:6af8:609c:4e32/64 scope link noprefixroute
> 
> -----------
> 
> Checking file: /etc/hosts
> 
> 127.0.0.1	localhost
> 127.0.1.1	dane

I would suggest you change the '127.0.1.1' line to:

127.0.1.1	dane.ad.fvg.lnf.it dane

> 
> # The following lines are desirable for IPv6 capable hosts
> ::1     ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff00::0 ip6-mcastprefix
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> 
> -----------
> 
> Checking file: /etc/resolv.conf
> 
> # This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).

Strange, as I said there was a problem with the systemd-resolved 
command, but it appears to be managing your resolv.conf file ????

> 
> nameserver 127.0.0.53
> options edns0 trust-ad
> search sv.lnf.it dyn.sv.lnf.it

Based on the REALM found elsewhere on this post, shouldn't the search 
line be:
search ad.fvg.lnf.it

> 
> -----------
> 
> WARNING: 'kinit Administrator' will fail, you need to fix this.
> Unable to verify DNS kerberos._tcp SRV records

For some reason, kinit is failing, probably a dns problem. Fixing 
/etc/hosts and /etc/resolv.conf might fix that.

> Checking file: /etc/krb5.conf
> 
> [libdefaults]
> 	default_realm = AD.FVG.LNF.IT
> 
> # The following krb5.conf variables are only for MIT Kerberos.
> 	kdc_timesync = 1
> 	ccache_type = 4
> 	forwardable = true
> 	proxiable = true
> 
> # The following encryption type specification will be used by MIT Kerberos
> # if uncommented.  In general, the defaults in the MIT Kerberos code are
> # correct and overriding these specifications only serves to disable new
> # encryption types as they are added, creating interoperability problems.
> #
> # The only time when you might need to uncomment these lines and change
> # the enctypes is if you have local software that will break on ticket
> # caches containing ticket encryption types it doesn't know about (such as
> # old versions of Sun Java).
> 
> #	default_tgs_enctypes = des3-hmac-sha1
> #	default_tkt_enctypes = des3-hmac-sha1
> #	permitted_enctypes = des3-hmac-sha1
> 
> # The following libdefaults parameters are only for Heimdal Kerberos.
> 	fcc-mit-ticketflags = true
> 
> [realms]
> 	ATHENA.MIT.EDU = {
> 		kdc = kerberos.mit.edu
> 		kdc = kerberos-1.mit.edu
> 		kdc = kerberos-2.mit.edu:88
> 		admin_server = kerberos.mit.edu
> 		default_domain = mit.edu
> 	}
> 	ZONE.MIT.EDU = {
> 		kdc = casio.mit.edu
> 		kdc = seiko.mit.edu
> 		admin_server = casio.mit.edu
> 	}
> 	CSAIL.MIT.EDU = {
> 		admin_server = kerberos.csail.mit.edu
> 		default_domain = csail.mit.edu
> 	}
> 	IHTFP.ORG = {
> 		kdc = kerberos.ihtfp.org
> 		admin_server = kerberos.ihtfp.org
> 	}
> 	1TS.ORG = {
> 		kdc = kerberos.1ts.org
> 		admin_server = kerberos.1ts.org
> 	}
> 	ANDREW.CMU.EDU = {
> 		admin_server = kerberos.andrew.cmu.edu
> 		default_domain = andrew.cmu.edu
> 	}
>          CS.CMU.EDU = {
>                  kdc = kerberos-1.srv.cs.cmu.edu
>                  kdc = kerberos-2.srv.cs.cmu.edu
>                  kdc = kerberos-3.srv.cs.cmu.edu
>                  admin_server = kerberos.cs.cmu.edu
>          }
> 	DEMENTIA.ORG = {
> 		kdc = kerberos.dementix.org
> 		kdc = kerberos2.dementix.org
> 		admin_server = kerberos.dementix.org
> 	}
> 	stanford.edu = {
> 		kdc = krb5auth1.stanford.edu
> 		kdc = krb5auth2.stanford.edu
> 		kdc = krb5auth3.stanford.edu
> 		master_kdc = krb5auth1.stanford.edu
> 		admin_server = krb5-admin.stanford.edu
> 		default_domain = stanford.edu
> 	}
>          UTORONTO.CA = {
>                  kdc = kerberos1.utoronto.ca
>                  kdc = kerberos2.utoronto.ca
>                  kdc = kerberos3.utoronto.ca
>                  admin_server = kerberos1.utoronto.ca
>                  default_domain = utoronto.ca
> 	}
> 
> [domain_realm]
> 	.mit.edu = ATHENA.MIT.EDU
> 	mit.edu = ATHENA.MIT.EDU
> 	.media.mit.edu = MEDIA-LAB.MIT.EDU
> 	media.mit.edu = MEDIA-LAB.MIT.EDU
> 	.csail.mit.edu = CSAIL.MIT.EDU
> 	csail.mit.edu = CSAIL.MIT.EDU
> 	.whoi.edu = ATHENA.MIT.EDU
> 	whoi.edu = ATHENA.MIT.EDU
> 	.stanford.edu = stanford.edu
> 	.slac.stanford.edu = SLAC.STANFORD.EDU
>          .toronto.edu = UTORONTO.CA
>          .utoronto.ca = UTORONTO.CA
> 

That is the default /etc/krb5.conf , which I do not use, but it should work.

> # Global parameters
> #
> [global]
> 	# Domain definitions.
> 	#
> 	security = ADS
> 	workgroup = LNFFVG
> 	realm = AD.FVG.LNF.IT
> 
> 	# Winbind/IDMap configuration.
> 	#
> 	# Default idmap config for local BUILTIN accounts and groups
> 	idmap config * : backend = tdb
> 	idmap config * : range = 5000-9999
> 	# The domain
> 	idmap config LNFFVG : backend = ad
> 	idmap config LNFFVG : range = 10000-49999
> 	# Use POSIX/rfc2307 data (Samba 4.6+)
> 	idmap config LNFFVG : schema_mode = rfc2307
> 	idmap config LNFFVG : unix_nss_info = yes
> 	idmap config LNFFVG : unix_primary_group = yes
> 	## Use POSIX/rfc2307 data (Samba 4.5-)
> 	#winbind nss info = rfc2307
> 	# If 'winbind use default domain = yes' is used, make sure that user names do not ''overlap''
> 	# (i.e. users defined both in the domain *and* in /etc/passwd), otherwise group/ownership definitions get ''confused''.
> 	winbind use default domain = yes
> 	# Optionally, ''cached credentials'' can be enabled; besides enabling this option, their use must also be enabled
> 	# in winbind. See: https://wiki.samba.org/index.php/PAM_Offline_Authentication
> 	winbind offline logon = yes
> 	# Workaround Bug #14618
> 	lock directory = /var/cache/samba

From my (now extensive) testing, it would seem that you do not really 
need the 'lock directory' line.

> 	# Workaround delay...
> 	winbind request timeout = 5
> 
> 	# Special users and permissions
> 	# Disable a few accounts and define the guest account (the default is already 'nobody').
> 	# All unknown users are mapped to guest.
> 	#
> 	#invalid users =
> 	#guest account = nobody
> 	map to guest = Bad User
> 	#
> 	# For a DM (domain member) we keep an explicit local map for some users, by default only Administrator (to root)
> 	#
> 	username map = /etc/samba/user.map
> 
> 	# Re-enable SMB1; I don't think it is strictly necessary here, but it is absolutely needed to mount the homes, since some
> 	# UNIX extensions are required...
> 	#
> 	client min protocol = NT1

I take it that you need SMBv1, if not, I suggest you remove that line.

> 
> 	# Printers... we are a client, disable everything.
> 	#
> 	load printers = no
> 	printing = bsd
> 	printcap name = /dev/null
> 	disable spoolss = yes
> 
> 	# Disable 'usershare', the default seems to be 100 on Debian. See:
> 	#  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900396
> 	#
> 	usershare max shares = 0
> 
> 	# LOG
> 	#
> 	log level = 0 winbind:5
> 	syslog = 0
> 	log file = /var/log/samba/log.%m
> 	max log size = 5000
> 	panic action = /usr/share/samba/panic-action %d
> 
> -----------
> 
> Running as Unix domain member and user.map detected.
> 
> Contents of /etc/samba/user.map
> 
> !root = LNFFVG\Administrator LNFFVG\administrator Administrator administrator

Ah, that is my fault, an early mistake I made, you only need:
!root = LNFFVG\Administrator

> 
>> Is selinux or apparmor involved ?
> 
> Ahem... apparmor is installed (as by default on Ubuntu, I suppose) but I've
> not touched the configuration.

And you shouldn't have to, it is normally setup for you.

I am having problems in running my Ubuntu 22.04 VM, so I am going to 
have to re-install it.

But from the above output, I suggest you peer very closely at your dns.
Does the machine get its IP address etc. from DHCP ? If so, is it 
supplying the correct information ?

Rowland
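The three things Rowland asks Marco to look at (the 127.0.1.1 line in /etc/hosts carrying the FQDN, the resolv.conf search domain matching the realm, and the _kerberos._tcp SRV record that kinit depends on) are easy to check before touching winbind. The script below is an added example, not part of this thread and not Samba's own samba-collect-debug-info.sh; the function names, the REALM/SHORTNAME variables and the files passed in are assumptions, and it only reads, never modifies, the system.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): pre-join sanity
# checks for a Samba domain member's name resolution. Function names and the
# REALM/SHORTNAME inputs are assumptions; nothing here changes the system.

# Lower-case the Kerberos realm to obtain the AD DNS domain.
realm_to_domain() {
    printf '%s' "$1" | tr 'A-Z' 'a-z'
}

# check_hosts_fqdn HOSTS_FILE SHORTNAME REALM
# Succeeds when the 127.0.1.1 line names the FQDN first, which is what makes
# 'hostname -f' / 'hostname -d' return the AD domain instead of nothing.
check_hosts_fqdn() {
    _fqdn="$2.$(realm_to_domain "$3")"
    awk -v fqdn="$_fqdn" '
        $1 == "127.0.1.1" && $2 == fqdn { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# check_search_domain RESOLV_FILE REALM
# Succeeds when a 'search' line lists the AD DNS domain, so that short DC
# names resolve inside the realm.
check_search_domain() {
    _dom="$(realm_to_domain "$2")"
    awk -v dom="$_dom" '
        $1 == "search" { for (i = 2; i <= NF; i++) if ($i == dom) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# check_krb_srv REALM
# Succeeds when the _kerberos._tcp SRV record used by kinit and the domain
# join is published. Uses host(1) from bind9-host/dnsutils (assumed installed).
check_krb_srv() {
    _dom="$(realm_to_domain "$1")"
    host -t SRV "_kerberos._tcp.${_dom}" 2>/dev/null | grep -q 'has SRV record'
}

# report SHORTNAME REALM: run all three checks against the live system.
report() {
    domain="$(realm_to_domain "$2")"
    rc=0
    if check_hosts_fqdn /etc/hosts "$1" "$2"; then
        echo "OK   /etc/hosts: 127.0.1.1 maps to $1.$domain"
    else
        echo "FAIL /etc/hosts: 127.0.1.1 line should read '$1.$domain $1'"; rc=1
    fi
    if check_search_domain /etc/resolv.conf "$2"; then
        echo "OK   resolv.conf: search includes $domain"
    else
        echo "FAIL resolv.conf: 'search $domain' is missing"; rc=1
    fi
    if check_krb_srv "$2"; then
        echo "OK   DNS: _kerberos._tcp.$domain SRV record found"
    else
        echo "FAIL DNS: no _kerberos._tcp.$domain SRV record (kinit will fail)"; rc=1
    fi
    return $rc
}

# Usage: REALM=AD.FVG.LNF.IT SHORTNAME=dane sh check-member-dns.sh
if [ -n "${REALM:-}" ] && [ -n "${SHORTNAME:-}" ]; then
    report "$SHORTNAME" "$REALM"
fi
```

Run with the realm from smb.conf and the short hostname; a non-zero exit means at least one of the three points above still needs fixing, and the FAIL lines say which. The file checks take the path as a parameter so they can also be run against copies collected from another machine.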