[Samba] offline logon in 3.4.7-58
Bryant, Phillip - IS
Phillip.Bryant at itt.com
Fri Apr 16 15:17:51 MDT 2010
Having issues adapting our 3.4 configuration that worked very well using idmap rid in 3.3.
It seems like winbind does not cache the credentials despite all of the settings being present. I can set winbind offline via smbcontrol and have it work, but if I reboot the machine (important for my laptops) off the network, winbind complains that it can't find the logon server.
When disconnected and booted cold off the network, logon reports no logon server.
Testing with wbinfo -K while offline:
wbinfo -K bry47927
Enter bry47927's password:
plaintext kerberos password authentication for [bry47927] succeeded (requesting cctype: FILE)
user_flgs: NETLOGON_CACHED_ACCOUNT
no credentials cached
Not sure why this works but regular logon does not.
Samba config:
This configuration works fine connected to the LAN. But having to digest more than a year's worth of changes and updates, I'm not sure if the idmap settings are really correct.
[global]
workgroup = AES
realm = AES.DE.ITTIND.COM
server string = Samba Server Version %v
security = ADS
password server = 2008dc
log file = /var/log/samba/log.%m
max log size = 50
enable core files = No
idmap backend = tdb
idmap uid = 800 - 9999
idmap gid = 800 - 9999
# idmap domains = BUILTIN, AES
# idmap config AES: default = yes
idmap config AES: backend = rid
template shell = /bin/bash
winbind use default domain = Yes
winbind offline logon = Yes
idmap config AES : range = 100000 - 900000
cups options = raw
pam settings:
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_winbind.so cached_login use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 minlen=12 dcredit=1 ucredit=1 lcredit=1 ocredit=1
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password sufficient pam_winbind.so cached_login use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
pam_winbind.conf:
[global]
# turn on debugging
;debug = no
# turn on extended PAM state debugging
;debug_state = no
# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
cached_login = yes
# authenticate using kerberos
;krb5_auth = yes
# when using kerberos, request a "FILE" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
;krb5_ccache_type = file
nsswitch.conf:
passwd: files winbind
shadow: files winbind
group: files winbind
Phillip Bryant - ABQ IT Site Lead
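Added example, not part of the original post: a small POSIX shell checker for the settings an offline logon depends on (the smb.conf and pam_winbind.conf switches, plus the order of the PAM auth stack). PAM returns success at the first "sufficient" module that succeeds, so any such module listed before pam_winbind.so can answer an online logon before winbind is ever asked to cache anything; the sample files are constructed from the configuration lines quoted above.

```shell
#!/bin/sh
# Added example, not from the original post: checks the settings winbind offline
# logon depends on. PAM stops at the first successful "sufficient" module, so
# any such module listed before pam_winbind.so can answer an online logon before
# winbind ever gets to cache the credentials.

# 0 if smb.conf has an uncommented "winbind offline logon = yes"
smb_offline_enabled() {
    grep -iqE '^[[:space:]]*winbind[[:space:]]+offline[[:space:]]+logon[[:space:]]*=[[:space:]]*(yes|true|1)[[:space:]]*$' "$1"
}

# 0 if pam_winbind.conf has an uncommented "cached_login = yes"
pam_winbind_cached() {
    grep -iqE '^[[:space:]]*cached_login[[:space:]]*=[[:space:]]*(yes|true|1)[[:space:]]*$' "$1"
}

# Prints the "sufficient" auth modules listed before pam_winbind.so;
# exit 1 if there are any, 0 if pam_winbind.so is reached first.
sufficient_before_winbind() {
    awk '$1=="auth" && $3 ~ /pam_winbind\.so/ {exit}
         $1=="auth" && $2=="sufficient" {print $3; found=1}
         END {exit found ? 1 : 0}' "$1"
}

# Runs all three checks, prints each finding; exit 0 only if all pass.
check_offline_logon() {   # $1 smb.conf  $2 pam_winbind.conf  $3 PAM stack file
    rc=0
    smb_offline_enabled "$1" || { echo "smb.conf: winbind offline logon is not yes"; rc=1; }
    pam_winbind_cached "$2" || { echo "pam_winbind.conf: cached_login is not enabled"; rc=1; }
    early=$(sufficient_before_winbind "$3") ||
        { echo "PAM auth: sufficient module(s) before pam_winbind.so:" $early; rc=1; }
    return $rc
}

# Constructed samples, copied from the configuration lines in the post.
SAMPLES=$(mktemp -d)
printf '[global]\n   winbind offline logon = Yes\n' > "$SAMPLES/smb.conf"
printf '[global]\n;debug = no\ncached_login = yes\n' > "$SAMPLES/pam_winbind.conf"
cat > "$SAMPLES/system-auth" <<'EOF'
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_winbind.so cached_login use_first_pass
auth required pam_deny.so
EOF
check_offline_logon "$SAMPLES/smb.conf" "$SAMPLES/pam_winbind.conf" "$SAMPLES/system-auth" \
    || echo "offline logon prerequisites are not all met"
```

Point the three arguments at the real /etc/samba/smb.conf, /etc/security/pam_winbind.conf and the PAM stack in use (for example /etc/pam.d/system-auth) to run it against a live machine.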