[Samba] offline logon in 3.4.7-58

Linux Addict linuxaddict7 at gmail.com
Tue Apr 20 07:44:55 MDT 2010


Did you check the release notes for 3.4? I have the same
config (cached_login) as you and it works fine on 3.2.


On Fri, Apr 16, 2010 at 5:17 PM, Bryant, Phillip - IS <
Phillip.Bryant at itt.com> wrote:

> Having issues adapting our 3.4 configuration that worked very well using
> idmap rid in 3.3.
>
> It seems like winbind does not cache the credentials despite all of the
> settings being present. I can set winbind offline via smbcontrol and have it
> work, but if I reboot the machine (important for my laptops) off the network
> winbind complains that it can't find the logon server.
>
> When disconnected and booted cold off the network, logon reports no logon
> server.
>
> Testing with wbinfo -K while offline:
> wbinfo -K bry47927
> Enter bry47927's password:
> plaintext kerberos password authentication for [bry47927] succeeded
> (requesting cctype: FILE)
> user_flgs: NETLOGON_CACHED_ACCOUNT
> no credentials cached
>
> Not sure why this works but regular logon does not.
>
> Samba config:
> This configuration works fine connected to the LAN. But, having to digest
> more than a year's worth of changes and updates I'm not sure if the idmap
> settings are really correct.
> [global]
>        workgroup = AES
>        realm = AES.DE.ITTIND.COM
>        server string = Samba Server Version %v
>        security = ADS
>        password server = 2008dc
>        log file = /var/log/samba/log.%m
>        max log size = 50
>        enable core files = No
>        idmap backend = tdb
>        idmap uid = 800 - 9999
>        idmap gid = 800 - 9999
> #       idmap domains = BUILTIN, AES
> #       idmap config AES: default = yes
>        idmap config AES: backend = rid
>        template shell = /bin/bash
>        winbind use default domain = Yes
>        winbind offline logon = Yes
>        idmap config AES : range = 100000 - 900000
>        cups options = raw
>
> pam settings:
>
> auth        required      pam_env.so
> auth        sufficient    pam_fprintd.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_krb5.so use_first_pass
> auth        sufficient    pam_winbind.so cached_login use_first_pass
> auth        required      pam_deny.so
>
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
> account     [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
> account     required      pam_permit.so
>
> password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=12 dcredit=1 ucredit=1 lcredit=1 ocredit=1
> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password    sufficient    pam_krb5.so use_authtok
> password    sufficient    pam_winbind.so cached_login use_authtok
> password    required      pam_deny.so
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     optional      pam_mkhomedir.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_krb5.so
>
> pam_winbind.conf:
>
> [global]
>
> # turn on debugging
> ;debug = no
>
> # turn on extended PAM state debugging
> ;debug_state = no
>
> # request a cached login if possible
> # (needs "winbind offline logon = yes" in smb.conf)
> cached_login = yes
>
> # authenticate using kerberos
> ;krb5_auth = yes
>
> # when using kerberos, request a "FILE" krb5 credential cache type
> # (leave empty to just do krb5 authentication but not have a ticket
> # afterwards)
> ;krb5_ccache_type = file
>
> Nsswitch.conf:
>
> passwd:     files winbind
> shadow:     files winbind
> group:      files winbind
>
>
>
> Phillip Bryant - ABQ IT Site Lead
> 5901 Indian School Rd NE
> ph# 505-889-7016
> cell# 505-385-8668
> RHCT/RHCE RHEL 5 ID#805009017938113
> MCSE NT4.0, 2000, 2003, 2008 MCP ID#1150956
> MCTS Windows 7, Windows Server 2008 Enterprise
> MCP+I
> MCP
>
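
The pam_winbind.conf comment quoted above says cached_login needs "winbind offline logon = yes" in smb.conf. As an added example (not code from either poster or from Samba), this Python check confirms that the three files agree on that prerequisite; it does not diagnose why winbind reports no logon server. The function names, the accepted boolean spellings and the sample strings are assumptions of this example.

```python
import re

TRUE = {"yes", "true", "1"}  # boolean spellings this check accepts (assumption)

def ini_global(text):
    """[global] parameters of smb.conf-style text as {name: value}."""
    params, section = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue  # blank line or comment
        head = re.fullmatch(r"\[(.+)\]", line)
        if head:
            section = head.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf parameter names ignore case and embedded whitespace
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def winbind_args(pam_text, pam_type="auth"):
    """Argument lists of every pam_winbind.so line of the given type."""
    found = []
    for line in pam_text.splitlines():
        # type, control (plain word or [bracketed list]), module, arguments
        m = re.match(r"\s*(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)", line)
        if m and m.group(1) == pam_type and m.group(3).endswith("pam_winbind.so"):
            found.append(m.group(4).split())
    return found

def audit(smb_conf, pam_winbind_conf, pam_stack):
    """Return a list of mismatches between the three configuration texts."""
    findings = []
    offline = ini_global(smb_conf).get("winbindofflinelogon", "no").lower() in TRUE
    conf_cached = ini_global(pam_winbind_conf).get("cached_login", "no").lower() in TRUE
    lines = winbind_args(pam_stack)
    if not lines:
        findings.append("no pam_winbind.so line in the auth stack")
    requested = conf_cached or any("cached_login" in args for args in lines)
    if requested and not offline:
        findings.append("cached_login requested but 'winbind offline logon' is not yes")
    if offline and lines and not requested:
        findings.append("'winbind offline logon = yes' but PAM never asks for cached_login")
    return findings

# Samples constructed from the settings quoted in the message above.
SMB = "[global]\n security = ADS\n winbind offline logon = Yes\n"
PWC = "[global]\n;debug = no\ncached_login = yes\n"
PAM = ("auth sufficient pam_krb5.so use_first_pass\n"
       "auth sufficient pam_winbind.so cached_login use_first_pass\n"
       "auth required pam_deny.so\n")

if __name__ == "__main__":
    print(audit(SMB, PWC, PAM) or "settings agree")
```
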

