[Samba] offline logon in 3.4.7-58

Linux Addict linuxaddict7 at gmail.com
Tue Apr 20 10:53:50 MDT 2010


I say remove pam_krb5.so on one of the hosts, restart winbind and
test. I think it doesn't even get to the winbind layer and is rejected on the krb
layer itself, which is where it is cached.

Also check /etc/security/pam_winbind.conf if it exists.

On Tue, Apr 20, 2010 at 9:44 AM, Linux Addict <linuxaddict7 at gmail.com> wrote:

> Did you check the release notes for 3.4? I have the same
> config (cached_login) as you and it works fine on 3.2.
>
>
> On Fri, Apr 16, 2010 at 5:17 PM, Bryant, Phillip - IS <Phillip.Bryant at itt.com> wrote:
>
>> Having issues adapting our 3.4 configuration that worked very well using
>> idmap rid in 3.3.
>>
>> It seems like winbind does not cache the credentials despite all of the
>> settings being present. I can set winbind offline via smbcontrol and have it
>> work, but if I reboot the machine (important for my laptops) off the network
>> winbind complains that it can't find the logon server.
>>
>> When disconnected and booted cold off the network, logon reports no logon
>> server.
>>
>> Testing with wbinfo -K while offline:
>> wbinfo -K bry47927
>> Enter bry47927's password:
>> plaintext kerberos password authentication for [bry47927] succeeded
>> (requesting cctype: FILE)
>> user_flgs: NETLOGON_CACHED_ACCOUNT
>> no credentials cached
>>
>> Not sure why this works but regular logon does not.
>>
>> Samba config:
>> This configuration works fine connected to the LAN. But, having to digest
>> more than a year's worth of changes and updates I'm not sure if the idmap
>> settings are really correct.
>> [global]
>>        workgroup = AES
>>        realm = AES.DE.ITTIND.COM
>>        server string = Samba Server Version %v
>>        security = ADS
>>        password server = 2008dc
>>        log file = /var/log/samba/log.%m
>>        max log size = 50
>>        enable core files = No
>>        idmap backend = tdb
>>        idmap uid = 800 - 9999
>>        idmap gid = 800 - 9999
>> #       idmap domains = BUILTIN, AES
>> #       idmap config AES: default = yes
>>        idmap config AES: backend = rid
>>        template shell = /bin/bash
>>        winbind use default domain = Yes
>>        winbind offline logon = Yes
>>        idmap config AES : range = 100000 - 900000
>>        cups options = raw
>>
>> pam settings:
>>
>> auth        required      pam_env.so
>> auth        sufficient    pam_fprintd.so
>> auth        sufficient    pam_unix.so nullok try_first_pass
>> auth        requisite     pam_succeed_if.so uid >= 500 quiet
>> auth        sufficient    pam_krb5.so use_first_pass
>> auth        sufficient    pam_winbind.so cached_login use_first_pass
>> auth        required      pam_deny.so
>>
>> account     required      pam_unix.so broken_shadow
>> account     sufficient    pam_localuser.so
>> account     sufficient    pam_succeed_if.so uid < 500 quiet
>> account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
>> account     [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
>> account     required      pam_permit.so
>>
>> password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=12 dcredit=1 ucredit=1 lcredit=1 ocredit=1
>> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
>> password    sufficient    pam_krb5.so use_authtok
>> password    sufficient    pam_winbind.so cached_login use_authtok
>> password    required      pam_deny.so
>>
>> session     optional      pam_keyinit.so revoke
>> session     required      pam_limits.so
>> session     optional      pam_mkhomedir.so
>> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>> session     required      pam_unix.so
>> session     optional      pam_krb5.so
>>
>> pam_winbind.conf:
>>
>> [global]
>>
>> # turn on debugging
>> ;debug = no
>>
>> # turn on extended PAM state debugging
>> ;debug_state = no
>>
>> # request a cached login if possible
>> # (needs "winbind offline logon = yes" in smb.conf)
>> cached_login = yes
>>
>> # authenticate using kerberos
>> ;krb5_auth = yes
>>
>> # when using kerberos, request a "FILE" krb5 credential cache type
>> # (leave empty to just do krb5 authentication but not have a ticket
>> # afterwards)
>> ;krb5_ccache_type = file
>>
>> Nsswitch.conf:
>>
>> passwd:     files winbind
>> shadow:     files winbind
>> group:      files winbind
>>
>>
>>
>> Phillip Bryant - ABQ IT Site Lead
>> 5901 Indian School Rd NE
>> ph# 505-889-7016
>> cell# 505-385-8668
>> RHCT/RHCE RHEL 5 ID#805009017938113
>> MCSE NT4.0, 2000, 2003, 2008 MCP ID#1150956
>> MCTS Windows 7, Windows Server 2008 Enterprise
>> MCP+I
>> MCP
>
>
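Linux Addict's suggestion to test with pam_krb5.so removed turns on how the PAM control flags in the stack quoted above combine. What follows is an added example, not code from the thread or from Samba: a small model of Linux-PAM's control-flag evaluation (the keyword-to-[value=action] tables from pam.conf(5) and the ok/done/bad/die/ignore/jump rules of its dispatcher), run over the auth and account lines quoted in the thread. The per-module return values in AUTH_OFFLINE and ACCOUNT_OFFLINE are constructed for a domain user booted off the network, not observed from the real modules; in particular, what pam_krb5.so actually returns in the account phase when no KDC is reachable is left as the variable to compare.

```python
"""Model of Linux-PAM control-flag evaluation, applied to the PAM stack quoted
in this thread. Added example; the module return values are constructed."""
from typing import Dict, List, Optional, Tuple

# The four keyword controls are shorthand for these [value=action] tables (pam.conf(5)).
KEYWORD_CONTROLS = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}

Stack = List[Tuple[str, Dict[str, str]]]

# auth and account phases as quoted in the thread (mailer-wrapped lines rejoined)
THREAD_STACK = """
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_winbind.so cached_login use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
account     required      pam_permit.so
"""

# Constructed return values for a domain user whose laptop is off the network.
AUTH_OFFLINE = {
    "pam_fprintd.so": "auth_err",        # no fingerprint enrolled (assumed)
    "pam_unix.so": "auth_err",           # AD user has no local shadow password (assumed)
    "pam_krb5.so": "authinfo_unavail",   # KDC unreachable (assumed)
    "pam_winbind.so": "success",         # cached credentials accepted (assumed)
    "pam_deny.so": "perm_denied",
}
ACCOUNT_OFFLINE = {
    "pam_localuser.so": "perm_denied",   # not in /etc/passwd (assumed)
    "pam_succeed_if.so": "auth_err",     # uid is not < 500 (assumed)
    "pam_krb5.so": "authinfo_unavail",   # assumed; the value under test
    "pam_winbind.so": "success",
}


def parse_control(control: str) -> Dict[str, str]:
    """'sufficient' or '[default=bad success=ok user_unknown=ignore]' -> value->action map."""
    control = control.strip()
    if control.startswith("["):
        return dict(pair.split("=", 1) for pair in control.strip("[]").split())
    return dict(KEYWORD_CONTROLS[control])


def parse_stack(text: str, phase: str) -> Stack:
    """Keep the lines of one phase (auth/account/password/session) as (module, control) pairs."""
    stack: Stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.split()[0] != phase:
            continue
        rest = line[len(phase):].lstrip()
        if rest.startswith("["):                  # bracketed control contains spaces
            end = rest.index("]") + 1
            control, rest = rest[:end], rest[end:]
        else:
            control, _, rest = rest.partition(" ")
        module = rest.split()[0]                  # drop module arguments
        stack.append((module, parse_control(control)))
    return stack


def run_stack(stack: Stack, results: Dict[str, str]) -> str:
    """Return what the application sees, following Linux-PAM's dispatcher rules.

    impression: None = nothing counted yet, True = positive, False = negative.
    results: module name -> return value; modules not listed return "success".
    """
    impression: Optional[bool] = None
    status = "success"
    skip = 0
    for module, table in stack:
        if skip:                                  # inside a jump: this module is not run
            skip -= 1
            continue
        retval = results.get(module, "success")
        action = table.get(retval, table.get("default", "bad"))
        if action.isdigit():                      # "N": like ok, then jump over N modules
            skip, action = int(action), "ok"
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            if impression is None or (impression and status == "success"):
                impression, status = True, retval
            if impression and action == "done":   # sufficient succeeded, nothing failed before
                break
        else:                                     # "bad" or "die"
            if impression is not False:           # the first failure fixes the final error
                impression, status = False, retval
            if action == "die":
                break
    return status if impression is not None else "perm_denied"


def evaluate(phase: str, results: Dict[str, str], drop: Optional[str] = None) -> str:
    """Run one phase of the thread's stack; `drop` removes a module, mirroring
    the "remove pam_krb5.so on one host" test suggested in the thread."""
    stack = [(m, c) for m, c in parse_stack(THREAD_STACK, phase) if m != drop]
    return run_stack(stack, results)


def compare_offline() -> Dict[str, str]:
    """Side-by-side outcomes for the constructed offline scenarios."""
    return {
        "auth": evaluate("auth", AUTH_OFFLINE),
        "account, krb5 -> authinfo_unavail": evaluate("account", ACCOUNT_OFFLINE),
        "account, krb5 -> user_unknown": evaluate("account", {**ACCOUNT_OFFLINE, "pam_krb5.so": "user_unknown"}),
        "account, pam_krb5 removed": evaluate("account", ACCOUNT_OFFLINE, drop="pam_krb5.so"),
    }


if __name__ == "__main__":
    for case, outcome in compare_offline().items():
        print(f"{case:36s} -> {outcome}")
```

In the auth phase the `sufficient` control discards pam_krb5's failure and pam_winbind's cached login decides the result, which matches wbinfo -K succeeding offline. In the account phase the bracketed control maps only `success` and `user_unknown`; any other pam_krb5 return falls to `default=bad`, and once a bad result is recorded the later pam_winbind and pam_permit lines cannot overturn it. Removing the pam_krb5 account line, as the reply suggests, makes that case succeed, which is exactly what the test isolates.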
