[Samba] DM and ''offline'' PAM (and NSS?)...

Rowland Penny rpenny at samba.org
Mon Dec 18 15:05:26 UTC 2017


On Mon, 18 Dec 2017 15:51:47 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> 
> > I've seen:
> > 	https://wiki.samba.org/index.php/PAM_Offline_Authentication
> 
> I've tried to enable offline logon, and seems to work as expected.
> 
> I've only found a little strange thing, I think related to the fact
> that in my DM I've set 'winbind use default domain = yes'.
> 
> 
> Following the wiki, I've enabled offline logon and then done:
> 
> ['smbcontrol winbind online']
>  root at vdmsv1:~# wbinfo -K LNFFVG\\gaio
>  Enter LNFFVG\gaio's password: 
>  plaintext kerberos password authentication for [LNFFVG\gaio]
> succeeded (requesting cctype: FILE) credentials were put in:
> FILE:/tmp/krb5cc_0
> 
> ['smbcontrol winbind offline']
>  root at vdmsv1:~# wbinfo -K LNFFVG\\gaio
>  Enter LNFFVG\gaio's password: 
>  plaintext kerberos password authentication for [LNFFVG\gaio]
> succeeded (requesting cctype: FILE) user_flgs: NETLOGON_CACHED_ACCOUNT
>  credentials were put in: FILE:/tmp/krb5cc_0
> 
> Good. But still in 'smbcontrol winbind offline' I've also done a:
> 
>  root at vdmsv1:~# wbinfo -K gaio
>  Enter gaio's password: 
>  plaintext kerberos password authentication for [gaio] succeeded
> (requesting cctype: FILE) credentials were put in: FILE:/tmp/krb5cc_0
> 
> and there's no 'user_flgs'. Boh...
> 

If you have 'winbind use default domain = yes', winbind strips off
the domain name, so 'LNFFVG\\gaio' becomes 'gaio', or to put it another
way, you do not need to use the domain name with 'getent passwd' etc.

Rowland


