[Samba] winbind offline logon
gaio at sv.lnf.it
Fri Feb 15 12:01:52 UTC 2019
Hello! Piviul via samba
On that day it was said...
> [¹] https://bugzilla.samba.org/show_bug.cgi?id=10455
Very, very interesting thing.
The same configuration happens on Debian stretch (at least). I've
effectively tested offline logon in the past, but with a sub-5-minute delay
from the latest connected logon.
A note: the manpages for pam_winbind and pam_winbind.conf are a bit
different; the latter seems more complete and says:

    krb5_ccache_type = [type]
        When pam_winbind is configured to try kerberos authentication by
        enabling the krb5_auth option, it can store the retrieved Ticket
        Granting Ticket (TGT) in a credential cache. The type of credential
        cache can be controlled with this option. The supported values are:
        KEYRING (when supported by the system's Kerberos library and
        Kernel), FILE and DIR (when the DIR type is supported by the
        system's Kerberos library). In case of FILE a credential cache in
        the form of /tmp/krb5cc_UID will be created - in case of DIR you
        NEED to specify a directory. UID is replaced with the numeric user
        id.

        When using the KEYRING type, the supported mechanism is
        “KEYRING:persistent:UID”, which uses the Linux kernel keyring to
        store credentials on a per-UID basis. This is the recommended
        choice on latest Linux distributions, as it is the most secure and
        predictable method.

        It is also possible to define custom filepaths and use the "%u"
        pattern in order to substitute the numeric user id. Examples:

        krb5_ccache_type = DIR:/run/user/%u/krb5cc
            This will create a credential cache file in the specified
            directory.

        krb5_ccache_type = FILE:/tmp/krb5cc_%u
            This will create a credential cache file.

        Leave empty to just do kerberos authentication without having a
        ticket cache after the logon has succeeded. This setting is empty
        by default.

This indeed seems reasonable to me.
a) if I set 'krb5_ccache_type=FILE', I'm connected to my domain and I
do a login, I update the ticket and all goes well.
b) if I disconnect from the domain and I do a subsequent sub-5-minute
logon, it works as expected and the credential cache is still valid.
c) if I disconnect from the domain and I do a subsequent over-5-minute
logon, there's no way to update the credential cache (there's no
kerberos...) and so the login fails (probably because it supposes, not so
wrongly, that not updating the credential cache is a failure).
So it seems to me that 'krb5_ccache_type=FILE' (at least, but probably
*ALL* 'krb5_ccache_type=' value is the same...) and 'cached_login = yes'
So, is it a distribution/packaging bug?
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797
Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
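
Added example, not part of the original post and not Samba code: a small Python check that expands a krb5_ccache_type value the way the quoted manpage text describes and flags the option combination this message reports as failing offline. The sample file contents and the function names resolve_ccache and audit are assumptions made for illustration.

```python
import configparser

# Constructed sample of a pam_winbind.conf (not taken from the post).
SAMPLE_CONF = """\
[global]
krb5_auth = yes
krb5_ccache_type = FILE
cached_login = yes
"""

def resolve_ccache(value, uid):
    """Expand a krb5_ccache_type value for one UID; None means no ticket cache is kept."""
    value = value.strip()
    if not value:
        return None
    ctype, _, residual = value.partition(":")
    ctype = ctype.upper()
    if ctype not in ("KEYRING", "FILE", "DIR"):
        raise ValueError(f"unsupported credential cache type: {ctype}")
    if ctype == "DIR" and not residual:
        raise ValueError("DIR requires an explicit directory")
    if not residual:
        # Forms the manpage documents for a bare type name.
        residual = "/tmp/krb5cc_%u" if ctype == "FILE" else "persistent:%u"
    return f"{ctype}:{residual.replace('%u', str(uid))}"

def audit(conf_text, uid):
    """Return (resolved cache name, findings) for the [global] section."""
    # interpolation=None: configparser would otherwise reject the literal "%u".
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    g = cp["global"]
    krb5 = g.getboolean("krb5_auth", fallback=False)
    cached = g.getboolean("cached_login", fallback=False)
    ccache = resolve_ccache(g.get("krb5_ccache_type", fallback=""), uid)
    findings = []
    if krb5 and cached and ccache:
        # The poster's observation, not a confirmed diagnosis.
        findings.append("cached_login with a ticket cache: offline logon reported to fail in this thread")
    if ccache and ccache.startswith("FILE:/tmp/"):
        findings.append("ticket cache lives in shared /tmp; the manpage recommends KEYRING")
    return ccache, findings

if __name__ == "__main__":
    name, notes = audit(SAMPLE_CONF, 1000)
    print(name)
    for n in notes:
        print(" -", n)
```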