[Samba] winbind offline logon

Marco Gaiarin gaio at sv.lnf.it
Fri Feb 15 12:01:52 UTC 2019

Hello! Piviul via samba
  On that day was saying...

> [¹] https://bugzilla.samba.org/show_bug.cgi?id=10455

Very, very interesting thing.

The same configuration happens on Debian stretch (at least). I've
effectively tested offline logon in the past, but with a sub-5-minute delay
from the latest connected logon.

A note: the manpage for pam_winbind and pam_winbind.conf are a bit
different; the latter seems more complete and says:

       krb5_ccache_type = [type]
           When pam_winbind is configured to try kerberos authentication by
           enabling the krb5_auth option, it can store the retrieved Ticket
           Granting Ticket (TGT) in a credential cache. The type of credential
           cache can be controlled with this option. The supported values are:
           KEYRING (when supported by the system's Kerberos library and
           Kernel), FILE and DIR (when the DIR type is supported by the
           system's Kerberos library). In case of FILE a credential cache in
           the form of /tmp/krb5cc_UID will be created - in case of DIR you
           NEED to specify a directory. UID is replaced with the numeric user
           id.

           When using the KEYRING type, the supported mechanism is
           “KEYRING:persistent:UID”, which uses the Linux kernel keyring to
           store credentials on a per-UID basis. This is the recommended
           choice on latest Linux distributions, as it is the most secure and
           predictable method.

           It is also possible to define custom filepaths and use the "%u"
           pattern in order to substitute the numeric user id. Examples:

           krb5_ccache_type = DIR:/run/user/%u/krb5cc
               This will create a credential cache file in the specified
               directory.

           krb5_ccache_type = FILE:/tmp/krb5cc_%u
               This will create a credential cache file.

           Leave empty to just do kerberos authentication without having a
           ticket cache after the logon has succeeded. This setting is empty
           by default.

This indeed seems reasonable to me.

a) If I set 'krb5_ccache_type=FILE', I'm connected to my domain and I
 do a login, I update the ticket and all goes well.

b) If I disconnect from the domain and I do a subsequent sub-5-minute
 logon, it works as expected and the credential cache is still valid.

c) If I disconnect from the domain and I do a subsequent over-5-minute
 logon, there's no way to update the credential cache (there's no
Kerberos...) and so the login fails (probably because it supposes, not so
wrongly, that not updating the credential cache is a failure).

So it seems to me that 'krb5_ccache_type=FILE' (at least, but probably
*ALL* 'krb5_ccache_type=' values behave the same...) and 'cached_login = yes'
are incompatible.

So, is it a distribution/packaging bug?

dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

	(tax code 00307430132, ONLUS category or HEALTH RESEARCH)
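To tell the three scenarios above apart on a client before opening a bug, here is an added diagnostic script (not from the post or from Samba) that classifies a logon attempt from winbind's domain status and the state of the Kerberos credential cache. It assumes `wbinfo --online-status` prints one "DOMAIN : online|offline" line per domain and that `klist -s` exits 0 only while the cache holds a non-expired TGT; the domain name EXAMPLE and the sample status text are constructed.

```shell
#!/bin/sh
# Added example: map winbind domain state + ccache validity onto the
# scenarios (a), (b), (c) reported in the post. Assumed output format of
# `wbinfo --online-status`: "<DOMAIN> : online" / "<DOMAIN> : offline".

# classify_logon DOMAIN STATUS_TEXT CCACHE_VALID
#   STATUS_TEXT  : text as printed by `wbinfo --online-status`
#   CCACHE_VALID : exit status of `klist -s` (0 = valid, non-expired TGT)
# Prints: online-refresh | offline-cached-ok | offline-cache-expired
classify_logon() {
  domain=$1; status_text=$2; ccache_valid=$3
  # Pick the third field ("online"/"offline") of the line for this domain.
  state=$(printf '%s\n' "$status_text" | awk -v d="$domain" '$1 == d { print $3 }')
  case "$state" in
    online)                       # scenario a): DC reachable, TGT refreshed
      echo online-refresh ;;
    offline)
      if [ "$ccache_valid" -eq 0 ]; then
        echo offline-cached-ok    # scenario b): cache still valid, logon works
      else
        echo offline-cache-expired # scenario c): cache expired, no DC to renew
      fi ;;
    *)
      echo unknown-domain; return 1 ;;
  esac
}

# Live check (needs a running winbindd and MIT or Heimdal klist).
# Usage after sourcing this file: check_live EXAMPLE
check_live() {
  st=$(wbinfo --online-status 2>/dev/null) || { echo winbindd-unreachable; return 2; }
  klist -s 2>/dev/null; cv=$?
  classify_logon "$1" "$st" "$cv"
}

# Constructed sample standing in for real `wbinfo --online-status` output.
SAMPLE_STATUS='BUILTIN : online
EXAMPLE : offline'
```

With a FILE cache and cached_login = yes, an "offline-cache-expired" result is the state in which the post reports the logon failing.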
