[Samba] [OT?] Kerberos, PAM, NSS: if user does not exist, pam_krb5 try login?

L.P.H. van Belle belle at bazuin.nl
Thu Feb 28 11:05:45 UTC 2019


Hai, 

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Marco Gaiarin via samba
> Sent: Thursday 28 February 2019 11:33
> To: samba at lists.samba.org
> Subject: Re: [Samba] [OT?] Kerberos, PAM, NSS: if user does 
> not exist, pam_krb5 try login?
> 
> Mandi! L.P.H. van Belle via samba
>   In chel di` si favelave...
> 
> > logname=admin uid=0 euid=0  << no no.. Uid=0 ? That's not good, root = uid 0
> 
> It is the standard log of the pam subsystem, also for ldap.

> 
> 
> > Administrator is mapped through /etc/samba/smb.conf ( usermapping)
> 
> No, Louis; I'm speaking about a machine where samba is not even
> installed; I've simply created some users (in /etc/passwd) and added
> pam_krb5 to (also) authenticate against. No samba (so the 'OT' ;-).

Ok, wrong list ;-) :-P 

No, here you go, read this, this explains it. 
https://wiki.debian.org/LDAP/PAM 
The second paragraph tells what you want to know. 

And I noticed also this on that site. 
/snap
Hint: Offline caching of LDAP credentials is only useful if LDAP information 
about users and groups is also available offline through NSS. 
This can be accomplished through the use of NSCD. See LDAP/NSS for more information. 
/snapoff

Often not seen, the last lines on the site. 
If using OpenSSH, you may need to add "UsePAM yes" to sshd_config or it will not use PAM by default. 

While reading more, for the offline logins or your exim, read: 
http://people.skolelinux.org/pere/blog/Caching_password__user_and_group_on_a_roaming_Debian_laptop.html 
Shows some good info, bit older but still ok with minor adjustments. 


Greetz, 

Louis



