[Samba] [OT?] Kerberos, PAM, NSS: if user does not exist, pam_krb5 try login?

L.P.H. van Belle belle at bazuin.nl
Thu Feb 28 11:05:45 UTC 2019


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Marco Gaiarin via samba
> Sent: Thursday 28 February 2019 11:33
> To: samba at lists.samba.org
> Subject: Re: [Samba] [OT?] Kerberos, PAM, NSS: if user does 
> not exist, pam_krb5 try login?
> Hello! L.P.H. van Belle via samba
>   On that day it was said...
> > logname=admin uid=0 euid=0  << no no.. Uid=0 ? That's not good, root = uid 0
> It is the standard log of pam subsystem, also for ldap.

> > Administrator is mapped through /etc/samba/smb.conf ( usermapping)
> No, Louis; I'm speaking about machine where samba is even not
> installed; I've simply created some users (in /etc/passwd) and added
> pam_krb5 to (also) authenticate against. No samba (so the 'OT' ;-).

Ok, wrong list ;-) :-P 

No, here you go, read this, this explains it. 
The second paragraph tells what you want to know. 

And I noticed also this on that site. 
Hint: Offline caching of LDAP credentials is only useful if LDAP information 
about users and groups is also available offline through NSS. 
This can be accomplished through the use of NSCD. See LDAP/NSS for more information. 

Often not seen, the last lines on the site. 
If using OpenSSH, you may need to add "UsePAM yes" to sshd_config or it will not use PAM by default. 

While reading more, for the offline logins or your exim, read. 
Shows some good info, bit older but still ok with minor adjustments. 
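
An added example, not part of the original message: one way to check the "UsePAM yes" hint quoted above by reading the effective value from an sshd_config file. The function name and the sample config are constructed for illustration; it assumes the upstream OpenSSH default of "no" and does not follow Include directives.

```shell
#!/bin/sh
# Added example: report the effective UsePAM value of an sshd_config file.
# sshd keeps the FIRST value it reads for a keyword, keywords are
# case-insensitive, and a commented-out "#UsePAM yes" sets nothing.
# Assumptions: upstream default "no"; Include directives are not followed.

effective_usepam() {
    # $1: path to an sshd_config file
    awk '
        /^[ \t]*#/ { next }                    # skip comment lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)           # drop leading indentation
            if (line == "") next
            n = match(line, /[ \t=]+/)         # keyword/value separator
            if (n == 0) next                   # keyword without a value
            key = tolower(substr(line, 1, n - 1))
            val = substr(line, n + RLENGTH)
            if (key == "match") exit           # global section ends here
            if (key == "usepam") {
                sub(/[ \t]+$/, "", val)
                gsub(/"/, "", val)
                print tolower(val)
                found = 1
                exit                           # first occurrence wins
            }
        }
        END { if (!found) print "no" }         # nothing set: default
    ' "$1"
}

# Constructed sample config (not taken from the thread).
sample=$(mktemp)
printf '%s\n' '#UsePAM yes' 'PasswordAuthentication yes' \
    'UsePAM yes' 'UsePAM no' > "$sample"
echo "effective UsePAM: $(effective_usepam "$sample")"
rm -f "$sample"
```

If this reports "no", sshd does not call into PAM, so a pam_krb5 line in the PAM stack is not consulted for SSH logins.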


