[Samba] Winbind, cached logons and 'user persistency'...

Marco Gaiarin gaio at sv.lnf.it
Tue Jan 29 17:47:45 UTC 2019


Mandi! Rowland Penny via samba
  In chel di` si favelave...

> Now this is what I do not understand, my understanding is that 'PAM' is
> used to find the correct authentication system and 'NSS' just connects
> to that authentication system.

No. NSS, roughly, 'extend the user database':
	https://www.gnu.org/software/libc/manual/html_node/Name-Service-Switch.html


> For instance, in /etc/pam.d/common-auth I have:
> auth    [success=3 default=ignore]      pam_krb5.so minimum_uid=10000
> auth    [success=2 default=ignore]      pam_unix.so nullok_secure try_first_pass
> auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass

Putting 'cached_login' here is the same of putting:

	[global]
	cached_login = yes

in /etc/security/pam_winbind.conf .


> If I go anywhere (away from the domain), I can still log into the
> laptop as my domain user, read and save files etc. All files are saved
> as the domain user and when I do re-connect to the domain, it is if I
> haven't been anywhere.

This is what i supposed to work mee too. Seems not.

You have also your user in /etc/passwd? O;-)


> You seem to be doing something wrong ;-)

Probably. But i don't understand what. Authentication works as
expected:

 root at vdmsv2:~# wbinfo -K LNFFVG\\gaio
 Enter LNFFVG\gaio's password: 
 plaintext kerberos password authentication for [LNFFVG\gaio] succeeded (requesting cctype: FILE)
 credentials were put in: FILE:/tmp/krb5cc_0
 root at vdmsv2:~# smbcontrol winbind offline
 root at vdmsv2:~# wbinfo -K LNFFVG\\gaio
 Enter LNFFVG\gaio's password: 
 plaintext kerberos password authentication for [LNFFVG\gaio] succeeded (requesting cctype: FILE)
 user_flgs: NETLOGON_CACHED_ACCOUNT
 credentials were put in: FILE:/tmp/krb5cc_0

a simple 'getent' seems to work:

 root at vdmsv2:~# getent passwd LNFFVG\\gaio; smbcontrol winbind offline; sleep 65; getent passwd LNFFVG\\gaio; smbcontrol winbind online
 gaio:*:10000:10513:Marco Gaiarin:/home/gaio:/bin/bash
 gaio:*:10000:10513:Marco Gaiarin:/home/gaio:/bin/bash

but, i just stated that, if i disconnect DM from DC for more then a minute,
NSS start to reply that user does not exist (seems that).


[nscd and windbind]
> Not entirely true that you cannot run nscd with winbind, you just have
> to stop nscd caching everything that winbind does and by the time you
> do that, there isn't much left.

Ahem, sorry i've not understood you...


> I think the time has come to ask, what isn't working if you disconnect
> from the domain e.g. walk away with a laptop, also why is it not
> working, what can it not find ?

Ahem, again i've not understood...


But, clearly, i've found 'exim' that reply 'user not found', so
probably winbind cache effectvaly data, but in a way that exim does not
find... seems REALLY strange...

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)



More information about the samba mailing list