[Samba] Winbind, cached logons and 'user persistency'...
Marco Gaiarin
gaio at sv.lnf.it
Tue Jan 29 17:47:45 UTC 2019
Hello! Rowland Penny via samba
On that day it was said...
> Now this is what I do not understand, my understanding is that 'PAM' is
> used to find the correct authentication system and 'NSS' just connects
> to that authentication system.
No. NSS, roughly, 'extends the user database':
https://www.gnu.org/software/libc/manual/html_node/Name-Service-Switch.html
> For instance, in /etc/pam.d/common-auth I have:
> auth [success=3 default=ignore] pam_krb5.so minimum_uid=10000
> auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
> auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
Putting 'cached_login' here is the same as putting:
[global]
cached_login = yes
in /etc/security/pam_winbind.conf .
> If I go anywhere (away from the domain), I can still log into the
> laptop as my domain user, read and save files etc. All files are saved
> as the domain user and when I do re-connect to the domain, it is if I
> haven't been anywhere.
This is what I supposed would work for me too. It seems not.
Do you also have your user in /etc/passwd? O;-)
> You seem to be doing something wrong ;-)
Probably. But I don't understand what. Authentication works as
expected:
root at vdmsv2:~# wbinfo -K LNFFVG\\gaio
Enter LNFFVG\gaio's password:
plaintext kerberos password authentication for [LNFFVG\gaio] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0
root at vdmsv2:~# smbcontrol winbind offline
root at vdmsv2:~# wbinfo -K LNFFVG\\gaio
Enter LNFFVG\gaio's password:
plaintext kerberos password authentication for [LNFFVG\gaio] succeeded (requesting cctype: FILE)
user_flgs: NETLOGON_CACHED_ACCOUNT
credentials were put in: FILE:/tmp/krb5cc_0
A simple 'getent' seems to work:
root at vdmsv2:~# getent passwd LNFFVG\\gaio; smbcontrol winbind offline; sleep 65; getent passwd LNFFVG\\gaio; smbcontrol winbind online
gaio:*:10000:10513:Marco Gaiarin:/home/gaio:/bin/bash
gaio:*:10000:10513:Marco Gaiarin:/home/gaio:/bin/bash
But, as I just stated, if I disconnect the DM from the DC for more than a minute,
NSS starts to reply that the user does not exist (so it seems).
[nscd and winbind]
> Not entirely true that you cannot run nscd with winbind, you just have
> to stop nscd caching everything that winbind does and by the time you
> do that, there isn't much left.
Ahem, sorry, I have not understood you...
> I think the time has come to ask, what isn't working if you disconnect
> from the domain e.g. walk away with a laptop, also why is it not
> working, what can it not find ?
Ahem, again I have not understood...
But, clearly, I have found that 'exim' replies 'user not found', so
probably winbind effectively caches the data, but in a way that exim does not
find... seems REALLY strange...
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797
Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
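The thread touches four files that all have to agree before a domain user keeps resolving while the DC is unreachable: nsswitch.conf (winbind listed for passwd and group), nscd.conf (nscd not caching passwd/group in front of winbind, which keeps its own cache), pam_winbind.conf or the pam_winbind.so line ('cached_login'), and smb.conf ('winbind offline logon = yes' in [global], which defaults to no). The checker below is an added example and is not code from the thread or from Samba; the setting names are the documented ones, while the sample file contents (including the LNFFVG workgroup) are constructed for the example and are not the poster's real configuration.

```python
"""Constructed checker for the settings behind winbind offline (cached) logons.

Added example, not from the original thread or the Samba project. It parses
small copies of nsswitch.conf, nscd.conf, pam_winbind.conf, the PAM auth
stack and smb.conf and reports what would stop NSS/PAM from serving a
domain user while the DC is unreachable. All sample contents are constructed.
"""
import re


def parse_nsswitch(text):
    """Map database -> list of sources, e.g. {'passwd': ['compat', 'winbind']}."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if ':' not in line:
            continue
        db, sources = line.split(':', 1)
        # keep source names only, drop action specs such as [NOTFOUND=return]
        dbs[db.strip()] = [s for s in sources.split() if not s.startswith('[')]
    return dbs


def parse_nscd(text):
    """Map database -> True/False from 'enable-cache <db> yes|no' lines."""
    caches = {}
    for raw in text.splitlines():
        parts = raw.split('#', 1)[0].split()
        if len(parts) == 3 and parts[0] == 'enable-cache':
            caches[parts[1]] = parts[2].lower() == 'yes'
    return caches


def parse_ini(text):
    """Minimal parser for smb.conf / pam_winbind.conf: {section: {key: value}}.
    Keys are normalised the way Samba treats them (case and inner whitespace
    are not significant, so 'Winbind Offline Logon' == 'winbind offline logon')."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        m = re.match(r'\[(.+)\]$', line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if '=' in line and current is not None:
            key, value = line.split('=', 1)
            sections[current][re.sub(r'\s+', ' ', key.strip().lower())] = value.strip()
    return sections


def is_yes(value):
    return value.strip().lower() in ('yes', 'true', '1')


def pam_line_has_cached_login(common_auth):
    """True when a pam_winbind.so line carries the cached_login module option
    (equivalent to 'cached_login = yes' in pam_winbind.conf [global])."""
    return any('pam_winbind.so' in l and 'cached_login' in l.split()
               for l in common_auth.splitlines() if not l.lstrip().startswith('#'))


def check_offline_logon(nsswitch, nscd, pam_winbind_conf, common_auth, smb):
    """Return a list of findings; an empty list means offline logon can work."""
    findings = []
    dbs = parse_nsswitch(nsswitch)
    for db in ('passwd', 'group'):
        if 'winbind' not in dbs.get(db, []):
            findings.append(f"nsswitch.conf: '{db}' does not list winbind")
    for db, enabled in parse_nscd(nscd).items():
        if db in ('passwd', 'group') and enabled:
            findings.append(f"nscd.conf: nscd caches '{db}' in front of winbind")
    pam = parse_ini(pam_winbind_conf).get('global', {})
    if not (is_yes(pam.get('cached_login', 'no')) or pam_line_has_cached_login(common_auth)):
        findings.append("pam_winbind: cached_login is not enabled")
    smb_global = parse_ini(smb).get('global', {})
    if not is_yes(smb_global.get('winbind offline logon', 'no')):
        findings.append("smb.conf: 'winbind offline logon' is not enabled (default is no)")
    return findings


# --- constructed sample files (not the poster's real configuration) ---------
GOOD_NSSWITCH = "passwd:  compat winbind\ngroup:   compat winbind\nshadow:  compat\n"
BAD_NSSWITCH = "passwd:  compat\ngroup:   compat\nshadow:  compat\n"
GOOD_NSCD = "enable-cache passwd no\nenable-cache group no\nenable-cache hosts yes\n"
BAD_NSCD = "enable-cache passwd yes\nenable-cache group yes\nenable-cache hosts yes\n"
PAM_WINBIND_CONF = "[global]\ncached_login = yes\nkrb5_auth = yes\nkrb5_ccache_type = FILE\n"
COMMON_AUTH = (
    "auth [success=3 default=ignore] pam_krb5.so minimum_uid=10000\n"
    "auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass\n"
    "auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE "
    "cached_login try_first_pass\n"
)
GOOD_SMB = "[global]\n  workgroup = LNFFVG\n  security = ADS\n  winbind offline logon = yes\n"
BAD_SMB = "[global]\n  workgroup = LNFFVG\n  security = ADS\n"

if __name__ == '__main__':
    for name, args in (('good', (GOOD_NSSWITCH, GOOD_NSCD, PAM_WINBIND_CONF, COMMON_AUTH, GOOD_SMB)),
                       ('bad', (BAD_NSSWITCH, BAD_NSCD, "[global]\n", "", BAD_SMB))):
        print(name, check_offline_logon(*args) or 'no findings')
```

The check only reads the configuration; it does not replace the live test in the message above (authenticate, 'smbcontrol winbind offline', wait past the cache refresh, 'getent' again), it tells you which file to look at when that test fails.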