[Samba] AD Users on Linux Laptop

L.P.H. van Belle belle at bazuin.nl
Thu Jul 9 08:29:28 UTC 2020

Hai Basti,  

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> basti via samba
> Verzonden: donderdag 9 juli 2020 10:20
> Aan: samba at lists.samba.org
> Onderwerp: [Samba] AD Users on Linux Laptop
> Hello,
> I have setup a laptop with debian10, where samba ad users 
> should able to
> login. I also setup PAM_Offline_Authentication, so far so good.
> There are several Problems:
> - After Reboot winbind seem to start before network is redy, 
> so winbind
> can't get user info via getent passwd <username>, after 
> restart winbind
> it works

Quick fix : 
systemctl edit winbind.service
After=network.target network-online.target

Save, reboot. (wait, do below first) 

> - How can I cache logins infos, for offline login
> (e.g. when only wlan is available or to start vpn after login to get
> access to shares)

cat /etc/pam.d/common-auth 
Verify if you see. 

# here are the per-package modules (the "Primary" block)
auth    [success=3 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=2 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass

If not, run : pam-auth-update ( even if you dont see it, run it, it sets everything correct.) 

And im sure you have this in smb.conf : 
But i have to ask/show it. 
    # Renew the kerberos tickets
    winbind refresh tickets = yes

    # Enable offline logins
    winbind offline logon = yes

Try above and report back. 
Thats all i do on debian. 



More information about the samba mailing list