[Samba] AD Users on Linux Laptop

basti mailinglist at unix-solution.de
Thu Jul 9 09:06:28 UTC 2020



On 09.07.20 10:29, L.P.H. van Belle via samba wrote:
> Hai Basti,  
> 
>> -----Original Message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of 
>> basti via samba
>> Sent: Thursday 9 July 2020 10:20
>> To: samba at lists.samba.org
>> Subject: [Samba] AD Users on Linux Laptop
>>
>> Hello,
>> I have set up a laptop with debian10, where samba ad users 
>> should be able to
>> log in. I also set up PAM_Offline_Authentication, so far so good.
>>
>> There are several problems:
>>
>> - After reboot winbind seems to start before the network is ready, 
>> so winbind
>> can't get user info via getent passwd <username>, after 
>> restarting winbind
>> it works
> 
> Quick fix : 
> systemctl edit winbind.service
> Add: 
> [Unit]
> After=network.target network-online.target
> 
> Save, reboot. (wait, do below first) 
> 

Starting winbind after the network-online target is not a good option in my
opinion.

When there is only wlan available that must be connected manually, winbind
would never start, so the user can never log in, I guess.

There must be a way to cache login info between reboots.

sssd or something like that?

>>
>> - How can I cache login info for offline login
>> (e.g. when only wlan is available or to start vpn after login to get
>> access to shares)
> 
> cat /etc/pam.d/common-auth 
> Verify if you see. 
> 
> # here are the per-package modules (the "Primary" block)
> auth    [success=3 default=ignore]      pam_krb5.so minimum_uid=1000
> auth    [success=2 default=ignore]      pam_unix.so nullok_secure try_first_pass
> auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
> 

The krb5_ccache file is saved in /tmp/. Is there a way to save it to
another folder that is not cleaned up on reboot? /usr/lib .... for example.

> If not, run : pam-auth-update ( even if you don't see it, run it, it sets everything correctly.) 
> 
> And I'm sure you have this in smb.conf : 
> But I have to ask/show it. 
>     # Renew the kerberos tickets
>     winbind refresh tickets = yes
> 
>     # Enable offline logins
>     winbind offline logon = yes
> 
> Try above and report back. 
> That's all I do on debian. 
> 
> 
> Greetz, 
> 
> Louis
> 
> 
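
Added example, not part of the original thread: a shell check for the settings Louis lists above (cached_login on the pam_winbind.so auth line, plus winbind offline logon and winbind refresh tickets in smb.conf). The function names and sample files are constructed for illustration; on a Debian system the files to pass are /etc/samba/smb.conf and /etc/pam.d/common-auth.

```shell
#!/bin/sh
# Added example: helper names and sample files are constructed, not from the thread.

# smb_conf_enabled FILE "parameter": succeeds if the last assignment of the
# boolean parameter is yes/true/1. smb.conf ignores case and whitespace in
# parameter names; section headers are ignored here (both settings are global).
smb_conf_enabled() {
    awk -v want="$2" '
        function norm(s) { gsub(/[ \t\r]+/, "", s); return tolower(s) }
        /^[ \t]*[#;]/ { next }                      # comment line
        {
            i = index($0, "=")
            if (i == 0) next                        # not an assignment
            if (norm(substr($0, 1, i - 1)) != norm(want)) next
            v = norm(substr($0, i + 1))
            on = (v == "yes" || v == "true" || v == "1")
        }
        END { exit (on ? 0 : 1) }
    ' "$1"
}

# pam_winbind_cached FILE: succeeds if an uncommented auth line loads
# pam_winbind.so with the cached_login option.
pam_winbind_cached() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_winbind\.so([[:space:]].*)?[[:space:]]cached_login([[:space:]]|$)' "$1"
}

# check_offline_logon SMB_CONF PAM_FILE: prints each missing setting,
# returns non-zero if any is missing.
check_offline_logon() {
    rc=0
    for p in "winbind offline logon" "winbind refresh tickets"; do
        smb_conf_enabled "$1" "$p" || { echo "smb.conf: '$p' is not enabled"; rc=1; }
    done
    pam_winbind_cached "$2" || { echo "PAM: no pam_winbind.so auth line with cached_login"; rc=1; }
    return "$rc"
}

# Constructed sample input so the check runs offline.
tmp=$(mktemp -d)
printf '[global]\n  winbind refresh tickets = yes\n  Winbind Offline Logon = Yes\n' > "$tmp/smb.conf"
printf 'auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass\n' > "$tmp/common-auth"
check_offline_logon "$tmp/smb.conf" "$tmp/common-auth" && echo "offline logon settings present"
```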


