[Samba] AD Users on Linux Laptop
basti
mailinglist at unix-solution.de
Thu Jul 9 09:06:28 UTC 2020
On 09.07.20 10:29, L.P.H. van Belle via samba wrote:
> Hai Basti,
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> basti via samba
>> Sent: Thursday 9 July 2020 10:20
>> To: samba at lists.samba.org
>> Subject: [Samba] AD Users on Linux Laptop
>>
>> Hello,
>> I have set up a laptop with Debian 10, where Samba AD users
>> should be able to
>> log in. I also set up PAM_Offline_Authentication, so far so good.
>>
>> There are several problems:
>>
>> - After reboot winbind seems to start before the network is ready,
>> so winbind
>> can't get user info via getent passwd <username>; after
>> restarting winbind
>> it works
>
> Quick fix :
> systemctl edit winbind.service
> Add:
> [Unit]
> After=network.target network-online.target
>
> Save, reboot. (wait, do below first)
>
Starting winbind after the network-online target is not a good option in my
opinion.
When there is only WLAN available that must be connected manually, winbind
would never start, so the user can never log in, I guess.
There must be a way to cache login info between reboots.
sssd or something like that?
>>
>> - How can I cache login info for offline login
>> (e.g. when only WLAN is available or to start a VPN after login to get
>> access to shares)
>
> cat /etc/pam.d/common-auth
> Verify if you see.
>
> # here are the per-package modules (the "Primary" block)
> auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
> auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
> auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
>
The krb5_ccache file is saved in /tmp/. Is there a way to save it to
another folder that's not cleaned up on reboot? /usr/lib .... for example.
> If not, run: pam-auth-update (even if you don't see it, run it, it sets everything correctly.)
>
> And I'm sure you have this in smb.conf,
> but I have to ask/show it.
> # Renew the kerberos tickets
> winbind refresh tickets = yes
>
> # Enable offline logins
> winbind offline logon = yes
>
> Try above and report back.
> That's all I do on Debian.
>
>
> Greetz,
>
> Louis
>
>
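
One way to confirm that the three settings discussed in this thread are active (`winbind offline logon`, `winbind refresh tickets`, and `cached_login` on the `pam_winbind.so` line), as an added example that is not part of the original messages. The function names are hypothetical, the sample files are constructed, and smb.conf section headers are ignored on the assumption that both parameters live in `[global]`.

```shell
#!/bin/sh
# Added example: function names are hypothetical, sample files are constructed.

# smb_bool_enabled FILE "parameter name"
# Succeeds when the last assignment of the parameter is a true value.
# Simplification: section headers are ignored (parameters assumed in [global]).
smb_bool_enabled() {
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }                      # comment lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            name = tolower(substr($0, 1, eq - 1))
            val  = tolower(substr($0, eq + 1))
            gsub(/^[ \t]+|[ \t]+$/, "", name); gsub(/[ \t]+/, " ", name)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name == want) last = val            # later lines override earlier ones
        }
        END { exit !(last == "yes" || last == "true" || last == "on" || last == "1") }
    ' "$1"
}

# pam_winbind_cached FILE
# Succeeds when an active auth line loads pam_winbind.so with cached_login.
pam_winbind_cached() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "auth" && /pam_winbind\.so/ {
            for (i = 1; i <= NF; i++) if ($i == "cached_login") found = 1
        }
        END { exit !found }
    ' "$1"
}

check_offline_logon() {   # usage: check_offline_logon SMB_CONF PAM_FILE
    rc=0
    smb_bool_enabled "$1" "winbind offline logon"   || { echo "missing: winbind offline logon = yes"; rc=1; }
    smb_bool_enabled "$1" "winbind refresh tickets" || { echo "missing: winbind refresh tickets = yes"; rc=1; }
    pam_winbind_cached "$2" || { echo "missing: cached_login on the pam_winbind.so auth line"; rc=1; }
    return $rc
}

# Constructed sample: offline logon is commented out, so the check reports it.
tmp=$(mktemp -d)
printf '%s\n' '[global]' '    winbind refresh tickets = yes' \
    '    # winbind offline logon = yes' > "$tmp/smb.conf"
printf '%s\n' 'auth [success=1 default=ignore] pam_winbind.so krb5_auth cached_login try_first_pass' \
    > "$tmp/common-auth"
check_offline_logon "$tmp/smb.conf" "$tmp/common-auth" || echo "offline logon is not fully configured"
```

On a real machine the call would be `check_offline_logon /etc/samba/smb.conf /etc/pam.d/common-auth`, the smb.conf path being the Debian default and an assumption here.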