[Samba] winbind offline logon
Piviul
piviul at riminilug.it
Wed Jan 20 08:20:47 UTC 2021
Reading this[¹] Samba wiki and applying it, offline authentication seems
to work, but in the real world it doesn't work at all... let me explain. If
I put winbind offline using smbcontrol, offline authentication works
flawlessly:
> $ wbinfo -K <domain>\\<username>
> Enter <domain>\<username>'s password:
> plaintext kerberos password authentication for [<domain>\<username>]
> succeeded (requesting cctype: FILE)
> credentials were put in: FILE:/tmp/krb5cc_21046
> $ sudo smbcontrol winbind offline
> $ wbinfo -K <domain>\\<username>
> Enter <domain>\<username>'s password:
> plaintext kerberos password authentication for [<domain>\<username>]
> succeeded (requesting cctype: FILE)
> user_flgs: NETLOGON_CACHED_ACCOUNT
> credentials were put in: FILE:/tmp/krb5cc_21046
But offline authentication should work when the PC can't connect to the
AD. So I have disconnected the PC from the LAN and all seems to work:
> $ wbinfo -K <domain>\\<username>
> Enter <domain>\<username>'s password:
> plaintext kerberos password authentication for [<domain>\<username>]
> succeeded (requesting cctype: FILE)
> user_flgs: NETLOGON_CACHED_ACCOUNT
> credentials were put in: FILE:/tmp/krb5cc_21046
But if I restart the PC without the LAN cable:
> $ wbinfo -K <domain>\\<username>
> Enter <domain>\<username>'s password:
> plaintext kerberos password authentication for [<domain>\<username>]
> failed (requesting cctype: FILE)
> wbcLogonUser(DOMINIOCSA\psala): error code was NT_STATUS_NO_SUCH_USER
> (0xc0000064)
> error message was: The specified account does not exist.
> Could not authenticate user [<domain>\<username>] with Kerberos
> (ccache: FILE)
> $ getent passwd <domain>\\<username>
> <domain>\\<username>:*:21046:10513:User
> Name:/home/domain/username:/bin/bash
So the account seems to exist (getent passwd seems to work correctly)
but cached login doesn't...
Can someone help me troubleshoot this problem?
Piviul
[¹] https://wiki.samba.org/index.php/PAM_Offline_Authentication