[Samba] winbind offline logon

L.P.H. van Belle belle at bazuin.nl
Wed Jan 20 09:57:24 UTC 2021


Try changing the location of the Kerberos cache files.

This: FILE:/tmp/krb5cc_21046 

/tmp is emptied after a reboot, so yeah, logically you can't log in.

And beware, some also have /var/tmp linked to /tmp.
So, create a custom folder and point it to that.
Log in, reboot, retry.

;-) 
Good luck.. 


Greetz, 

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Piviul via samba
> Sent: Wednesday 20 January 2021 9:21
> To: samba at lists.samba.org
> Subject: [Samba] winbind offline logon
> 
> Reading this[¹] samba wiki and applying it, offline authentication seems
> to work but in the real world doesn't work at all... let me explain. If
> I put winbind offline using smbcontrol, offline authentication works
> flawlessly:
> 
> > $ wbinfo -K <domain>\\<username>
> > Enter <domain>\<username>'s password:
> > plaintext kerberos password authentication for [<domain>\<username>]
> > succeeded (requesting cctype: FILE)
> > credentials were put in: FILE:/tmp/krb5cc_21046
> > $ sudo smbcontrol winbind offline
> > $ wbinfo -K <domain>\\<username>
> > Enter <domain>\<username>'s password:
> > plaintext kerberos password authentication for [<domain>\<username>]
> > succeeded (requesting cctype: FILE)
> > user_flgs: NETLOGON_CACHED_ACCOUNT
> > credentials were put in: FILE:/tmp/krb5cc_21046
> 
> But offline authentication should work when the PC can't connect to the
> AD. So I have disconnected the PC from the LAN and all seems to work:
> 
> > $ wbinfo -K <domain>\\<username>
> > Enter <domain>\<username>'s password:
> > plaintext kerberos password authentication for [<domain>\<username>]
> > succeeded (requesting cctype: FILE)
> > user_flgs: NETLOGON_CACHED_ACCOUNT
> > credentials were put in: FILE:/tmp/krb5cc_21046
> 
> 
> But if I restart the PC without the LAN cable:
> 
> > $ wbinfo -K <domain>\\<username>
> > Enter <domain>\<username>'s password:
> > plaintext kerberos password authentication for [<domain>\<username>]
> > failed (requesting cctype: FILE)
> > wbcLogonUser(DOMINIOCSA\psala): error code was NT_STATUS_NO_SUCH_USER
> > (0xc0000064)
> > error message was: The specified account does not exist.
> > Could not authenticate user [<domain>\<username>] with Kerberos
> > (ccache: FILE)
> > $ getent passwd <domain>\\<username>
> > <domain>\\<username>:*:21046:10513:User
> > Name:/home/domain/username:/bin/bash
> So the account seems to exist (getent passwd seems to work correctly)
> but cached login doesn't...
> 
> Can someone help me troubleshoot this problem?
> 
> Piviul
> 
> [¹] https://wiki.samba.org/index.php/PAM_Offline_Authentication
> 
> 
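One way to check the point raised in the reply above, as an added example that is not part of either message: a shell function that reports whether a ccache name such as `FILE:/tmp/krb5cc_21046` points at storage that does not survive a reboot, resolving symlinks so that a /var/tmp linked to /tmp is caught. The function names and the `MOUNTS` variable are assumptions of this example; treating /tmp as volatile by name follows the reply, and the tmpfs/ramfs test is a heuristic.

```shell
#!/bin/sh
# Added example: classify a Kerberos ccache name by whether its backing file
# is likely to be gone after a reboot.
# MOUNTS is an assumption of this example: it defaults to /proc/mounts (Linux)
# and can be pointed at a constructed file for testing.
MOUNTS="${MOUNTS:-/proc/mounts}"

# Print the filesystem type of the longest mount point containing path $1.
fs_type_of() {
    awk -v p="$1" '
        { mp = $2
          if (mp == "/" || p == mp || index(p, mp "/") == 1)
              if (length(mp) >= best) { best = length(mp); type = $3 } }
        END { print type }' "$MOUNTS"
}

# ccache_volatility NAME -> prints "volatile", "persistent" or "not-a-file"
ccache_volatility() {
    case "$1" in
        FILE:*) path="${1#FILE:}" ;;
        /*)     path="$1" ;;                    # bare path, handled as FILE
        *)      echo "not-a-file"; return 0 ;;  # KEYRING:, KCM:, MEMORY:, ...
    esac
    dir=$(dirname "$path")
    # Resolve symlinks (e.g. /var/tmp -> /tmp); keep the literal directory
    # when it does not exist yet.
    real=$(cd "$dir" 2>/dev/null && pwd -P) || real="$dir"
    # /tmp is treated as volatile by name: it is emptied at reboot even when
    # it lives on a disk filesystem.
    for cand in "$dir" "$real"; do
        case "$cand/" in
            /tmp/*) echo "volatile"; return 0 ;;
        esac
    done
    # Otherwise, memory-backed filesystems lose their contents at shutdown.
    case "$(fs_type_of "$real")" in
        tmpfs|ramfs) echo "volatile" ;;
        *)           echo "persistent" ;;
    esac
}
```

Call it with the name printed by `wbinfo -K`, for example `ccache_volatility FILE:/tmp/krb5cc_21046`.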




