[Samba] winbind offline logon
Dale
samba at txschroeder.family
Wed Jan 20 17:33:14 UTC 2021
Louis,
Could you provide a hint? I found the following on MIT's website =>
"The default credential cache name is determined by the following, in
descending order of priority:
1. The *KRB5CCNAME* environment variable. For example,
KRB5CCNAME=DIR:/mydir/.
2. The *default_ccache_name* profile variable in /[libdefaults]/
<https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html#libdefaults>.
3. The hardcoded default, /DEFCCNAME/
<https://web.mit.edu/kerberos/krb5-1.12/doc/mitK5defaults.html#paths>."
#2 is not working for me and I have no idea where to look for #1, if it
even exists. For #2, I used
default_ccache_name = File:/path/to/cache_dir/krb5cc_%{uid} as shown by MIT.
My only guess for #1: /etc/environment and /etc/environment.d have
nothing related to Kerberos in them.
I also tried enabling in pam_winbind.conf the krb5_auth and
krb5_ccache_type variables. That also did not work.
Thanks,
Dale
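As an added illustration (not code from the thread, MIT or Samba), this POSIX shell helper resolves the default credential cache name in the order the MIT text above lists (KRB5CCNAME, then default_ccache_name in [libdefaults], then a hardcoded default) and flags a cache that lives under /tmp, which is what is wiped on reboot in the original report. The sample krb5.conf, the uid 21046 and the hardcoded fallback value are constructed assumptions.

```shell
#!/bin/sh
# Write a constructed krb5.conf (assumed sample, not a real system file) and print its path.
write_sample_conf() {
    f=$(mktemp "${TMPDIR:-/tmp}/krb5.conf.XXXXXX")
    cat > "$f" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    default_ccache_name = FILE:/var/lib/krb5cc/krb5cc_%{uid}

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
    }
EOF
    printf '%s\n' "$f"
}

# resolve_ccache <krb5.conf> <uid> <KRB5CCNAME value or empty>
# Mirrors the MIT priority order: environment variable, profile variable, hardcoded default.
resolve_ccache() {
    conf="$1"; uid="$2"; env_cc="$3"
    if [ -n "$env_cc" ]; then
        cc="$env_cc"
    else
        # Only honour default_ccache_name inside the [libdefaults] section.
        cc=$(awk '
            /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
            insec && /^[ \t]*default_ccache_name[ \t]*=/ {
                sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit }
        ' "$conf")
        # Assumed build-time default (DEFCCNAME); the real value depends on how krb5 was built.
        [ -n "$cc" ] || cc="FILE:/tmp/krb5cc_%{uid}"
    fi
    # Expand the uid parameters MIT documents; other %{...} tokens are left untouched.
    printf '%s\n' "$cc" | sed "s/%{uid}/$uid/g; s/%{USERID}/$uid/g"
}

# Return 0 if the cache is not under a directory commonly cleared on reboot (/tmp, /var/tmp).
ccache_survives_reboot() {
    case "$1" in
        FILE:/tmp/*|FILE:/var/tmp/*|DIR:/tmp/*|DIR:/var/tmp/*|/tmp/*|/var/tmp/*) return 1 ;;
        *) return 0 ;;
    esac
}

conf=$(write_sample_conf)
for env_cc in "" "DIR:/mydir/"; do
    cc=$(resolve_ccache "$conf" 21046 "$env_cc")
    if ccache_survives_reboot "$cc"; then status=ok; else status="WARNING: cleared on reboot"; fi
    printf 'KRB5CCNAME=%s -> %s (%s)\n' "${env_cc:-<unset>}" "$cc" "$status"
done
rm -f "$conf"
```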
On 1/20/21 3:57 AM, L.P.H. van Belle via samba wrote:
> Try changing the location of the kerberos cached files..
>
> This: FILE:/tmp/krb5cc_21046
>
> /tmp is emptied after a reboot, so yeah, logically you can't log in..
>
> And beware, some also have /var/tmp linked to /tmp.
> So, create a custom folder and point it to that.
> login, reboot retry.
>
> ;-)
> Good luck..
>
>
> Greetz,
>
> Louis
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Piviul via samba
>> Sent: Wednesday 20 January 2021 9:21
>> To: samba at lists.samba.org
>> Subject: [Samba] winbind offline logon
>>
>> Reading this[¹] samba wiki and applying it, offline authentication seems
>> to work, but in the real world it doesn't work at all... let me explain. If
>> I put winbind offline using smbcontrol, offline authentication works
>> flawlessly:
>>
>>> $ wbinfo -K <domain>\\<username>
>>> Enter <domain>\<username>'s password:
>>> plaintext kerberos password authentication for [<domain>\<username>]
>>> succeeded (requesting cctype: FILE)
>>> credentials were put in: FILE:/tmp/krb5cc_21046
>>> $ sudo smbcontrol winbind offline
>>> $ wbinfo -K <domain>\\<username>
>>> Enter <domain>\<username>'s password:
>>> plaintext kerberos password authentication for [<domain>\<username>]
>>> succeeded (requesting cctype: FILE)
>>> user_flgs: NETLOGON_CACHED_ACCOUNT
>>> credentials were put in: FILE:/tmp/krb5cc_21046
>> But offline authentication should work when the PC can't connect to the
>> AD. So I have disconnected the PC from the LAN and all seems to work:
>>
>>> $ wbinfo -K <domain>\\<username>
>>> Enter <domain>\<username>'s password:
>>> plaintext kerberos password authentication for [<domain>\<username>]
>>> succeeded (requesting cctype: FILE)
>>> user_flgs: NETLOGON_CACHED_ACCOUNT
>>> credentials were put in: FILE:/tmp/krb5cc_21046
>>
>> But if I restart the PC without the LAN cable:
>>
>>> $ wbinfo -K <domain>\\<username>
>>> Enter <domain>\<username>'s password:
>>> plaintext kerberos password authentication for [<domain>\<username>]
>>> failed (requesting cctype: FILE)
>>> wbcLogonUser(DOMINIOCSA\psala): error code was NT_STATUS_NO_SUCH_USER
>>> (0xc0000064)
>>> error message was: The specified account does not exist.
>>> Could not authenticate user [<domain>\<username>] with Kerberos
>>> (ccache: FILE)
>>> $ getent passwd <domain>\\<username>
>>> <domain>\\<username>:*:21046:10513:User
>>> Name:/home/domain/username:/bin/bash
>> So the account seems to exist (getent passwd seems to work correctly),
>> but cached login doesn't...
>>
>> Can someone help me troubleshoot this problem?
>>
>> Piviul
>>
>> [¹] https://wiki.samba.org/index.php/PAM_Offline_Authentication
>>