[Samba] winbind offline logon

Alexey A Nikitin nikitin at amazon.com
Wed Jan 20 18:44:07 UTC 2021

On Wednesday, 20 January 2021 01:57:24 PST L.P.H. van Belle via samba wrote:
> /tmp is emptied after a reboot, so yeah, logical you can't login..
Unless the system is configured to mount tmpfs in /tmp, that's not always the case. Debian and Debian-based distros certainly like to clean /tmp on boot, but there are plenty of other distros (I believe most Fedora/RHEL-based) that preserve /tmp contents on reboot.

On Wednesday, 20 January 2021 01:57:24 PST L.P.H. van Belle via samba wrote:
> And beware, some also have /var/tmp linked to /tmp.
> So, create a custom folder point it to that.

While I have to agree that's something to watch out for, the practice is frankly not the best, since the intended use case between the two is rather different.

On Wednesday, 20 January 2021 09:33:14 PST Dale via samba wrote:
> Could you provide a hint?  I found the following on MIT's website =>
> "The default credential cache name is determined by the following, in
> descending order of priority:
>  1. The *KRB5CCNAME* environment variable. For example,
>     KRB5CCNAME=DIR:/mydir/.
>  2. The *default_ccache_name* profile variable in /[libdefaults]/
>     <https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html#libdefaults>.
>  3. The hardcoded default, /DEFCCNAME/
>     <https://web.mit.edu/kerberos/krb5-1.12/doc/mitK5defaults.html#paths>."
> #2 is not working for me and I have no idea where to look for #1, if it
> even exists.   For #2, I used
> default_ccache_name = File:/path/to/cache_dir/krb5cc_%{uid} as shown by MIT.
> My only guess for #1, /etc/environment and /etc/environment.d, have
> nothing related to Kerberos in them.
> I also tried enabling in pam_winbind.conf the krb5_auth and
> krb5_ccache_type variables.  That also did not work.
There are three configuration locations you need to check:
* krb5_ccache_type in pam_winbind.conf (on fedora-based distros should be in /etc/security/pam_winbind.conf)
* default_ccache_name in /etc/krb5.conf
* krb5_ccache_type parameters in /etc/pam.d/* (distros like CentOS 7 and AL2 are guilty of overriding pam_winbind.conf in PAM stacks)

AFAIK krb5_ccache_type is what drives KRB5CCNAME when pam_winbind is used for authentication. default_ccache_name in krb5.conf should match krb5_ccache_type, but if it doesn't, you shouldn't run into any major issues.