[Samba] winbind offline logon

Jon Gerdes gerdesj at blueloop.net
Thu Jan 21 13:28:09 UTC 2021


Dale

I have just been down this rabbit hole.  Winbind sets KRB5CCNAME when you use pam_winbind.  If you set e.g.

krb5_ccache_type = FILE:/var/lib/krb5cc/krb5cc_%u

in pam_winbind.conf then it should work.  For me it doesn't 8( . The code is in source3/winbindd/winbindd_pam.c and it
looks correct.  I can see the %u thing mentioned in the code that looks for FILE:/ at the start of krb5_ccache_type.  My
systemd journal reports: 

login[5550]: pam_winbind(login:auth): CONFIG file: krb5_ccache_type 'FILE:/var/lib/krb5cc/krb5cc_%u'

If I set this in /etc/krb5.conf:

[libdefaults]
    default_ccache_name = FILE:/var/lib/krb5cc/krb5cc_%{uid}

then kinit creates the cache correctly.  Winbind ignores that I think and does its own thing instead and sets KRB5CCNAME
to override krb5.conf.

Cheers
Jon
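Added example, not code from Jon's, Dale's, Louis's or Piviul's mails and not Samba's own code: a small POSIX shell helper that pulls the ccache spec out of wbinfo -K output, expands the uid placeholder in either syntax (pam_winbind's %u, MIT's %{uid}), and flags caches that land in a directory emptied at boot, which is the failure Louis points at below. It assumes %u is substituted with the numeric uid as Jon describes from winbindd_pam.c, that /tmp, /var/tmp, /run and /dev/shm do not persist across a reboot, and the wbinfo output it parses is a constructed sample modelled on Piviul's.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba. Works out where a
# Kerberos credential cache will land and whether that location survives a
# reboot (the /tmp-emptied-at-boot case Louis describes).

# Expand the uid placeholder of either syntax for a given numeric uid.
# Assumption: pam_winbind substitutes %u (Jon's reading of winbindd_pam.c)
# and MIT krb5 substitutes %{uid} in default_ccache_name.
expand_ccache_spec() {
    spec=$1
    uid=$2
    printf '%s\n' "$spec" | sed -e "s/%{uid}/$uid/g" -e "s/%u/$uid/g"
}

# Strip the cache type prefix; only file- and directory-backed caches have a path.
ccache_path() {
    case "$1" in
        FILE:*)   printf '%s\n' "${1#FILE:}" ;;
        WRFILE:*) printf '%s\n' "${1#WRFILE:}" ;;
        DIR:*)    printf '%s\n' "${1#DIR:}" ;;
        *)        return 1 ;;   # KEYRING:, KCM:, MEMORY: have no filesystem path
    esac
}

# Exit 0 when the cache sits on a location that persists across reboot.
# Assumption: the listed directories are tmpfs or cleaned by tmpfiles at boot;
# caches without a filesystem path are treated as not surviving a reboot here.
ccache_survives_reboot() {
    path=$(ccache_path "$1") || return 1
    case "$path" in
        /tmp/*|/var/tmp/*|/run/*|/dev/shm/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Live check for a real host: filesystem type of the cache directory
# (needs util-linux findmnt; not exercised by the sample run below).
ccache_dir_fstype() {
    path=$(ccache_path "$1") || return 1
    findmnt -n -o FSTYPE -T "$(dirname "$path")"
}

# Pull the spec out of "wbinfo -K" output read from stdin.
ccache_from_wbinfo() {
    sed -n 's/^credentials were put in: //p' | head -n 1
}

# Constructed sample modelled on Piviul's wbinfo -K output (not real capture).
SAMPLE_WBINFO_OUTPUT='plaintext kerberos password authentication for [DOM\user] succeeded (requesting cctype: FILE)
user_flgs: NETLOGON_CACHED_ACCOUNT
credentials were put in: FILE:/tmp/krb5cc_21046'

# Print one line per spec: the expanded path and whether it outlives a reboot.
report_ccache() {
    spec=$(expand_ccache_spec "$1" "$2")
    if ccache_survives_reboot "$spec"; then
        printf '%-40s -> %s (persists across reboot)\n' "$1" "$spec"
    else
        printf '%-40s -> %s (not persistent, gone after reboot)\n' "$1" "$spec"
    fi
}

report_ccache "$(printf '%s\n' "$SAMPLE_WBINFO_OUTPUT" | ccache_from_wbinfo)" 21046
report_ccache 'FILE:/tmp/krb5cc_%u' 21046
report_ccache 'FILE:/var/lib/krb5cc/krb5cc_%u' 21046
report_ccache 'FILE:/var/lib/krb5cc/krb5cc_%{uid}' 21046
```

On a real box, pipe the live output through the parser instead of the sample (wbinfo -K 'DOM\user' 2>&1 | ccache_from_wbinfo) and run ccache_dir_fstype on the result to confirm the directory is not tmpfs; the directory you point krb5_ccache_type at must also exist and be writable by the user, which the script does not create.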



On Wed, 2021-01-20 at 11:33 -0600, Dale via samba wrote:
> Louis,
> 
> Could you provide a hint?  I found the following on MIT's website =>
> 
> "The default credential cache name is determined by the following, in 
> descending order of priority:
> 
>  1. The *KRB5CCNAME* environment variable. For example,
>     KRB5CCNAME=DIR:/mydir/.
>  2. The *default_ccache_name* profile variable in /[libdefaults]/
>     <https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html#libdefaults>.
>  3. The hardcoded default, /DEFCCNAME/
>     <https://web.mit.edu/kerberos/krb5-1.12/doc/mitK5defaults.html#paths>."
> 
> #2 is not working for me and I have no idea where to look for #1, if it 
> even exists.   For #2, I used
> 
> default_ccache_name = File:/path/to/cache_dir/krb5cc_%{uid} as shown by MIT.
> 
> My only guess for #1, /etc/environment and /etc/environment.d have 
> nothing related to kerberos in them.
> 
> I also tried enabling in pam_winbind.conf the krb5_auth and 
> krb5_ccache_type variables.  That also did not work.
> 
> Thanks,
> 
> Dale
> 
> 
> On 1/20/21 3:57 AM, L.P.H. van Belle via samba wrote:
> > Try changing the location of the kerberos cached files..
> > 
> > This: FILE:/tmp/krb5cc_21046
> > 
> > /tmp is emptied after a reboot, so yeah, logically you can't login..
> > 
> > And beware, some also have /var/tmp linked to /tmp.
> > So, create a custom folder point it to that.
> > login, reboot retry.
> > 
> > ;-)
> > Good luck..
> > 
> > 
> > Greetz,
> > 
> > Louis
> > 
> > 
> > > -----Original message-----
> > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Piviul via samba
> > > Sent: Wednesday 20 January 2021 9:21
> > > To: samba at lists.samba.org
> > > Subject: [Samba] winbind offline logon
> > > 
> > > Reading this[¹] samba wiki and applying it, offline authentication seems
> > > to work but in the real world doesn't work at all... let me explain. If
> > > I put winbind offline using smbcontrol, offline authentication works
> > > flawlessly:
> > > 
> > > > $ wbinfo -K <domain>\\<username>
> > > > Enter <domain>\<username>'s password:
> > > > plaintext kerberos password authentication for [<domain>\<username>]
> > > > succeeded (requesting cctype: FILE)
> > > > credentials were put in: FILE:/tmp/krb5cc_21046
> > > > $ sudo smbcontrol winbind offline
> > > > $ wbinfo -K <domain>\\<username>
> > > > Enter <domain>\<username>'s password:
> > > > plaintext kerberos password authentication for [<domain>\<username>]
> > > > succeeded (requesting cctype: FILE)
> > > > user_flgs: NETLOGON_CACHED_ACCOUNT
> > > > credentials were put in: FILE:/tmp/krb5cc_21046
> > > But offline authentication should work when the PC can't connect to the
> > > AD. So I have disconnected the PC from the LAN and all seems to work:
> > > 
> > > > $ wbinfo -K <domain>\\<username>
> > > > Enter <domain>\<username>'s password:
> > > > plaintext kerberos password authentication for [<domain>\<username>]
> > > > succeeded (requesting cctype: FILE)
> > > > user_flgs: NETLOGON_CACHED_ACCOUNT
> > > > credentials were put in: FILE:/tmp/krb5cc_21046
> > > 
> > > But if I restart the PC without the LAN cable:
> > > 
> > > > $ wbinfo -K <domain>\\<username>
> > > > Enter <domain>\<username>'s password:
> > > > plaintext kerberos password authentication for [<domain>\<username>]
> > > > failed (requesting cctype: FILE)
> > > > wbcLogonUser(DOMINIOCSA\psala): error code was NT_STATUS_NO_SUCH_USER
> > > > (0xc0000064)
> > > > error message was: The specified account does not exist.
> > > > Could not authenticate user [<domain>\<username>] with Kerberos
> > > > (ccache: FILE)
> > > > $ getent passwd <domain>\\<username>
> > > > <domain>\\<username>:*:21046:10513:User
> > > > Name:/home/domain/username:/bin/bash
> > > So the account seems to exist (getent passwd seems to work correctly)
> > > but cached login doesn't...
> > > 
> > > Can someone help me troubleshoot this problem?
> > > 
> > > Piviul
> > > 
> > > [¹] https://wiki.samba.org/index.php/PAM_Offline_Authentication
> > > 
> > > 
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions:  https://lists.samba.org/mailman/options/samba
> > 
> > 
> 