[Samba] winbind offline logon
Rowland Penny
rpenny at samba.org
Thu Jan 21 15:05:30 UTC 2021
On 21/01/2021 13:28, Jon Gerdes via samba wrote:
> Dale
>
> I have just been down this rabbit hole. Winbind sets KRB5CCNAME when you use pam_winbind. If you set eg
>
> krb5_ccache_type = FILE:/var/lib/krb5cc/krb5cc_%u
>
> in pam_winbind.conf then it should work. For me it doesn't 8( . The code is in source3/winbindd/winbindd_pam.c and it
> looks correct. I can see the %u thing mentioned in the code that looks for FILE:/ at the start of krb5_ccache_type. My
> systemd journal reports:
>
> login[5550]: pam_winbind(login:auth): CONFIG file: krb5_ccache_type 'FILE:/var/lib/krb5cc/krb5cc_%u'
>
> If I set this in /etc/krb5.conf:
>
> [libdefaults]
> default_ccache_name = FILE:/var/lib/krb5cc/krb5cc_%{uid}
>
> then kinit creates the cache correctly. Winbind ignores that I think and does its own thing instead and sets KRB5CCNAME
> to override krb5.conf.
>
OK, can you try this (tested on Debian Buster with Samba 4.12.9):
As root, create a directory
mkdir /temp
Alter /etc/krb5.conf to match this:
[libdefaults]
default_realm = SAMDOM.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
[appdefaults]
ccache = krb5cc_%u
ccache_dir = FILE:/temp
Replace 'SAMDOM.EXAMPLE.COM' with your realm.
Alter /etc/pam.d/common-auth
Change:
auth [success=3 default=ignore] pam_krb5.so minimum_uid=10000
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
To:
auth [success=3 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE:/temp/krb5cc_%u cached_login try_first_pass
auth [success=2 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
Now log out and log in as a domain user; you should now find a Kerberos
ticket in /temp.
Log out again and disconnect from network, then log in again as the user.
Rowland
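An added check for the procedure above (example code written for this page, not part of the thread and not Samba's own code): after logging in as a domain user, it expands the krb5_ccache_type template from the pam_winbind line to the concrete cache path and then verifies that the cache is present, is owned by that user and is mode 0600, and that the directory holding it (the /temp created as root above) is not world-writable unless it carries the sticky bit like /tmp. The function names are mine; it assumes GNU coreutils (stat -c, id) and that winbind substitutes a single %u with the numeric UID, the substitution the thread is discussing.

```shell
#!/bin/sh
# Example check for a pam_winbind FILE: credential cache (not from the thread).
# Assumes GNU stat/id and that %u in krb5_ccache_type becomes the numeric UID.

# expand_ccache_template TEMPLATE UID: print the filesystem path of the cache
# that pam_winbind would use for this UID, e.g. FILE:/temp/krb5cc_%u -> /temp/krb5cc_10001
expand_ccache_template() {
    tmpl=$1
    uid=$2
    case "$tmpl" in
        FILE:/*|WRFILE:/*|DIR:/*) ;;
        *) echo "template must start with FILE:/, WRFILE:/ or DIR:/ : $tmpl" >&2; return 1 ;;
    esac
    path=${tmpl#*:}
    case "$path" in
        *%u*) ;;
        *) echo "template has no %u placeholder: $tmpl" >&2; return 1 ;;
    esac
    # winbind substitutes %u only once; a second % sign is rejected here too
    case "${path#*%u}" in
        *%*) echo "only one %u substitution is allowed: $tmpl" >&2; return 1 ;;
    esac
    printf '%s\n' "$path" | sed "s/%u/$uid/"
}

# check_ccache_file PATH UID: 0 if PATH is a regular file owned by UID with mode 0600,
# i.e. the TGT is readable only by the user it was issued to
check_ccache_file() {
    ccfile=$1
    want_uid=$2
    [ -f "$ccfile" ] || { echo "missing cache file: $ccfile" >&2; return 1; }
    set -- $(stat -c '%u %a' "$ccfile")
    [ "$1" = "$want_uid" ] || { echo "owner is uid $1, expected $want_uid: $ccfile" >&2; return 1; }
    [ "$2" = "600" ] || { echo "mode is $2, expected 600: $ccfile" >&2; return 1; }
    return 0
}

# check_ccache_dir DIR: 0 unless DIR is writable by others without the sticky bit,
# which would let another local user pre-create or replace krb5cc_<uid> files
check_ccache_dir() {
    ccdir=$1
    [ -d "$ccdir" ] || { echo "missing cache directory: $ccdir" >&2; return 1; }
    mode=$(stat -c '%a' "$ccdir")
    other=${mode#"${mode%?}"}        # last octal digit: permission bits for "others"
    case "$other" in
        2|3|6|7)                      # world-writable
            case "$mode" in
                1???|3???|5???|7???) return 0 ;;   # sticky bit set, as on /tmp
                *) echo "world-writable without sticky bit: $ccdir ($mode)" >&2; return 1 ;;
            esac ;;
        *) return 0 ;;
    esac
}

# verify_winbind_ccache TEMPLATE USER: run all checks for a logged-in domain user
# and list the cache so the TGT obtained by pam_winbind can be seen
verify_winbind_ccache() {
    uid=$(id -u "$2") || return 1
    ccpath=$(expand_ccache_template "$1" "$uid") || return 1
    check_ccache_dir "$(dirname "$ccpath")" || return 1
    check_ccache_file "$ccpath" "$uid" || return 1
    KRB5CCNAME="FILE:$ccpath" klist
}

# Usage on the box from the thread, after logging in as a domain user:
#   . ./ccache_check.sh
#   verify_winbind_ccache 'FILE:/temp/krb5cc_%u' "$USER"
```

If the file check fails on ownership while the directory check passes, the cache was written but for the wrong identity; if the directory check fails, tighten it (mkdir -m 755 /temp as root, or 1777 only if users must write there themselves) before relying on per-user caches in a shared directory.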