[Samba] winbind offline logon

Piviul piviul at riminilug.it
Thu Jan 21 15:34:06 UTC 2021


On 21/01/21 16:05, Rowland penny via samba wrote:
> OK, can you try this (tested on Debian Buster with Samba 4.12.9):
>
> As root, create a directory
>
> mkdir /temp
>
> Alter /etc/krb5.conf to match this:
>
> [libdefaults]
>         default_realm = SAMDOM.EXAMPLE.COM
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>
> [appdefaults]
>         ccache = krb5cc_%u
>         ccache_dir = FILE:/temp
>
> Replace 'SAMDOM.EXAMPLE.COM' with your realm.
>
> Alter /etc/pam.d/common-auth
>
> Change:
>
> auth    [success=3 default=ignore]      pam_krb5.so minimum_uid=10000
> auth    [success=2 default=ignore]      pam_unix.so nullok_secure try_first_pass
> auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
>
> To:
>
> auth    [success=3 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE:/temp/krb5cc_%u cached_login try_first_pass
> auth    [success=2 default=ignore]      pam_krb5.so minimum_uid=1000
> auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass
>
> Now log out and log in as a domain user, you should now find a 
> kerberos ticket in temp.
>
> Log out again and disconnect from network, then log in again as the user.

Yes, I can confirm that works even on Debian with Samba 4.13.3... but
have you tried to reboot the machine? On my Debian, if I reboot, the
cache file disappears from /temp and cached login doesn't work :(

Piviul
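
The setup quoted above keeps every domain user's ticket cache as /temp/krb5cc_<uid> in a directory created by root. As an added example (not part of either poster's message), this shell function checks that such a directory and its cache files have safe ownership and permissions; the function name and finding labels are illustrative, and GNU stat (as on Debian) is assumed.

```shell
#!/bin/sh
# Added example: audit a shared Kerberos ccache directory laid out as
# DIR/krb5cc_<uid>, the layout configured in the quoted message.
# Assumes GNU stat. Function name and finding labels are illustrative.
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_ccache_dir() {
    dir=$1
    bad=0
    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir is not a directory"
        return 1
    fi
    # A group/other-writable directory without the sticky bit lets other
    # local users delete or replace someone else's cache file.
    dmode=$(stat -c '%a' "$dir")
    if [ $(( 0$dmode & 022 )) -ne 0 ] && [ $(( 0$dmode & 01000 )) -eq 0 ]; then
        echo "DIR: $dir is writable by group/other without sticky bit (mode $dmode)"
        bad=1
    fi
    for f in "$dir"/krb5cc_*; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # glob matched nothing
        name=${f##*/krb5cc_}
        if [ -L "$f" ]; then
            echo "SYMLINK: $f"; bad=1; continue
        fi
        case $name in
            ''|*[!0-9]*) echo "NAME: $f does not end in a numeric uid"; bad=1; continue ;;
        esac
        owner=$(stat -c '%u' "$f")
        fmode=$(stat -c '%a' "$f")
        # The cache must belong to the uid encoded in its file name.
        if [ "$owner" != "$name" ]; then
            echo "OWNER: $f is owned by uid $owner, expected $name"; bad=1
        fi
        # Ticket caches hold usable credentials: owner-only access.
        if [ $(( 0$fmode & 077 )) -ne 0 ]; then
            echo "MODE: $f is accessible to group/other (mode $fmode)"; bad=1
        fi
    done
    return $bad
}

# Run against a directory when one is given, e.g.: sh audit.sh /temp
if [ "$#" -gt 0 ]; then
    audit_ccache_dir "$1"
fi
```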



