[Samba] winbind offline logon

bd730c5053df9efb bd730c5053df9efb at proton.me
Thu Dec 28 18:18:22 UTC 2023


Hi all!

As a die-hard Slackware user, and as part of my process of learning PAM, I installed Debian bookworm (12.4.0) in a VM and set up a domain member server per the instructions in the wiki, trying to figure out how Debian does it so I can correct some issues I have with how it's done in Slackware.

Everything seems to be working fine except for the winbind offline logons. What I tried was to start a session with my user, SAMDOM\dave, and then log out to make sure my password is cached. After that I disconnected the VM's NIC from the network and tried to log back in, and I got an error stating that "password authentication didn't work".

Here's the content of smb.conf:
[global]
        kerberos method = secrets and keytab
        realm = SAMDOM.EXAMPLE.COM
        security = ADS
        server role = member server
        username map = /etc/samba/user.map
        winbind refresh tickets = Yes
        workgroup = SAMDOM
        idmap config * : range = 3000-7999
        idmap config * : backend = tdb
        idmap config samdom:unix_primary_group = Yes
        idmap config samdom:unix_nss_info = Yes
        idmap config samdom:range = 10000-999999
        idmap config smadom:schema_mode = rfc2307
        idmap config samdom:backend=ad
        map acl inherit = Yes
        store dos attributes = Yes
        vfs objects = acl_xattr
        min domain uid = 0
        winbind offline logon = Yes
        winbind request timeout = 10

/etc/security/pam_winbind.conf
[global]
        cached_login = Yes
        #krb5_auth = Yes          # <= Commented since it's part of /etc/pam.d/common-auth
        #krb5_ccache_type = FILE  # <= Commented since it's part of /etc/pam.d/common-auth

/etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth    [success=2 default=ignore]      pam_unix.so nullok
auth    [success=1 default=ignore]      pam_winbind.so cached_login krb5_auth krb5_ccache_type=FILE cached_login try_first_pass   # <= added cached_login, just in case
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

And this is the only relevant piece of information I find in the system logs:
Dec 28 14:53:17 debian gdm-password][3563]: pam_unix(gdm-password:auth): check pass; user unknown
Dec 28 14:53:17 debian gdm-password][3563]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost=
Dec 28 14:53:17 debian gdm-password][3563]: pam_winbind(gdm-password:auth): getting password (0x00000388)
Dec 28 14:53:17 debian gdm-password][3563]: pam_winbind(gdm-password:auth): pam_get_item returned a password
Dec 28 14:53:40 debian nmbd[679]: [2023/12/28 14:53:40.843955,  0] ../../source3/libsmb/nmblib.c:923(send_udp)
Dec 28 14:53:40 debian nmbd[679]:   Packet send failed to 192.168.123.255(137) ERRNO=Network is unreachable
Dec 28 14:53:40 debian nmbd[679]: [2023/12/28 14:53:40.844109,  0] ../../source3/nmbd/nmbd_packets.c:180(send_netbios_packet)
Dec 28 14:53:40 debian nmbd[679]:   send_netbios_packet: send_packet() to IP 192.168.123.255 port 137 failed
Dec 28 14:53:40 debian nmbd[679]: [2023/12/28 14:53:40.844121,  0] ../../source3/nmbd/nmbd_namequery.c:245(query_name)
Dec 28 14:53:40 debian nmbd[679]:   query_name: Failed to send packet trying to query name SAMDOM<1d>
Dec 28 14:53:47 debian gdm-password][3594]: accountsservice: ActUserManager: user (null) has no username (uid: -1)
Dec 28 14:53:50 debian nmbd[679]: [2023/12/28 14:53:50.854572,  0] ../../source3/nmbd/nmbd.c:359(reload_interfaces)
Dec 28 14:53:50 debian nmbd[679]:   reload_interfaces: No subnets to listen to. Waiting..

Thanks in advance!
Best regards,
Dave.

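A pre-flight check for the two files quoted in the message above, as an added example that is not part of the original post and is not Samba project code. It confirms that `winbind offline logon` (smb.conf) and `cached_login` (pam_winbind.conf) are both enabled, and lists any `idmap config` domain name that matches neither `*` nor the `workgroup` value; the function names and the trimmed sample input are assumptions made for illustration.

```python
import re

# Constructed sample: a trimmed copy of the smb.conf quoted in the message.
SAMPLE_SMB_CONF = """\
[global]
        workgroup = SAMDOM
        idmap config * : range = 3000-7999
        idmap config samdom:range = 10000-999999
        idmap config smadom:schema_mode = rfc2307
        idmap config samdom:backend=ad
        winbind offline logon = Yes
"""
SAMPLE_PAM_WINBIND_CONF = "[global]\n        cached_login = Yes\n"

IDMAP_RE = re.compile(r"^idmap config\s+(\S+?)\s*:\s*(.+)$")

def parse_params(text):
    """Return {parameter: value}; names lowercased, inner whitespace collapsed."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[" ".join(name.lower().split())] = value.strip()
    return params

def is_yes(value):
    return (value or "").strip().lower() in ("yes", "true", "1")

def check_offline_logon(smb_conf, pam_winbind_conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    smb, pam = parse_params(smb_conf), parse_params(pam_winbind_conf)
    findings = []
    if not is_yes(smb.get("winbind offline logon")):
        findings.append("smb.conf: 'winbind offline logon' is not enabled")
    if not is_yes(pam.get("cached_login")):
        findings.append("pam_winbind.conf: 'cached_login' is not enabled")
    workgroup = smb.get("workgroup", "").lower()
    for name in smb:
        m = IDMAP_RE.match(name)
        # Other names can be legitimate (trusted domains): review, not proof.
        if m and m.group(1) not in ("*", workgroup):
            findings.append(f"smb.conf: idmap domain '{m.group(1)}' does not "
                            f"match workgroup '{workgroup}' (option: {m.group(2)})")
    return findings

if __name__ == "__main__":
    print("\n".join(check_offline_logon(SAMPLE_SMB_CONF, SAMPLE_PAM_WINBIND_CONF)))
```

On a live system, pass in the contents of /etc/samba/smb.conf and /etc/security/pam_winbind.conf; options given only as module arguments in /etc/pam.d/common-auth are not seen by this check.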


