[Samba] winbind offline logon
bd730c5053df9efb
bd730c5053df9efb at proton.me
Thu Dec 28 18:18:22 UTC 2023
Hi all!
As a die-hard Slackware user, and as part of my process of learning PAM, I installed Debian Bookworm (12.4.0) in a VM and set up a domain member server per the instructions in the wiki, trying to figure out how Debian does it so I can correct some issues I have with how it's done in Slackware.
Everything seems to be working fine except for the winbind offline logons. What I tried was to start a session with my user, SAMDOM\dave, and then log out to make sure my password is cached. After that I disconnected the VM's NIC from the network and tried to log back in, and I got an error stating that "password authentication didn't work".
Here's the content of smb.conf:
[global]
kerberos method = secrets and keytab
realm = SAMDOM.EXAMPLE.COM
security = ADS
server role = member server
username map = /etc/samba/user.map
winbind refresh tickets = Yes
workgroup = SAMDOM
idmap config * : range = 3000-7999
idmap config * : backend = tdb
idmap config samdom:unix_primary_group = Yes
idmap config samdom:unix_nss_info = Yes
idmap config samdom:range = 10000-999999
idmap config smadom:schema_mode = rfc2307
idmap config samdom:backend=ad
map acl inherit = Yes
store dos attributes = Yes
vfs objects = acl_xattr
min domain uid = 0
winbind offline logon = Yes
winbind request timeout = 10
/etc/security/pam_winbind.conf
[global]
cached_login = Yes
#krb5_auth = Yes # <= Commented since it's part of /etc/pam.d/common-auth
#krb5_ccache_type = FILE # <= Commented since it's part of /etc/pam.d/common-auth
/etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok
auth [success=1 default=ignore] pam_winbind.so cached_login krb5_auth krb5_ccache_type=FILE cached_login try_first_pass # <= added cached_login, just in case
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
And this is the only relevant piece of information I find in the system logs:
Dec 28 14:53:17 debian gdm-password][3563]: pam_unix(gdm-password:auth): check pass; user unknown
Dec 28 14:53:17 debian gdm-password][3563]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost=
Dec 28 14:53:17 debian gdm-password][3563]: pam_winbind(gdm-password:auth): getting password (0x00000388)
Dec 28 14:53:17 debian gdm-password][3563]: pam_winbind(gdm-password:auth): pam_get_item returned a password
Dec 28 14:53:40 debian nmbd[679]: [2023/12/28 14:53:40.843955, 0] ../../source3/libsmb/nmblib.c:923(send_udp)
Dec 28 14:53:40 debian nmbd[679]: Packet send failed to 192.168.123.255(137) ERRNO=Network is unreachable
Dec 28 14:53:40 debian nmbd[679]: [2023/12/28 14:53:40.844109, 0] ../../source3/nmbd/nmbd_packets.c:180(send_netbios_packet)
Dec 28 14:53:40 debian nmbd[679]: send_netbios_packet: send_packet() to IP 192.168.123.255 port 137 failed
Dec 28 14:53:40 debian nmbd[679]: [2023/12/28 14:53:40.844121, 0] ../../source3/nmbd/nmbd_namequery.c:245(query_name)
Dec 28 14:53:40 debian nmbd[679]: query_name: Failed to send packet trying to query name SAMDOM<1d>
Dec 28 14:53:47 debian gdm-password][3594]: accountsservice: ActUserManager: user (null) has no username (uid: -1)
Dec 28 14:53:50 debian nmbd[679]: [2023/12/28 14:53:50.854572, 0] ../../source3/nmbd/nmbd.c:359(reload_interfaces)
Dec 28 14:53:50 debian nmbd[679]: reload_interfaces: No subnets to listen to. Waiting..
Thanks in advance!
Best regards,
Dave.
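A small configuration lint, added here as an example and not part of the post or of Samba itself, that reads smb.conf-style text and /etc/security/pam_winbind.conf text and reports the settings an offline (cached) logon depends on: `winbind offline logon` in smb.conf, `cached_login` in pam_winbind.conf, and any `idmap config DOMAIN : ...` block that has no `backend`/`range` of its own, which is what an incomplete block or a misspelled domain name looks like. The sample text is constructed from the posted configuration (it includes the `idmap config smadom:schema_mode` line, whose domain name differs from the `samdom` used everywhere else); the function and constant names are my own.

```python
"""Lint Samba member-server settings relevant to winbind offline logon.

Added example (not Samba's own code): parse smb.conf-style text, then
report the settings a cached logon needs and idmap domain blocks that are
incomplete. The sample text below is constructed from the posted config.
"""

import re


def parse_samba_conf(text):
    """Parse smb.conf-style text into {section: {normalized_key: value}}.

    Samba treats parameter names case- and whitespace-insensitively, so keys
    are lower-cased with internal whitespace removed ("winbind offline logon"
    becomes "winbindofflinelogon"). '#' and ';' start comments.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" not in line or current is None:
            continue
        key, value = line.split("=", 1)
        key = re.sub(r"\s+", "", key.lower())
        sections[current][key] = value.strip()
    return sections


def is_yes(value):
    """Samba-style boolean: yes/true/1 (case-insensitive) count as enabled."""
    return value is not None and value.strip().lower() in ("yes", "true", "1")


def idmap_domains(global_section):
    """Group 'idmap config DOMAIN : option' keys by domain name."""
    domains = {}
    for key, value in global_section.items():
        m = re.match(r"^idmapconfig([^:]+):(.+)$", key)
        if m:
            domains.setdefault(m.group(1), {})[m.group(2)] = value
    return domains


def check_offline_logon(smb_conf_text, pam_winbind_text):
    """Return a list of findings (strings); an empty list means nothing flagged."""
    findings = []
    smb = parse_samba_conf(smb_conf_text)
    g = smb.get("global", {})
    if not is_yes(g.get("winbindofflinelogon")):
        findings.append("smb.conf: 'winbind offline logon' is not enabled")
    pam = parse_samba_conf(pam_winbind_text).get("global", {})
    if not is_yes(pam.get("cached_login")):
        findings.append("pam_winbind.conf: 'cached_login' is not enabled")
    # Every idmap domain that is configured at all needs a backend and a range;
    # a domain that has neither is usually a typo for another domain's name.
    for name, opts in sorted(idmap_domains(g).items()):
        missing = [o for o in ("backend", "range") if o not in opts]
        if missing:
            findings.append(
                f"smb.conf: idmap domain '{name}' lacks {', '.join(missing)}"
                " (incomplete block or misspelled domain name?)")
    return findings


# Constructed sample input, taken from the posted configuration.
SAMPLE_SMB_CONF = """\
[global]
   realm = SAMDOM.EXAMPLE.COM
   security = ADS
   workgroup = SAMDOM
   idmap config * : range = 3000-7999
   idmap config * : backend = tdb
   idmap config samdom:range = 10000-999999
   idmap config smadom:schema_mode = rfc2307
   idmap config samdom:backend=ad
   winbind offline logon = Yes
"""

SAMPLE_PAM_WINBIND_CONF = """\
[global]
cached_login = Yes
#krb5_auth = Yes
"""

if __name__ == "__main__":
    for finding in check_offline_logon(SAMPLE_SMB_CONF, SAMPLE_PAM_WINBIND_CONF):
        print(finding)
```

Run against the sample text it flags only the `smadom` block; run against the real files (`testparm -s` output is a convenient, already-normalized source for smb.conf) it gives a quick first pass before digging into winbind logs.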