[Samba] winbind offline logon

Rowland Penny rpenny at samba.org
Thu Dec 28 18:59:41 UTC 2023


On Thu, 28 Dec 2023 18:18:22 +0000
bd730c5053df9efb via samba <samba at lists.samba.org> wrote:

> Hi all!
> 
> As a die-hard Slackware user, and as a part of my PAM learning process,
> I installed Debian bookworm (12.4.0) in a VM and set up a domain
> member server per the instructions in the wiki, trying to figure out
> how Debian does it so I can correct some issues I have with how it's
> done in Slackware.
> 
> Everything seems to be working fine except for the winbind offline
> logons. What I tried was to start a session with my user, SAMDOM\dave,
> and then log out to make sure my password is cached. After that I
> disconnected the VM's NIC from the network and tried to log back in,
> and I got an error stating that "password authentication didn't work".
> 
> Here's the content of smb.conf
> [global]
>         kerberos method = secrets and keytab
>         realm = SAMDOM.EXAMPLE.COM
>         security = ADS
>         server role = member server
>         username map = /etc/samba/user.map
>         winbind refresh tickets = Yes
>         workgroup = SAMDOM
>         idmap config * : range = 3000-7999
>         idmap config * : backend = tdb
>         idmap config samdom:unix_primary_group = Yes
>         idmap config samdom:unix_nss_info = Yes
>         idmap config samdom:range = 10000-999999
>         idmap config smadom:schema_mode = rfc2307
>         idmap config samdom:backend=ad
>         map acl inherit = Yes
>         store dos attributes = Yes
>         vfs objects = acl_xattr
>         min domain uid = 0
>         winbind offline logon = Yes
>         winbind request timeout = 10
> 
> /etc/security/pam_winbind.conf
> [global]
>         cached_login = Yes
>         #krb5_auth = Yes          # <= Commented since it's part of /etc/pam.d/common-auth
>         #krb5_ccache_type = FILE  # <= Commented since it's part of /etc/pam.d/common-auth

You do not need /etc/security/pam_winbind.conf if the settings are in
/etc/pam.d/common-auth (which they are on Debian by default).

> 
> /etc/pam.d/common-auth
> #
> # /etc/pam.d/common-auth - authentication settings common to all services
> #
> # This file is included from other service-specific PAM config files,
> # and should contain a list of the authentication modules that define
> # the central authentication scheme for use on the system
> # (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
> # traditional Unix authentication mechanisms.
> #
> # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
> # To take advantage of this, it is recommended that you configure any
> # local modules either before or after the default block, and use
> # pam-auth-update to manage selection of other modules.  See
> # pam-auth-update(8) for details.
> 
> # here are the per-package modules (the "Primary" block)
> auth    [success=2 default=ignore]      pam_unix.so nullok
> auth    [success=1 default=ignore]      pam_winbind.so cached_login krb5_auth krb5_ccache_type=FILE cached_login try_first_pass   # <= added cached_login, just in case
> # here's the fallback if no module

Which one did you add? The one after 'pam_winbind.so' or the other one?

Try reading this:

https://wiki.samba.org/index.php/PAM_Offline_Authentication

Rowland
