[Samba] winbind offline logon
Rowland Penny
rpenny at samba.org
Thu Dec 28 18:59:41 UTC 2023
On Thu, 28 Dec 2023 18:18:22 +0000
bd730c5053df9efb via samba <samba at lists.samba.org> wrote:
> Hi all!
>
> As a die-hard Slackware user, and as part of my PAM learning process,
> I installed Debian bookworm (12.4.0) in a VM and set up a domain
> member server per the instructions in the wiki, trying to figure out
> how Debian does it so I can correct some issues I have with how it's
> done in Slackware.
>
> Everything seems to be working fine except for the winbind offline
> logons. What I tried was to start a session with my user, SAMDOM\dave,
> and then log out to make sure my password is cached. After that I
> disconnected the VM's NIC from the network and tried to log back in,
> and I got an error stating that "password authentication didn't work".
>
> Here's the content of smb.conf
> [global]
> kerberos method = secrets and keytab
> realm = SAMDOM.EXAMPLE.COM
> security = ADS
> server role = member server
> username map = /etc/samba/user.map
> winbind refresh tickets = Yes
> workgroup = SAMDOM
> idmap config * : range = 3000-7999
> idmap config * : backend = tdb
> idmap config samdom:unix_primary_group = Yes
> idmap config samdom:unix_nss_info = Yes
> idmap config samdom:range = 10000-999999
> idmap config smadom:schema_mode = rfc2307
> idmap config samdom:backend=ad
> map acl inherit = Yes
> store dos attributes = Yes
> vfs objects = acl_xattr
> min domain uid = 0
> winbind offline logon = Yes
> winbind request timeout = 10
>
> /etc/security/pam_winbind.conf
> [global]
> cached_login = Yes
> #krb5_auth = Yes # <= Commented since it's part of /etc/pam.d/common-auth
> #krb5_ccache_type = FILE # <= Commented since it's part of /etc/pam.d/common-auth
You do not need /etc/security/pam_winbind.conf if the settings are in
/etc/pam.d/common-auth (which they are on Debian by default).
>
> /etc/pam.d/common-auth
> #
> # /etc/pam.d/common-auth - authentication settings common to all services
> #
> # This file is included from other service-specific PAM config files,
> # and should contain a list of the authentication modules that define
> # the central authentication scheme for use on the system
> # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
> # traditional Unix authentication mechanisms.
> #
> # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
> # To take advantage of this, it is recommended that you configure any
> # local modules either before or after the default block, and use
> # pam-auth-update to manage selection of other modules. See
> # pam-auth-update(8) for details.
>
> # here are the per-package modules (the "Primary" block)
> auth [success=2 default=ignore] pam_unix.so nullok
> auth [success=1 default=ignore] pam_winbind.so cached_login krb5_auth krb5_ccache_type=FILE cached_login try_first_pass # <= added cached_login, just in case
> # here's the fallback if no module
Which one did you add? The one after 'pam_winbind.so' or the other one?
Try reading this:
https://wiki.samba.org/index.php/PAM_Offline_Authentication
Rowland
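
A consistency check over the two files quoted in this thread, added here as an example (it is not from either poster or from the Samba project). It reports whether smb.conf enables `winbind offline logon`, whether the pam_winbind.so line carries `cached_login`, any repeated module options, and `idmap config` domain names that are neither `*` nor the workgroup. The function names and the sample input are assumptions constructed for illustration.

```python
import re

# Constructed sample input mirroring the two files quoted in this thread.
SAMPLE_SMB = """[global]
workgroup = SAMDOM
idmap config * : backend = tdb
idmap config samdom:range = 10000-999999
idmap config smadom:schema_mode = rfc2307
idmap config samdom:backend=ad
winbind offline logon = Yes
"""
SAMPLE_PAM = ("auth [success=1 default=ignore] pam_winbind.so cached_login "
              "krb5_auth krb5_ccache_type=FILE cached_login try_first_pass\n")

def parse_global(smb_conf):
    """Return {parameter: value} for [global]; keys lower-cased, spaces collapsed."""
    params, section = {}, None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def check_offline_logon(smb_conf, pam_auth):
    """Hypothetical helper: list findings relevant to winbind offline logon."""
    findings, params = [], parse_global(smb_conf)
    if params.get("winbind offline logon", "no").lower() not in ("yes", "true", "on", "1"):
        findings.append("smb.conf: 'winbind offline logon' is not enabled")
    workgroup = params.get("workgroup", "").lower()
    for key in params:
        m = re.match(r"idmap config\s+(.+?)\s*:", key)
        # A different domain name can be valid (trusted domain), so only flag it.
        if m and m.group(1) not in ("*", workgroup):
            findings.append(f"smb.conf: review idmap domain '{m.group(1)}'")
    for line in pam_auth.splitlines():
        fields = line.split("#", 1)[0].split()
        if "pam_winbind.so" not in fields:
            continue
        opts = fields[fields.index("pam_winbind.so") + 1:]
        if "cached_login" not in opts:  # pam_winbind.conf is not consulted here
            findings.append("pam: no cached_login on the pam_winbind.so line")
        for dup in sorted({o for o in opts if opts.count(o) > 1}):
            findings.append(f"pam: option '{dup}' repeated on the pam_winbind.so line")
    return findings
```

Calling `check_offline_logon(SAMPLE_SMB, SAMPLE_PAM)` returns the list of findings; pass the real contents of /etc/samba/smb.conf and /etc/pam.d/common-auth to check a live member server.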