[Samba] PAM Offline Authentication in Ubuntu 22.04

Marco Gaiarin gaio at lilliput.linux.it
Fri Jul 7 12:45:58 UTC 2023 

Mandi! Rowland Penny via samba
  In chel di` si favelave...

> So put it into short terms, using the 'ad' idmap backend gives nothing 
> but problems when 'winbind offline logon' is used, but (for myself) 
> absolutely no problems if the 'rid' idmap backend is used.

I can confirm that. Switching to RID backand work as expected.


Only a little note: for some reason i can logon in console and SSH but not
in GDM;

 Jul  7 14:34:02 dane gdm-password]: pam_unix(gdm-password:session): session closed for user gaio
 Jul  7 14:34:02 dane gdm-password]: pam_winbind(gdm-password:setcred): user 'gaio' OK
 Jul  7 14:34:02 dane systemd-logind[1198]: Session 4 logged out. Waiting for processes to exit.
 Jul  7 14:34:02 dane systemd-logind[1198]: Removed session 4.
 Jul  7 14:34:28 dane login[2867]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty2 ruser= rhost=  user=root
 Jul  7 14:34:28 dane login[2867]: pam_winbind(login:auth): getting password (0x00000388)
 Jul  7 14:34:28 dane login[2867]: pam_winbind(login:auth): pam_get_item returned a password
 Jul  7 14:34:28 dane login[2867]: pam_winbind(login:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: The specified account does not exist.

 Jul  7 14:35:01 dane CRON[3567]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
 Jul  7 14:35:01 dane CRON[3567]: pam_unix(cron:session): session closed for user root
 Jul  7 14:35:06 dane sshd[3571]: pam_krb5(sshd:auth): authentication failure; logname=gaio uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1
 Jul  7 14:35:06 dane sshd[3571]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1  user=gaio
 Jul  7 14:35:06 dane sshd[3571]: pam_winbind(sshd:auth): getting password (0x00000388)
 Jul  7 14:35:06 dane sshd[3571]: pam_winbind(sshd:auth): pam_get_item returned a password
 Jul  7 14:35:06 dane sshd[3571]: pam_winbind(sshd:auth): user 'gaio' granted access
 Jul  7 14:35:07 dane sshd[3571]: Accepted password for gaio from 127.0.0.1 port 39200 ssh2
 Jul  7 14:35:07 dane sshd[3571]: pam_unix(sshd:session): session opened for user gaio(uid=11105) by (uid=0)
 Jul  7 14:35:07 dane systemd-logind[1198]: New session 8 of user gaio.
 Jul  7 14:35:07 dane systemd: pam_unix(systemd-user:session): session opened for user gaio(uid=11105) by (uid=0)
 Jul  7 14:35:09 dane sshd[3787]: Received disconnect from 127.0.0.1 port 39200:11: disconnected by user
 Jul  7 14:35:09 dane sshd[3787]: Disconnected from user gaio 127.0.0.1 port 39200
 Jul  7 14:35:09 dane sshd[3571]: pam_unix(sshd:session): session closed for user gaio
 Jul  7 14:35:09 dane sshd[3571]: pam_winbind(sshd:setcred): user 'gaio' OK
 Jul  7 14:35:09 dane systemd-logind[1198]: Session 8 logged out. Waiting for processes to exit.
 Jul  7 14:35:09 dane systemd-logind[1198]: Removed session 8.

but probably there's some glitches somewhere, Oh, ok, found. What a jerk.
UID/GID was still the rfc2307 ones. ;-)


But still this lead me to some question:

1) this is a BUG?

2) this is a regression? Older versions of Samba worked in the same
 laptop...


Someone can (try to) explain? Thanks.

-- 
  Siamo circondati da troppa gente piena di sé. E a quelli pieni di sé,
  io preferisco le persone piene di se, di ma, di forse. (Tonio Dell'Olio)

More information about the samba mailing list