[Samba] PAM Offline Authentication in Ubuntu 22.04...

Marco Gaiarin gaio at lilliput.linux.it
Tue Jun 13 13:07:31 UTC 2023

Hello! Rowland Penny via samba
  On that day you were saying...

> Please post the following:

> What desktop are you using (Gnome, KDE, MATE, XFCE, etc.).
> What is your login manager (lightdm, gdm3, sddm, etc.)

Standard Ubuntu install, so Gnome/GDM.

> confirm the distro and version.
> What version of Samba and where from.
> The contents of /etc/resolv.conf /etc/hostname /etc/hosts /etc/krb5.conf 
> /etc/samba/smb.conf /etc/nsswitch.conf

I've run Louis's script:

 root at dane:~# bash samba-collect-debug-info.sh 
 Please wait, collecting debug info.
 samba-collect-debug-info.sh: riga 180: systemd-resolve: comando non trovato
 The debug info about your system can be found in this file:
 Please check this and if required, sanitise it.
 Then copy & paste it into an  email to the samba list
 Do not attach it to the email, the Samba mailing list strips attachments.

That produced this:

Config collected --- 2023-06-13-14:59 -----------

Hostname:   dane
DNS Domain: 
FQDN:       dane


This computer is running Ubuntu 22.04.2 LTS x86_64


running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet scope host lo
    inet6 ::1/128 scope host 
2: enp0s31f6: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether b4:b6:86:37:26:7e brd ff:ff:ff:ff:ff:ff
3: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 90:61:ae:b2:70:37 brd ff:ff:ff:ff:ff:ff
    inet brd scope global dynamic noprefixroute wlp2s0
       valid_lft 422sec preferred_lft 422sec
    inet6 fe80::4c3b:6af8:609c:4e32/64 scope link noprefixroute 


Checking file: /etc/hosts	localhost	dane

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters


Checking file: /etc/resolv.conf

# This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
# Do not edit.
# This file might be symlinked as /etc/resolv.conf. If you're looking at
# /etc/resolv.conf and seeing this text, you have followed the symlink.
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
# Third party programs should typically not access this file directly, but only
# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
# different way, replace this symlink by a static file or a different symlink.
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

options edns0 trust-ad
search sv.lnf.it dyn.sv.lnf.it


systemd stub resolver detected, running command : systemd-resolve --status



WARNING: 'kinit Administrator' will fail, you need to fix this.
Unable to verify DNS kerberos._tcp SRV records


'kinit Administrator' password checked failed.
Wrong password or kerberos REALM problems.


Samba is running as a Unix domain member


Checking file: /etc/krb5.conf

	default_realm = AD.FVG.LNF.IT

# The following krb5.conf variables are only for MIT Kerberos.
	kdc_timesync = 1
	ccache_type = 4
	forwardable = true
	proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#	default_tgs_enctypes = des3-hmac-sha1
#	default_tkt_enctypes = des3-hmac-sha1
#	permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
	fcc-mit-ticketflags = true

		kdc = kerberos.mit.edu
		kdc = kerberos-1.mit.edu
		kdc = kerberos-2.mit.edu:88
		admin_server = kerberos.mit.edu
		default_domain = mit.edu
		kdc = casio.mit.edu
		kdc = seiko.mit.edu
		admin_server = casio.mit.edu
		admin_server = kerberos.csail.mit.edu
		default_domain = csail.mit.edu
		kdc = kerberos.ihtfp.org
		admin_server = kerberos.ihtfp.org
	1TS.ORG = {
		kdc = kerberos.1ts.org
		admin_server = kerberos.1ts.org
		admin_server = kerberos.andrew.cmu.edu
		default_domain = andrew.cmu.edu
        CS.CMU.EDU = {
                kdc = kerberos-1.srv.cs.cmu.edu
                kdc = kerberos-2.srv.cs.cmu.edu
                kdc = kerberos-3.srv.cs.cmu.edu
                admin_server = kerberos.cs.cmu.edu
		kdc = kerberos.dementix.org
		kdc = kerberos2.dementix.org
		admin_server = kerberos.dementix.org
	stanford.edu = {
		kdc = krb5auth1.stanford.edu
		kdc = krb5auth2.stanford.edu
		kdc = krb5auth3.stanford.edu
		master_kdc = krb5auth1.stanford.edu
		admin_server = krb5-admin.stanford.edu
		default_domain = stanford.edu
        UTORONTO.CA = {
                kdc = kerberos1.utoronto.ca
                kdc = kerberos2.utoronto.ca
                kdc = kerberos3.utoronto.ca
                admin_server = kerberos1.utoronto.ca
                default_domain = utoronto.ca

	.mit.edu = ATHENA.MIT.EDU
	mit.edu = ATHENA.MIT.EDU
	.media.mit.edu = MEDIA-LAB.MIT.EDU
	media.mit.edu = MEDIA-LAB.MIT.EDU
	.csail.mit.edu = CSAIL.MIT.EDU
	csail.mit.edu = CSAIL.MIT.EDU
	.whoi.edu = ATHENA.MIT.EDU
	whoi.edu = ATHENA.MIT.EDU
	.stanford.edu = stanford.edu
	.slac.stanford.edu = SLAC.STANFORD.EDU
        .toronto.edu = UTORONTO.CA
        .utoronto.ca = UTORONTO.CA


Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         files
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis


Checking file: /etc/samba/smb.conf

# smb.conf for LNF clients
#  (c) Marco Gaiarin (gaio at sv.lnf.it) under GNU GPL Licence 2.0 or newer

# This file is meant to be a collection of the standard parameters, trying to
# be a good starting point for building a file for the particular
# installation.
# Read the comments and the smb.conf manpage carefully.

# (Tue Sep 25 14:56:56 CEST 2018)
#  + first version, starting from the equivalent file for a Domain Member.

# Global parameters
	# Domain definitions.
	security = ADS
	workgroup = LNFFVG
	realm = AD.FVG.LNF.IT

	# Winbind/IDMap configuration.
	# Default idmap config for local BUILTIN accounts and groups
	idmap config * : backend = tdb
	idmap config * : range = 5000-9999
	# The domain
	idmap config LNFFVG : backend = ad
	idmap config LNFFVG : range = 10000-49999
	# Use of POSIX/rfc2307 data (Samba 4.6+)
	idmap config LNFFVG : schema_mode = rfc2307
	idmap config LNFFVG : unix_nss_info = yes
	idmap config LNFFVG : unix_primary_group = yes
	## Use of POSIX/rfc2307 data (Samba 4.5-)
	#winbind nss info = rfc2307
	# If 'winbind use default domain = yes' is used, make sure that usernames are not ''overlapping''
	# (i.e. users defined both in the domain *and* in /etc/passwd), otherwise groups/responsibilities end up ''confused''.
	winbind use default domain = yes
	# Optionally I may want to enable ''cached credentials''; besides enabling this option, their use must also be enabled
	# in winbind. See: https://wiki.samba.org/index.php/PAM_Offline_Authentication
	winbind offline logon = yes
	# Workaround Bug #14618
	lock directory = /var/cache/samba
	# Workaround delay...
	winbind request timeout = 5

	# Special users and permissions
	# Disable some accounts, and define the guest account (the default is already 'nobody').
	# All unknown users are mapped to guest.
	#invalid users =
	#guest account = nobody
	map to guest = Bad User
	# For a DM we keep an explicit local map for some users, by default only Administrator (onto root)
	username map = /etc/samba/user.map

	# Re-enable SMB1; I don't think it is strictly necessary here, but it is absolutely needed for mounting the homes, some
	# UNIX extensions are required...
	client min protocol = NT1

	# Printers... we are a client, disable everything.
	load printers = no
	printing = bsd
	printcap name = /dev/null
	disable spoolss = yes

	# Disable 'usershare', the default seems to be 100 on Debian. See:
	#  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900396
	usershare max shares = 0

	# LOG
	log level = 0 winbind:5
	syslog = 0
	log file = /var/log/samba/log.%m
	max log size = 5000
	panic action = /usr/share/samba/panic-action %d


Running as Unix domain member and user.map detected.

Contents of /etc/samba/user.map

!root = LNFFVG\Administrator LNFFVG\administrator Administrator administrator

Server Role is set to : auto


This Unix domain member is using 'winbind' in /etc/nsswitch.conf.


Time on the DC with PDC Emulator role is: 2023-06-13T14:59:30

Time on this computer is:                 2023-06-13T14:59:31

Time verified ok, within the allowed 300sec margin.
Time offset is currently : 0 seconds


Installed packages:
ii  acl                                        2.3.1-1                                     amd64        access control list - utilities
ii  attr                                       1:2.5.1-1build1                             amd64        utilities for manipulating filesystem extended attributes
ii  fonts-quicksand                            0.2016-2.1                                  all          sans-serif font with round attributes
ii  krb5-config                                2.6+nmu1ubuntu1                             all          Configuration files for Kerberos Version 5
ii  krb5-locales                               1.19.2-2ubuntu0.2                           all          internationalization support for MIT Kerberos
ii  libacl1:amd64                              2.3.1-1                                     amd64        access control list - shared library
ii  libattr1:amd64                             1:2.5.1-1build1                             amd64        extended attribute handling - shared library
ii  libgssapi-krb5-2:amd64                     1.19.2-2ubuntu0.2                           amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libgssapi-krb5-2:i386                      1.19.2-2ubuntu0.2                           i386         MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:amd64                            1.19.2-2ubuntu0.2                           amd64        MIT Kerberos runtime libraries
ii  libkrb5-3:i386                             1.19.2-2ubuntu0.2                           i386         MIT Kerberos runtime libraries
ii  libkrb5support0:amd64                      1.19.2-2ubuntu0.2                           amd64        MIT Kerberos runtime libraries - Support library
ii  libkrb5support0:i386                       1.19.2-2ubuntu0.2                           i386         MIT Kerberos runtime libraries - Support library
ii  libldb2:amd64                              2:2.7.2+samba4.18.3+dfsg-1                  amd64        LDAP-like embedded database - shared library
ii  libnss-winbind:amd64                       2:4.18.3+dfsg-1                             amd64        Samba nameservice integration plugins
ii  libpam-krb5:amd64                          4.11-1build1                                amd64        PAM module for MIT Kerberos
ii  libpam-winbind:amd64                       2:4.18.3+dfsg-1                             amd64        Windows domain authentication integration plugin
ii  libsmbclient:amd64                         2:4.18.3+dfsg-1                             amd64        shared library for communication with SMB/CIFS servers
ii  libwbclient0:amd64                         2:4.18.3+dfsg-1                             amd64        Samba winbind client library
ii  python3-ldb                                2:2.7.2+samba4.18.3+dfsg-1                  amd64        Python 3 bindings for LDB
ii  python3-nacl                               1.5.0-2                                     amd64        Python bindings to libsodium (Python 3)
ii  python3-samba                              2:4.18.3+dfsg-1                             amd64        Python 3 bindings for Samba
ii  samba                                      2:4.18.3+dfsg-1                             amd64        SMB/CIFS file, print, and login server for Unix
ii  samba-ad-provision                         2:4.18.3+dfsg-1                             all          Samba files needed for AD domain provision
ii  samba-common                               2:4.18.3+dfsg-1                             all          common files used by both the Samba server and client
ii  samba-common-bin                           2:4.18.3+dfsg-1                             amd64        Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64                   2:4.18.3+dfsg-1                             amd64        Samba Directory Services Database
ii  samba-libs:amd64                           2:4.18.3+dfsg-1                             amd64        Samba core libraries
ii  samba-vfs-modules:amd64                    2:4.18.3+dfsg-1                             amd64        Samba Virtual FileSystem plugins
ii  smbclient                                  2:4.18.3+dfsg-1                             amd64        command-line SMB/CIFS clients for Unix
ii  winbind                                    2:4.18.3+dfsg-1                             amd64        service to resolve user and group information from Windows NT servers


> Is selinux or apparmor involved ?

Ahem... apparmor is installed (as by default on Ubuntu, I suppose) but I've
not touched the configuration.


  We are surrounded by too many people full of themselves. And to those full
  of themselves, I prefer people full of ifs, buts and maybes. (Tonio Dell'Olio)
