[Samba] PAM Offline Authentication in Ubuntu 22.04
rpenny at samba.org
Mon Jun 19 12:49:38 UTC 2023
On 16/06/2023 17:07, Marco Gaiarin via samba wrote:
> Mandi! Rowland Penny via samba
> In chel di` si favelave...
> Sorry, it was a very busy week, I've had NO time to do some tests... some
> 'offline' considerations only...
> As I've just stated, the PC was previously installed with Ubuntu 16.04, and
> really I don't want to do 4 major OS upgrades, so I've simply reinstalled;
> configuration was pretty standard, but with 16.04 it worked.
>> So, I suggest Marco looks very closely at his DNS, I am sure he has a
>> problem there somewhere.
> I suppose the same thing. BUT I restate that the problem is not the 'logon
> delay' induced by some DNS misconfiguration, but I CANNOT LOGON AT ALL if
> the computer gets disconnected.
> Also supposing I set up my work DHCP server correctly, what happens if a user
> goes home/to a restaurant/hotel/... and cannot logon anymore because that DHCP
> server is also misconfigured? I cannot condemn users to damnation... or at
> least not all users. ;-)
> Michael, how can I debug systemd-resolved?
> PS: Rowland, Ubuntu 22.04 has systemd-resolved, but now it is called
Hi Marco, I feel a bit of a fool now, guess what I didn't do during my
testing? Yes, I forgot to reboot, so whilst I think my testing proved
the basic offline logon code worked, it didn't test what happens if you
turn off the computer, take it somewhere, restart it and it cannot
connect to a DC. So I started the tests again.
I started off with a VM running Debian Bookworm with Samba 4.17.8 as a
Unix domain member, this VM is connected to my network. I also have nmbd
masked and 'disable netbios = yes' in smb.conf.
When Samba starts at boot the /run/samba directory is created and
populated with numerous files.
I stopped winbind and smbd from starting at boot and restarted the
computer, Samba didn't start (as expected) and there was no /run/samba.
I started winbind and smbd, at this point the /run/samba directory was
created and populated and I could logon as a domain user. I logged out,
disconnected the network and logged on again as the same domain user. To
me this proves the basic winbind offline code works.
I now set winbind and smbd to start at boot, rebooted with the network
still disconnected, the domain user was not able to logon.
I added the parameter/value 'lock directory = /var/cache/samba' to the
smb.conf, reconnected the computer to the network and rebooted, the
domain user could now logon again.
I then disconnected the computer from the network again and rebooted.
This time, the domain user was able to logon.
As most of what was in /run/samba is now in /var/cache/samba and
survives a reboot, I therefore feel it is a safe assumption that
something in /run/samba is required for offline logon, 'gencache.tdb' ?
I still think that dns has a place in this somewhere, I have an
/etc/hosts file that looks like this:
127.0.1.1 testdm12.samdom.example.com testdm12
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
If I run the following commands when connected to the network, I get the
If I disconnect the network and reboot, I get the same answers, except
for 'hostname -I', which doesn't return anything, no dhcp server, no IP.
I suppose that if the client connected to a different dhcp server and
got a different IP, it will still work, still trying to think of a way
to test this.
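A way of checking the 'lock directory' observation above on other machines, as an added example (written for this page, not taken from Rowland's post and not part of Samba): a POSIX shell script that reads the effective 'lock directory' from the [global] section of an smb.conf and reports whether it points at a location that is wiped at boot. Assumptions, labelled in the code: the build default of /run/samba when the parameter is not set (the Debian/Ubuntu package default, matching the post), and that /run, /dev/shm and /tmp are tmpfs. The two smb.conf fragments in the script are constructed for the example; the testparm call at the end is only run where testparm is installed.

```sh
#!/bin/sh
# Added example: report where Samba's 'lock directory' points and whether
# that location survives a reboot. Not from the post and not Samba code.

# Assumption: the package default used when the parameter is absent.
DEFAULT_LOCK_DIR=/run/samba

# Print the effective 'lock directory' from the [global] section of the
# given smb.conf. Samba matches parameter names ignoring case and
# whitespace, so 'lock directory', 'lock dir' and 'lockdir' all count,
# and the last definition wins, as in Samba.
samba_lock_dir() {
    conf=$1
    val=$(awk -F= '
        /^[[:space:]]*[;#]/ { next }            # comment line
        /^[[:space:]]*\[/ {                     # section header
            s = tolower($0)
            gsub(/\[|\]/, "", s); gsub(/[[:space:]]/, "", s)
            in_global = (s == "global"); next
        }
        in_global && NF >= 2 {
            k = tolower($1); gsub(/[[:space:]]/, "", k)
            if (k == "lockdirectory" || k == "lockdir") {
                v = $2
                sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
                last = v
            }
        }
        END { if (last != "") print last }' "$conf")
    printf '%s\n' "${val:-$DEFAULT_LOCK_DIR}"
}

# Return 0 if the path is on storage that survives a reboot, 1 if it is
# under one of the conventional tmpfs mounts (assumption: /run, /dev/shm, /tmp).
is_persistent_path() {
    case $1 in
        /run|/run/*|/dev/shm|/dev/shm/*|/tmp|/tmp/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print a verdict for one directory; return 0 only if it is persistent.
report_lock_dir() {
    if is_persistent_path "$1"; then
        printf 'lock directory = %s (persistent)\n' "$1"
        return 0
    fi
    printf 'lock directory = %s (tmpfs, lost at reboot)\n' "$1"
    return 1
}

# Same verdict, starting from an smb.conf path.
check_lock_dir() {
    report_lock_dir "$(samba_lock_dir "$1")"
}

# Constructed sample configs (not from the post): the "before" one leaves
# the default in place, the "after" one sets the directory from the post.
tmp=$(mktemp -d)
cat > "$tmp/before.conf" <<'EOF'
[global]
   workgroup = SAMDOM
   security = ADS
   realm = SAMDOM.EXAMPLE.COM
   disable netbios = yes
   ; no lock directory set: the build default applies
EOF
cat > "$tmp/after.conf" <<'EOF'
[global]
   workgroup = SAMDOM
   security = ADS
   realm = SAMDOM.EXAMPLE.COM
   disable netbios = yes
   lock directory = /var/cache/samba
EOF
check_lock_dir "$tmp/before.conf" || true   # /run/samba (tmpfs, lost at reboot)
check_lock_dir "$tmp/after.conf"            # /var/cache/samba (persistent)
rm -rf "$tmp"

# On a real domain member, compare with what the running build reports
# (testparm prints the effective value, defaults included).
if command -v testparm >/dev/null 2>&1; then
    live=$(testparm -s --parameter-name 'lock directory' 2>/dev/null)
    if [ -n "$live" ]; then
        report_lock_dir "$live" || true
    fi
fi
```

Run it as-is to see both verdicts; pass your own file to check_lock_dir, or rely on the guarded testparm call, to check the machine in front of you. Note that the script only classifies by path prefix; if a site mounts tmpfs elsewhere, `stat -f -c %T /path` on the live system is the authoritative check.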