[Samba] PAM Offline Authentication in Ubuntu 22.04

Rowland Penny rpenny at samba.org
Mon Jun 19 12:49:38 UTC 2023

On 16/06/2023 17:07, Marco Gaiarin via samba wrote:
> Hello! Rowland Penny via samba
>    on that day, was saying...
> Sorry, it was a very busy week, I've had NO time to do some tests... some
> 'offline' considerations only...
> As I've just stated, the PC was previously installed with Ubuntu 16.04, and
> I really don't want to do 4 major OS upgrades, so I've simply reinstalled;
> the configuration was pretty standard, but with 16.04 it worked.
>> So, I suggest Marco looks very closely at his DNS, I am sure he has a
>> problem there somewhere.
> I suppose the same thing. BUT I restate that the problem is not the 'logon
> delay' induced by some DNS misconfiguration, but that I CANNOT LOGON AT ALL if
> the computer gets disconnected.
> Also, supposing I set up my work DHCP server correctly, what happens if a user
> goes home/to a restaurant/hotel/... and cannot logon anymore because that DHCP
> server is also misconfigured? I cannot condemn users to damnation... or at
> least not all users. ;-)
> Michael, how can I debug systemd-resolved?
> PS: Rowland, Ubuntu 22.04 has systemd-resolved, but now it is called
>      'resolvectl'...

Hi Marco, I feel a bit of a fool now, guess what I didn't do during my 
testing? Yes, I forgot to reboot, so whilst I think my testing proved 
the basic offline logon code worked, it didn't test what happens if you 
turn off the computer, take it somewhere, restart it and it cannot 
connect to a DC. So I started the tests again.

I started off with a VM running Debian Bookworm with Samba 4.17.8 as a 
Unix domain member, this VM is connected to my network. I also have nmbd 
masked and 'disable netbios = yes' in smb.conf .

When Samba starts at boot, the /run/samba directory is created and 
populated with numerous files.
I stopped winbind and smbd from starting at boot and restarted the 
computer; Samba didn't start (as expected) and there was no /run/samba.

I started winbind and smbd, at this point the /run/samba directory was 
created and populated and I could logon as a domain user. I logged out, 
disconnected the network and logged on again as the same domain user. To 
me this proves the basic winbind offline code works.

I now set winbind and smbd to start at boot, rebooted with the network 
still disconnected, the domain user was not able to logon.

I added the parameter/value 'lock directory = /var/cache/samba' to the 
smb.conf, reconnected the computer to the network and rebooted; the 
domain user could now logon again.
I then disconnected the computer from the network again and rebooted. 
This time, the domain user was able to logon.

As most of what was in /run/samba is now in /var/cache/samba and 
survives a reboot, I therefore feel it is a safe assumption that 
something in /run/samba is required for offline logon, 'gencache.tdb'?

I still think that dns has a place in this somewhere, I have an 
/etc/hosts file that looks like this:

	localhost
	testdm12.samdom.example.com testdm12

# The following lines are desirable for IPv6 capable hosts
::1		localhost ip6-localhost ip6-loopback
ff02::1		ip6-allnodes
ff02::2		ip6-allrouters

If I run the following commands when connected to the network, I get the 
expected output:

hostname -s

hostname -d

hostname -f

hostname -i

hostname -I

If I disconnect the network and reboot, I get the same answers, except 
for 'hostname -I', which doesn't return anything: no dhcp server, no IP. 
I suppose that if the client connected to a different dhcp server and 
got a different IP, it will still work; I am still trying to think of a way 
to test this.
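The lock-directory finding above can be turned into a check that runs on any Unix domain member before it leaves the network. The script below is an added example, not code from the post or from the Samba project: it resolves the effective 'lock directory' from smb.conf and reports whether that directory lives on a memory-backed filesystem (tmpfs or ramfs), which is emptied at every boot and so would take the tdb files winbind keeps there (the post suspects gencache.tdb) with it. Assumptions, all labelled in the code: the compiled-in default lock directory is /run/samba (true for the Debian packages; pass another default as the second argument otherwise), the parameter is set in [global], and GNU stat is available for the filesystem-type query. The function names (effective_lock_dir, fs_type_of, is_volatile_fs, lock_dir_persists) are mine.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or the Samba project):
# will a domain member's winbind lock directory survive a reboot?
#
# Assumptions: compiled-in default lock directory is /run/samba (Debian
# packages); 'lock directory' is set in [global]; GNU 'stat -f' is present.

# Resolve the effective lock directory from an smb.conf file.
# Samba normalises parameter names (case-insensitive, internal whitespace
# ignored) and accepts 'lock dir' as a synonym for 'lock directory'; the
# last occurrence wins. Only the key is lowercased, the path keeps its case.
effective_lock_dir() {
    conf=$1
    default=${2:-/run/samba}   # assumed compiled-in default
    val=$(awk -F= '
        NF >= 2 {
            key = tolower($1); gsub(/[[:space:]]/, "", key)
            if (key == "lockdirectory" || key == "lockdir") {
                v = substr($0, index($0, "=") + 1)
                sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
                last = v
            }
        }
        END { print last }' "$conf")
    printf '%s\n' "${val:-$default}"
}

# Filesystem type of a path, walking up to the nearest existing ancestor:
# the lock directory itself may not exist yet (/run/samba is only created
# when Samba starts), but its parent tells us what it will be created on.
fs_type_of() {
    p=$1
    while [ ! -e "$p" ] && [ "$p" != / ]; do p=$(dirname "$p"); done
    stat -f -c %T "$p"
}

# Memory-backed filesystems are emptied at boot; anything else persists.
is_volatile_fs() {
    case $1 in
        tmpfs|ramfs) return 0 ;;
        *)           return 1 ;;
    esac
}

# Verdict for one smb.conf: exit 0 if the lock directory (and whatever
# winbind caches there) will still be present after a reboot, 1 if not.
lock_dir_persists() {
    dir=$(effective_lock_dir "$1" "$2")
    fst=$(fs_type_of "$dir")
    if is_volatile_fs "$fst"; then
        echo "lock directory $dir is on $fst: contents are lost at reboot" >&2
        return 1
    fi
    echo "lock directory $dir is on $fst: persists across reboots"
    return 0
}

# Stand-alone use: ./check_lockdir.sh /etc/samba/smb.conf [compiled-in default]
if [ $# -gt 0 ]; then
    lock_dir_persists "$1" "$2"
fi
```

On a real member the authoritative answer for the effective value is `testparm -s --parameter-name='lock directory'`, which also knows the compiled-in default of the installed build; the awk parser here exists so the check runs without Samba installed and makes the default an explicit, overridable assumption. A verdict of "lost at reboot" is exactly the failing configuration in the tests above (default /run/samba on a tmpfs /run); pointing 'lock directory' at /var/cache/samba, as the post did, moves it onto persistent storage.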
