[Samba] PAM Offline Authentication in Ubuntu 22.04...

Marco Gaiarin gaio at lilliput.linux.it
Mon May 22 09:14:00 UTC 2023


Hi! Rowland Penny via samba
  On that day it was said...

> I would undo that, it appears to be wrong.

OK, I've undone it too.


> I have tested this on a Ubuntu 22.04 computer and it works, so I have 
> updated the wiki page:
> https://wiki.samba.org/index.php/PAM_Offline_Authentication

Apparently it works as expected:

 root@dane:~# wbinfo -K gaio
 Enter gaio's password: 
 plaintext kerberos password authentication for [gaio] succeeded (requesting cctype: FILE)
 credentials were put in: FILE:/tmp/krb5cc_0
 root@dane:~# smbcontrol winbind offline
 root@dane:~# wbinfo -K gaio
 Enter gaio's password: 
 plaintext kerberos password authentication for [gaio] succeeded (requesting cctype: FILE)
 user_flgs: NETLOGON_CACHED_ACCOUNT
 credentials were put in: FILE:/tmp/krb5cc_0
 root@dane:~# ssh gaio@localhost
 gaio@localhost's password: 
 Warning: Your password will expire in 36 days on Tue Jun 27 18:19:27 2023
 Warning: Your password will expire in 36 days on Tue Jun 27 18:19:27 2023
 Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.19.0-41-generic x86_64)
 
  * Documentation:  https://help.ubuntu.com
  * Management:     https://landscape.canonical.com
  * Support:        https://ubuntu.com/advantage
 
 La manutenzione della sicurezza estesa per Applications non è abilitata.
 
 0 aggiornamenti possono essere applicati immediatamente.
 
 Abilita ESM Apps per ricevere ulteriori aggiornamenti di sicurezza futuri.
 Vedi https://ubuntu.com/esm o esegui: sudo pro status
 
 
 1 updates could not be installed automatically. For more details,
 see /var/log/unattended-upgrades/unattended-upgrades.log
 Last login: Fri May 19 12:33:09 2023 from 10.5.1.44
 gaio@dane:~$ 


I've also tried shutting off the wireless (and clearly not connecting the
ethernet cable ;) and I can confirm that I get the same response:

 plaintext kerberos password authentication for [gaio] succeeded (requesting cctype: FILE)
 user_flgs: NETLOGON_CACHED_ACCOUNT

BUT a simple:

	getent passwd gaio

took 60 seconds to run, and returned nothing. So login does not work, because
obviously user 'gaio' does not exist.


The strange thing is that the same portable was on Ubuntu 16.04, with the
same configuration, and worked as expected.

It seems to me that winbind simply loses the ability to do NSS caching... I've
googled a bit, and Samba in Xenial was 4.3.11+dfsg-0ubuntu0.16.04.34.


Is it worth a try to update Samba to the later versions? Were there updates
in this field?

-- 
  In love you need luck, but a nice backside doesn't hurt either.
							(Fabio Fazio)
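
Added example (not part of the original message and not Samba project code): a small check that separates the two layers seen above, cached authentication in saved `wbinfo -K` output and the NSS lookup that `getent passwd` performs, with a bounded wait instead of a 60 second hang. The function names and the `GETENT` and `NSS_LIMIT` variables are assumptions of this sketch; run it after `smbcontrol winbind offline`.

```sh
#!/bin/sh
# Added example: check both layers an offline winbind login depends on.
# GETENT and NSS_LIMIT are hypothetical knobs of this script, not Samba settings.

# auth_from_cache FILE: success if saved `wbinfo -K` output shows a successful
# authentication that was answered from cached credentials.
auth_from_cache() {
    grep -q 'authentication for \[.*\] succeeded' "$1" &&
        grep -q 'user_flgs:.*NETLOGON_CACHED_ACCOUNT' "$1"
}

# nss_resolves USER: success if the passwd lookup returns an entry within
# NSS_LIMIT seconds (default 10) instead of hanging and returning nothing.
nss_resolves() {
    entry=$(timeout "${NSS_LIMIT:-10}" ${GETENT:-getent} passwd "$1" 2>/dev/null) || return 1
    [ -n "$entry" ]
}

# diagnose USER FILE: print one verdict; return 0 only if both layers work,
# 1 if only NSS fails, 2 if no cached authentication was seen.
diagnose() {
    user=$1
    wbinfo_out=$2
    if ! auth_from_cache "$wbinfo_out"; then
        echo "auth: no cached-credential success found for $user"
        return 2
    fi
    if ! nss_resolves "$user"; then
        echo "auth cached, but NSS cannot resolve $user: login will fail"
        return 1
    fi
    echo "auth cached and NSS resolves $user: offline login should work"
}

# Usage: sh check.sh USER SAVED_WBINFO_OUTPUT
if [ "$#" -eq 2 ]; then
    diagnose "$1" "$2"
fi
```

A return value of 1 corresponds to the situation reported above: the password check succeeds from the cache while the user cannot be resolved.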
