[Samba] PAM Offline Authentication in Ubuntu 22.04...

Rowland Penny rpenny at samba.org
Mon May 22 10:12:29 UTC 2023



On 22/05/2023 10:14, Marco Gaiarin via samba wrote:
> Hello! Rowland Penny via samba
>    On that day it was said...
> 
>> I would undo that, it appears to be wrong.
> 
> OK, I've also undone it.
> 
> 
>> I have tested this on a Ubuntu 22.04 computer and it works, so I have
>> updated the wiki page:
>> https://wiki.samba.org/index.php/PAM_Offline_Authentication
> 
> Apparently works as expected:
> 
>   root@dane:~# wbinfo -K gaio
>   Enter gaio's password:
>   plaintext kerberos password authentication for [gaio] succeeded (requesting cctype: FILE)
>   credentials were put in: FILE:/tmp/krb5cc_0
>   root@dane:~# smbcontrol winbind offline
>   root@dane:~# wbinfo -K gaio
>   Enter gaio's password:
>   plaintext kerberos password authentication for [gaio] succeeded (requesting cctype: FILE)
>   user_flgs: NETLOGON_CACHED_ACCOUNT
>   credentials were put in: FILE:/tmp/krb5cc_0
>   root@dane:~# ssh gaio@localhost
>   gaio@localhost's password:
>   Warning: Your password will expire in 36 days on Tue Jun 27 18:19:27 2023
>   Warning: Your password will expire in 36 days on Tue Jun 27 18:19:27 2023
>   Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.19.0-41-generic x86_64)
>   
>    * Documentation:  https://help.ubuntu.com
>    * Management:     https://landscape.canonical.com
>    * Support:        https://ubuntu.com/advantage
>   
>   La manutenzione della sicurezza estesa per Applications non è abilitata.
>   
>   0 aggiornamenti possono essere applicati immediatamente.
>   
>   Abilita ESM Apps per ricevere ulteriori aggiornamenti di sicurezza futuri.
>   Vedi https://ubuntu.com/esm o esegui: sudo pro status
>   
>   
>   1 updates could not be installed automatically. For more details,
>   see /var/log/unattended-upgrades/unattended-upgrades.log
>   Last login: Fri May 19 12:33:09 2023 from 10.5.1.44
>   gaio@dane:~$
> 
> 
> I've also tried shutting off the wireless (and clearly not connecting the ethernet
> cable ;) and I can confirm that I get the same response:
> 
>   plaintext kerberos password authentication for [gaio] succeeded (requesting cctype: FILE)
>   user_flgs: NETLOGON_CACHED_ACCOUNT
> 
> BUT a simple:
> 
> 	getent passwd gaio

I have Ubuntu 22.04 with Samba 4.15.13 running in a VM and it just works 
for myself.

If I disconnect the network and try to ping a DC, I get:

ping: rpidc1: Temporary failure in name resolution

So the DC cannot be found

But, if I run 'getent passwd rowland' I instantly get this:

rowland:*:11104:10513:Rowland Penny:/home/rowland:/bin/bash

I can log out from 'rowland' and then log in again, though I do appear 
to get a message from lightdm, but it goes past that fast that I 
cannot read it.

> 
> took 60 seconds to run, and returned nothing. So login does not work, because
> obviously user 'gaio' does not exist.

Had the user 'gaio' logged in previously? It will not work if the user 
hasn't logged in at least once before the network was disconnected.

> 
> 
> The strange thing is that the same portable was on Ubuntu 16.04, with the
> same configuration, and worked as expected.
> 
> Seems to me that winbind simply loses the ability to do NSS cache... I've
> googled a bit, and Samba in Xenial was 4.3.11+dfsg-0ubuntu0.16.04.34.
> 
> 
> Is it worth a try to update samba to the later versions? Were there updates
> in this field?
> 

It is always worth upgrading Samba if possible and easy, but as I say, 
it works for myself.

Rowland
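
Added example (not part of the original message and not Samba's own code): a small shell helper that interprets the two checks run in this thread, the `wbinfo -K` output and a time-limited `getent passwd` lookup, and combines them into one verdict. The function names, the 5-second default limit and the reading of a missing `user_flgs` line as an online authentication are assumptions.

```shell
#!/bin/sh
# Added example: interpret the two checks run in this thread.
# Usage on a real host:  wbinfo -K USER | classify_wbinfo_auth ; nss_status USER 5

# Classify `wbinfo -K` output read from stdin: cached | online | failed.
# Assumption: success without a NETLOGON_CACHED_ACCOUNT flag means a DC answered.
classify_wbinfo_auth() {
    out=$(cat)
    if ! printf '%s\n' "$out" | grep -q 'password authentication for \[.*\] succeeded'; then
        echo failed
    elif printf '%s\n' "$out" | grep -q 'user_flgs:.*NETLOGON_CACHED_ACCOUNT'; then
        echo cached
    else
        echo online
    fi
}

# Resolve USER through NSS with a time limit: resolved | timeout | missing.
nss_status() {
    rc=0
    timeout "${2:-5}" getent passwd "$1" >/dev/null 2>&1 || rc=$?
    case $rc in
        0)   echo resolved ;;
        124) echo timeout ;;   # exit status of timeout(1) when the limit is hit
        *)   echo missing ;;
    esac
}

# Combine both results: a login needs cached auth AND a working NSS lookup.
offline_verdict() {
    case "$1/$2" in
        cached/resolved) echo "ready" ;;
        cached/*)        echo "not ready: auth is cached but NSS lookup is $2" ;;
        online/*)        echo "inconclusive: winbind was not offline" ;;
        *)               echo "not ready: authentication failed" ;;
    esac
}

# Sample input: wbinfo -K output copied from the session quoted in this thread.
sample_online() { cat <<'EOF'
plaintext kerberos password authentication for [gaio] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0
EOF
}
sample_cached() { cat <<'EOF'
plaintext kerberos password authentication for [gaio] succeeded (requesting cctype: FILE)
user_flgs: NETLOGON_CACHED_ACCOUNT
credentials were put in: FILE:/tmp/krb5cc_0
EOF
}
```

A cached authentication combined with a `getent` lookup that times out gives the "not ready" verdict, which is the situation reported in the quoted text.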


