[Samba] PAM Offline Authentication in Ubuntu 22.04...

Joachim Lindenberg samba at lindenberg.one
Thu May 25 17:24:44 UTC 2023


Quick question related to the topic...
Does offline work with Windows credentials only or even with Kerberos authentication in ssh?
Thanks,
Joachim

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Monday, 22 May 2023 12:12
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] PAM Offline Authentication in Ubuntu 22.04...



On 22/05/2023 10:14, Marco Gaiarin via samba wrote:
> Mandi! Rowland Penny via samba
>    In chel di` si favelave...
> 
>> I would undo that, it appears to be wrong.
> 
> OK, I've undone it too.
> 
> 
>> I have tested this on a Ubuntu 22.04 computer and it works, so I have 
>> updated the wiki page:
>> https://wiki.samba.org/index.php/PAM_Offline_Authentication
> 
> Apparently works as expected:
> 
>   root at dane:~# wbinfo -K gaio
>   Enter gaio's password:
>   plaintext kerberos password authentication for [gaio] succeeded (requesting cctype: FILE)
>   credentials were put in: FILE:/tmp/krb5cc_0
>   root at dane:~# smbcontrol winbind offline
>   root at dane:~# wbinfo -K gaio
>   Enter gaio's password:
>   plaintext kerberos password authentication for [gaio] succeeded (requesting cctype: FILE)
>   user_flgs: NETLOGON_CACHED_ACCOUNT
>   credentials were put in: FILE:/tmp/krb5cc_0
>   root at dane:~# ssh gaio at localhost
>   gaio at localhost's password:
>   Warning: Your password will expire in 36 days on Tue Jun 27 18:19:27 2023
>   Warning: Your password will expire in 36 days on Tue Jun 27 18:19:27 2023
>   Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.19.0-41-generic x86_64)
>   
>    * Documentation:  https://help.ubuntu.com
>    * Management:     https://landscape.canonical.com
>    * Support:        https://ubuntu.com/advantage
>   
>   La manutenzione della sicurezza estesa per Applications non è abilitata.
>   
>   0 aggiornamenti possono essere applicati immediatamente.
>   
>   Abilita ESM Apps per ricevere ulteriori aggiornamenti di sicurezza futuri.
>   Vedi https://ubuntu.com/esm o esegui: sudo pro status
>   
>   
>   1 updates could not be installed automatically. For more details,
>   see /var/log/unattended-upgrades/unattended-upgrades.log
>   Last login: Fri May 19 12:33:09 2023 from 10.5.1.44
>   gaio at dane:~$
> 
> 
> I've also tried to shut off the wireless (and clearly not connect the 
> ethernet cable ;) and I can confirm that I have the same response:
> 
>   plaintext kerberos password authentication for [gaio] succeeded (requesting cctype: FILE)
>   user_flgs: NETLOGON_CACHED_ACCOUNT
> 
> BUT a simple:
> 
> 	getent passwd gaio

I have Ubuntu 22.04 with Samba 4.15.13 running in a VM and it just works for myself.

If I disconnect the network and try to ping a DC, I get:

ping: rpidc1: Temporary failure in name resolution

So the DC cannot be found.

But, if I run 'getent passwd rowland' I instantly get this:

rowland:*:11104:10513:Rowland Penny:/home/rowland:/bin/bash

I can log out from 'rowland' and then log in again, though I do appear to get a message from lightdm, but it goes past so fast that I cannot read it.

> 
> took 60 seconds to run, and returned nothing. So login does not work, 
> because obviously user 'gaio' does not exist.

Had the user 'gaio' logged in previously? It will not work if the user hasn't logged in at least once before the network has disconnected.

> 
> 
> The strange thing is that the same portable was on Ubuntu 16.04, 
> with the same configuration, and worked as expected.
> 
> Seems to me that winbind simply loses the ability to do NSS cache... 
> I've googled a bit, and Samba in Xenial was 4.3.11+dfsg-0ubuntu0.16.04.34.
> 
> 
> Is it worth a try to update samba to a later version? Were there 
> updates in this field?
> 

It is always worth upgrading Samba if possible and easy, but as I say, it works for myself.

Rowland
