[Samba] Working through the PAM Offline Authentication Wiki page, but...
John R. Graham
john at graham-family.org
Mon Nov 25 15:14:39 UTC 2024
On 11/25/24 09:57, John R. Graham via samba wrote:
> On 11/19/24 12:56, Rowland Penny via samba wrote:
>> At a guess, your PAM stack is incorrect, it doesn't seem to be using
>> winbind, I would expect to see lines like this:
>>
>> 2024-11-19T17:48:38.678440+00:00 devstation sshd[9437]:
>> pam_winbind(sshd:auth): getting password (0x00000388)
>>
>> Rowland
>
> Yes, that was it. Thank you! That was a deeper rabbit hole than I had
> anticipated, requiring learning YASMCL (Yet Another State Machine
> Configuration Language). I have a PAM configuration working except for
> a few corner cases and a few puzzling things. The first of the latter
> is that bringing the winbind daemon offline with
>
> smbcontrol winbind offline
>
> doesn't appear to do anything. Commands like
>
> wbinfo --ping-dc
>
> still show the DC as reachable. I ended up doing my testing with an
> unplugged network cable but encountered some rather long network
> timeouts as a result, by which I conclude that an explicit offline
> state is beneficial.
>
> - John
>
I guess I should've added that, when offline,
wbinfo -K YOURDOM\\youruser%password
does show a cached account being used.
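
The diagnostic Rowland describes (look for `pam_winbind(sshd:auth)` tags in the auth log), as an added example that is not part of the original messages or of Samba. It lists services whose auth phase logged PAM activity but never pam_winbind; the function names are hypothetical and every sample line except the first is constructed.

```python
import re
from collections import defaultdict

# Matches the "module(service:phase)" tag PAM modules write to syslog,
# e.g. "pam_winbind(sshd:auth)".
PAM_TAG = re.compile(r"\b(pam_\w+)\(([^:()\s]+):(\w+)\)")

# Sample input: line 1 is the log line quoted in the thread (unwrapped);
# the remaining lines are constructed for illustration.
SAMPLE_LOG = """\
2024-11-19T17:48:38.678440+00:00 devstation sshd[9437]: pam_winbind(sshd:auth): getting password (0x00000388)
2024-11-19T17:48:36.120000+00:00 devstation sshd[9437]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=jdoe
2024-11-19T17:50:02.000000+00:00 devstation login[9510]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=jdoe
2024-11-19T17:51:10.000000+00:00 devstation sudo[9600]: pam_unix(sudo:session): session opened for user root(uid=0) by jdoe(uid=11105)
"""


def modules_by_phase(lines):
    """Map (service, phase) -> set of PAM modules that logged for it."""
    seen = defaultdict(set)
    for line in lines:
        for module, service, phase in PAM_TAG.findall(line):
            seen[(service, phase)].add(module)
    return dict(seen)


def auth_without_winbind(lines):
    """Services whose auth phase produced PAM log lines but none from pam_winbind."""
    seen = modules_by_phase(lines)
    return sorted(
        service
        for (service, phase), modules in seen.items()
        if phase == "auth" and "pam_winbind" not in modules
    )


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for (service, phase), modules in sorted(modules_by_phase(lines).items()):
        print(f"{service}:{phase} -> {', '.join(sorted(modules))}")
    print("auth phase without pam_winbind:", auth_without_winbind(lines))
```

A module that is in the stack but logged nothing for a given login also shows up as missing, so treat a hit as a prompt to read that service's PAM configuration rather than as proof.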