[Samba] Working through the PAM Offline Authentication Wiki page, but...
Rowland Penny
rpenny at samba.org
Mon Nov 25 15:56:01 UTC 2024
On Mon, 25 Nov 2024 09:57:06 -0500
"John R. Graham via samba" <samba at lists.samba.org> wrote:
> On 11/19/24 12:56, Rowland Penny via samba wrote:
> > At a guess, your PAM stack is incorrect, it doesn't seem to be using
> > winbind, I would expect to see lines like this:
> >
> > 2024-11-19T17:48:38.678440+00:00 devstation sshd[9437]:
> > pam_winbind(sshd:auth): getting password (0x00000388)
> >
> > Rowland
>
> Yes, that was it. Thank you! That was a deeper rabbit hole than I had
> anticipated, requiring learning YASMCL (Yet Another State Machine
> Configuration Language). I have a PAM configuration working except
> for a few corner cases and a few puzzling things. The first of the
> latter is that bringing the winbind daemon offline with
>
> smbcontrol winbind offline
>
> doesn't appear to do anything.

On a DC it doesn't, you cannot take winbind offline on a DC. When it
comes to a DC 'smbcontrol' does nothing, you can only stop the 'samba'
daemon (which turns off smbd & winbindd), start it (which starts smbd &
winbindd) or restart it (which stops, then starts smbd & winbindd).

If you stop and think about it, I feel it will come to you why you
cannot take a major part of a DC offline ;-)

This, along with numerous other reasons, is why it is not recommended to
use a Samba AD DC as a fileserver.

Rowland