[Samba] Working through the PAM Offline Authentication Wiki page, but...

John R. Graham john at graham-family.org
Mon Nov 25 17:40:56 UTC 2024


On 11/25/24 11:26, Rowland Penny via samba wrote:
> D, I must go to specsavers, I appear to be going blind ;-)
>
> you wrote 'smbcontrol winbind offline' and I missed it, the extra 'd'
> that is, it should have been:
>
> smbcontrol winbindd offline
>
> Rowland

Okay, thanks, but I'm going to start over as I appear to have related 
some incorrect information.

Running

     smbcontrol winbind offline

contrary to previous report, does do something.

     wbinfo -K SAMDOM\\jgraham%password

returns

     plaintext kerberos password authentication for [SAMDOM\\jgraham] succeeded (requesting cctype: FILE)
     user_flgs: NETLOGON_CACHED_ACCOUNT
     credentials were put in: FILE:/tmp/krb5cc_0

Turns out smbcontrol will accept either "winbind" or "winbindd". I was 
following the Wiki page verbatim, which uses the former. I can tweak the 
Wiki page if the latter is more canonically correct. More importantly, an 
ssh login succeeds:

     terra ~ # ssh SAMDOM\\jgraham@localhost
     (SAMDOM\jgraham@localhost) Password:
     Domain Controller unreachable, using cached credentials instead. Network resources may be unavailable
     Domain Controller unreachable, using cached credentials instead. Network resources may be unavailable
     SAMDOM\jgraham@terra ~ $

with the following information in /var/log/messages:

     Nov 25 12:15:18 terra sshd-session[25073]: pam_winbind(sshd:auth): getting password (0x00004388)
     Nov 25 12:15:22 terra sshd-session[25073]: pam_winbind(sshd:auth): user 'SAMDOM\jgraham' granted access
     Nov 25 12:15:23 terra sshd-session[25073]: pam_winbind(sshd:account): user 'SAMDOM\jgraham' granted access
     Nov 25 12:15:23 terra sshd-session[25037]: Accepted keyboard-interactive/pam for SAMDOM\\jgraham from 127.0.0.1 port 44002 ssh2
     Nov 25 12:15:24 terra sshd-session[25037]: pam_unix(sshd:session): session opened for user HOME\jgraham(uid=10000) by HOME\jgraham(uid=0)
     Nov 25 12:15:24 terra elogind-daemon[3816]: New session 11 of user SAMDOM\jgraham.

This is behaving well as far as I can tell. However, the network cable 
was still attached when this test was run. When I remove the network 
cable, the behavior changes. With the exact same ssh command as above, 
there's a long timeout before the password prompt appears and another 
one after the password is provided. /var/log/messages tells a sad tale:

     Nov 25 12:28:11 terra sshd-session[28633]: pam_faillock(sshd:auth): User unknown
     Nov 25 12:28:11 terra sshd-session[28633]: pam_winbind(sshd:auth): getting password (0x00004388)
     Nov 25 12:28:11 terra sshd-session[27411]: Postponed keyboard-interactive for invalid user SAMDOM\\\\jgraham from 127.0.0.1 port 38014 ssh2 [preauth]
     Nov 25 12:28:11 terra sshd-session[27411]: Connection closed by invalid user SAMDOM\\\\jgraham 127.0.0.1 port 38014 [preauth]
     Nov 25 12:28:11 terra elogind-daemon[3816]: Removed session 11.
     Nov 25 12:28:16 terra sshd-session[25037]: fatal: login_init_entry: Cannot find user "SAMDOM\\jgraham"
     Nov 25 12:28:16 terra sshd-session[30386]: Invalid user SAMDOM\\jgraham from 127.0.0.1 port 36848
     Nov 25 12:28:46 terra sshd-session[31332]: pam_faillock(sshd:auth): User unknown
     Nov 25 12:28:46 terra sshd-session[31332]: pam_winbind(sshd:auth): getting password (0x00004388)
     Nov 25 12:28:46 terra sshd-session[30386]: Postponed keyboard-interactive for invalid user SAMDOM\\\\jgraham from 127.0.0.1 port 36848 ssh2 [preauth]
     Nov 25 12:29:31 terra sshd-session[31332]: pam_unix(sshd:auth): check pass; user unknown
     Nov 25 12:29:31 terra sshd-session[31332]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1
     Nov 25 12:29:46 terra sshd-session[31332]: pam_faillock(sshd:auth): User unknown
     Nov 25 12:29:48 terra sshd-session[30386]: error: PAM: User not known to the underlying authentication module for illegal user SAMDOM\\jgraham from 127.0.0.1
     Nov 25 12:29:48 terra sshd-session[30386]: Failed keyboard-interactive/pam for invalid user SAMDOM\\jgraham from 127.0.0.1 port 36848 ssh2
     Nov 25 12:30:04 terra sshd[3802]: Timeout before authentication for connection from 127.0.0.1 to 127.0.0.1, pid = 30386

I suppose that this could indicate that my PAM configuration still needs 
work, but I don't yet see it.

- John
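
An added example, not part of the original message or of Samba's own code: a small triage script over the sshd/PAM lines quoted above that separates entries where pam_winbind granted access from entries where the account name was reported as unknown, folding the differing backslash escapes into one user key. The sample lines are copied from the message with the wrapping undone; the function names and outcome labels are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: a subset of the log lines quoted in the message above,
# with the mail client's line wrapping undone.
SAMPLE = r"""
Nov 25 12:15:22 terra sshd-session[25073]: pam_winbind(sshd:auth): user 'SAMDOM\jgraham' granted access
Nov 25 12:15:23 terra sshd-session[25037]: Accepted keyboard-interactive/pam for SAMDOM\\jgraham from 127.0.0.1 port 44002 ssh2
Nov 25 12:28:11 terra sshd-session[28633]: pam_faillock(sshd:auth): User unknown
Nov 25 12:28:11 terra sshd-session[27411]: Postponed keyboard-interactive for invalid user SAMDOM\\\\jgraham from 127.0.0.1 port 38014 ssh2 [preauth]
Nov 25 12:28:16 terra sshd-session[30386]: Invalid user SAMDOM\\jgraham from 127.0.0.1 port 36848
Nov 25 12:29:31 terra sshd-session[31332]: pam_unix(sshd:auth): check pass; user unknown
Nov 25 12:29:48 terra sshd-session[30386]: Failed keyboard-interactive/pam for invalid user SAMDOM\\jgraham from 127.0.0.1 port 36848 ssh2
"""

# syslog prefix: "Mon DD HH:MM:SS host proc[pid]: message"
HEADER = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+\S+\s+[\w-]+\[\d+\]:\s+(?P<msg>.*)$")

# Outcome labels are this example's own; the first matching rule wins.
RULES = [
    ("granted", re.compile(r"pam_winbind\(\S+:auth\): user '(?P<user>[^']+)' granted access")),
    ("accepted", re.compile(r"Accepted \S+ for (?P<user>\S+) from")),
    ("unknown", re.compile(r"[Ii]nvalid user (?P<user>\S+)")),
    ("unknown", re.compile(r"[Uu]ser unknown|Cannot find user|User not known")),
]

NO_NAME = "(no name logged)"

def norm_user(name):
    # The same account is logged with one, two or four backslashes between
    # domain and user; collapse every run to a single backslash.
    return re.sub(r"\\+", lambda m: "\\", name)

def triage(text):
    """Return {user: Counter(outcome -> number of log lines)}."""
    result = {}
    for line in text.splitlines():
        head = HEADER.match(line.strip())
        if not head:
            continue
        for outcome, rx in RULES:
            m = rx.search(head["msg"])
            if m:
                user = norm_user(m.groupdict().get("user") or "") or NO_NAME
                result.setdefault(user, Counter())[outcome] += 1
                break
    return result

if __name__ == "__main__":
    for user, outcomes in triage(SAMPLE).items():
        print(user, dict(outcomes))
```

Lines counted as "unknown" mean the account name was not resolved on the host at that moment, which is a different failure from a rejected password.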