[Samba] Working through the PAM Offline Authentication Wiki page, but...
John R. Graham
john at graham-family.org
Mon Nov 25 17:40:56 UTC 2024
On 11/25/24 11:26, Rowland Penny via samba wrote:
> D, I must go to specsavers, I appear to be going blind ;-)
>
> you wrote 'smbcontrol winbind offline' and I missed it, the extra 'd'
> that is, it should have been:
>
> smbcontrol winbindd offline
>
> Rowland
Okay, thanks, but I'm going to start over as I appear to have related
some incorrect information.
Running

  smbcontrol winbind offline

contrary to my previous report, does do something:

  wbinfo -K SAMDOM\\jgraham%password

returns

  plaintext kerberos password authentication for [SAMDOM\\jgraham] succeeded (requesting cctype: FILE)
  user_flgs: NETLOGON_CACHED_ACCOUNT
  credentials were put in: FILE:/tmp/krb5cc_0
Turns out smbcontrol will accept either "winbind" or "winbindd". I was
following the Wiki page verbatim, which uses the former. I can tweak the
Wiki page if the latter is more canonically correct. More importantly, an
ssh login succeeds:

  terra ~ # ssh SAMDOM\\jgraham@localhost
  (SAMDOM\jgraham@localhost) Password:
  Domain Controller unreachable, using cached credentials instead.
  Network resources may be unavailable
  Domain Controller unreachable, using cached credentials instead.
  Network resources may be unavailable
  SAMDOM\jgraham@terra ~ $
with the following information in /var/log/messages:

  Nov 25 12:15:18 terra sshd-session[25073]: pam_winbind(sshd:auth): getting password (0x00004388)
  Nov 25 12:15:22 terra sshd-session[25073]: pam_winbind(sshd:auth): user 'SAMDOM\jgraham' granted access
  Nov 25 12:15:23 terra sshd-session[25073]: pam_winbind(sshd:account): user 'SAMDOM\jgraham' granted access
  Nov 25 12:15:23 terra sshd-session[25037]: Accepted keyboard-interactive/pam for SAMDOM\\jgraham from 127.0.0.1 port 44002 ssh2
  Nov 25 12:15:24 terra sshd-session[25037]: pam_unix(sshd:session): session opened for user HOME\jgraham(uid=10000) by HOME\jgraham(uid=0)
  Nov 25 12:15:24 terra elogind-daemon[3816]: New session 11 of user SAMDOM\jgraham.
This is behaving well as far as I can tell. However, the network cable
was still attached when this test was run. When I remove the network
cable, the behavior changes: with the exact same ssh command as above,
there's a long timeout before the password prompt appears and another
one after the password is provided. /var/log/messages tells a sad tale:
  Nov 25 12:28:11 terra sshd-session[28633]: pam_faillock(sshd:auth): User unknown
  Nov 25 12:28:11 terra sshd-session[28633]: pam_winbind(sshd:auth): getting password (0x00004388)
  Nov 25 12:28:11 terra sshd-session[27411]: Postponed keyboard-interactive for invalid user SAMDOM\\\\jgraham from 127.0.0.1 port 38014 ssh2 [preauth]
  Nov 25 12:28:11 terra sshd-session[27411]: Connection closed by invalid user SAMDOM\\\\jgraham 127.0.0.1 port 38014 [preauth]
  Nov 25 12:28:11 terra elogind-daemon[3816]: Removed session 11.
  Nov 25 12:28:16 terra sshd-session[25037]: fatal: login_init_entry: Cannot find user "SAMDOM\\jgraham"
  Nov 25 12:28:16 terra sshd-session[30386]: Invalid user SAMDOM\\jgraham from 127.0.0.1 port 36848
  Nov 25 12:28:46 terra sshd-session[31332]: pam_faillock(sshd:auth): User unknown
  Nov 25 12:28:46 terra sshd-session[31332]: pam_winbind(sshd:auth): getting password (0x00004388)
  Nov 25 12:28:46 terra sshd-session[30386]: Postponed keyboard-interactive for invalid user SAMDOM\\\\jgraham from 127.0.0.1 port 36848 ssh2 [preauth]
  Nov 25 12:29:31 terra sshd-session[31332]: pam_unix(sshd:auth): check pass; user unknown
  Nov 25 12:29:31 terra sshd-session[31332]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1
  Nov 25 12:29:46 terra sshd-session[31332]: pam_faillock(sshd:auth): User unknown
  Nov 25 12:29:48 terra sshd-session[30386]: error: PAM: User not known to the underlying authentication module for illegal user SAMDOM\\jgraham from 127.0.0.1
  Nov 25 12:29:48 terra sshd-session[30386]: Failed keyboard-interactive/pam for invalid user SAMDOM\\jgraham from 127.0.0.1 port 36848 ssh2
  Nov 25 12:30:04 terra sshd[3802]: Timeout before authentication for connection from 127.0.0.1 to 127.0.0.1, pid = 30386
I suppose that this could indicate that my PAM configuration still needs
work, but I don't yet see it.
- John
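The two log excerpts in the message above fail at different stages: in the first, pam_winbind accepts cached credentials; in the second, sshd reports "Invalid user" / "Cannot find user", which sshd logs when its getpwnam() lookup of the login name fails before PAM is ever consulted, so an NSS (nsswitch -> libnss_winbind -> winbindd) lookup is what broke once the cable came out. The following POSIX shell helper is an added example, not code from the original post or from the Samba project: it classifies the syslog lines of one ssh attempt by that stage and, when run as `sh file.sh live 'DOMAIN\user'` (an argument convention chosen here), runs live prerequisite checks that assume getent and wbinfo are installed on a winbind-joined host. The sample log lines are constructed, abridged from the thread; the hint text reflects the smb.conf option `winbind offline logon` and the pam_winbind.conf option `cached_login`.

```shell
#!/bin/sh
# Added example; not code from the original post or from the Samba project.
# classify_auth_log     reads the syslog lines of ONE ssh login attempt on
#                       stdin and reports which stage failed.
# check_offline_prereqs live checks on a winbind-joined host (needs getent
#                       and wbinfo); run as:  sh file.sh live 'SAMDOM\jgraham'
# Sample log lines below are constructed, abridged from the thread.

classify_auth_log() {
    attempt=$(cat)
    # sshd calls getpwnam() on the login name before PAM runs. If NSS
    # (nsswitch.conf -> libnss_winbind -> winbindd) cannot resolve it, sshd
    # logs "Invalid user"/"Cannot find user" and PAM only ever sees an
    # unknown user, so pam_winbind's cached credentials are never consulted.
    if printf '%s\n' "$attempt" | grep -Eiq 'invalid user|cannot find user|user unknown|user not known'; then
        echo nss-lookup-failed
    elif printf '%s\n' "$attempt" | grep -Eq "pam_winbind\(sshd:auth\): user '[^']*' granted access"; then
        echo granted
    elif printf '%s\n' "$attempt" | grep -Eiq 'pam_winbind\(sshd:auth\):.*(denied|failed|failure)|Failed keyboard-interactive'; then
        echo auth-failed
    else
        echo unknown
    fi
}

hint_for() {
    case $1 in
        nss-lookup-failed)
            echo 'NSS could not resolve the account with the DC unreachable.' \
                 'With the cable out, compare getent passwd of the DOMAIN-qualified name' \
                 '(nsswitch path) with wbinfo -i of the same name (winbindd directly),' \
                 'and confirm winbind offline logon = yes in smb.conf.' ;;
        auth-failed)
            echo 'Account resolved but pam_winbind refused it: check cached_login = yes' \
                 'in pam_winbind.conf and that an earlier ONLINE logon filled the cache.' ;;
        granted) echo 'Cached logon accepted.' ;;
        *) echo 'No verdict; capture the whole attempt including the sshd lines.' ;;
    esac
}

check_offline_prereqs() {
    acct=$1          # DOMAIN\user exactly as it will be given to ssh
    rc=0
    if getent passwd "$acct" >/dev/null 2>&1; then
        printf '%s\n' "getent passwd: ok"
    else
        printf '%s\n' "getent passwd: FAILED (sshd will log 'Invalid user')"; rc=1
    fi
    if ! command -v wbinfo >/dev/null 2>&1; then
        printf '%s\n' "wbinfo not installed; skipping winbindd checks"
        return $rc
    fi
    if wbinfo -i "$acct" >/dev/null 2>&1; then
        printf '%s\n' "wbinfo -i: ok (winbindd itself knows the account)"
    else
        printf '%s\n' "wbinfo -i: FAILED (winbindd cannot answer either)"; rc=1
    fi
    if wbinfo --ping-dc >/dev/null 2>&1; then
        printf '%s\n' "DC reachable: this is an online test, not an offline one"
    else
        printf '%s\n' "DC unreachable; winbindd domain state:"
        wbinfo --online-status 2>/dev/null || printf '%s\n' "  (wbinfo --online-status failed)"
    fi
    return $rc
}

# Constructed samples (abridged from the thread; one attempt each).
SAMPLE_ONLINE="Nov 25 12:15:22 terra sshd-session[25073]: pam_winbind(sshd:auth): user 'SAMDOM\\jgraham' granted access
Nov 25 12:15:23 terra sshd-session[25037]: Accepted keyboard-interactive/pam for SAMDOM\\\\jgraham from 127.0.0.1 port 44002 ssh2"

SAMPLE_OFFLINE="Nov 25 12:28:11 terra sshd-session[28633]: pam_faillock(sshd:auth): User unknown
Nov 25 12:28:16 terra sshd-session[25037]: fatal: login_init_entry: Cannot find user \"SAMDOM\\\\jgraham\"
Nov 25 12:28:16 terra sshd-session[30386]: Invalid user SAMDOM\\\\jgraham from 127.0.0.1 port 36848"

for sample in "$SAMPLE_ONLINE" "$SAMPLE_OFFLINE"; do
    verdict=$(printf '%s\n' "$sample" | classify_auth_log)
    printf '%s: %s\n' "$verdict" "$(hint_for "$verdict")"
done

if [ "${1:-}" = live ]; then
    check_offline_prereqs "${2:?usage: $0 live DOMAIN-qualified-user}"
fi
```

The point of the `getent passwd` versus `wbinfo -i` pair in the live check is to split the NSS path in two: if `wbinfo -i` answers while `getent` does not, winbindd has the account cached and the problem is on the nsswitch side; if neither answers with the DC unreachable, winbindd has nothing cached for that account.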