[Samba] pam_winbind Appears to need a Network Connection to Succeed at Offline Authentication

John R. Graham john at graham-family.org
Wed Nov 27 15:19:48 UTC 2024


When I put winbindd in offline mode,

     terra ~ # smbcontrol winbindd offline
     terra ~ # smbcontrol winbindd onlinestatus
     PID 20664: global:Offline BUILTIN:Online TERRA:Online HOME:Offline

I can successfully log in (with the test shown in the PAM Offline 
Authentication Wiki article):

     terra ~ # ssh SAMDOM\\jgraham@localhost
     (SAMDOM\jgraham@localhost) Password:
     Domain Controller unreachable, using cached credentials instead. Network resources may be unavailable
     Domain Controller unreachable, using cached credentials instead. Network resources may be unavailable

Log entries in /var/log/messages look normal to my eye and seem to 
confirm the use of cached credentials:

     Nov 27 09:32:42 terra sshd-session[16687]: pam_winbind(sshd:auth): [pamh: 0x55dc18bc2780] ENTER: pam_sm_authenticate (flags: 0x0001)
     Nov 27 09:32:42 terra sshd-session[16687]: pam_winbind(sshd:auth): getting password (0x00004389)
     Nov 27 09:32:47 terra sshd-session[16687]: pam_winbind(sshd:auth): Verify user 'SAMDOM\jgraham'
     Nov 27 09:32:47 terra sshd-session[16687]: pam_winbind(sshd:auth): CONFIG file: krb5_ccache_type 'FILE'
     Nov 27 09:32:47 terra sshd-session[16687]: pam_winbind(sshd:auth): enabling krb5 login flag
     Nov 27 09:32:47 terra sshd-session[16687]: pam_winbind(sshd:auth): enabling cached login flag
     Nov 27 09:32:47 terra sshd-session[16687]: pam_winbind(sshd:auth): enabling request for a FILE krb5 ccache
     Nov 27 09:32:47 terra sshd-session[16687]: pam_winbind(sshd:auth): request wbcLogonUser succeeded
     Nov 27 09:32:47 terra sshd-session[16687]: pam_winbind(sshd:auth): user 'SAMDOM\jgraham' granted access
     Nov 27 09:32:47 terra sshd-session[16687]: pam_winbind(sshd:auth): User SAMDOM\jgraham logged on using cached credentials
     Nov 27 09:32:47 terra sshd-session[16687]: pam_winbind(sshd:auth): request returned KRB5CCNAME: FILE:/tmp/krb5cc_10000
     Nov 27 09:32:47 terra sshd-session[16687]: pam_winbind(sshd:auth): Returned user was 'SAMDOM\jgraham'
     Nov 27 09:32:47 terra sshd-session[16687]: pam_winbind(sshd:auth): [pamh: 0x55dc18bc2780] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
     Nov 27 09:32:47 terra sshd-session[16687]: pam_winbind(sshd:account): [pamh: 0x55dc18bc2780] ENTER: pam_sm_acct_mgmt (flags: 0x0000)
     Nov 27 09:32:47 terra sshd-session[16687]: pam_winbind(sshd:account): user 'SAMDOM\jgraham' granted access
     Nov 27 09:32:47 terra sshd-session[16687]: pam_winbind(sshd:account): [pamh: 0x55dc18bc2780] LEAVE: pam_sm_acct_mgmt returning 0 (PAM_SUCCESS)
     Nov 27 09:32:47 terra sshd-session[16674]: Accepted keyboard-interactive/pam for SAMDOM\\jgraham from 127.0.0.1 port 37410 ssh2
     Nov 27 09:32:47 terra sshd-session[16674]: pam_winbind(sshd:setcred): [pamh: 0x55dc18bc2780] ENTER: pam_sm_setcred (flags: 0x0002)
     Nov 27 09:32:47 terra sshd-session[16674]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not implemented
     Nov 27 09:32:47 terra sshd-session[16674]: pam_winbind(sshd:setcred): [pamh: 0x55dc18bc2780] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS)
     Nov 27 09:32:47 terra sshd-session[16674]: pam_unix(sshd:session): session opened for user SAMDOM\jgraham(uid=10000) by SAMDOM\jgraham(uid=0)
     Nov 27 09:32:47 terra elogind-daemon[3814]: New session 22 of user SAMDOM\jgraham.

But this is done with the network connection up. When I unplug the 
cable, the behavior is very different:

     terra ~ # ssh SAMDOM\\jgraham@localhost
     (SAMDOM\jgraham@localhost) Password:
     (SAMDOM\jgraham@localhost) Password:
     Connection closed by 127.0.0.1 port 22

/var/log/messages shows:

     Nov 27 09:41:17 terra sshd-session[29098]: Invalid user SAMDOM\\jgraham from 127.0.0.1 port 50306
     Nov 27 09:41:39 terra sshd-session[30699]: pam_faillock(sshd:auth): User unknown
     Nov 27 09:41:39 terra sshd-session[30699]: pam_winbind(sshd:auth): [pamh: 0x55c233e7bc70] ENTER: pam_sm_authenticate (flags: 0x0001)
     Nov 27 09:41:39 terra sshd-session[30699]: pam_winbind(sshd:auth): getting password (0x00004389)
     Nov 27 09:41:39 terra sshd-session[29098]: Postponed keyboard-interactive for invalid user SAMDOM\\\\jgraham from 127.0.0.1 port 50306 ssh2 [preauth]
     Nov 27 09:41:52 terra sshd-session[30699]: pam_winbind(sshd:auth): Verify user 'SAMDOM\jgraham'
     Nov 27 09:41:52 terra sshd-session[30699]: pam_winbind(sshd:auth): CONFIG file: krb5_ccache_type 'FILE'
     Nov 27 09:42:03 terra sshd-session[30699]: pam_winbind(sshd:auth): [pamh: 0x55c233e7bc70] LEAVE: pam_sm_authenticate returning 10 (PAM_USER_UNKNOWN)
     Nov 27 09:42:14 terra sshd-session[30699]: pam_unix(sshd:auth): check pass; user unknown
     Nov 27 09:42:14 terra sshd-session[30699]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1
     Nov 27 09:42:25 terra sshd-session[30699]: pam_faillock(sshd:auth): User unknown
     Nov 27 09:42:27 terra sshd-session[29098]: error: PAM: User not known to the underlying authentication module for illegal user SAMDOM\\jgraham from 127.0.0.1
     Nov 27 09:42:27 terra sshd-session[29098]: Failed keyboard-interactive/pam for invalid user SAMDOM\\jgraham from 127.0.0.1 port 50306 ssh2
     Nov 27 09:42:49 terra sshd-session[7489]: pam_faillock(sshd:auth): User unknown
     Nov 27 09:42:49 terra sshd-session[7489]: pam_winbind(sshd:auth): [pamh: 0x55c233e7bc70] ENTER: pam_sm_authenticate (flags: 0x0001)
     Nov 27 09:42:49 terra sshd-session[7489]: pam_winbind(sshd:auth): getting password (0x00004389)
     Nov 27 09:42:49 terra sshd-session[29098]: Postponed keyboard-interactive for invalid user SAMDOM\\\\jgraham from 127.0.0.1 port 50306 ssh2 [preauth]
     Nov 27 09:43:01 terra sshd-session[7489]: pam_winbind(sshd:auth): Verify user 'SAMDOM\jgraham'
     Nov 27 09:43:01 terra sshd-session[7489]: pam_winbind(sshd:auth): CONFIG file: krb5_ccache_type 'FILE'
     Nov 27 09:43:06 terra sshd[3801]: Timeout before authentication for connection from 127.0.0.1 to 127.0.0.1, pid = 29098

Is this still looking like a PAM configuration issue?

There are other related things misbehaving with the network cable 
unplugged. For instance, previously logged-in sessions appear to lose 
access to their home directories (which are owned by the domain user).

For the record, it's samba 4.21.1.

- John
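
Added example, not part of the original post: a Python triage script that rejoins mail-wrapped syslog entries like the ones above and reports, per sshd-session PID, the pam_sm_authenticate result, whether cached credentials were used, and the seconds between pam_winbind's "Verify user" entry and its LEAVE entry. The sample lines are copied from the two traces in the post; the year 2024 is an assumption taken from the post date, since syslog timestamps carry none.

```python
import re
from datetime import datetime

ENTRY = re.compile(r"^\s*(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+\[(\d+)\]: ?(.*)$")
RESULT = re.compile(r"LEAVE: pam_sm_authenticate returning (\d+) \((\w+)\)")

# Constructed sample: entries taken from the post's two traces, left wrapped as in the mail.
SAMPLE = r"""
Nov 27 09:32:47 terra sshd-session[16687]: pam_winbind(sshd:auth):
Verify user 'SAMDOM\jgraham'
Nov 27 09:32:47 terra sshd-session[16687]: pam_winbind(sshd:auth):
User SAMDOM\jgraham logged on using cached credentials
Nov 27 09:32:47 terra sshd-session[16687]: pam_winbind(sshd:auth):
[pamh: 0x55dc18bc2780] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
Nov 27 09:41:52 terra sshd-session[30699]: pam_winbind(sshd:auth):
Verify user 'SAMDOM\jgraham'
Nov 27 09:42:03 terra sshd-session[30699]: pam_winbind(sshd:auth):
[pamh: 0x55c233e7bc70] LEAVE: pam_sm_authenticate returning 10
(PAM_USER_UNKNOWN)
Nov 27 09:43:01 terra sshd-session[7489]: pam_winbind(sshd:auth):
Verify user 'SAMDOM\jgraham'
"""

def unwrap(text):
    """A line without a leading syslog timestamp continues the previous entry."""
    entries = []
    for line in text.splitlines():
        if ENTRY.match(line):
            entries.append(line.strip())
        elif line.strip() and entries:
            entries[-1] += " " + line.strip()
    return entries

def summarize(text, year=2024):
    """Map PID -> auth result, cached-credential use, and Verify-to-LEAVE seconds."""
    sessions = {}
    for entry in unwrap(text):
        stamp, pid, msg = ENTRY.match(entry).groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        s = sessions.setdefault(pid, {"result": None, "cached": False, "verify_s": None, "_start": None})
        if "Verify user" in msg:
            s["_start"] = when
        elif "using cached credentials" in msg:
            s["cached"] = True
        elif m := RESULT.search(msg):
            s["result"] = m.group(2)
            if s["_start"]:
                s["verify_s"] = int((when - s["_start"]).total_seconds())
    return {p: {k: v for k, v in s.items() if k[0] != "_"} for p, s in sessions.items()}
```

A PID whose result is None never logged a LEAVE entry for pam_sm_authenticate, as with PID 7489 in the second trace.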




