[Samba] Working through the PAM Offline Authentication Wiki page, but...
Rowland Penny
rpenny at samba.org
Wed Nov 27 16:07:24 UTC 2024
On Mon, 25 Nov 2024 12:40:56 -0500
"John R. Graham via samba" <samba at lists.samba.org> wrote:
> On 11/25/24 11:26, Rowland Penny via samba wrote:
> > D, I must go to specsavers, I appear to be going blind ;-)
> >
> > you wrote 'smbcontrol winbind offline' and I missed it, the extra
> > 'd' that is, it should have been:
> >
> > smbcontrol winbindd offline
> >
> > Rowland
>
> Okay, thanks, but I'm going to start over as I appear to have related
> some incorrect information.
>
> Running
>
> smbcontrol winbind offline
>
> contrary to previous report does do something
>
> wbinfo -K SAMDOM\\jgraham%password
>
> returns
>
> plaintext kerberos password authentication for [SAMDOM\\jgraham]
> succeeded (requesting cctype: FILE)
> user_flgs: NETLOGON_CACHED_ACCOUNT
> credentials were put in: FILE:/tmp/krb5cc_0
>
> Turns out smbcontrol will accept either "winbind" or "winbindd". I
> was following the Wiki page verbatim, which uses the former. I can
> tweak the Wiki page if the latter is more canonically correct. More
> importantly an ssh login succeeds:
>
> terra ~ # ssh SAMDOM\\jgraham at localhost
> (SAMDOM\jgraham at localhost) Password:
> Domain Controller unreachable, using cached credentials instead.
> Network resources may be unavailable
> Domain Controller unreachable, using cached credentials instead.
> Network resources may be unavailable
> SAMDOM\jgraham at terra ~ $
>
> with the following information in /var/log messages:
>
> Nov 25 12:15:18 terra sshd-session[25073]:
> pam_winbind(sshd:auth): getting password (0x00004388)
> Nov 25 12:15:22 terra sshd-session[25073]:
> pam_winbind(sshd:auth): user 'SAMDOM\jgraham' granted access
> Nov 25 12:15:23 terra sshd-session[25073]:
> pam_winbind(sshd:account): user 'SAMDOM\jgraham' granted access
> Nov 25 12:15:23 terra sshd-session[25037]: Accepted
> keyboard-interactive/pam for SAMDOM\\jgraham from 127.0.0.1 port
> 44002 ssh2
> Nov 25 12:15:24 terra sshd-session[25037]:
> pam_unix(sshd:session): session opened for user
> HOME\jgraham(uid=10000) by HOME\jgraham(uid=0)
> Nov 25 12:15:24 terra
> elogind-daemon[3816]: New session 11 of user SAMDOM\jgraham.
>
> This is behaving well as far as I can tell. However, the network
> cable is still attached when this test was run. When I remove the
> network cable, the behavior changes. With the exact same ssh command
> as above, there's a long timeout before the password prompt appears
> and another one after the password is provided. /var/log/messages
> tells a sad tale:
>
> Nov 25 12:28:11 terra sshd-session[28633]:
> pam_faillock(sshd:auth): User unknown
> Nov 25 12:28:11 terra sshd-session[28633]:
> pam_winbind(sshd:auth): getting password (0x00004388)
> Nov 25 12:28:11 terra sshd-session[27411]: Postponed
> keyboard-interactive for invalid user SAMDOM\\\\jgraham from
> 127.0.0.1 port 38014 ssh2 [preauth]
> Nov 25 12:28:11 terra sshd-session[27411]: Connection closed by
> invalid user SAMDOM\\\\jgraham 127.0.0.1 port 38014 [preauth]
> Nov 25 12:28:11 terra elogind-daemon[3816]: Removed session 11.
> Nov 25 12:28:16 terra sshd-session[25037]: fatal:
> login_init_entry: Cannot find user "SAMDOM\\jgraham"
> Nov 25 12:28:16 terra sshd-session[30386]: Invalid user
> SAMDOM\\jgraham from 127.0.0.1 port 36848
> Nov 25 12:28:46 terra sshd-session[31332]:
> pam_faillock(sshd:auth): User unknown
> Nov 25 12:28:46 terra sshd-session[31332]:
> pam_winbind(sshd:auth): getting password (0x00004388)
> Nov 25 12:28:46 terra sshd-session[30386]: Postponed
> keyboard-interactive for invalid user SAMDOM\\\\jgraham from
> 127.0.0.1 port 36848 ssh2 [preauth]
> Nov 25 12:29:31 terra sshd-session[31332]: pam_unix(sshd:auth):
> check pass; user unknown
> Nov 25 12:29:31 terra sshd-session[31332]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=127.0.0.1
> Nov 25 12:29:46 terra sshd-session[31332]:
> pam_faillock(sshd:auth): User unknown
> Nov 25 12:29:48 terra sshd-session[30386]: error: PAM: User not
> known to the underlying authentication module for illegal user
> SAMDOM\\jgraham from 127.0.0.1
> Nov 25 12:29:48 terra sshd-session[30386]: Failed
> keyboard-interactive/pam for invalid user SAMDOM\\jgraham from
> 127.0.0.1 port 36848 ssh2
> Nov 25 12:30:04 terra sshd[3802]: Timeout before authentication
> for connection from 127.0.0.1 to 127.0.0.1, pid = 30386
>
> I suppose that this could indicate that my PAM configuration still
> needs work, but I don't yet see it.
>
> - John
>
>
If I remember correctly, this is on Gentoo; Debian sets up PAM for you,
so can we see your PAM config files? Putting winbindd (or is it winbind?)
offline is supposed to be the same as pulling the ethernet cable or
the network going down; it should move to a cache (provided the user
has logged in at least once).
Rowland
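The two syslog excerpts John posted tell different stories: in the first, pam_winbind grants access and sshd accepts the login; in the second, every module reports the account as unknown ("User unknown", "Invalid user", "Cannot find user"), which is the wording sshd, pam_unix and pam_faillock use when the account name itself does not resolve through NSS, before any password is checked. The script below is an added example (not code from the thread or from the Samba project) that parses both excerpts, unwrapped onto one line per record, and classifies each message so the name-lookup failure is separated from a rejected password. The category names, the `triage` function and the hint text are the example's own; the log lines, hostname and timestamps come from John's message.

```python
import re
from collections import Counter

# Sample input: the two /var/log/messages excerpts from the thread, unwrapped.
ONLINE_LOG = r"""
Nov 25 12:15:18 terra sshd-session[25073]: pam_winbind(sshd:auth): getting password (0x00004388)
Nov 25 12:15:22 terra sshd-session[25073]: pam_winbind(sshd:auth): user 'SAMDOM\jgraham' granted access
Nov 25 12:15:23 terra sshd-session[25073]: pam_winbind(sshd:account): user 'SAMDOM\jgraham' granted access
Nov 25 12:15:23 terra sshd-session[25037]: Accepted keyboard-interactive/pam for SAMDOM\\jgraham from 127.0.0.1 port 44002 ssh2
Nov 25 12:15:24 terra sshd-session[25037]: pam_unix(sshd:session): session opened for user HOME\jgraham(uid=10000) by HOME\jgraham(uid=0)
Nov 25 12:15:24 terra elogind-daemon[3816]: New session 11 of user SAMDOM\jgraham.
"""

OFFLINE_LOG = r"""
Nov 25 12:28:11 terra sshd-session[28633]: pam_faillock(sshd:auth): User unknown
Nov 25 12:28:11 terra sshd-session[28633]: pam_winbind(sshd:auth): getting password (0x00004388)
Nov 25 12:28:11 terra sshd-session[27411]: Postponed keyboard-interactive for invalid user SAMDOM\\\\jgraham from 127.0.0.1 port 38014 ssh2 [preauth]
Nov 25 12:28:11 terra sshd-session[27411]: Connection closed by invalid user SAMDOM\\\\jgraham 127.0.0.1 port 38014 [preauth]
Nov 25 12:28:11 terra elogind-daemon[3816]: Removed session 11.
Nov 25 12:28:16 terra sshd-session[25037]: fatal: login_init_entry: Cannot find user "SAMDOM\\jgraham"
Nov 25 12:28:16 terra sshd-session[30386]: Invalid user SAMDOM\\jgraham from 127.0.0.1 port 36848
Nov 25 12:28:46 terra sshd-session[31332]: pam_faillock(sshd:auth): User unknown
Nov 25 12:28:46 terra sshd-session[31332]: pam_winbind(sshd:auth): getting password (0x00004388)
Nov 25 12:28:46 terra sshd-session[30386]: Postponed keyboard-interactive for invalid user SAMDOM\\\\jgraham from 127.0.0.1 port 36848 ssh2 [preauth]
Nov 25 12:29:31 terra sshd-session[31332]: pam_unix(sshd:auth): check pass; user unknown
Nov 25 12:29:31 terra sshd-session[31332]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1
Nov 25 12:29:46 terra sshd-session[31332]: pam_faillock(sshd:auth): User unknown
Nov 25 12:29:48 terra sshd-session[30386]: error: PAM: User not known to the underlying authentication module for illegal user SAMDOM\\jgraham from 127.0.0.1
Nov 25 12:29:48 terra sshd-session[30386]: Failed keyboard-interactive/pam for invalid user SAMDOM\\jgraham from 127.0.0.1 port 36848 ssh2
Nov 25 12:30:04 terra sshd[3802]: Timeout before authentication for connection from 127.0.0.1 to 127.0.0.1, pid = 30386
"""

# One syslog record: "Nov 25 12:28:11 terra sshd-session[28633]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Ordered (category, pattern) rules; the first match wins. "unknown_user" collects
# every wording sshd, pam_unix and pam_faillock use when the account name does not
# resolve through NSS. That is a name-lookup failure, not a rejected password.
RULES = [
    ("unknown_user", re.compile(
        r"[Uu]ser unknown|[Ii]nvalid user|illegal user|Cannot find user|User not known")),
    ("granted", re.compile(r"granted access")),
    ("accepted", re.compile(r"^Accepted ")),
    ("auth_failure", re.compile(r"authentication failure")),
    ("timeout", re.compile(r"Timeout before authentication")),
    ("prompt", re.compile(r"getting password")),
]


def classify(msg):
    """Map one syslog message body to a category name (example's own scheme)."""
    for category, pattern in RULES:
        if pattern.search(msg):
            return category
    return "other"


def parse_line(line):
    """Split a syslog line into fields plus its category; None if it is not syslog."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["category"] = classify(rec["msg"])
    return rec


def triage(log_text):
    """Count categories over an excerpt and derive a single diagnosis."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[rec["category"]] += 1
    if counts["unknown_user"] and not counts["granted"]:
        diagnosis = "nss_lookup_failed"
        hint = ("the account name never resolved; check the winbind NSS side "
                "(getent passwd) before changing the PAM auth stack")
    elif counts["auth_failure"] and not counts["granted"]:
        diagnosis = "credentials_rejected"
        hint = "the account resolved but the password was refused"
    elif counts["accepted"] or counts["granted"]:
        diagnosis = "login_ok"
        hint = "pam_winbind granted access and sshd accepted the login"
    else:
        diagnosis = "inconclusive"
        hint = "no decisive pam_winbind or sshd outcome in this excerpt"
    return {"diagnosis": diagnosis, "hint": hint, "counts": dict(counts)}


if __name__ == "__main__":
    for name, text in (("online", ONLINE_LOG), ("offline", OFFLINE_LOG)):
        result = triage(text)
        print(f"{name}: {result['diagnosis']} ({result['hint']})")
```

Run against the second excerpt it reports `nss_lookup_failed`: eleven of the sixteen records say the user is unknown and none says access was granted, so the cache that matters here is the one winbind serves to NSS lookups, which is a separate question from whether pam_winbind's credential cache works.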