[Samba] pam_winbind Appears to need a Network Connection to Succeed at Offline Authentication

John R. Graham john at graham-family.org
Wed Nov 27 16:39:40 UTC 2024


On 11/27/24 11:10, Rowland Penny via samba wrote:
> I am not having a good day, I now seem to have replied to the wrong
> thread :-(
>
> Let's try again:
>
> If I remember correctly, this is on Gentoo, Debian sets up PAM for you,
> so can we see your PAM config files. Putting winbindd (or is it winbind
> ?) offline is supposed to be the same as pulling the ethernet cable or
> the network going down, it should move to a cache (provided the user
> has logged in at least once).
>
> Rowland

Apologies for the somewhat double post; I thought the other one might 
have dropped off the radar. You can see from the provided logs that 
pam_winbind has been brought offline and is using cached credentials. 
And, yes, it's Gentoo, and its out-of-box PAM winbind configuration 
apparently hasn't evolved with the times, which I'm trying to correct. 
PAM 1.6.1 is in use here; the following files are in /etc/pam.d/ as usual:

sshd:

     auth       include  system-remote-login
     account    include  system-remote-login
     password   include  system-remote-login
     session    include  system-remote-login

system-remote-login:

     auth        include     system-login
     account     include     system-login
     password    include     system-login
     session     include     system-login

system-login:

     auth        required    pam_shells.so
     auth        required    pam_nologin.so
     auth        include     system-auth
     account     required    pam_access.so
     account     required    pam_nologin.so
     account     required    pam_time.so
     account     include     system-auth
     password    include     system-auth
     session     optional    pam_loginuid.so
     session     required    pam_env.so envfile=/etc/profile.env
     session     optional    pam_lastlog.so silent
     session     include     system-auth
     session     optional    pam_motd.so motd=/etc/motd
     session     optional    pam_mail.so
     -session    optional    pam_elogind.so

system-auth:

     auth        required    pam_env.so
     auth        requisite   pam_faillock.so preauth
     auth        [success=2 default=ignore]                                  pam_winbind.so try_first_pass
     auth        [success=1 new_authtok_reqd=1 ignore=ignore default=bad]    pam_unix.so nullok try_first_pass
     auth        [default=die]                                               pam_faillock.so authfail

     account     [default=bad success=ok user_unknown=ignore]                pam_winbind.so
     account required pam_unix.so
     account required pam_faillock.so

     password required pam_passwdqc.so config=/etc/security/passwdqc.conf
     password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow
     password sufficient pam_winbind.so use_authtok

     session required pam_limits.so
     session required pam_env.so
     session required pam_unix.so

All are Gentoo standard except system-auth, which is my own work in 
progress.

- John
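The behaviour of the system-auth stack above hinges on the bracketed control fields: with `[success=2 default=ignore]`, a cached-credential success from pam_winbind jumps over both pam_unix and the faillock `authfail` entry, while a winbind rejection is ignored and falls through to pam_unix, whose `default=bad` failure is then made final by `[default=die]` on faillock. The following simulator walks that auth section with caller-supplied module return codes and reports which modules actually run and what the stack returns. It is an added example, not code from the Samba project or from the poster; the dispatcher is a reduced model of the ok/done/bad/die/ignore/reset/jump rules described in pam.conf(5) rather than the real Linux-PAM library, and the return codes in the scenarios (winbind accepting cached credentials, winbind rejecting, faillock reporting a lock) are assumptions chosen to illustrate the control flow, not observations from John's system.

```python
"""Simulate how Linux-PAM walks an auth stack like the system-auth above.

Added example, not code from the Samba project or the poster.  The
dispatcher is a reduced model of the pam.conf(5) action semantics
(ok/done/bad/die/ignore/reset and integer jumps); module return codes are
supplied by the caller, nothing here talks to winbindd or the real PAM
library.
"""
import re

# PAM return codes used below, named as in <security/_pam_types.h>.
PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_IGNORE = "PAM_IGNORE"
PAM_PERM_DENIED = "PAM_PERM_DENIED"

# Keyword controls, expanded as pam.conf(5) documents them.
KEYWORD_CONTROLS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# The auth section of the poster's system-auth, with the wrapped lines
# joined (constructed from the message above; other sections omitted).
SYSTEM_AUTH_AUTH = """
auth required pam_env.so
auth requisite pam_faillock.so preauth
auth [success=2 default=ignore] pam_winbind.so try_first_pass
auth [success=1 new_authtok_reqd=1 ignore=ignore default=bad] pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail
"""

LINE_RE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")


def parse_stack(text, mtype="auth"):
    """Return [(label, control)] for lines of management type mtype; label is
    'module args...' as written, control a {return-code-key: action} dict."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable PAM line: %r" % line)
        typ, ctrl, module, args = m.groups()
        if typ.lstrip("-") != mtype:
            continue
        if ctrl.startswith("["):
            control = dict(kv.split("=", 1) for kv in ctrl[1:-1].split())
        else:
            control = KEYWORD_CONTROLS[ctrl]
        stack.append((" ".join([module, args]).strip(), control))
    return stack


def action_for(control, retval):
    """Map a return code to its action: the keys are the PAM_ constants
    lower-cased without the prefix; unlisted codes use 'default', and with
    no default Linux-PAM treats them as 'bad'."""
    key = retval[len("PAM_"):].lower()
    return control.get(key, control.get("default", "bad"))


def run_stack(stack, results):
    """Walk the stack.  results maps a label ('pam_faillock.so authfail') or a
    bare module name ('pam_winbind.so') to the code that module returns;
    unlisted modules are taken to return PAM_SUCCESS.  Returns
    (final status, labels of the modules actually invoked)."""
    impression = None          # None = undefined, True = positive, False = negative
    status = PAM_PERM_DENIED
    trace = []
    i = 0
    while i < len(stack):
        label, control = stack[i]
        module = label.split()[0]
        retval = results.get(label, results.get(module, PAM_SUCCESS))
        action = action_for(control, retval)
        trace.append(label)
        i += 1
        if action == "ignore":
            continue
        if action in ("ok", "done") or action.isdigit():
            # A positive result only counts while no failure has been recorded.
            if impression is None or (impression and status == PAM_SUCCESS):
                if retval != PAM_IGNORE:
                    impression, status = True, retval
            if action == "done" and impression:
                break
            if action.isdigit():       # 'N' == ok plus skip the next N modules
                i += int(action)
        elif action in ("bad", "die"):
            # The first failure wins; later modules cannot overwrite it.
            if impression is not False:
                impression, status = False, retval
            if action == "die":
                break
        elif action == "reset":
            impression, status = None, PAM_PERM_DENIED
        else:
            raise ValueError("unknown action %r" % action)
    if impression is None:             # nothing decided: Linux-PAM denies
        status = PAM_PERM_DENIED
    return status, trace


if __name__ == "__main__":
    stack = parse_stack(SYSTEM_AUTH_AUTH)
    scenarios = {                      # assumed return codes, for illustration
        "winbind offline, cached creds accepted": {"pam_winbind.so": PAM_SUCCESS},
        "winbind rejects, local password ok":     {"pam_winbind.so": PAM_AUTH_ERR},
        "both reject":                            {"pam_winbind.so": PAM_AUTH_ERR,
                                                   "pam_unix.so": PAM_AUTH_ERR},
        "faillock preauth reports a lock":        {"pam_faillock.so preauth": PAM_AUTH_ERR},
    }
    for name, results in scenarios.items():
        status, trace = run_stack(stack, results)
        print("%-40s -> %-15s via %s" % (name, status, " > ".join(trace)))
```

Running it shows the two things worth checking in a config like this: a winbind success never reaches `pam_faillock.so authfail` (the `success=2` jump skips it, which is intended), and a winbind rejection does not fail the stack on its own, so the decision rests with pam_unix and the `die` on faillock. Swap the control fields and re-run to see which paths change before editing the live file.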
