[Samba] pam_winbind Appears to need a Network Connection to Succeed at Offline Authentication

Wed Nov 27 16:52:14 UTC 2024

On 11/27/24 11:39, John R. Graham wrote:
> On 11/27/24 11:10, Rowland Penny via samba wrote:
>> I am not having a good day, I now seem to have replied to the wrong
>> thread :-(
>>
>> Lets try again:
>>
>> If I remember correctly, this is on Gentoo, Debian sets up PAM for you,
>> so can we see your PAM config files. Putting winbindd (or is it winbind
>> ?) offline is supposed to be the same as pulling the ethernet cable or
>> the network going down, it should move to a cache (provided the user
>> has logged in at least once.
>>
>> Rowland
>
Ugh. Expanded tabs version of system-auth file:

     auth required pam_env.so
     auth requisite pam_faillock.so preauth
     auth        [success=2 
default=ignore]                                  pam_winbind.so 
try_first_pass
     auth        [success=1 new_authtok_reqd=1 ignore=ignore 
default=bad]    pam_unix.so nullok try_first_pass
     auth [default=die] pam_faillock.so authfail

     account     [default=bad success=ok 
user_unknown=ignore]                pam_winbind.so
     account required pam_unix.so
     account required pam_faillock.so

     password required pam_passwdqc.so config=/etc/security/passwdqc.conf
     password required pam_unix.so try_first_pass use_authtok nullok 
sha512 shadow
     password sufficient pam_winbind.so use_authtok

     session required pam_limits.so
     session required pam_env.so
     session required pam_unix.so