[Samba] pam_winbind Appears to need a Network Connection to Succeed at Offline Authentication
Rowland Penny
rpenny at samba.org
Wed Nov 27 17:38:30 UTC 2024
On Wed, 27 Nov 2024 11:52:14 -0500
"John R. Graham via samba" <samba at lists.samba.org> wrote:
> On 11/27/24 11:39, John R. Graham wrote:
> > On 11/27/24 11:10, Rowland Penny via samba wrote:
> >> I am not having a good day, I now seem to have replied to the wrong
> >> thread :-(
> >>
> >> Let's try again:
> >>
> >> If I remember correctly, this is on Gentoo, Debian sets up PAM for
> >> you, so can we see your PAM config files. Putting winbindd (or is
> >> it winbind ?) offline is supposed to be the same as pulling the
> >> ethernet cable or the network going down, it should move to a
> >> cache (provided the user has logged in at least once).
> >>
> >> Rowland
> >
> Ugh. Expanded tabs version of system-auth file:
>
> auth required pam_env.so
> auth requisite pam_faillock.so preauth
> auth [success=2 default=ignore] pam_winbind.so try_first_pass
> auth [success=1 new_authtok_reqd=1 ignore=ignore default=bad] pam_unix.so nullok try_first_pass
> auth [default=die] pam_faillock.so authfail
>
> account [default=bad success=ok user_unknown=ignore] pam_winbind.so
> account required pam_unix.so
> account required pam_faillock.so
>
> password required pam_passwdqc.so config=/etc/security/passwdqc.conf
> password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow
> password sufficient pam_winbind.so use_authtok
>
> session required pam_limits.so
> session required pam_env.so
> session required pam_unix.so
>
Hmm, PAM on Gentoo appears to be very different to Debian. For
instance on Debian, to include lines from another file you use
'@include' and it includes the entire contents of the file, Gentoo
appears to just include the lines referred to in the first column,
which, if correct, means that your PAM stack for sshd is this:
auth required pam_shells.so
auth required pam_nologin.so
auth required pam_env.so
auth requisite pam_faillock.so preauth
account required pam_access.so
account required pam_nologin.so
account required pam_time.so
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_unix.so
account required pam_faillock.so
password required pam_passwdqc.so config=/etc/security/passwdqc.conf
password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password sufficient pam_winbind.so use_authtok
session optional pam_loginuid.so
session required pam_env.so envfile=/etc/profile.env
session optional pam_lastlog.so silent
session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session optional pam_motd.so motd=/etc/motd
session optional pam_mail.so
-session optional pam_elogind.so
Compare it with the Debian stack:
auth [success=2 default=ignore] pam_unix.so nullok
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
account required pam_nologin.so
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
account requisite pam_deny.so
account required pam_permit.so
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
session optional pam_winbind.so
session optional pam_elogind.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
session optional pam_mail.so standard noenv
session required pam_limits.so
session required pam_env.so
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
password [success=2 default=ignore] pam_unix.so obscure yescrypt
password [success=1 default=ignore] pam_winbind.so try_authtok try_first_pass
password requisite pam_deny.so
password required pam_permit.so
password optional pam_gnome_keyring.so
NOTE: I have cut & pasted a few files together to get the above.
I haven't used Gentoo for years, mostly because I do not want to spend
hours setting up an OS, but I can understand others that want to.
Can I suggest an idea, install Debian bookworm in a VM, use Samba from
backports and then after you get it working, you can compare a working
Unix domain member with your nearly working Gentoo one.
Rowland
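Added example (not from the thread or from Samba itself): a small checker that parses a PAM stack the way the two stacks above are laid out, keeping bracketed control fields such as "[success=2 default=ignore]" intact, and reports whether the pam_winbind auth line carries the "cached_login" option that the Debian stack has and the Gentoo one lacks. It also checks a constructed smb.conf fragment for "winbind offline logon = yes", which pam_winbind's cached_login relies on. The sample stacks and smb.conf text are constructed from the lines quoted in the thread.

```python
import re

# Constructed sample: the Gentoo-style auth stack from the thread (no cached_login).
GENTOO_AUTH = """\
auth required pam_env.so
auth requisite pam_faillock.so preauth
auth [success=2 default=ignore] pam_winbind.so try_first_pass
auth [success=1 new_authtok_reqd=1 ignore=ignore default=bad] pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail
"""

# Constructed sample: the Debian auth stack from the thread (cached_login present).
DEBIAN_AUTH = """\
auth [success=2 default=ignore] pam_unix.so nullok
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""

# Constructed smb.conf fragment; the parameter name is real, the rest is illustrative.
SMB_CONF = "[global]\n   security = ADS\n   winbind offline logon = yes\n"

# type, control (either one word or a bracketed list that may contain spaces), module, args
PAM_LINE = re.compile(r"^(?P<type>-?\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$")


def parse_pam(text):
    """Parse a PAM stack into dicts; a plain split() would break on bracketed controls."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PAM_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        entries.append({"type": m["type"].lstrip("-"), "control": m["control"],
                        "module": m["module"], "args": m["args"].split()})
    return entries


def winbind_cached_login(pam_text):
    """True iff an auth-type pam_winbind line carries cached_login."""
    return any(e["type"] == "auth" and e["module"].startswith("pam_winbind")
               and "cached_login" in e["args"] for e in parse_pam(pam_text))


def smb_offline_logon(smb_text):
    """True iff smb.conf enables 'winbind offline logon' (Samba ignores case/spaces in names)."""
    for raw in smb_text.splitlines():
        line = raw.strip()
        if line.startswith(("#", ";")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if re.sub(r"\s+", "", key).lower() == "winbindofflinelogon":
            return value.strip().lower() in ("yes", "true", "1")
    return False


def offline_auth_ready(pam_text, smb_text):
    """Both halves must be in place for pam_winbind to authenticate from its cache."""
    return winbind_cached_login(pam_text) and smb_offline_logon(smb_text)
```

Run the checker against /etc/pam.d/system-auth (or the included file) and /etc/samba/smb.conf of the misbehaving host; a False from either half explains why a pulled cable still fails authentication.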