[Samba] pam_winbind Appears to need a Network Connection to Succeed at Offline Authentication

Rowland Penny rpenny at samba.org
Wed Nov 27 17:38:30 UTC 2024


On Wed, 27 Nov 2024 11:52:14 -0500
"John R. Graham via samba" <samba at lists.samba.org> wrote:

> On 11/27/24 11:39, John R. Graham wrote:
> > On 11/27/24 11:10, Rowland Penny via samba wrote:
> >> I am not having a good day, I now seem to have replied to the wrong
> >> thread :-(
> >>
> >> Let's try again:
> >>
> >> If I remember correctly, this is on Gentoo, Debian sets up PAM for
> >> you, so can we see your PAM config files. Putting winbindd (or is
> >> it winbind ?) offline is supposed to be the same as pulling the
> >> ethernet cable or the network going down, it should move to a
> >> cache (provided the user has logged in at least once).
> >>
> >> Rowland
> >
> Ugh. Expanded tabs version of system-auth file:
> 
>      auth required pam_env.so
>      auth requisite pam_faillock.so preauth
>      auth        [success=2 default=ignore]                                  pam_winbind.so try_first_pass
>      auth        [success=1 new_authtok_reqd=1 ignore=ignore default=bad]    pam_unix.so nullok try_first_pass
>      auth [default=die] pam_faillock.so authfail
> 
>      account     [default=bad success=ok user_unknown=ignore]                pam_winbind.so
>      account required pam_unix.so
>      account required pam_faillock.so
> 
>      password required pam_passwdqc.so config=/etc/security/passwdqc.conf
>      password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow
>      password sufficient pam_winbind.so use_authtok
> 
>      session required pam_limits.so
>      session required pam_env.so
>      session required pam_unix.so
> 

Hmm, PAM on Gentoo appears to be very different to Debian. For
instance on Debian, to include lines from another file you use
'@include' and it includes the entire contents of the file, Gentoo
appears to just include the lines referred to in the first column,
which, if correct, means that your PAM stack for sshd is this:

     auth	required	pam_shells.so
     auth	required	pam_nologin.so
     auth	required	pam_env.so
     auth	requisite	pam_faillock.so preauth

     account	required	pam_access.so
     account	required	pam_nologin.so
     account	required	pam_time.so
     account	[default=bad success=ok user_unknown=ignore] pam_winbind.so
     account	required	pam_unix.so
     account	required	pam_faillock.so

     password	required	pam_passwdqc.so config=/etc/security/passwdqc.conf
     password	required	pam_unix.so try_first_pass use_authtok nullok sha512 shadow
     password	sufficient	pam_winbind.so use_authtok

     session	optional	pam_loginuid.so
     session	required	pam_env.so envfile=/etc/profile.env
     session	optional	pam_lastlog.so silent
     session	required	pam_limits.so
     session	required	pam_env.so
     session	required	pam_unix.so
     session	optional	pam_motd.so motd=/etc/motd
     session	optional	pam_mail.so
     -session	optional	pam_elogind.so

Compare it with the Debian stack:

auth	[success=2 default=ignore]	pam_unix.so nullok
auth	[success=1 default=ignore]	pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth	requisite			pam_deny.so
auth	required			pam_permit.so
auth	optional			pam_cap.so 

account    required     pam_nologin.so
account	[success=2 new_authtok_reqd=done default=ignore]	pam_unix.so 
account	[success=1 new_authtok_reqd=done default=ignore]	pam_winbind.so 
account	requisite			pam_deny.so
account	required			pam_permit.so

session    required     pam_loginuid.so
session    optional     pam_keyinit.so force revoke
session	[default=1]			pam_permit.so
session	requisite			pam_deny.so
session	required			pam_permit.so
session	required	pam_unix.so 
session	optional			pam_winbind.so 
session	optional			pam_elogind.so 
session    required   pam_mkhomedir.so skel=/etc/skel/ umask=0022
session    optional     pam_motd.so  motd=/run/motd.dynamic
session    optional     pam_motd.so noupdate
session    optional     pam_mail.so standard noenv
session    required     pam_limits.so
session    required     pam_env.so
session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale

password	[success=2 default=ignore]	pam_unix.so obscure yescrypt
password	[success=1 default=ignore]	pam_winbind.so try_authtok try_first_pass
password	requisite			pam_deny.so
password	required			pam_permit.so
password	optional	pam_gnome_keyring.so 

NOTE: I have cut & pasted a few files together to get the above.

I haven't used Gentoo for years, mostly because I do not want to spend
hours setting up an OS, but I can understand others that want to.

Can I suggest an idea: install Debian bookworm in a VM, use Samba from
backports, and then after you get it working you can compare a working
Unix domain member with your nearly working Gentoo one.

Rowland
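As an added example (not from the thread or from Samba itself), a small Python checker that parses PAM stack lines, including the bracketed control syntax used in both stacks above, and reports whether a service's auth stack consults pam_winbind.so at all and whether that entry carries the cached_login option, which pam_winbind needs before it will accept a logon from the winbindd credential cache (together with `winbind offline logon = yes` in smb.conf). The two embedded stacks are constructed from the configs posted above.

```python
import re

# type, control ("required" or "[success=1 default=ignore]"), module, options
PAM_LINE = re.compile(r'^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$')

def parse_pam(text):
    """Parse PAM stack text into (type, control, module, [options]) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue  # blank or comment line
        m = PAM_LINE.match(line)
        if not m:
            raise ValueError(f'unparseable PAM line: {line!r}')
        mtype, control, module, opts = m.groups()
        # a leading '-' only suppresses logging when the module is missing
        entries.append((mtype.lstrip('-'), control, module, opts.split()))
    return entries

def winbind_findings(text):
    """Return findings about pam_winbind offline-logon readiness; [] means OK."""
    entries = parse_pam(text)
    auth_winbind = [e for e in entries
                    if e[0] == 'auth' and e[2] == 'pam_winbind.so']
    if not auth_winbind:
        return ['auth stack never calls pam_winbind.so: domain users cannot '
                'authenticate through this service, online or offline']
    return ['pam_winbind.so auth entry lacks cached_login: logons from the '
            'winbindd credential cache are disabled while it is offline'
            for _, _, _, opts in auth_winbind if 'cached_login' not in opts]

# Constructed sample: the sshd auth/account stack as reconstructed for Gentoo
GENTOO_SSHD = """\
auth     required    pam_env.so
auth     requisite   pam_faillock.so preauth
account  [default=bad success=ok user_unknown=ignore] pam_winbind.so
account  required    pam_unix.so
"""

# Constructed sample: the Debian auth stack quoted above
DEBIAN_AUTH = """\
auth  [success=2 default=ignore]  pam_unix.so nullok
auth  [success=1 default=ignore]  pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth  requisite  pam_deny.so
auth  required   pam_permit.so
"""

if __name__ == '__main__':
    print(winbind_findings(GENTOO_SSHD), winbind_findings(DEBIAN_AUTH))
```

Run against the Gentoo system-auth file posted earlier in the thread, the checker would also flag its pam_winbind auth line, which has try_first_pass but no cached_login.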