[Samba] pam_winbind Appears to need a Network Connection to Succeed at Offline Authentication
John R. Graham
john at graham-family.org
Fri Nov 29 18:12:43 UTC 2024
On 11/29/24 13:03, John R. Graham via samba wrote:
> On 11/27/24 13:20, John R. Graham via samba wrote:
>> On 11/27/24 12:38, Rowland Penny via samba wrote:
>>>> Hmm, PAM on Gentoo appears to be very different to Debian. For
>>>> instance on Debian, to include lines from another file you use
>>>> '@include' and it includes the entire contents of the file, Gentoo
>>>> appears to just include the lines referred to in the first column,
>>>> which, if correct, means that your PAM stack for sshd is this:
>>>> ...
>> You've interpreted it correctly. Incidentally, that "module_name
>> include" syntax has been part of PAM since at least 2010 (which is
>> the date on the latest PAM Administrators' Guide). I surmise that the
>> @include syntax is older--and now deprecated, as it isn't described
>> in the guide. But, momentum, I guess.
>>>>
>>>> Can I suggest an idea, install Debian bookworm in a VM, use Samba from
>>>> backports and then after you get it working, you can compare a working
>>>> Unix domain member with your nearly working Gentoo one.
>> Let me study what you've provided first and, if I can't get it
>> working, I'll try your suggestion before I write back. Thank you so
>> much for taking the time to synthesize that.
>>
> I think I may have found something, but I need to ask a question. It
> appears that libnss_winbind.so.2 communicates with winbindd to do its
> job, so shouldn't it honor winbindd's offline status? It appears that
> it may not be--and it appears that that may be a bug. It seems central
> to my offline authentication issue that
>
> terra ~ # getent passwd SAMDOM\\jgraham
> [29645]: getpwnam_r SAMDOM\jgraham
> [29645]: getpwnam SAMDOM\jgraham returns NSS_STATUS_SUCCESS (1)
> SAMDOM\jgraham:*:10000:11001:John Graham:/home/jgraham:/bin/bash
>
> works when the network interface is up, but when the network interface
> is down,
>
> terra ~ # getent passwd SAMDOM\\jgraham
> [ 4156]: getpwnam_r SAMDOM\jgraham
> [ 4156]: getpwnam SAMDOM\jgraham returns NSS_STATUS_UNAVAIL (-1)
>
> does not. (I rebuilt winbind_nss_linux.c with the DEBUG_NSS symbol
> defined to get the messages depicted above.)
>
> - John
>
My question was somewhat poorly phrased. What I meant was, shouldn't
winbindd use its own offline status to trigger servicing
libnss_winbind.so.2's requests from cached information?
- John