Kees van Vloten
2023-May-31 09:05 UTC
[Samba] PAM Offline Authentication in Ubuntu 22.04...
On 31-05-2023 at 10:28, Rowland Penny via samba wrote:
>
> On 31/05/2023 08:54, Marco Gaiarin via samba wrote:
>> Mandi! Rowland Penny via samba
>>   In chel di` si favelave...
>>
>>> Is there any way that Ubuntu can stop destroying the user's kerberos
>>> ticket in /tmp at logout ?
>>> I am fairly sure it is required for winbind offline logon.
>>
>> ...the strange thing is that I'm not forced to logoff to trigger the
>> problem: as just stated, it suffices to:
>>
>> 1) logon (connected)
>> 2) shut off the wireless (so, disconnected)
>> 3) open a terminal, took 5 minutes to present the bash shell prompt with
>>    an 'unknown user' prompt.
>>
>> I'm looking at a way to move kerberos ticket file out from /tmp, but
>> still does not seem that.
>>
>
> I was forced to stop at the point where I discovered that the user's
> ticket disappeared from /tmp
>
> Coming back to it this morning, I discovered that the ticket
> disappearing is a red herring, winbind offline logon is working
> without the ticket.
>
> Your problem isn't that winbind offline logon isn't working, it is
> something else instead.
>
> There is a big clue in the name 'winbind offline logon', it is a
> process that allows 'winbind' when 'offline' to authenticate users and
> allow them to 'logon'
>
> Is it possible that something in your setup is trying to connect (and
> authenticate) to something external ?
>
> Rowland
>

If I remember it correctly the issue I had was related to winbind_nss not responding when offline / disconnected, so indeed not related to kerberos.

- Kees.

On 31/05/2023 10:05, Kees van Vloten via samba wrote:
>
> If I remember it correctly the issue I had was related to winbind_nss not
> responding when offline / disconnected, so indeed not related to kerberos.
>
> - Kees.
>

Indeed, I have now done this three times, on Debian 11 with lightdm, on Debian 11 with gdm3 and on Ubuntu 22.04 with gdm3. In all three cases, 'winbind offline logon' does what it says on the tin, it allows a user that has logged on previously to logon to a computer that is offline.

If there are problems on a computer where a user is logged on when the internet connection goes down, then that is, in my opinion, nothing to do with winbind offline logon and needs further investigation.

Rowland