Having issues adapting our 3.4 configuration that worked very well using idmap
rid in 3.3.
It seems like winbind does not cache the credentials despite all of the settings
being present. I can set winbind offline via smbcontrol and have it work, but if
I reboot the machine (important for my laptops) off the network winbind
complains that it can't find the logon server.
When disconnected and booted cold off the network, logon reports no logon
server.
Testing with wbinfo -K while offline:
wbinfo -K bry47927
Enter bry47927's password:
plaintext kerberos password authentication for [bry47927] succeeded (requesting cctype: FILE)
user_flgs: NETLOGON_CACHED_ACCOUNT
no credentials cached
Not sure why this works but regular logon does not.
Samba config:
This configuration works fine connected to the LAN. But, having to digest more
than a year's worth of changes and updates, I'm not sure if the idmap
settings are really correct.
[global]
workgroup = AES
realm = AES.DE.ITTIND.COM
server string = Samba Server Version %v
security = ADS
password server = 2008dc
log file = /var/log/samba/log.%m
max log size = 50
enable core files = No
idmap backend = tdb
idmap uid = 800 - 9999
idmap gid = 800 - 9999
# idmap domains = BUILTIN, AES
# idmap config AES: default = yes
idmap config AES: backend = rid
template shell = /bin/bash
winbind use default domain = Yes
winbind offline logon = Yes
idmap config AES : range = 100000 - 900000
cups options = raw
pam settings:
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_winbind.so cached_login use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 minlen=12 dcredit=1 ucredit=1 lcredit=1 ocredit=1
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password sufficient pam_winbind.so cached_login use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
pam_winbind.conf:
[global]
# turn on debugging
;debug = no
# turn on extended PAM state debugging
;debug_state = no
# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
cached_login = yes
# authenticate using kerberos
;krb5_auth = yes
# when using kerberos, request a "FILE" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
;krb5_ccache_type = file
nsswitch.conf:
passwd: files winbind
shadow: files winbind
group: files winbind
Phillip Bryant - ABQ IT Site Lead
5901 Indian School Rd NE
ph# 505-889-7016
cell# 505-385-8668
RHCT/RHCE RHEL 5 ID#805009017938113
MCSE NT4.0, 2000, 2003, 2008 MCP ID#1150956
MCTS Windows 7, Windows Server 2008 Enterprise
MCP+I
MCP
________________________________
This e-mail and any files transmitted with it may be proprietary and are
intended solely for the use of the individual or entity to whom they are
addressed. If you have received this e-mail in error please notify the sender.
Please note that any views or opinions presented in this e-mail are solely those
of the author and do not necessarily represent those of ITT Corporation. The
recipient should check this e-mail and any attachments for the presence of
viruses. ITT accepts no liability for any damage caused by any virus transmitted
by this e-mail.
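A small consistency check for the three places this post's cached-logon setup depends on (smb.conf, pam_winbind.conf and the PAM stack), as an added example that is not from the thread; the config excerpts are constructed from the post and the settings it quotes, not read from a live host.

```python
"""Lint: is winbind cached (offline) logon wired up consistently?  The thread's
pam_winbind.conf comment ties cached_login to 'winbind offline logon = yes' in
smb.conf; the PAM stack must also pass cached_login to pam_winbind.so.
Added example; the sample configs below are constructed from the thread."""
import re
_PAM_LINE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")

def parse_ini(text):
    """Key/value pairs from smb.conf or pam_winbind.conf ('#' and ';' comment);
    keys lower-cased with whitespace collapsed, values lower-cased."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, val = line.split("=", 1)
        opts[" ".join(key.lower().split())] = val.strip().lower()
    return opts

def parse_pam(text):
    """(type, control, module, [options]) per PAM line; control may be [bracketed]."""
    out = []
    for raw in text.splitlines():
        m = _PAM_LINE.match(raw.strip())
        if m:
            out.append((m.group(1), m.group(2), m.group(3), m.group(4).split()))
    return out

def offline_logon_findings(smb_conf, pam_winbind_conf, pam_stack):
    """Return a list of problems; an empty list means cached logon is wired up."""
    yes = ("yes", "true", "1")
    findings = []
    if parse_ini(smb_conf).get("winbind offline logon") not in yes:
        findings.append("smb.conf: 'winbind offline logon = yes' missing")
    if parse_ini(pam_winbind_conf).get("cached_login") not in yes:
        findings.append("pam_winbind.conf: 'cached_login = yes' missing")
    for typ, _ctrl, mod, opts in parse_pam(pam_stack):
        if mod == "pam_winbind.so" and typ in ("auth", "account") and "cached_login" not in opts:
            findings.append(f"pam {typ}: pam_winbind.so lacks cached_login")
    return findings

# Constructed excerpts mirroring the poster's files ...
SMB_CONF = "[global]\n security = ADS\n winbind offline logon = Yes\n"
PAM_WINBIND_CONF = "[global]\n;krb5_auth = yes\ncached_login = yes\n"
PAM_STACK = """auth sufficient pam_winbind.so cached_login use_first_pass
account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
"""
# ... and a weak variant: cached_login left commented out in pam_winbind.conf.
WEAK_PAM_WINBIND_CONF = "[global]\n;cached_login = yes\n"
```

Run `offline_logon_findings(SMB_CONF, PAM_WINBIND_CONF, PAM_STACK)` for the poster's settings (no findings) and with `WEAK_PAM_WINBIND_CONF` to see the one missing piece reported.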
Did you check the release notes for 3.4? I have the same config (cached_login) as you and it works fine on 3.2.

On Fri, Apr 16, 2010 at 5:17 PM, Bryant, Phillip - IS <Phillip.Bryant at itt.com> wrote: