Rowland Penny
2019-Jan-28 12:20 UTC
[Samba] Winbind, cached logons and 'user persistency'...
On Mon, 28 Jan 2019 12:52:45 +0100
Marco Gaiarin via samba <samba@lists.samba.org> wrote:

> Hello! Rowland Penny via samba
> On that day, wrote...
>
> > > Strictly speaking, why does winbind cache ''PAM'' data and not ''NSS''
> > > data (it seems to me)?
> > The problem is (for myself anyway), I do not understand the
> > difference between 'PAM' and 'NSS' data.
>
> 'PAM' is the authorization scenario (eg, «user X uses the correct
> password»), while 'NSS' enables the system to 'see' the user (eg, «user X
> exists in the system»).

Now this is what I do not understand, my understanding is that 'PAM' is
used to find the correct authentication system and 'NSS' just connects
to that authentication system.

For instance, in /etc/pam.d/common-auth I have:

auth [success=3 default=ignore] pam_krb5.so minimum_uid=10000
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass

And /etc/nsswitch.conf has these two lines:

passwd: compat winbind
group: compat winbind

This is on my laptop and I have 'winbind offline logon = yes' set in
smb.conf

If I go anywhere (away from the domain), I can still log into the
laptop as my domain user, read and save files etc. All files are saved
as the domain user and when I do re-connect to the domain, it is as if I
haven't been anywhere.

> It makes really little sense to me to have an 'offline' system that can
> answer the first question but not the second... also because if
> the user is not known to the underlying system, there's no credential to
> check.

You seem to be doing something wrong ;-)

> 'nscd' does NSS offline cache, but if I remember well all the samba experts
> here suggest not to use winbind and nscd together (
> https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting
> «You should also ensure that nscd is not installed, it will interfere
> with winbind.»)

Not entirely true that you cannot run nscd with winbind, you just have
to stop nscd caching everything that winbind does and by the time you
do that, there isn't much left.

> There's a more general approach, really offline (nss_updatedb,
> https://www.padl.com/OSS/nss_updatedb.html) but it seems overkill here.

Well, mainly because that will do what winbind is already doing.

> I think that, to be effective, winbind has to be some sort of 'NSS
> cache', and it seems to me this is not.
> 'nscd' can provide a simple and effective NSS cache, but 'interferes with
> winbind'.

I think the time has come to ask, what isn't working if you disconnect
from the domain e.g. walk away with a laptop, also why is it not
working, what can it not find?

Rowland
Marco Gaiarin
2019-Jan-29 17:47 UTC
[Samba] Winbind, cached logons and 'user persistency'...
Hello! Rowland Penny via samba
On that day, wrote...

> Now this is what I do not understand, my understanding is that 'PAM' is
> used to find the correct authentication system and 'NSS' just connects
> to that authentication system.

No. NSS, roughly, 'extends the user database':

https://www.gnu.org/software/libc/manual/html_node/Name-Service-Switch.html

> For instance, in /etc/pam.d/common-auth I have:
> auth [success=3 default=ignore] pam_krb5.so minimum_uid=10000
> auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
> auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass

Putting 'cached_login' here is the same as putting:

[global]
cached_login = yes

in /etc/security/pam_winbind.conf .

> If I go anywhere (away from the domain), I can still log into the
> laptop as my domain user, read and save files etc. All files are saved
> as the domain user and when I do re-connect to the domain, it is as if I
> haven't been anywhere.

This is what I supposed would work for me too. Seems not.

Do you also have your user in /etc/passwd? O;-)

> You seem to be doing something wrong ;-)

Probably. But I don't understand what.

Authentication works as expected:

root@vdmsv2:~# wbinfo -K LNFFVG\\gaio
Enter LNFFVG\gaio's password:
plaintext kerberos password authentication for [LNFFVG\gaio] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0
root@vdmsv2:~# smbcontrol winbind offline
root@vdmsv2:~# wbinfo -K LNFFVG\\gaio
Enter LNFFVG\gaio's password:
plaintext kerberos password authentication for [LNFFVG\gaio] succeeded (requesting cctype: FILE)
user_flgs: NETLOGON_CACHED_ACCOUNT
credentials were put in: FILE:/tmp/krb5cc_0

A simple 'getent' seems to work:

root@vdmsv2:~# getent passwd LNFFVG\\gaio; smbcontrol winbind offline; sleep 65; getent passwd LNFFVG\\gaio; smbcontrol winbind online
gaio:*:10000:10513:Marco Gaiarin:/home/gaio:/bin/bash
gaio:*:10000:10513:Marco Gaiarin:/home/gaio:/bin/bash

But, as I just stated, if I disconnect the DM from the DC for more than a
minute, NSS starts to reply that the user does not exist (it seems so).

[nscd and winbind]
> Not entirely true that you cannot run nscd with winbind, you just have
> to stop nscd caching everything that winbind does and by the time you
> do that, there isn't much left.

Ahem, sorry, I've not understood you...

> I think the time has come to ask, what isn't working if you disconnect
> from the domain e.g. walk away with a laptop, also why is it not
> working, what can it not find?

Ahem, again I've not understood...

But, clearly, I've found that 'exim' replies 'user not found', so
probably winbind effectively caches the data, but in a way that exim does
not find... seems REALLY strange...

-- 
dott. Marco Gaiarin                                    GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
Rowland Penny
2019-Jan-29 18:25 UTC
[Samba] Winbind, cached logons and 'user persistency'...
On Tue, 29 Jan 2019 18:47:45 +0100
Marco Gaiarin via samba <samba@lists.samba.org> wrote:

> Hello! Rowland Penny via samba
> On that day, wrote...
>
> > Now this is what I do not understand, my understanding is that
> > 'PAM' is used to find the correct authentication system and 'NSS'
> > just connects to that authentication system.
>
> No. NSS, roughly, 'extends the user database':
> https://www.gnu.org/software/libc/manual/html_node/Name-Service-Switch.html
>

Your meaning and my meaning, roughly mean the same ;-)

> > For instance, in /etc/pam.d/common-auth I have:
> > auth [success=3 default=ignore] pam_krb5.so minimum_uid=10000
> > auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
> > auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
>
> Putting 'cached_login' here is the same as putting:
>
> [global]
> cached_login = yes
>
> in /etc/security/pam_winbind.conf .

I do not even have that file.

> > If I go anywhere (away from the domain), I can still log into the
> > laptop as my domain user, read and save files etc. All files are
> > saved as the domain user and when I do re-connect to the domain, it
> > is as if I haven't been anywhere.
>
> This is what I supposed would work for me too. Seems not.
>
> Do you also have your user in /etc/passwd? O;-)

No, you cannot have a user in /etc/passwd and AD.

> > You seem to be doing something wrong ;-)
>
> Probably. But I don't understand what.
>
> Authentication works as expected:
>
> root@vdmsv2:~# wbinfo -K LNFFVG\\gaio
> Enter LNFFVG\gaio's password:
> plaintext kerberos password authentication for [LNFFVG\gaio] succeeded (requesting cctype: FILE)
> credentials were put in: FILE:/tmp/krb5cc_0
> root@vdmsv2:~# smbcontrol winbind offline
> root@vdmsv2:~# wbinfo -K LNFFVG\\gaio
> Enter LNFFVG\gaio's password:
> plaintext kerberos password authentication for [LNFFVG\gaio] succeeded (requesting cctype: FILE)
> user_flgs: NETLOGON_CACHED_ACCOUNT
> credentials were put in: FILE:/tmp/krb5cc_0
>
> A simple 'getent' seems to work:
>
> root@vdmsv2:~# getent passwd LNFFVG\\gaio; smbcontrol winbind offline; sleep 65; getent passwd LNFFVG\\gaio; smbcontrol winbind online
> gaio:*:10000:10513:Marco Gaiarin:/home/gaio:/bin/bash
> gaio:*:10000:10513:Marco Gaiarin:/home/gaio:/bin/bash

That all works for myself.

> But, as I just stated, if I disconnect the DM from the DC for more than a
> minute, NSS starts to reply that the user does not exist (it seems so).
>

There must be some reason for this, what is in /etc/nsswitch.conf?
Do you have libpam-winbind libnss-winbind libpam-krb5 installed?

> [nscd and winbind]
> > Not entirely true that you cannot run nscd with winbind, you just
> > have to stop nscd caching everything that winbind does and by the
> > time you do that, there isn't much left.
>
> Ahem, sorry, I've not understood you...

nscd caches certain things, as does winbind. If you want to run nscd
with winbind, you need to stop nscd caching the things that winbind
does; when you do this, nscd isn't caching very much, so you might as
well not use it.

> > I think the time has come to ask, what isn't working if you
> > disconnect from the domain e.g. walk away with a laptop, also why
> > is it not working, what can it not find?
>
> Ahem, again I've not understood...
>

That basically says 'why isn't it working for you'.
Have you tried turning up the Samba logging and seeing if anything
'pops' out?

> But, clearly, I've found that 'exim' replies 'user not found', so
> probably winbind effectively caches the data, but in a way that exim does
> not find... seems REALLY strange...

AH, how does 'exim' look for the user?

Rowland
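The thread boils down to three settings that have to agree before a domain member can keep resolving and authenticating a domain user while the DC is unreachable: 'winbind' on the passwd and group lines of /etc/nsswitch.conf, 'winbind offline logon = yes' in smb.conf, and 'cached_login' on the pam_winbind line (or, as Marco notes, in /etc/security/pam_winbind.conf). The following checker is an added example written for this page, not code from the thread or from the Samba project. The sample configuration strings are constructed from the lines quoted above; the function names, the finding texts and the assumption that both smb.conf and pam_winbind.conf keep the setting under a [global] section are mine.

```python
import re

# Constructed sample inputs, modelled on the lines quoted in the thread.
NSSWITCH_OK = "passwd:   compat winbind\ngroup:    compat winbind\nshadow:   compat\n"
NSSWITCH_NO_WINBIND = "passwd: compat\ngroup: compat\n"
COMMON_AUTH_OK = (
    "auth [success=3 default=ignore] pam_krb5.so minimum_uid=10000\n"
    "auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass\n"
    "auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass\n"
    "auth requisite pam_deny.so\n"
)
COMMON_AUTH_NO_CACHE = COMMON_AUTH_OK.replace(" cached_login", "")
SMB_CONF_OK = "[global]\n   workgroup = LNFFVG\n   winbind offline logon = yes\n"
SMB_CONF_NO_OFFLINE = "[global]\n   workgroup = LNFFVG\n"
PAM_WINBIND_CONF_CACHE = "[global]\ncached_login = yes\n"   # hypothetical /etc/security/pam_winbind.conf


def _strip_comment(line):
    # nsswitch.conf and PAM use '#', smb.conf additionally accepts ';'
    return re.split(r"[#;]", line, maxsplit=1)[0].strip()


def nss_sources(nsswitch_text, database):
    """Ordered list of sources for one NSS database (e.g. 'passwd'),
    with [status=action] directives and comments removed."""
    for raw in nsswitch_text.splitlines():
        line = _strip_comment(raw)
        if ":" not in line:
            continue
        name, rest = line.split(":", 1)
        if name.strip() == database:
            return re.sub(r"\[[^\]]*\]", " ", rest).split()
    return []


# type, control (either a bare word or a [bracketed] spec), module, options
_PAM_LINE = re.compile(r"^(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def pam_module_options(pam_text, module, pam_type="auth"):
    """Set of options on the first `pam_type` line that stacks `module`,
    or None when the module is not stacked for that type at all."""
    for raw in pam_text.splitlines():
        m = _PAM_LINE.match(_strip_comment(raw))
        if m and m.group(1) == pam_type and m.group(3) == module:
            return set(m.group(4).split())
    return None


def ini_global_bool(ini_text, key):
    """Boolean value of `key` in the [global] section of an smb.conf-style
    file, or None when absent.  Samba ignores case and whitespace in
    parameter names, so 'winbind offline logon' == 'WinbindOfflineLogon'."""
    want = re.sub(r"\s+", "", key).lower()
    section = None
    for raw in ini_text.splitlines():
        line = _strip_comment(raw)
        if line.startswith("["):
            section = line.strip("[]").strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        k, v = line.split("=", 1)
        if re.sub(r"\s+", "", k).lower() == want:
            return v.strip().lower() in ("yes", "true", "1")
    return None


def check_offline_logon(nsswitch, common_auth, smb_conf, pam_winbind_conf=""):
    """Return a list of findings; empty means the member is wired for cached
    logons: NSS can resolve the user and PAM can authenticate it offline."""
    findings = []
    for db in ("passwd", "group"):
        if "winbind" not in nss_sources(nsswitch, db):
            findings.append(f"nsswitch.conf: '{db}' does not list winbind, domain users will not resolve")
    if ini_global_bool(smb_conf, "winbind offline logon") is not True:
        findings.append("smb.conf: 'winbind offline logon = yes' is not set")
    opts = pam_module_options(common_auth, "pam_winbind.so")
    if opts is None:
        findings.append("common-auth: pam_winbind.so is not stacked for auth")
    elif "cached_login" not in opts and ini_global_bool(pam_winbind_conf, "cached_login") is not True:
        findings.append("pam_winbind: cached_login is neither on the auth line nor in pam_winbind.conf")
    return findings


if __name__ == "__main__":
    cases = {
        "laptop as described": (NSSWITCH_OK, COMMON_AUTH_OK, SMB_CONF_OK),
        "winbind missing from nsswitch": (NSSWITCH_NO_WINBIND, COMMON_AUTH_OK, SMB_CONF_OK),
        "cached_login only in pam_winbind.conf": (NSSWITCH_OK, COMMON_AUTH_NO_CACHE, SMB_CONF_OK, PAM_WINBIND_CONF_CACHE),
    }
    for label, args in cases.items():
        print(f"{label}: {check_offline_logon(*args) or 'OK'}")
```

To run it against a real member server, read the three files from /etc and pass their contents to check_offline_logon(); an empty result only says the configuration is consistent, so the getent-before-and-after-'smbcontrol winbind offline' sequence Marco shows is still the test that proves the NSS side of the cache actually serves the user.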