Hi all, I have a problem in libpam-winbind: offline logon doesn't seem to work. The first version of samba in which I found the problem is 4.1 and the last is 4.7, but I fear that newer versions are affected too. Hopefully there is a workaround: you have to remove krb5_ccache_type=FILE from /etc/pam.d/common-auth.

I have opened a bug report[¹] where you can find more details.

Anyone have the same problem?

Piviul

[¹] https://bugzilla.samba.org/show_bug.cgi?id=10455
I experienced this same issue (with the default packages from Ubuntu) and switched to using sssd for all my Linux clients specifically because of this issue.

Mike E.

On Thu, Feb 14, 2019 at 3:30 AM Piviul via samba <samba at lists.samba.org> wrote:

> Hi all, I have a problem in libpam-winbind: offline logon doesn't seem
> to work. The first version of samba in which I found the problem is
> 4.1 and the last is 4.7, but I fear that newer versions are affected too.
> Hopefully there is a workaround: you have to remove
> krb5_ccache_type=FILE from /etc/pam.d/common-auth
>
> I have opened a bug report[¹] where you can find more details.
>
> Anyone have the same problem?
>
> Piviul
>
> [¹] https://bugzilla.samba.org/show_bug.cgi?id=10455
On 14/02/19 19:25, Data Control Systems - Mike Elkevizth via samba wrote:

> I experienced this same issue (with the default packages from Ubuntu) and
> switched to using sssd for all my Linux clients specifically because of
> this issue.

Thanks Mike, have you tried the workaround I suggest, i.e. remove krb5_ccache_type=FILE from the winbind row of the file /etc/pam.d/common-auth?

Piviul
Hi! Piviul via samba, on that day wrote...

> [¹] https://bugzilla.samba.org/show_bug.cgi?id=10455

Very, very interesting thing. The same configuration happens on Debian stretch (at least). I've effectively tested offline logon in the past, but with a sub-5-minute delay from the latest connected logon.

A note: the manpages for pam_winbind and pam_winbind.conf are a bit different; the latter seems more complete and says:

    krb5_ccache_type = [type]
        When pam_winbind is configured to try kerberos authentication by enabling the
        krb5_auth option, it can store the retrieved Ticket Granting Ticket (TGT) in a
        credential cache. The type of credential cache can be controlled with this
        option. The supported values are: KEYRING (when supported by the system's
        Kerberos library and Kernel), FILE and DIR (when the DIR type is supported by
        the system's Kerberos library). In case of FILE a credential cache in the form
        of /tmp/krb5cc_UID will be created - in case of DIR you NEED to specify a
        directory. UID is replaced with the numeric user id. When using the KEYRING
        type, the supported mechanism is “KEYRING:persistent:UID”, which uses the
        Linux kernel keyring to store credentials on a per-UID basis. This is the
        recommended choice on latest Linux distributions, as it is the most secure and
        predictable method.

        It is also possible to define custom filepaths and use the "%u" pattern in
        order to substitute the numeric user id. Examples:

        krb5_ccache_type = DIR:/run/user/%u/krb5cc
            This will create a credential cache file in the specified directory.

        krb5_ccache_type = FILE:/tmp/krb5cc_%u
            This will create a credential cache file.

        Leave empty to just do kerberos authentication without having a ticket cache
        after the logon has succeeded. This setting is empty by default.

This indeed seems reasonable to me.

a) if I set 'krb5_ccache_type=FILE', I'm connected to my domain and I do a login, I update the ticket and all goes well.

b) if I disconnect from the domain and I do a subsequent sub-5-minute logon, it works as expected and the credential cache is still valid.

c) if I disconnect from the domain and I do a subsequent over-5-minute logon, there's no way to update the credential cache (there's no kerberos...) and so the login fails (probably because it supposes, not so wrongly, that not updating the credential cache is a failure).

So it seems to me that 'krb5_ccache_type=FILE' (at least, but probably *ALL* 'krb5_ccache_type=' values are the same...) and 'cached_login = yes' are incompatible.

So, is it a distribution/packaging bug?

-- 
dott. Marco Gaiarin                                    GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

        Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
      (tax code 00307430132, category ONLUS or RICERCA SANITARIA)
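As an added example (not from the thread or from Samba), the checker below parses the pam_winbind.so options out of a PAM auth stack like /etc/pam.d/common-auth and flags the combination Marco's tests point at: a krb5_ccache_type set together with cached_login. The common-auth content is a constructed sample, and the names parse_pam_lines, winbind_options and check_offline_logon are the example's own.

```python
"""Flag the pam_winbind option mix discussed in the thread (example code)."""
import re

# Constructed sample in the shape of a Debian/Ubuntu common-auth after pam-auth-update.
SAMPLE_COMMON_AUTH = """\
# here are the per-package modules (the "Primary" block)
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
"""

# The workaround from the first message: same stack without the ccache option.
SAMPLE_WORKAROUND = SAMPLE_COMMON_AUTH.replace(" krb5_ccache_type=FILE", "")

# type, control (plain word or bracketed [key=value ...] group), module, options
_PAM_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam_lines(text):
    """Yield (type, control, module, [options]) for each non-comment PAM line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _PAM_LINE.match(line)
        if match:
            mtype, control, module, rest = match.groups()
            yield mtype, control, module, rest.split()


def winbind_options(text):
    """Collect pam_winbind.so auth options: bare flags map to True, key=value to value."""
    options = {}
    for mtype, _control, module, opts in parse_pam_lines(text):
        if mtype != "auth" or not module.endswith("pam_winbind.so"):
            continue
        for opt in opts:
            key, _sep, value = opt.partition("=")
            options[key] = value if value else True
    return options


def check_offline_logon(text):
    """Return findings; an empty list means no problematic combination was seen."""
    opts = winbind_options(text)
    if not opts:
        return ["pam_winbind.so is not in the auth stack"]
    ccache, cached = opts.get("krb5_ccache_type"), opts.get("cached_login")
    if ccache is not None and cached:
        return [f"krb5_ccache_type={ccache} together with cached_login: offline "
                "logon may fail once the ticket cache can no longer be refreshed"]
    return []
```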
On Thu, 14 Feb 2019 09:30:00 +0100 Piviul via samba <samba at lists.samba.org> wrote:

> Hi all, I have a problem in libpam-winbind: offline logon doesn't
> seem to work. The first version of samba in which I found the
> problem is 4.1 and the last is 4.7, but I fear that newer versions are
> affected too. Hopefully there is a workaround: you have to remove
> krb5_ccache_type=FILE from /etc/pam.d/common-auth
>
> I have opened a bug report[¹] where you can find more details.
>
> Anyone have the same problem?
>
> Piviul
>
> [¹] https://bugzilla.samba.org/show_bug.cgi?id=10455
>

Hi Piviul, I have read that bug report and sorry but your smb.conf is incorrect.

try this one:

    [global]
        workgroup = DOMINIOCSA
        security = ADS
        realm = <UPPERCASE_WHATEVER_YOUR_DNS_DOMAIN_IS>
        server string = Samba 4 Client %h
        winbind use default domain = yes
        winbind expand groups = 2
        winbind refresh tickets = Yes
        winbind offline logon = yes
        idmap config *:backend = tdb
        idmap config *:range = 25000-30000
        idmap config DOMINIOCSA : backend = rid
        idmap config DOMINIOCSA : range = 10000-24999
        template shell = /bin/bash
        domain master = no
        local master = no
        preferred master = no
        vfs objects = acl_xattr
        map acl inherit = Yes
        store dos attributes = Yes
        log file = /var/log/samba/log.%m
        max log size = 1000
        syslog = 0

    [printers]
        comment = All Printers
        create mask = 0700
        path = /var/spool/samba
        printable = Yes

    [print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers

Then put 'krb5_ccache_type=FILE' back into common-auth and try again.

Rowland
On 16/02/19 18:15, Rowland Penny via samba wrote:

> On Thu, 14 Feb 2019 09:30:00 +0100
> [...]
> Hi Piviul, I have read that bug report and sorry but your smb.conf is
> incorrect.
>
> try this one:
>
>     [global]
>         workgroup = DOMINIOCSA
>         security = ADS

from man smb.conf:

    SECURITY = ADS
        In this mode, Samba will act as a domain member in an ADS realm.

but I have no ADS realm in my network: my domain is an old samba3 domain.

Have a great day

Piviul
On 15/02/19 13:01, Marco Gaiarin via samba wrote:

> [...]
> The same configuration happens on Debian stretch (at least). I've
> effectively tested offline logon in the past, but with a sub-5-minute delay
> from the latest connected logon.

...but in my experience cached credentials don't work even within 5 minutes after a successful logon: the mystery of winbind cached credentials is growing...

> [...]
> So, is it a distribution/packaging bug?

Marco, I can't understand you... why do you say that it is a distribution-related bug? Do you mean that other distributions are not affected by this bug?

Piviul