Hello, I have setup a laptop with debian10, where samba ad users should able to login. I also setup PAM_Offline_Authentication, so far so good. There are several Problems: - After Reboot winbind seem to start before network is redy, so winbind can't get user info via getent passwd <username>, after restart winbind it works - How can I cache logins infos, for offline login (e.g. when only wlan is available or to start vpn after login to get access to shares) Best regards
Hai Basti,> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > basti via samba > Verzonden: donderdag 9 juli 2020 10:20 > Aan: samba at lists.samba.org > Onderwerp: [Samba] AD Users on Linux Laptop > > Hello, > I have setup a laptop with debian10, where samba ad users > should able to > login. I also setup PAM_Offline_Authentication, so far so good. > > There are several Problems: > > - After Reboot winbind seem to start before network is redy, > so winbind > can't get user info via getent passwd <username>, after > restart winbind > it worksQuick fix : systemctl edit winbind.service Add: Unit After=network.target network-online.target Save, reboot. (wait, do below first)> > - How can I cache logins infos, for offline login > (e.g. when only wlan is available or to start vpn after login to get > access to shares)cat /etc/pam.d/common-auth Verify if you see. # here are the per-package modules (the "Primary" block) auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000 auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass If not, run : pam-auth-update ( even if you dont see it, run it, it sets everything correct.) And im sure you have this in smb.conf : But i have to ask/show it. # Renew the kerberos tickets winbind refresh tickets = yes # Enable offline logins winbind offline logon = yes Try above and report back. Thats all i do on debian. Greetz, Louis
On 09/07/2020 09:29, L.P.H. van Belle via samba wrote:>> - How can I cache logins infos, for offline login >> (e.g. when only wlan is available or to start vpn after login to get >> access to shares) > cat /etc/pam.d/common-auth > Verify if you see. > > # here are the per-package modules (the "Primary" block) > auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000I change the '1000' to the DOMAIN low range number I set in smb.conf, otherwise you cannot change the password for any local users. Rowland
Hai Rowland, Maybe i didnt understand your reply that well, but why would you change it. All (linux) users have minimum_uid=1000 and start at 1000. All (windows) users (samba) are above minimum_uid=1000 So in my optinion, you should not be needed to change this. Unless your users start below 1000. Also cat /etc/adduser.conf shows ( For Debian/Buster ) # FIRST_[GU]ID to LAST_[GU]ID inclusive is the range of UIDs of dynamically # allocated user accounts/groups. FIRST_UID=1000 LAST_UID=29999 FIRST_GID=1000 LAST_GID=29999 If you can give me an example when its not working, ill have look at it.. The new member setup its progress is going as expected so far. I hope to have it so online. ( but the complete ) Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Rowland penny via samba > Verzonden: donderdag 9 juli 2020 10:38 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba] AD Users on Linux Laptop > > On 09/07/2020 09:29, L.P.H. van Belle via samba wrote: > >> - How can I cache logins infos, for offline login > >> (e.g. when only wlan is available or to start vpn after > login to get > >> access to shares) > > cat /etc/pam.d/common-auth > > Verify if you see. > > > > # here are the per-package modules (the "Primary" block) > > auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000 > > I change the '1000' to the DOMAIN low range number I set in smb.conf, > otherwise you cannot change the password for any local users. > > Rowland > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > >
On 09.07.20 10:29, L.P.H. van Belle via samba wrote:> Hai Basti, > >> -----Oorspronkelijk bericht----- >> Van: samba [mailto:samba-bounces at lists.samba.org] Namens >> basti via samba >> Verzonden: donderdag 9 juli 2020 10:20 >> Aan: samba at lists.samba.org >> Onderwerp: [Samba] AD Users on Linux Laptop >> >> Hello, >> I have setup a laptop with debian10, where samba ad users >> should able to >> login. I also setup PAM_Offline_Authentication, so far so good. >> >> There are several Problems: >> >> - After Reboot winbind seem to start before network is redy, >> so winbind >> can't get user info via getent passwd <username>, after >> restart winbind >> it works > > Quick fix : > systemctl edit winbind.service > Add: > Unit > After=network.target network-online.target > > Save, reboot. (wait, do below first) >Start winbind, after network online target is not a good option in my opinion. when there is only wlan available that must connect manually winbind would never start so user can't never login, i guess. There must be a way to cache login infos between reboot. sssd or somethink like that?>> >> - How can I cache logins infos, for offline login >> (e.g. when only wlan is available or to start vpn after login to get >> access to shares) > > cat /etc/pam.d/common-auth > Verify if you see. > > # here are the per-package modules (the "Primary" block) > auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000 > auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass > auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass >the krb5_ccache file is saved on /tmp/ is there a way to save that to an other folder, thats not cleanup on reboot? /usr/lib .... for example.> If not, run : pam-auth-update ( even if you dont see it, run it, it sets everything correct.) > > And im sure you have this in smb.conf : > But i have to ask/show it. > # Renew the kerberos tickets > winbind refresh tickets = yes > > # Enable offline logins > winbind offline logon = yes > > Try above and report back. > Thats all i do on debian. > > > Greetz, > > Louis > >
Just so I understand- Do you have a samba domain controller? Is the Linux laptop itself a Samba server? If you are logging in to the linux laptop using your AD credentials, the SSSD will be sufficient for caching. You should not need to use winbind at all. -----Original Message----- From: samba <samba-bounces at lists.samba.org> On Behalf Of basti via samba Sent: Thursday, July 9, 2020 4:20 AM To: samba at lists.samba.org Subject: [Samba] AD Users on Linux Laptop Hello, I have setup a laptop with debian10, where samba ad users should able to login. I also setup PAM_Offline_Authentication, so far so good. There are several Problems: - After Reboot winbind seem to start before network is redy, so winbind can't get user info via getent passwd <username>, after restart winbind it works - How can I cache logins infos, for offline login (e.g. when only wlan is available or to start vpn after login to get access to shares) Best regards -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
On 13/07/2020 00:33, Gaiseric Vandal via samba wrote:> Just so I understand- > > > Do you have a samba domain controller? > > Is the Linux laptop itself a Samba server? > > > If you are logging in to the linux laptop using your AD credentials, the > SSSD will be sufficient for caching. You should not need to use winbind at > all. >If you are using Samba >= 4.8.0 and only authentication on the laptop is required, you can use sssd, but if you require shares, then you must use winbind and winbind and sssd are incompatible. Rowland
Apparently Analagous Threads
- AD Users on Linux Laptop
- AD Users on Linux Laptop
- getting error Ignoring parameter browse directory and winbind sequence directory
- getting error Ignoring parameter browse directory and winbind sequence directory
- Winbind, cached logons and 'user persistency'...