Try changing the location of the Kerberos cached files.
This: FILE:/tmp/krb5cc_21046
/tmp is emptied after a reboot, so yeah, logically you can't log in.
And beware, some also have /var/tmp linked to /tmp.
So, create a custom folder and point it to that.
Log in, reboot, retry.
;-)
Good luck..
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Piviul via samba
> Sent: Wednesday 20 January 2021 9:21
> To: samba at lists.samba.org
> Subject: [Samba] winbind offline logon
>
> Reading this[?] Samba wiki and applying it, offline authentication seems
> to work but in the real world doesn't work at all... let me explain. If
> I put winbind offline using smbcontrol, offline authentication works
> flawlessly:
>
> > $ wbinfo -K <domain>\\<username>
> > Enter <domain>\<username>'s password:
> > plaintext kerberos password authentication for [<domain>\<username>]
> > succeeded (requesting cctype: FILE)
> > credentials were put in: FILE:/tmp/krb5cc_21046
> > $ sudo smbcontrol winbind offline
> > $ wbinfo -K <domain>\\<username>
> > Enter <domain>\<username>'s password:
> > plaintext kerberos password authentication for [<domain>\<username>]
> > succeeded (requesting cctype: FILE)
> > user_flgs: NETLOGON_CACHED_ACCOUNT
> > credentials were put in: FILE:/tmp/krb5cc_21046
>
> But offline authentication should work when the PC can't connect to the
> AD. So I have disconnected the PC from the LAN and all seems to work:
>
> > $ wbinfo -K <domain>\\<username>
> > Enter <domain>\<username>'s password:
> > plaintext kerberos password authentication for [<domain>\<username>]
> > succeeded (requesting cctype: FILE)
> > user_flgs: NETLOGON_CACHED_ACCOUNT
> > credentials were put in: FILE:/tmp/krb5cc_21046
>
>
> But if I restart the PC without the LAN cable:
>
> > $ wbinfo -K <domain>\\<username>
> > Enter <domain>\<username>'s password:
> > plaintext kerberos password authentication for [<domain>\<username>]
> > failed (requesting cctype: FILE)
> > wbcLogonUser(DOMINIOCSA\psala): error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
> > error message was: The specified account does not exist.
> > Could not authenticate user [<domain>\<username>] with Kerberos (ccache: FILE)
> > $ getent passwd <domain>\\<username>
> > <domain>\\<username>:*:21046:10513:User Name:/home/domain/username:/bin/bash
> So the account seems to exist (getent passwd seems to work correctly)
> but cached login doesn't...
>
> Can someone help me troubleshoot this problem?
>
> Piviul
>
> [?] https://wiki.samba.org/index.php/PAM_Offline_Authentication
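The /var/tmp caveat in the reply above can be checked mechanically. This shell sketch is an added example, not part of the original thread or of Samba: it takes a ccache name such as the FILE:/tmp/krb5cc_21046 shown by wbinfo, resolves symlinks, and reports whether the cache ends up under a directory treated as cleared at reboot. The function names are hypothetical, and the default volatile list (/tmp only) is an assumption taken from the reply.

```shell
#!/bin/sh
# Added example: does a Kerberos ccache location resolve into a directory
# that is emptied at reboot? Function names are hypothetical.

# Print the filesystem path of a FILE: or DIR: ccache name.
# Returns 2 for types without a file path (KEYRING, KCM, ...).
ccache_path() {
    case "$1" in
        FILE:*|DIR:*) printf '%s\n' "${1#*:}" ;;
        /*)           printf '%s\n' "$1" ;;
        *)            return 2 ;;
    esac
}

# Print the physical directory, with every symlink component resolved.
resolve_dir() {
    ( cd -P -- "$1" 2>/dev/null && pwd -P )
}

# ccache_is_volatile NAME [VOLATILE_DIR...]
# 0 = cache lives under a volatile directory, 1 = it does not,
# 2 = no resolvable path. Default volatile list is /tmp (assumption).
ccache_is_volatile() {
    spec=$1; shift
    [ $# -gt 0 ] || set -- /tmp
    path=$(ccache_path "$spec") || return 2
    case "$spec" in
        DIR:*) dir=$path ;;
        *)     dir=$(dirname -- "$path") ;;
    esac
    real=$(resolve_dir "$dir") || return 2
    for v in "$@"; do
        vreal=$(resolve_dir "$v") || continue
        # A symlinked /var/tmp resolves to the same physical dir as /tmp.
        case "$real/" in "$vreal"/*) return 0 ;; esac
    done
    return 1
}

# Stand-alone use: sh script.sh FILE:/tmp/krb5cc_21046
if [ $# -gt 0 ]; then
    rc=0; ccache_is_volatile "$@" || rc=$?
    case $rc in
        0) echo "volatile: cleared with its parent directory" ;;
        1) echo "not under a listed volatile directory" ;;
        *) echo "no resolvable file path for this ccache name" ;;
    esac
fi
```
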