On 21/01/2021 15:34, Piviul via samba wrote:
> On 21/01/21 16:05, Rowland penny via samba wrote:
>> OK, can you try this (tested on Debian Buster with Samba 4.12.9):
>>
>> As root, create a directory
>>
>> mkdir /temp
>>
>> Alter /etc/krb5.conf to match this:
>>
>> [libdefaults]
>>     default_realm = SAMDOM.EXAMPLE.COM
>>     dns_lookup_realm = false
>>     dns_lookup_kdc = true
>>
>> [appdefaults]
>>     ccache = krb5cc_%u
>>     ccache_dir = FILE:/temp
>>
>> Replace 'SAMDOM.EXAMPLE.COM' with your realm.
>>
>> Alter /etc/pam.d/common-auth
>>
>> Change:
>>
>> auth    [success=3 default=ignore]      pam_krb5.so minimum_uid=10000
>> auth    [success=2 default=ignore]      pam_unix.so nullok_secure try_first_pass
>> auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
>>
>> To:
>>
>> auth    [success=3 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE:/temp/krb5cc_%u cached_login try_first_pass
>> auth    [success=2 default=ignore]      pam_krb5.so minimum_uid=1000
>> auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass
>>
>> Now log out and log in as a domain user, you should now find a
>> kerberos ticket in temp.
>>
>> Log out again and disconnect from network, then log in again as the
>> user.
>
> Yes, I can confirm that works even on debian with samba 4.13.3... but
> have you tried to reboot the machine? On my debian if I reboot, the
> cache file disappears from /temp and cached login doesn't work :(
>
> Piviul
>
>
I was sure I had rebooted, but when I did reboot again (to be certain),
the cache disappeared. There is 'retain_after_close = true' which stops
the ccache being removed, but now winbind doesn't seem to want to work
offline?
Rowland
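
The common-auth change in this thread reorders modules that carry `success=N` skip counts, and those counts depend on position in the stack, so a reorder without renumbering can land a successful login on the wrong line. The following is an added example, not code from the thread or from Samba: a small checker that verifies every `success=N` jump skips over `pam_deny.so` and lands on the same line. It assumes the stock Debian layout in which `pam_deny.so` and `pam_permit.so` follow the primary block; those two lines are not shown in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample: the reordered stack from the thread, followed by the
# pam_deny/pam_permit lines Debian's stock common-auth places after it
# (assumed; the thread does not show them).
SAMPLE = """\
auth [success=3 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE:/temp/krb5cc_%u cached_login try_first_pass
auth [success=2 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""

def auth_lines(text):
    """Return [(control, module)] for each 'auth' line, skipping comments."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if m:
            out.append((m.group(1), m.group(2)))
    return out

def check_jumps(text):
    """Return a list of problems with success=N skip counts (empty if fine)."""
    stack = auth_lines(text)
    problems, targets = [], set()
    for i, (control, module) in enumerate(stack):
        m = re.search(r"success=(\d+)", control)
        if not m:
            continue
        target = i + 1 + int(m.group(1))  # success=N skips the next N modules
        if target >= len(stack):
            problems.append(f"{module}: success={m.group(1)} jumps past end of stack")
            continue
        targets.add(target)
        if stack[target - 1][1] != "pam_deny.so":
            problems.append(f"{module}: success={m.group(1)} does not skip over pam_deny.so")
    if len(targets) > 1:
        problems.append("success=N jumps land on different lines")
    return problems

if __name__ == "__main__":
    print(check_jumps(SAMPLE) or "skip counts consistent")
```
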