samba - Dec 2023 - winbind offline logon

Hi all!

As a die hard slackware user and as a part of my learning pam process I
installed debian bookworm (12.4.0) in a vm and setup a domain member server per
the instructions in the wiki trying to figure out how debian does it so I can
correct some issues I have with how it's done in slackware.

Everything seems to be working fine except for the winbind offline logons, what
I tried was to start session with my user, SAMDOM\dave and then logout to make
sure my password is cached. After that I disconnected the vm's nic from the
network and tried to log back in and I got an error stating that "password
authentication didn't work"

Here's the content of smb.conf
[global]
        kerberos method = secrets and keytab
        realm = SAMDOM.EXAMPLE.COM
        security = ADS
        server role = member server
        username map = /etc/samba/user.map
        winbind refresh tickets = Yes
        workgroup = SAMDOM
        idmap config * : range = 3000-7999
        idmap config * : backend = tdb
        idmap config samdom:unix_primary_group = Yes
        idmap config samdom:unix_nss_info = Yes
        idmap config samdom:range = 10000-999999
        idmap config smadom:schema_mode = rfc2307
        idmap config samdom:backend=ad
        map acl inherit = Yes
        store dos attributes = Yes
        vfs objects = acl_xattr
        min domain uid = 0
        winbind offline logon = Yes
        winbind request timeout = 10

/etc/security/pam_winbind.conf
[global]
        cached_login = Yes
        #krb5_auth = Yes          # <= Commented since it's part of
/etc/pam.d/common-auth
        #krb5_ccache_type = FILE  # <= Commented since it's part of
/etc/pam.d/common-auth

/etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth    [success=2 default=ignore]      pam_unix.so nullok
auth    [success=1 default=ignore]      pam_winbind.so cached_login krb5_auth
krb5_ccache_type=FILE cached_login try_first_pass   # <= added cached_login,
just in case
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

And this is the only relevant piece of information I find in the system logs
Dec 28 14:53:17 debian gdm-password][3563]: pam_unix(gdm-password:auth): check
pass; user unknown
Dec 28 14:53:17 debian gdm-password][3563]: pam_unix(gdm-password:auth):
authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhostDec 28
14:53:17 debian gdm-password][3563]: pam_winbind(gdm-password:auth): getting
password (0x00000388)
Dec 28 14:53:17 debian gdm-password][3563]: pam_winbind(gdm-password:auth):
pam_get_item returned a password
Dec 28 14:53:40 debian nmbd[679]: [2023/12/28 14:53:40.843955,  0]
../../source3/libsmb/nmblib.c:923(send_udp)
Dec 28 14:53:40 debian nmbd[679]:   Packet send failed to 192.168.123.255(137)
ERRNO=Network is unreachable
Dec 28 14:53:40 debian nmbd[679]: [2023/12/28 14:53:40.844109,  0]
../../source3/nmbd/nmbd_packets.c:180(send_netbios_packet)
Dec 28 14:53:40 debian nmbd[679]:   send_netbios_packet: send_packet() to IP
192.168.123.255 port 137 failed
Dec 28 14:53:40 debian nmbd[679]: [2023/12/28 14:53:40.844121,  0]
../../source3/nmbd/nmbd_namequery.c:245(query_name)
Dec 28 14:53:40 debian nmbd[679]:   query_name: Failed to send packet trying to
query name SAMDOM<1d>
Dec 28 14:53:47 debian gdm-password][3594]: accountsservice: ActUserManager:
user (null) has no username (uid: -1)
Dec 28 14:53:50 debian nmbd[679]: [2023/12/28 14:53:50.854572,  0]
../../source3/nmbd/nmbd.c:359(reload_interfaces)
Dec 28 14:53:50 debian nmbd[679]:   reload_interfaces: No subnets to listen to.
Waiting..

Thanks in advance!
Best regards,
Dave.

Sent with Proton Mail secure email.

On Thu, 28 Dec 2023 18:18:22 +0000
bd730c5053df9efb via samba <samba at lists.samba.org> wrote:
> Hi all!
> 
> As a die hard slackware user and as a part of my learning pam process
> I installed debian bookworm (12.4.0) in a vm and setup a domain
> member server per the instructions in the wiki trying to figure out
> how debian does it so I can correct some issues I have with how it's
> done in slackware.
> 
> Everything seems to be working fine except for the winbind offline
> logons, what I tried was to start session with my user, SAMDOM\dave
> and then logout to make sure my password is cached. After that I
> disconnected the vm's nic from the network and tried to log back in
> and I got an error stating that "password authentication didn't
work"
> 
> Here's the content of smb.conf
> [global]
>         kerberos method = secrets and keytab
>         realm = SAMDOM.EXAMPLE.COM
>         security = ADS
>         server role = member server
>         username map = /etc/samba/user.map
>         winbind refresh tickets = Yes
>         workgroup = SAMDOM
>         idmap config * : range = 3000-7999
>         idmap config * : backend = tdb
>         idmap config samdom:unix_primary_group = Yes
>         idmap config samdom:unix_nss_info = Yes
>         idmap config samdom:range = 10000-999999
>         idmap config smadom:schema_mode = rfc2307
>         idmap config samdom:backend=ad
>         map acl inherit = Yes
>         store dos attributes = Yes
>         vfs objects = acl_xattr
>         min domain uid = 0
>         winbind offline logon = Yes
>         winbind request timeout = 10
> 
> /etc/security/pam_winbind.conf
> [global]
>         cached_login = Yes
>         #krb5_auth = Yes          # <= Commented since it's part of
> /etc/pam.d/common-auth #krb5_ccache_type = FILE  # <= Commented since
> it's part of /etc/pam.d/common-auth
You do not need /etc/security/pam_winbind.conf if the settings are in
/etc/pam.d/common-auth (which they are on Debian by default).
> 
> /etc/pam.d/common-auth
> #
> # /etc/pam.d/common-auth - authentication settings common to all
> services #
> # This file is included from other service-specific PAM config files,
> # and should contain a list of the authentication modules that define
> # the central authentication scheme for use on the system
> # (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use
> the # traditional Unix authentication mechanisms.
> #
> # As of pam 1.0.1-6, this file is managed by pam-auth-update by
> default. # To take advantage of this, it is recommended that you
> configure any # local modules either before or after the default
> block, and use # pam-auth-update to manage selection of other
> modules.  See # pam-auth-update(8) for details.
> 
> # here are the per-package modules (the "Primary" block)
> auth    [success=2 default=ignore]      pam_unix.so nullok
> auth    [success=1 default=ignore]      pam_winbind.so cached_login
> krb5_auth krb5_ccache_type=FILE cached_login try_first_pass   # <>
added cached_login, just in case # here's the fallback if no module
Which one did you add ? The one after 'pam_winbind.so' or the other one
?

Try reading this:

https://wiki.samba.org/index.php/PAM_Offline_Authentication

Rowland

Mandi! bd730c5053df9efb via samba
  In chel di` si favelave...
>         idmap config smadom:schema_mode = rfc2307
Sorry but is a bug of RFC2307:

	https://bugzilla.samba.org/show_bug.cgi?id=15405

offline logon does NON work on RFC2307, simply. You have to switch to RID
(if possible) or hope that Samba developer fix this issue. ;-)

-- 
  Chiamare 'Sbruffoncella' una donna che v?ola le leggi di un Paese
ostile
  solo per portare in salvo 42 naufraghi ? come chiamare 'Onesto' un
tizio
  che ha rubato 49 milioni di euro.				(Dek)