May I add one more question to this topic of "winbind offline logon"?
Thanks to the first question from Dave, I began thinking about this as
well. I actually plan to set up an AD in my home network, to have the same
credentials on all my computers (and the laptop).
I will also make this accessible via VPN, so that I can access my home (NAS
fileserver, for example) from abroad.
However, especially the laptop is maybe not connected to the network at all
times, so login needs to be possible even when it is completely offline or
when the VPN is not yet connected.
So I configured pam_winbind and winbind offline logon. I also use, as
Rowland suggests, the rid backend.
It sort of works. I tested it by shutting down my DCs and then trying to SSH
into my laptop.
However here comes the strange behaviour:
SSH authentication works perfectly fine when at least one DC is reachable.
This is great. But when both are not reachable, SSH asks for the password
a first time. I enter the password. Then, after a delay of ~10 sec, it
asks again for the password. This happens 3 times; after that, SSH says
"permission denied (password)". Then, when I try again, it succeeds after
the first password attempt, with the message "the domain controller could
not be contacted, using cached credentials". This is fine. But why does it
need so many attempts first before it uses the cached credentials?
(note that I previously logged in with the same account already at least
once before, while the DCs were online, so the credentials could be cached).
Then, during this time, as long as I don't reboot the laptop, I can log in
and log out as many times as I want and it works quickly. However, when I
reboot, the first login attempt always fails and I have to retry a couple
of times again until it remembers the cached credentials.
I wonder if this is intended behaviour or a misconfiguration.
All I configured was
winbind offline logon = yes
winbind request timeout = 10
as suggested in the wiki, and in addition I created
/etc/security/pam_winbind.conf with the sole contents
[global]
cached_login = yes
so I believe this is everything as the wiki advises.
Furthermore, I also checked that I have the line
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
present in /etc/pam.d/common-auth. It was already there; I believe this is
because I use Debian, so this line was configured automatically with
the installation of pam_winbind.
To speed up the login a bit, I also tried to decrease the winbind request
timeout, to 5 for example, but noticed no improvement. So I wonder if this
has something to do with one of the previous messages by Marco, who says
that offline logon is not possible when RFC2307 is configured. Indeed, I
have provisioned my DC using
samba-tool domain provision --use-rfc2307 --interactive
because I read that it is wise to use RFC2307 from the beginning;
apparently it is complicated to add later. I am unsure if I really
need RFC2307, but I thought adding it at provisioning should do no harm.
I know that offline logon on Windows can also take a long time, but at least
it asks only once for the password, which is fine.
Any hints as to why I have to enter my password at least 4 times until the
credentials cache kicks in?
thanks
best
Tobias
On Sun, Jan 7, 2024 at 3:21 PM Marco Gaiarin via samba <
samba at lists.samba.org> wrote:
> Hello! bd730c5053df9efb via samba
> wrote the other day...
>
> > idmap config smadom:schema_mode = rfc2307
>
> Sorry but is a bug of RFC2307:
>
> https://bugzilla.samba.org/show_bug.cgi?id=15405
>
> offline logon does NOT work on RFC2307, simply. You have to switch to RID
> (if possible) or hope that the Samba developers fix this issue. ;-)
>
> --
> Calling a woman who violates the laws of a hostile country only to bring
> 42 shipwrecked people to safety 'Sbruffoncella' is like calling a guy who
> stole 49 million euros 'Honest'. (Dek)
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
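As an added example (not code from this mailing-list thread or from the Samba project), here is a small POSIX sh audit of the three places the poster's setup has to agree before pam_winbind can fall back to cached credentials: `winbind offline logon` in smb.conf, `cached_login` in /etc/security/pam_winbind.conf, and the `cached_login` option on the pam_winbind.so line in /etc/pam.d/common-auth. It also reports the effective `winbind request timeout` (the smb.conf default is 60 seconds when the option is unset). The file paths are parameters so it can run against the constructed sample files written by `write_samples`; the function names and the sample contents are this example's own.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post or from Samba: audit the
# three places that must agree before pam_winbind can use cached credentials.
# Paths are parameters; on a Debian host they would be /etc/samba/smb.conf,
# /etc/security/pam_winbind.conf and /etc/pam.d/common-auth.

# Strip comments and squeeze whitespace so "key = value" lines compare cleanly.
ini_lines() {
    sed -e 's/[#;].*$//' "$1" | tr -s ' \t' ' '
}

# Succeed if the ini-style file sets "<key> = yes" (case-insensitive).
ini_is_yes() {
    ini_lines "$1" | grep -iq "^ *$2 *= *yes *$"
}

# Succeed if an uncommented pam_winbind.so line carries the cached_login option.
pam_has_cached_login() {
    grep -v '^[[:space:]]*#' "$1" | grep 'pam_winbind\.so' | grep -qw 'cached_login'
}

# Print the effective "winbind request timeout" (smb.conf default: 60 seconds).
winbind_request_timeout() {
    v=$(ini_lines "$1" | grep -i '^ *winbind request timeout *=' | tail -n 1 |
        sed 's/.*= *//; s/ *$//')
    echo "${v:-60}"
}

# Run the checks, print one line per check, and return the number of failures.
audit_offline_logon() {
    fails=0
    if ini_is_yes "$1" 'winbind offline logon'; then
        echo "ok   $1: winbind offline logon = yes"
    else
        echo "FAIL $1: winbind offline logon is not yes"; fails=$((fails + 1))
    fi
    if ini_is_yes "$2" 'cached_login'; then
        echo "ok   $2: cached_login = yes"
    else
        echo "FAIL $2: cached_login is not yes"; fails=$((fails + 1))
    fi
    if pam_has_cached_login "$3"; then
        echo "ok   $3: pam_winbind.so line has cached_login"
    else
        echo "FAIL $3: pam_winbind.so line lacks cached_login"; fails=$((fails + 1))
    fi
    echo "info winbind request timeout = $(winbind_request_timeout "$1") s"
    return $fails
}

# Constructed sample files: "good" mirrors the settings quoted in the post,
# "bad" has each setting switched off or missing. Contents are made up.
write_samples() {
    printf '%s\n' '[global]' '   security = ads' \
        '   winbind offline logon = yes' '   winbind request timeout = 10' \
        '   idmap config * : backend = tdb' > "$1/good-smb.conf"
    printf '%s\n' '[global]' 'cached_login = yes' > "$1/good-pam_winbind.conf"
    printf '%s\n' '# constructed /etc/pam.d/common-auth excerpt' \
        'auth [success=2 default=ignore] pam_unix.so nullok' \
        'auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass' \
        'auth requisite pam_deny.so' > "$1/good-common-auth"

    printf '%s\n' '[global]' '   security = ads' '   winbind offline logon = no' \
        '   idmap config * : backend = tdb' > "$1/bad-smb.conf"
    printf '%s\n' '[global]' 'cached_login = no' > "$1/bad-pam_winbind.conf"
    printf '%s\n' 'auth [success=1 default=ignore] pam_winbind.so krb5_auth try_first_pass' \
        'auth requisite pam_deny.so' > "$1/bad-common-auth"
}

# Demo on the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
audit_offline_logon "$tmp/good-smb.conf" "$tmp/good-pam_winbind.conf" "$tmp/good-common-auth" \
    && echo "good host: cached logins fully enabled"
audit_offline_logon "$tmp/bad-smb.conf" "$tmp/bad-pam_winbind.conf" "$tmp/bad-common-auth" \
    || echo "bad host: $? check(s) failed"
rm -rf "$tmp"
```

On a real host, replace the demo at the bottom with `audit_offline_logon /etc/samba/smb.conf /etc/security/pam_winbind.conf /etc/pam.d/common-auth`; a non-zero exit status is the number of places where cached logins are still off. The script only inspects configuration text; it does not tell you whether winbind has actually cached an entry for the account, which requires a successful online logon first.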