John R. Graham
2024-Nov-25 14:57 UTC
[Samba] Working through the PAM Offline Authentication Wiki page, but...
On 11/19/24 12:56, Rowland Penny via samba wrote:
> At a guess, your PAM stack is incorrect, it doesn't seem to be using
> winbind, I would expect to see lines like this:
>
> 2024-11-19T17:48:38.678440+00:00 devstation sshd[9437]: pam_winbind(sshd:auth): getting password (0x00000388)
>
> Rowland

Yes, that was it. Thank you! That was a deeper rabbit hole than I had anticipated, requiring learning YASMCL (Yet Another State Machine Configuration Language). I have a PAM configuration working except for a few corner cases and a few puzzling things. The first of the latter is that bringing the winbind daemon offline with

    smbcontrol winbind offline

doesn't appear to do anything. Commands like

    wbinfo --ping-dc

still show the DC as reachable. I ended up doing my testing with an unplugged network cable but encountered some rather long network timeouts as a result, by which I conclude that an explicit offline state is beneficial.

- John
John R. Graham
2024-Nov-25 15:14 UTC
[Samba] Working through the PAM Offline Authentication Wiki page, but...
On 11/25/24 09:57, John R. Graham via samba wrote:
> On 11/19/24 12:56, Rowland Penny via samba wrote:
>> At a guess, your PAM stack is incorrect, it doesn't seem to be using
>> winbind, I would expect to see lines like this:
>>
>> 2024-11-19T17:48:38.678440+00:00 devstation sshd[9437]:
>> pam_winbind(sshd:auth): getting password (0x00000388)
>>
>> Rowland
>
> Yes, that was it. Thank you! That was a deeper rabbit hole than I had
> anticipated, requiring learning YASMCL (Yet Another State Machine
> Configuration Language). I have a PAM configuration working except for
> a few corner cases and a few puzzling things. The first of the latter
> is that bringing the winbind daemon offline with
>
>     smbcontrol winbind offline
>
> doesn't appear to do anything. Commands like
>
>     wbinfo --ping-dc
>
> still show the DC as reachable. I ended up doing my testing with an
> unplugged network cable but encountered some rather long network
> timeouts as a result, by which I conclude that an explicit offline
> state is beneficial.
>
> - John

I guess I should've added that, when offline,

    wbinfo -K YOURDOM\\youruser%password

does show a cached account being used.
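As an added example (not code from the thread or from Samba itself): a small POSIX shell check for the points raised above, namely that the PAM auth stack really loads pam_winbind.so with credential caching, that smb.conf enables winbind offline logon, and that sshd authentications show up as the pam_winbind log line Rowland quoted. The file paths and contents are constructed samples; the pam_winbind options krb5_auth, cached_login and try_first_pass and the smb.conf parameter are real, but the stack ordering is only illustrative.

```shell
#!/bin/sh
# Added example, not from the thread: checks for the pam_winbind / offline-logon
# setup discussed above. All paths and file contents below are constructed.

# 0 if an active (uncommented) auth line in a PAM file loads pam_winbind.so
pam_uses_winbind() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_winbind\.so' "$1"
}
# 0 if that pam_winbind auth line also asks for credential caching
pam_winbind_caches() {
    grep -E '^[[:space:]]*auth[[:space:]].*pam_winbind\.so' "$1" | grep -q 'cached_login'
}
# 0 if smb.conf enables offline logons (case and spacing tolerant, comments skipped)
smbconf_offline_logon() {
    grep -Eiq '^[[:space:]]*winbind[[:space:]]+offline[[:space:]]+logon[[:space:]]*=[[:space:]]*yes' "$1"
}
# number of sshd auth attempts that were routed through pam_winbind
count_winbind_auth() {
    grep -c 'pam_winbind(sshd:auth): getting password' "$1" || true
}

TMP=$(mktemp -d)
cat > "$TMP/common-auth.good" <<'EOF'
auth    [success=2 default=ignore]  pam_unix.so nullok
auth    [success=1 default=ignore]  pam_winbind.so krb5_auth cached_login try_first_pass
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
EOF
cat > "$TMP/common-auth.bad" <<'EOF'
auth    [success=1 default=ignore]  pam_unix.so nullok
#auth   [success=1 default=ignore]  pam_winbind.so cached_login
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
EOF
printf '[global]\n  security = ads\n  Winbind Offline Logon = Yes\n' > "$TMP/smb.conf"
cat > "$TMP/auth.log" <<'EOF'
2024-11-19T17:48:38.678440+00:00 devstation sshd[9437]: pam_winbind(sshd:auth): getting password (0x00000388)
2024-11-19T17:50:02.120000+00:00 devstation sshd[9512]: pam_unix(sshd:auth): authentication failure; logname= uid=0
EOF

for f in "$TMP/common-auth.good" "$TMP/common-auth.bad"; do
    if pam_uses_winbind "$f"; then echo "$f: pam_winbind in auth stack"
    else echo "$f: pam_winbind absent, logins never reach winbind"; fi
done
smbconf_offline_logon "$TMP/smb.conf" && echo "smb.conf: winbind offline logon enabled"
echo "winbind-routed sshd auth attempts in log: $(count_winbind_auth "$TMP/auth.log")"
```

The "bad" stack reproduces the symptom from the start of the thread: pam_winbind is commented out, so no pam_winbind(sshd:auth) lines ever appear and cached logons cannot work.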
Rowland Penny
2024-Nov-25 15:56 UTC
[Samba] Working through the PAM Offline Authentication Wiki page, but...
On Mon, 25 Nov 2024 09:57:06 -0500 "John R. Graham via samba" <samba at lists.samba.org> wrote:
> On 11/19/24 12:56, Rowland Penny via samba wrote:
> > At a guess, your PAM stack is incorrect, it doesn't seem to be using
> > winbind, I would expect to see lines like this:
> >
> > 2024-11-19T17:48:38.678440+00:00 devstation sshd[9437]:
> > pam_winbind(sshd:auth): getting password (0x00000388)
> >
> > Rowland
>
> Yes, that was it. Thank you! That was a deeper rabbit hole than I had
> anticipated, requiring learning YASMCL (Yet Another State Machine
> Configuration Language). I have a PAM configuration working except
> for a few corner cases and a few puzzling things. The first of the
> latter is that bringing the winbind daemon offline with
>
>     smbcontrol winbind offline
>
> doesn't appear to do anything.

On a DC it doesn't, you cannot take winbind offline on a DC. When it comes to a DC 'smbcontrol' does nothing, you can only stop the 'samba' daemon (which turns off smbd & winbindd), start it (which starts smbd & winbindd) or restart it (which stops, then starts smbd & winbindd). If you stop and think about it, I feel it will come to you why you cannot take a major part of a DC offline ;-)

This, along with numerous other reasons, is why it is not recommended to use a Samba AD DC as a fileserver.

Rowland