John R. Graham
2024-Nov-27 16:39 UTC
[Samba] pam_winbind Appears to need a Network Connection to Succeed at Offline Authentication
On 11/27/24 11:10, Rowland Penny via samba wrote:
> I am not having a good day, I now seem to have replied to the wrong
> thread :-(
>
> Let's try again:
>
> If I remember correctly, this is on Gentoo, Debian sets up PAM for you,
> so can we see your PAM config files. Putting winbindd (or is it winbind
> ?) offline is supposed to be the same as pulling the ethernet cable or
> the network going down, it should move to a cache (provided the user
> has logged in at least once).
>
> Rowland

Apologies for the somewhat double post; I thought the other one might have dropped off the radar.

You can see from the provided logs that pam_winbind has been brought offline and is using cached credentials. And, yes, it's Gentoo, and its out-of-box PAM winbind configuration apparently hasn't evolved with the times, which I'm trying to correct. PAM 1.6.1 in use here; the following files are in /etc/pam.d/ as usual:

sshd:
    auth      include  system-remote-login
    account   include  system-remote-login
    password  include  system-remote-login
    session   include  system-remote-login

system-remote-login:
    auth      include  system-login
    account   include  system-login
    password  include  system-login
    session   include  system-login

system-login:
    auth      required  pam_shells.so
    auth      required  pam_nologin.so
    auth      include   system-auth
    account   required  pam_access.so
    account   required  pam_nologin.so
    account   required  pam_time.so
    account   include   system-auth
    password  include   system-auth
    session   optional  pam_loginuid.so
    session   required  pam_env.so envfile=/etc/profile.env
    session   optional  pam_lastlog.so silent
    session   include   system-auth
    session   optional  pam_motd.so motd=/etc/motd
    session   optional  pam_mail.so
    -session  optional  pam_elogind.so

system-auth:
    auth      required    pam_env.so
    auth      requisite   pam_faillock.so preauth
    auth      [success=2 default=ignore]                                 pam_winbind.so try_first_pass
    auth      [success=1 new_authtok_reqd=1 ignore=ignore default=bad]   pam_unix.so nullok try_first_pass
    auth      [default=die]                                              pam_faillock.so authfail
    account   [default=bad success=ok user_unknown=ignore]               pam_winbind.so
    account   required    pam_unix.so
    account   required    pam_faillock.so
    password  required    pam_passwdqc.so config=/etc/security/passwdqc.conf
    password  required    pam_unix.so try_first_pass use_authtok nullok sha512 shadow
    password  sufficient  pam_winbind.so use_authtok
    session   required    pam_limits.so
    session   required    pam_env.so
    session   required    pam_unix.so

All are Gentoo standard except system-auth, which is my own work in progress.

- John
John R. Graham
2024-Nov-27 16:52 UTC
[Samba] pam_winbind Appears to need a Network Connection to Succeed at Offline Authentication
On 11/27/24 11:39, John R. Graham wrote:
> On 11/27/24 11:10, Rowland Penny via samba wrote:
>> I am not having a good day, I now seem to have replied to the wrong
>> thread :-(
>>
>> Let's try again:
>>
>> If I remember correctly, this is on Gentoo, Debian sets up PAM for you,
>> so can we see your PAM config files. Putting winbindd (or is it winbind
>> ?) offline is supposed to be the same as pulling the ethernet cable or
>> the network going down, it should move to a cache (provided the user
>> has logged in at least once).
>>
>> Rowland
>

Ugh. Expanded tabs version of system-auth file:

    auth      required    pam_env.so
    auth      requisite   pam_faillock.so preauth
    auth      [success=2 default=ignore]                                 pam_winbind.so try_first_pass
    auth      [success=1 new_authtok_reqd=1 ignore=ignore default=bad]   pam_unix.so nullok try_first_pass
    auth      [default=die]                                              pam_faillock.so authfail
    account   [default=bad success=ok user_unknown=ignore]               pam_winbind.so
    account   required    pam_unix.so
    account   required    pam_faillock.so
    password  required    pam_passwdqc.so config=/etc/security/passwdqc.conf
    password  required    pam_unix.so try_first_pass use_authtok nullok sha512 shadow
    password  sufficient  pam_winbind.so use_authtok
    session   required    pam_limits.so
    session   required    pam_env.so
    session   required    pam_unix.so
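The numbered success=N jumps in the system-auth file above are easy to miscount when lines are added or removed around them, and a jump that lands on the wrong module silently changes which authenticator's verdict ends the stack. As an added example that is not part of the thread, this Python script parses a retyped copy of the posted auth and account stacks (tabs reconstructed) and resolves where each numbered jump lands; the parser, its tuple layout and the "end of stack"/"BEYOND END" labels are my own assumptions, not a Linux-PAM API.

```python
import re

# Constructed copy of the auth and account stacks from the system-auth file
# quoted in the thread (tabs reconstructed; assumed to match what was posted).
SYSTEM_AUTH = """\
auth      required   pam_env.so
auth      requisite  pam_faillock.so preauth
auth      [success=2 default=ignore]  pam_winbind.so try_first_pass
auth      [success=1 new_authtok_reqd=1 ignore=ignore default=bad]  pam_unix.so nullok try_first_pass
auth      [default=die]  pam_faillock.so authfail
account   [default=bad success=ok user_unknown=ignore]  pam_winbind.so
account   required  pam_unix.so
account   required  pam_faillock.so
"""
# type, control (a keyword or a [...] action list), module, optional args
LINE_RE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_pam(text):
    """Parse PAM config lines into (type, control, module, args) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable PAM line: {raw!r}")
        mtype, control, module, args = m.groups()
        entries.append((mtype.lstrip("-"), control, module, args or ""))
    return entries

def resolve_jumps(entries, mtype):
    """Return (module, N, landing) for every success=N action in one stack.
    landing is the module reached, "end of stack" if the jump ends the stack
    exactly, or "BEYOND END" if N exceeds the modules left after the jump."""
    stack = [e for e in entries if e[0] == mtype]
    result = []
    for idx, (_, control, module, _) in enumerate(stack):
        m = re.search(r"\bsuccess=(\d+)", control)
        if not m:  # keyword controls and success=ok are not jumps
            continue
        n = int(m.group(1))
        dest = idx + 1 + n
        if dest < len(stack):
            landing = stack[dest][2]
        elif dest == len(stack):
            landing = "end of stack"
        else:
            landing = "BEYOND END"
        result.append((module, n, landing))
    return result
```

Run against the posted file, both jumps end the auth stack exactly: pam_winbind's success=2 skips pam_unix and the pam_faillock authfail line, and pam_unix's success=1 skips only the authfail line, so a cached winbind success never reaches pam_unix.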