I'm using Samba 4.5 on Debian Jessie (Louis' packages).
Rarely, it happens that a power outage tears down all the stuff here.
I've noticed that if the DM starts before the DC, clearly all account
data are inaccessible.
To prevent or minimize that, can the ''offline mode'' of winbind be
safely used also on DM servers? Or is it tailored to roaming clients
(portables, ...)?
What are the benefits and/or drawbacks?
I've seen:
https://wiki.samba.org/index.php/PAM_Offline_Authentication
and it seems clear to me, but still... some questions:
a) there's no info about the persistence of the cache, so it seems to me
that the cache is ''persistent'', e.g. data are kept indefinitely and
updated only on successful logons against the DC. Right?
b) the doc speaks about ''passwords'' (PAM) but does not mention at all
''accounts'' (e.g., NSS); it seems obvious to me that all the stuff
(password and account) gets cached; really, on a server I need the latter
more than the former...
c) are password expiration data also cached? Seems to me ''no'',
because in that way the policy (e.g., 'samba-tool domain
passwordsettings') would also have to be cached...
Thanks.
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''
http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797
Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
> I've seen:
> https://wiki.samba.org/index.php/PAM_Offline_Authentication

I've tried to enable offline logon, and it seems to work as expected.

I've only found a little strange thing, I think related to the fact that in my DM I've set 'winbind use default domain = yes'.

Following the wiki, I've enabled offline logon and then done:

['smbcontrol winbind online']
root at vdmsv1:~# wbinfo -K LNFFVG\\gaio
Enter LNFFVG\gaio's password:
plaintext kerberos password authentication for [LNFFVG\gaio] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0

['smbcontrol winbind offline']
root at vdmsv1:~# wbinfo -K LNFFVG\\gaio
Enter LNFFVG\gaio's password:
plaintext kerberos password authentication for [LNFFVG\gaio] succeeded (requesting cctype: FILE)
user_flgs: NETLOGON_CACHED_ACCOUNT
credentials were put in: FILE:/tmp/krb5cc_0

Good. But still in 'smbcontrol winbind offline' I've also done a:

root at vdmsv1:~# wbinfo -K gaio
Enter gaio's password:
plaintext kerberos password authentication for [gaio] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0

and there's no 'user_flgs'. Boh...
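As an added example (mine, not part of the thread), a small parser for the `wbinfo -K` output shown above: it records which logons winbind flagged as served from its offline cache (`user_flgs: NETLOGON_CACHED_ACCOUNT`) and folds the two spellings of the account, `LNFFVG\gaio` and bare `gaio`, onto one canonical name. The transcript is embedded as a constructed sample; the default domain `LNFFVG` and the single-domain assumption are mine.

```python
import re
from dataclasses import dataclass
from typing import List
# Constructed sample: the three 'wbinfo -K' attempts from the message above.
SAMPLE = r"""
['smbcontrol winbind online']
root at vdmsv1:~# wbinfo -K LNFFVG\\gaio
Enter LNFFVG\gaio's password:
plaintext kerberos password authentication for [LNFFVG\gaio] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0
['smbcontrol winbind offline']
root at vdmsv1:~# wbinfo -K LNFFVG\\gaio
Enter LNFFVG\gaio's password:
plaintext kerberos password authentication for [LNFFVG\gaio] succeeded (requesting cctype: FILE)
user_flgs: NETLOGON_CACHED_ACCOUNT
credentials were put in: FILE:/tmp/krb5cc_0
root at vdmsv1:~# wbinfo -K gaio
Enter gaio's password:
plaintext kerberos password authentication for [gaio] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0
""".strip()

AUTH_RE = re.compile(r"authentication for \[(?P<name>[^\]]+)\] (?P<result>succeeded|failed)")

@dataclass
class Logon:
    name: str        # account exactly as wbinfo reported it: 'LNFFVG\gaio' or bare 'gaio'
    succeeded: bool
    cached: bool     # winbind flagged NETLOGON_CACHED_ACCOUNT, i.e. answered from its offline cache
    def canonical(self, default_domain: str) -> str:
        # DOMAIN\user form; a bare name is taken to belong to default_domain, which is
        # how 'winbind use default domain = yes' reads it (assumes a single domain).
        dom, user = self.name.split("\\", 1) if "\\" in self.name else (default_domain, self.name)
        return f"{dom.upper()}\\{user.lower()}"

def parse_wbinfo_k(transcript: str) -> List[Logon]:
    """One Logon per 'authentication for [...]' line; a following 'user_flgs:' line
    carrying NETLOGON_CACHED_ACCOUNT marks that logon as served from the cache."""
    logons: List[Logon] = []
    for line in transcript.splitlines():
        m = AUTH_RE.search(line)
        if m:
            logons.append(Logon(m["name"], m["result"] == "succeeded", False))
        elif logons and line.startswith("user_flgs:") and "NETLOGON_CACHED_ACCOUNT" in line:
            logons[-1].cached = True
    return logons

def cached_accounts(logons: List[Logon], default_domain: str) -> List[str]:
    """Canonical names that logged on successfully from the offline cache (no DC involved)."""
    return sorted({l.canonical(default_domain) for l in logons if l.succeeded and l.cached})
```

Run over real output, the same parser tells an auditor which logons on a server happened while the DC was unreachable, and the canonical form keeps the domainful and bare spellings from being counted as two different accounts.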
What you show below is correct.
In linux, DOM\user != user
If you want that, see:
https://wiki.samba.org/index.php/OpenSSH_Single_sign-on
[realms]
SAMDOM.EXAMPLE.COM = {
auth_to_local = RULE:[1:SAMDOM\$1]
}
Now, since I'm not sure this works OK, I don't use it on my Debian servers; I use
option 2.
Option 2 is to ignore the "not recommended" and use the setting "winbind use default
domain = yes".
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Marco Gaiarin via samba
> Sent: Monday 18 December 2017 15:52
> To: samba at lists.samba.org
> Subject: Re: [Samba] DM and ''offline'' PAM (and NSS?)...
>
>
> > I've seen:
> > https://wiki.samba.org/index.php/PAM_Offline_Authentication
>
> I've tried to enable offline logon, and it seems to work as expected.
>
> I've only found a little strange thing, I think related to the fact
> that in my DM I've set 'winbind use default domain = yes'.
>
>
> Following the wiki, I've enabled offline logon and then done:
>
> ['smbcontrol winbind online']
> root at vdmsv1:~# wbinfo -K LNFFVG\\gaio
> Enter LNFFVG\gaio's password:
> plaintext kerberos password authentication for [LNFFVG\gaio]
> succeeded (requesting cctype: FILE)
> credentials were put in: FILE:/tmp/krb5cc_0
>
> ['smbcontrol winbind offline']
> root at vdmsv1:~# wbinfo -K LNFFVG\\gaio
> Enter LNFFVG\gaio's password:
> plaintext kerberos password authentication for [LNFFVG\gaio]
> succeeded (requesting cctype: FILE)
> user_flgs: NETLOGON_CACHED_ACCOUNT
> credentials were put in: FILE:/tmp/krb5cc_0
>
> Good. But still in 'smbcontrol winbind offline' I've also done a:
>
> root at vdmsv1:~# wbinfo -K gaio
> Enter gaio's password:
> plaintext kerberos password authentication for [gaio]
> succeeded (requesting cctype: FILE)
> credentials were put in: FILE:/tmp/krb5cc_0
>
> and there's no 'user_flgs'. Boh...
>
On Mon, 18 Dec 2017 15:51:47 +0100 Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> > I've seen:
> > https://wiki.samba.org/index.php/PAM_Offline_Authentication
>
> I've tried to enable offline logon, and it seems to work as expected.
>
> I've only found a little strange thing, I think related to the fact
> that in my DM I've set 'winbind use default domain = yes'.
>
> Following the wiki, I've enabled offline logon and then done:
>
> ['smbcontrol winbind online']
> root at vdmsv1:~# wbinfo -K LNFFVG\\gaio
> Enter LNFFVG\gaio's password:
> plaintext kerberos password authentication for [LNFFVG\gaio]
> succeeded (requesting cctype: FILE)
> credentials were put in: FILE:/tmp/krb5cc_0
>
> ['smbcontrol winbind offline']
> root at vdmsv1:~# wbinfo -K LNFFVG\\gaio
> Enter LNFFVG\gaio's password:
> plaintext kerberos password authentication for [LNFFVG\gaio]
> succeeded (requesting cctype: FILE)
> user_flgs: NETLOGON_CACHED_ACCOUNT
> credentials were put in: FILE:/tmp/krb5cc_0
>
> Good. But still in 'smbcontrol winbind offline' I've also done a:
>
> root at vdmsv1:~# wbinfo -K gaio
> Enter gaio's password:
> plaintext kerberos password authentication for [gaio] succeeded
> (requesting cctype: FILE)
> credentials were put in: FILE:/tmp/krb5cc_0
>
> and there's no 'user_flgs'. Boh...

If you have 'winbind use default domain = yes', winbind strips off the domain name, so 'LNFFVG\\gaio' becomes 'gaio'; or, to put it another way, you do not need to use the domain name with 'getent passwd' etc.

Rowland
Mandi! L.P.H. van Belle via samba wrote:

> What you show below is correct.
> In linux, DOM\user != user

I know. And I was using 'wbinfo', which, AFAIK, queries winbind directly and no POSIX stuff...

> https://wiki.samba.org/index.php/OpenSSH_Single_sign-on
> [realms]
> SAMDOM.EXAMPLE.COM = {
> auth_to_local = RULE:[1:SAMDOM\$1]
> }

Interesting! I've looked at that in the past, but I was not interested in SSO so I've probably skipped it.

Anyway, I've tried to comment out 'winbind use default domain = yes' and add this stanza to /etc/krb5.conf, but it seems it does not work, e.g.:

root at vdmsv1:~# getent passwd gaio
root at vdmsv1:~# getent passwd LNFFVG\\gaio
LNFFVG\gaio:*:10000:10513:Marco Gaiarin:/home/gaio:/bin/bash

only the 'domainful' version of the account works.

> Now, since im not sure this works ok, i dont use it on my debian servers, i use option2.
> option2 is ignore the "not recommended setting : "winbind use default domain = yes"

Me too, option 2. ;-)
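As an added illustration (mine, not Louis's or the wiki's), here is what the quoted `krb5.conf` rule actually computes, evaluated with MIT-style `auth_to_local` semantics: `gaio@SAMDOM.EXAMPLE.COM` maps to `SAMDOM\gaio`, the domainful spelling that NSS resolved in the `getent` test above, whereas the built-in `DEFAULT` rule would yield the bare `gaio`, which only resolves when winbind strips the domain. libkrb5 applies these rules when a Kerberos-aware service such as sshd maps an authenticated principal to a local user; `getent passwd` does not consult them. Rule syntax beyond what the thread quotes is reconstructed by me and the simplifications are noted in the comments.

```python
import re
from typing import List, Optional

# One MIT-style rule: RULE:[n:string](regexp)s/pattern/replacement/[g]; selector and s/// are optional.
RULE_RE = re.compile(r"^RULE:\[(?P<n>\d+):(?P<fmt>[^\]]*)\](?P<sel>\([^)]*\))?(?P<subs>.*)$")

def auth_to_local(principal: str, rules: List[str], default_realm: str) -> Optional[str]:
    """Map a Kerberos principal to a local name with krb5 auth_to_local rules, tried in order.
    Returns None when nothing matches (libkrb5 then refuses the mapping). Assumed simplifications:
    the (regexp) selector must match the whole formatted string, and sed back-references in the
    replacement are not translated."""
    name, realm = principal.rsplit("@", 1) if "@" in principal else (principal, default_realm)
    comps = name.split("/")
    for rule in rules:
        if rule == "DEFAULT":
            # Built-in default: only single-component principals of the default realm map.
            if realm == default_realm and len(comps) == 1:
                return comps[0]
            continue
        m = RULE_RE.match(rule)
        if not m:
            raise ValueError(f"unparseable auth_to_local rule: {rule}")
        if int(m["n"]) != len(comps):
            continue  # the component count must match exactly
        # $0 is the realm, $1..$n are the principal components. A RULE does not check the
        # realm by itself; in multi-realm setups restrict it with a (regexp) selector on $0.
        out = m["fmt"].replace("$0", realm)
        for i, comp in enumerate(comps, start=1):
            out = out.replace(f"${i}", comp)
        if m["sel"] and not re.fullmatch(m["sel"][1:-1], out):
            continue
        for pat, rep, flag in re.findall(r"s/([^/]*)/([^/]*)/(g?)", m["subs"]):
            out = re.sub(pat, rep, out, count=0 if flag else 1)
        return out
    return None

# The [realms] stanza quoted in the thread, followed by the implicit DEFAULT fallback.
THREAD_RULES = [r"RULE:[1:SAMDOM\$1]", "DEFAULT"]
REALM = "SAMDOM.EXAMPLE.COM"

if __name__ == "__main__":
    for p in (f"gaio@{REALM}", f"host/vdmsv1.samdom.example.com@{REALM}", "gaio@OTHER.EXAMPLE.COM"):
        print(f"{p:48} -> {auth_to_local(p, THREAD_RULES, REALM)}")
```

The third principal shows the caveat from the comments: the quoted rule maps a one-component principal from any realm the host trusts, so in a multi-realm environment it should carry a selector on the realm.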