Rowland Penny
2019-Jan-29 18:25 UTC
[Samba] Winbind, cached logons and 'user persistency'...
On Tue, 29 Jan 2019 18:47:45 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Hi! Rowland Penny via samba
>   On that day wrote...
>
> > Now this is what I do not understand, my understanding is that
> > 'PAM' is used to find the correct authentication system and 'NSS'
> > just connects to that authentication system.
>
> No. NSS, roughly, 'extends the user database':
> https://www.gnu.org/software/libc/manual/html_node/Name-Service-Switch.html
>

Your meaning and my meaning, roughly, mean the same ;-)

> For instance, in /etc/pam.d/common-auth I have:
>
> auth [success=3 default=ignore] pam_krb5.so minimum_uid=10000
> auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
> auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
>
> Putting 'cached_login' here is the same as putting:
>
> [global]
> cached_login = yes
>
> in /etc/security/pam_winbind.conf .

I do not even have that file.

> > If I go anywhere (away from the domain), I can still log into the
> > laptop as my domain user, read and save files etc. All files are
> > saved as the domain user and when I do re-connect to the domain, it
> > is as if I haven't been anywhere.
>
> This is what I supposed to work for me too. Seems not.
>
> Do you also have your user in /etc/passwd? O;-)

No, you cannot have a user in /etc/passwd and AD.

> > You seem to be doing something wrong ;-)
>
> Probably. But I don't understand what. Authentication works as
> expected:
>
> root@vdmsv2:~# wbinfo -K LNFFVG\\gaio
> Enter LNFFVG\gaio's password:
> plaintext kerberos password authentication for [LNFFVG\gaio] succeeded (requesting cctype: FILE)
> credentials were put in: FILE:/tmp/krb5cc_0
> root@vdmsv2:~# smbcontrol winbind offline
> root@vdmsv2:~# wbinfo -K LNFFVG\\gaio
> Enter LNFFVG\gaio's password:
> plaintext kerberos password authentication for [LNFFVG\gaio] succeeded (requesting cctype: FILE)
> user_flgs: NETLOGON_CACHED_ACCOUNT
> credentials were put in: FILE:/tmp/krb5cc_0
>
> a simple 'getent' seems to work:
>
> root@vdmsv2:~# getent passwd LNFFVG\\gaio; smbcontrol winbind offline; sleep 65; getent passwd LNFFVG\\gaio; smbcontrol winbind online
> gaio:*:10000:10513:Marco Gaiarin:/home/gaio:/bin/bash
> gaio:*:10000:10513:Marco Gaiarin:/home/gaio:/bin/bash

That all works for myself.

> but, I just stated that, if I disconnect the DM from the DC for more than a
> minute, NSS starts to reply that the user does not exist (seems that).
>

There must be some reason for this, what is in /etc/nsswitch.conf ?
Do you have libpam-winbind libnss-winbind libpam-krb5 installed ?

> [nscd and winbind]
>
> > Not entirely true that you cannot run nscd with winbind, you just
> > have to stop nscd caching everything that winbind does and by the
> > time you do that, there isn't much left.
>
> Ahem, sorry I've not understood you...

nscd caches certain things, as does winbind, if you want to run nscd with
winbind, you need to stop nscd caching the things that winbind does, when
you do this, nscd isn't caching very much, so you might as well not use it.

> > I think the time has come to ask, what isn't working if you
> > disconnect from the domain e.g. walk away with a laptop, also why
> > is it not working, what can it not find ?
>
> Ahem, again I've not understood...
>

That basically says 'why isn't it working for you'. Have you tried turning
up the Samba logging and seeing if anything 'pops' out?

> But, clearly, I've found 'exim' that replies 'user not found', so
> probably winbind effectively caches data, but in a way that exim does
> not find... seems REALLY strange...

AH, how does 'exim' look for the user ?

Rowland
Marco Gaiarin
2019-Jan-30 16:25 UTC
[Samba] Winbind, cached logons and 'user persistency'...
Hi! Rowland Penny via samba
  On that day wrote...

> nscd caches certain things, as does winbind, if you want to run nscd
> with winbind, you need to stop nscd caching the things that winbind
> does, when you do this, nscd isn't caching very much, so you might as
> well not use it.

Ok. But for some ''incompatibilities'', or because double-caching some
data is not smart and error prone (in the case of a negative cache, both
caches have to be cleaned...)?

> AH, how does 'exim' look for the user ?

I've just asked on the exim list.

-- 
dott. Marco Gaiarin                                     GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

        Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
    (tax code 00307430132, category ONLUS or RICERCA SANITARIA)
Rowland Penny
2019-Jan-30 16:36 UTC
[Samba] Winbind, cached logons and 'user persistency'...
On Wed, 30 Jan 2019 17:25:19 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Hi! Rowland Penny via samba
>   On that day wrote...
>
> > nscd caches certain things, as does winbind, if you want to run nscd
> > with winbind, you need to stop nscd caching the things that winbind
> > does, when you do this, nscd isn't caching very much, so you might
> > as well not use it.
>
> Ok. But for some ''incompatibilities'', or because double-caching some
> data is not smart and error prone (in the case of a negative cache,
> both caches have to be cleaned...)?

From memory, nscd caches /etc/passwd, /etc/group and /etc/hosts. Winbind
caches the first two and this is a Unix domain member, so all there should
be in /etc/hosts is the computer's own info & localhost and if the computer
is using DHCP, there only needs to be localhost. So you do not need nscd.

> > AH, how does 'exim' look for the user ?
>
> I've just asked on the exim list.

I was wondering if it was being done by an LDAP lookup, you would
definitely need the LDAP server for that, no amount of caching would work
for that ;-)

Rowland
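The checks Rowland asks for across this thread (what is in /etc/nsswitch.conf, whether cached_login is enabled for pam_winbind, and whether nscd is caching the same databases winbind does), together with the getent-before-and-after-offline probe from his Jan 29 message, collected into one POSIX shell script. This is an added example, not code from the thread or from the Samba project. The config files it parses are constructed samples written by its demo function; the offline_lookup_probe function assumes a live domain member with root access and a running winbindd, so it is defined but not executed here.

```shell
#!/bin/sh
# Added example, not code from the Samba list thread: offline checks for the
# configuration the thread asks about (winbind in nsswitch.conf, cached_login
# for pam_winbind, nscd caching the same databases as winbind), plus the
# getent / smbcontrol probe from the thread wrapped in a function.

# nss_uses_winbind FILE DB: true if the DB line ("passwd" or "group") in an
# nsswitch.conf lists winbind as a source. Commented-out lines do not count.
nss_uses_winbind() {
    grep -E "^[[:space:]]*$2:(.*[[:space:]])?winbind([[:space:]]|$)" "$1" >/dev/null 2>&1
}

# nscd_cache_enabled FILE DB: true if an nscd.conf has "enable-cache DB yes".
nscd_cache_enabled() {
    grep -E "^[[:space:]]*enable-cache[[:space:]]+$2[[:space:]]+yes([[:space:]]|$)" "$1" >/dev/null 2>&1
}

# nscd_winbind_overlap NSCD_CONF NSSWITCH_CONF: prints each of passwd/group
# that nscd caches while nsswitch also routes it to winbind, i.e. the double
# cache the thread warns about (a negative entry then has to be flushed in
# both). Returns 0 when there is no overlap, 1 otherwise.
nscd_winbind_overlap() {
    overlap=0
    for db in passwd group; do
        if nss_uses_winbind "$2" "$db" && nscd_cache_enabled "$1" "$db"; then
            echo "overlap: nscd and winbind both cache $db (set 'enable-cache $db no' in $1)"
            overlap=1
        fi
    done
    return $overlap
}

# winbind_cached_login PAM_WINBIND_CONF PAM_AUTH_FILE: true if cached logons are
# enabled in either place the thread mentions: "cached_login = yes" in
# /etc/security/pam_winbind.conf, or "cached_login" as an option on the
# pam_winbind.so auth line. A missing pam_winbind.conf is tolerated, since one
# of the setups in the thread has no such file.
winbind_cached_login() {
    grep -E '^[[:space:]]*cached_login[[:space:]]*=[[:space:]]*(yes|true)' "$1" >/dev/null 2>&1 ||
    grep -E '^[[:space:]]*auth[[:space:]].*pam_winbind\.so.*[[:space:]]cached_login([[:space:]]|$)' "$2" >/dev/null 2>&1
}

# offline_lookup_probe 'DOMAIN\user': the experiment from the thread, for a
# live domain member (root, running winbindd). Not run below. Both getent
# calls should print the same passwd entry; if only the second fails, NSS is
# not being answered from the winbind cache while offline.
offline_lookup_probe() {
    getent passwd "$1" || echo "online lookup failed"
    smbcontrol winbind offline
    sleep 65
    getent passwd "$1" || echo "offline lookup failed: NSS not answered from winbind cache"
    smbcontrol winbind online
}

# demo: runs the checks against constructed sample files (not a real host).
demo() {
    tmp=$(mktemp -d)
    printf 'passwd:  files systemd winbind\ngroup:   files systemd winbind\nhosts:   files dns\n' > "$tmp/nsswitch.conf"
    printf 'enable-cache passwd yes\nenable-cache group no\nenable-cache hosts yes\n' > "$tmp/nscd.conf"
    printf 'auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass\n' > "$tmp/common-auth"
    nss_uses_winbind "$tmp/nsswitch.conf" passwd && echo "nsswitch: passwd uses winbind"
    winbind_cached_login "$tmp/pam_winbind.conf" "$tmp/common-auth" && echo "pam: cached_login enabled"
    nscd_winbind_overlap "$tmp/nscd.conf" "$tmp/nsswitch.conf" || echo "nscd: fix the overlap or stop nscd"
    rm -rf "$tmp"
}
demo
```

Run it as-is to see the checks against the sample files; to check a real member, call the functions with /etc/nsswitch.conf, /etc/nscd.conf, /etc/security/pam_winbind.conf and /etc/pam.d/common-auth, and run offline_lookup_probe as root only on a machine where a minute of forced-offline winbind is acceptable.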