On 09.07.20 10:29, L.P.H. van Belle via samba wrote:
> Hi Basti,
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> basti via samba
>> Sent: Thursday 9 July 2020 10:20
>> To: samba at lists.samba.org
>> Subject: [Samba] AD Users on Linux Laptop
>>
>> Hello,
>> I have set up a laptop with Debian 10, where Samba AD users
>> should be able to
>> log in. I also set up PAM offline authentication, so far so good.
>>
>> There are several problems:
>>
>> - After reboot winbind seems to start before the network is ready,
>> so winbind
>> can't get user info via getent passwd <username>; after
>> restarting winbind
>> it works
>
> Quick fix:
> systemctl edit winbind.service
> Add:
> [Unit]
> After=network.target network-online.target
>
> Save, reboot. (wait, do below first)
>

Starting winbind after network-online.target is not a good option in my opinion.
When there is only WLAN available, which must be connected manually, winbind would never start, so the user can never log in, I guess.
There must be a way to cache login info between reboots.
sssd or something like that?

>>
>> - How can I cache login info for offline login
>> (e.g. when only WLAN is available, or to start VPN after login to get
>> access to shares)
>
> cat /etc/pam.d/common-auth
> Verify if you see:
>
> # here are the per-package modules (the "Primary" block)
> auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
> auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
> auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
>

The krb5_ccache file is saved in /tmp/; is there a way to save it to another folder that is not cleaned up on reboot? /usr/lib .... for example.

> If not, run: pam-auth-update (even if you don't see it, run it, it sets everything correct.)
>
> And I'm sure you have this in smb.conf:
> But I have to ask/show it.
>
> # Renew the kerberos tickets
> winbind refresh tickets = yes
>
> # Enable offline logins
> winbind offline logon = yes
>
> Try above and report back.
> That's all I do on Debian.
>
>
> Greetz,
>
> Louis
>
>
On 09.07.20 11:06, basti via samba wrote:
> There must be a way to cache login info between reboots.
>
> sssd or something like that?

sssd can do it, but winbind's own cache should work just as well. But yes, network-online.target is counterproductive here.

> the krb5_ccache file is saved in /tmp/; is there a way to save it to
> another folder that is not cleaned up on reboot? /usr/lib .... for example.

As far as I understand the manpages, krb5_ccache is unrelated to offline logon. The stuff you need is controlled by the cached_login PAM parameter and the "winbind offline logon" and "winbind cache time" smb.conf parameters.

>> # Renew the kerberos tickets
>> winbind refresh tickets = yes

LPH, could you elaborate on all the kerberos stuff? It looks like a totally unrelated tangent for what basti is trying to do.
On 09/07/2020 10:39, Sven Schwedas via samba wrote:
> On 09.07.20 11:06, basti via samba wrote:
>> There must be a way to cache login info between reboots.
>>
>> sssd or something like that?
> sssd can do it, but winbind's own cache should work just as well. But
> yes, network-online.target is counterproductive here.

Yes, quite correct, sssd will do it, but only for authentication; you cannot have shares with Samba >= 4.8.0 and sssd.

>
>> the krb5_ccache file is saved in /tmp/; is there a way to save it to
>> another folder that is not cleaned up on reboot? /usr/lib .... for example.
> As far as I understand the manpages, krb5_ccache is unrelated to offline
> logon. The stuff you need is controlled by the cached_login PAM
> parameter and the "winbind offline logon" and "winbind cache time"
> smb.conf parameters.

If you are using Kerberos, then the Kerberos cache will be used if it exists. Samba does have its own caches, have a look in /var/cache/samba

Rowland
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Sven
> Schwedas via samba
> Sent: Thursday 9 July 2020 11:40
> To: samba at lists.samba.org
> Subject: Re: [Samba] AD Users on Linux Laptop
>
> On 09.07.20 11:06, basti via samba wrote:
> > There must be a way to cache login info between reboots.
> >
> > sssd or something like that?
>
> sssd can do it, but winbind's own cache should work just as well. But
> yes, network-online.target is counterproductive here.
>
> > the krb5_ccache file is saved in /tmp/; is there a way to
> save it to
> > another folder that is not cleaned up on reboot? /usr/lib ....
> for example.
>
> As far as I understand the manpages, krb5_ccache is unrelated
> to offline
> logon. The stuff you need is controlled by the cached_login PAM
> parameter and the "winbind offline logon" and "winbind cache time"
> smb.conf parameters.
>
> >> # Renew the kerberos tickets
> >> winbind refresh tickets = yes
>
> LPH, could you elaborate on all the kerberos stuff? It looks like a
> totally unrelated tangent for what basti is trying to do.

It's only that "packaged" Samba does support sssd, but then you will use the "older" Samba versions.
If you are using up-to-date packages from my repo, you can't use sssd; not supported.

Well, if you cache all your logins correctly, you should be able to log in to the laptop.
Basti's first messages showed .. If VPN.. And assuming VPN, you must have network.
And yes, the network-online.target might be overkill if you don't use/have network at all, but it is long ago that I have seen people working without an internet/network connection.

Only, you need to increase all cache time values where needed, like:
Why I add the Kerberos parts also: because it's used, that simple.

winbind cache time (G) (default 5 min) increase to x days at least.

Change the Kerberos cache location through the variable:
KRB5CCNAME=DIR:/mydir/

But there is most probably more you need to set to integrate it all.
That can be found in `man pam_krb5`

Greetz,
Louis
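A quick way to verify the two smb.conf settings the thread settles on (winbind offline logon enabled and winbind cache time raised well above the 5 minute default) before taking a laptop offline, as an added example that is not code from the thread or from Samba; the sample configs are constructed, and the one-day minimum for the cache time is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread: check an smb.conf for the
# offline-logon settings discussed above. Assumes plain "key = value"
# lines under [global]; run `testparm -s` first if includes must be expanded.

# Print the value of a [global] parameter. Samba ignores case and
# whitespace in parameter names, so the key match does too.
smb_param() {  # usage: smb_param <smb.conf> <parameter name>
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z' | tr -d ' ')" '
        /^[ \t]*[#;]/ { next }                            # comment line
        /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s)
                      insec = (tolower(s) == "[global]"); next }
        insec && /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            if (tolower(key) == want) {
                val = $0; sub(/^[^=]*=[ \t]*/, "", val)
                sub(/[ \t]+$/, "", val); print val; exit
            }
        }' "$1"
}

# Return 0 when offline logon is enabled and the winbind cache lives at least
# min_secs (assumed default: one day); otherwise report what is wrong, return 1.
check_offline_logon() {  # usage: check_offline_logon <smb.conf> [min_secs]
    conf=$1; min=${2:-86400}; rc=0
    case "$(smb_param "$conf" 'winbind offline logon' | tr 'A-Z' 'a-z')" in
        yes|true|1) ;;
        *) echo "winbind offline logon is not enabled"; rc=1 ;;
    esac
    secs=$(smb_param "$conf" 'winbind cache time')
    secs=${secs:-300}   # Samba's default is 300 seconds (5 minutes)
    case $secs in
        *[!0-9]*) echo "winbind cache time = '$secs' is not a number of seconds"; rc=1 ;;
        *) [ "$secs" -ge "$min" ] ||
               { echo "winbind cache time = ${secs}s; laptops need >= ${min}s"; rc=1; } ;;
    esac
    return $rc
}

# Constructed sample configs for a stand-alone run (not files from the thread).
tmp=$(mktemp -d)
printf '[global]\n   security = ads\n   winbind offline logon = no\n' > "$tmp/weak.conf"
printf '[global]\n   security = ads\n   winbind offline logon = yes\n   Winbind Cache Time = 604800\n' > "$tmp/good.conf"
check_offline_logon "$tmp/weak.conf" || echo "weak.conf: fix the above before going offline"
check_offline_logon "$tmp/good.conf" && echo "good.conf: ok"
rm -rf "$tmp"
```

The check only reads smb.conf; whether logins actually survive a reboot still depends on the cached_login option in the pam_winbind line of /etc/pam.d/common-auth, which this script does not inspect.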