Dear Rowland,
Have you read this:
https://wiki.samba.org/index.php/PAM_Offline_Authentication --> yes
You will also need the pam kerberos lib installed (libpam-krb5 on Debian) -->
yes it is installed
Samba DC present
------------------------
root at client:~# wbinfo -K CHAPINS-TEST\\paul%angel
plaintext kerberos password authentication for [CHAPINS-TEST\paul%angel]
succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0
root at client:~#
root at client:~# smbcontrol winbind offline
root at client:~#
root at client:~# wbinfo -K CHAPINS-TEST\\paul%angel
plaintext kerberos password authentication for [CHAPINS-TEST\paul%angel]
succeeded (requesting cctype: FILE)
user_flgs: NETLOGON_CACHED_ACCOUNT
credentials were put in: FILE:/tmp/krb5cc_0
root at client:~#
root at client:~# ssh CHAPINS-TEST\\paul at localhost
CHAPINS-TEST\paul at localhost's password:
Linux client 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Jan 8 17:39:51 2021 from ::1
paul at client:~$
paul at client:~$ exit
d?connexion
Samba DC is switched off
------------------------
root at client:~# wbinfo -K CHAPINS-TEST\\paul%angel
plaintext kerberos password authentication for [CHAPINS-TEST\paul%angel]
succeeded (requesting cctype: FILE)
user_flgs: NETLOGON_CACHED_ACCOUNT
credentials were put in: FILE:/tmp/krb5cc_0
root at client:~#
root at client:~# ssh CHAPINS-TEST\\paul at localhost
CHAPINS-TEST\paul at localhost's password:
Connection closed by ::1 port 22
root at client:~#
I reboot the client, DC still off
---------------------------------------
>From the TTY1
-------------
Debian GNU/Linux 10 client tty1
client login: paul
password: (password entered en press enter)
... after one minute
Debian GNU/Linux 10 client tty1
client login:
>From the graphical greeter
-----------------------------------
paul
angel
... and two minutes after, the session opens
If you have an idea of what's going wrong, but maybe outside the scope of
samba.
Thanks a lot
Rapha?l