Try changing the location of the kerberos cached files..

This: FILE:/tmp/krb5cc_21046

/tmp is emptied after a reboot, so yeah, logically you can't login..
And beware, some also have /var/tmp linked to /tmp.
So, create a custom folder point it to that.
login, reboot retry.

;-)
Good luck..

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Piviul via samba
> Sent: Wednesday 20 January 2021 9:21
> To: samba at lists.samba.org
> Subject: [Samba] winbind offline logon
>
> Reading this[1] samba wiki and applying it, offline authentication seems
> to work but in the real world doesn't work at all... let me explain. If
> I put winbind offline using smbcontrol, offline authentication works
> flawlessly:
>
> > $ wbinfo -K <domain>\\<username>
> > Enter <domain>\<username>'s password:
> > plaintext kerberos password authentication for [<domain>\<username>]
> > succeeded (requesting cctype: FILE)
> > credentials were put in: FILE:/tmp/krb5cc_21046
> > $ sudo smbcontrol winbind offline
> > $ wbinfo -K <domain>\\<username>
> > Enter <domain>\<username>'s password:
> > plaintext kerberos password authentication for [<domain>\<username>]
> > succeeded (requesting cctype: FILE)
> > user_flgs: NETLOGON_CACHED_ACCOUNT
> > credentials were put in: FILE:/tmp/krb5cc_21046
>
> But offline authentication should work when the PC can't connect to the
> AD. So I have disconnected the PC from the LAN and all seems to work:
>
> > $ wbinfo -K <domain>\\<username>
> > Enter <domain>\<username>'s password:
> > plaintext kerberos password authentication for [<domain>\<username>]
> > succeeded (requesting cctype: FILE)
> > user_flgs: NETLOGON_CACHED_ACCOUNT
> > credentials were put in: FILE:/tmp/krb5cc_21046
>
> But if I restart the PC without the LAN cable:
>
> > $ wbinfo -K <domain>\\<username>
> > Enter <domain>\<username>'s password:
> > plaintext kerberos password authentication for [<domain>\<username>]
> > failed (requesting cctype: FILE)
> > wbcLogonUser(DOMINIOCSA\psala): error code was NT_STATUS_NO_SUCH_USER
> > (0xc0000064)
> > error message was: The specified account does not exist.
> > Could not authenticate user [<domain>\<username>] with Kerberos
> > (ccache: FILE)
> > $ getent passwd <domain>\\<username>
> > <domain>\\<username>:*:21046:10513:User
> > Name:/home/domain/username:/bin/bash
>
> So the account seems to exist (getent passwd seems to work correctly)
> but cached login doesn't...
>
> Can someone help me to troubleshoot this problem?
>
> Piviul
>
> [1] https://wiki.samba.org/index.php/PAM_Offline_Authentication
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On 20/01/21 10:57, L.P.H. van Belle via samba wrote:
> Try changing the location of the kerberos cached files..
>
> This: FILE:/tmp/krb5cc_21046
>
> /tmp is emptied after a reboot, so yeah, logically you can't login..

Thanks a lot Louis, now it's all more clear...

> And beware, some also have /var/tmp linked to /tmp.
> So, create a custom folder point it to that.
> login, reboot retry.

but this way all the content of the tmp folder won't be cleaned at boot time, will it? Is there no way to put only the kerberos credential cache in /var/tmp?

Piviul
Louis,

Could you provide a hint? I found the following on MIT's website =>

"The default credential cache name is determined by the following, in descending order of priority:

1. The *KRB5CCNAME* environment variable. For example, KRB5CCNAME=DIR:/mydir/.
2. The *default_ccache_name* profile variable in [libdefaults] <https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html#libdefaults>.
3. The hardcoded default, DEFCCNAME <https://web.mit.edu/kerberos/krb5-1.12/doc/mitK5defaults.html#paths>."

#2 is not working for me and I have no idea where to look for #1, if it even exists. For #2, I used

default_ccache_name = File:/path/to/cache_dir/krb5cc_%{uid}

as shown by MIT.

My only guess for #1, /etc/environment and /etc/environment.d, have nothing related to kerberos in them.

I also tried enabling in pam_winbind.conf the krb5_auth and krb5_ccache_type variables. That also did not work.

Thanks,
Dale

On 1/20/21 3:57 AM, L.P.H. van Belle via samba wrote:
> Try changing the location of the kerberos cached files..
>
> This: FILE:/tmp/krb5cc_21046
>
> /tmp is emptied after a reboot, so yeah, logically you can't login..
>
> And beware, some also have /var/tmp linked to /tmp.
> So, create a custom folder point it to that.
> login, reboot retry.
>
> ;-)
> Good luck..
>
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Piviul via samba
>> Sent: Wednesday 20 January 2021 9:21
>> To: samba at lists.samba.org
>> Subject: [Samba] winbind offline logon
>>
>> Reading this[1] samba wiki and applying it, offline authentication seems
>> to work but in the real world doesn't work at all... let me explain.
On Wednesday, 20 January 2021 01:57:24 PST L.P.H. van Belle via samba wrote:
> /tmp is emptied after a reboot, so yeah, logically you can't login..

Unless the system is configured to mount tmpfs in /tmp that's not always the case. Debian and debian-based distros certainly like to clean /tmp on boot, but there are plenty of other distros (I believe most fedora/rhel-based) that preserve /tmp contents on reboot.

On Wednesday, 20 January 2021 01:57:24 PST L.P.H. van Belle via samba wrote:
> And beware, some also have /var/tmp linked to /tmp.
> So, create a custom folder point it to that.

While I have to agree that's something to watch out for, the practice is frankly not the best, since the intended use case between the two is rather different.

On Wednesday, 20 January 2021 09:33:14 PST Dale via samba wrote:
> Could you provide a hint? I found the following on MIT's website =>
>
> "The default credential cache name is determined by the following, in
> descending order of priority:
>
> 1. The *KRB5CCNAME* environment variable. For example,
> KRB5CCNAME=DIR:/mydir/.
> 2. The *default_ccache_name* profile variable in [libdefaults]
> <https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html#libdefaults>.
> 3. The hardcoded default, DEFCCNAME
> <https://web.mit.edu/kerberos/krb5-1.12/doc/mitK5defaults.html#paths>."
>
> #2 is not working for me and I have no idea where to look for #1, if it
> even exists. For #2, I used
>
> default_ccache_name = File:/path/to/cache_dir/krb5cc_%{uid} as shown by MIT.
>
> My only guess for #1, /etc/environment and /etc/environment.d, have
> nothing related to kerberos in them.
>
> I also tried enabling in pam_winbind.conf the krb5_auth and
> krb5_ccache_type variables. That also did not work.

There are three configuration locations you need to check:

* krb5_ccache_type in pam_winbind.conf (on fedora-based distros should be in /etc/security/pam_winbind.conf)
* default_ccache_name in /etc/krb5.conf
* krb5_ccache_type parameters in /etc/pam.d/* (distros like CentOS 7 and AL2 are guilty of overriding pam_winbind.conf in PAM stacks)

AFAIK krb5_ccache_type is what drives KRB5CCNAME when pam_winbind is used for authentication, default_ccache_name in krb5.conf should match krb5_ccache_type, but if it doesn't you shouldn't run into any major issues.
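As an added example, not code from the thread or from Samba: a small audit script that reads the three locations named in the last reply (krb5.conf, pam_winbind.conf and the PAM stacks under /etc/pam.d) and flags any credential cache that lives under /tmp or /var/tmp, which is the reboot problem Louis pointed out. The file paths are arguments and default to the paths the reply names; the sample config files in the test are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: gather the credential
# cache settings from the three locations the last reply names and flag caches
# that live under /tmp or /var/tmp (cleared at boot on many distros, which is
# why the offline logon in the thread failed after a reboot).

# Print one "source:key=value" line per ccache setting found.
# Arguments (all optional) are the files to inspect; the defaults are the
# paths named in the reply.
krb_ccache_settings() {
    krb5conf="${1:-/etc/krb5.conf}"
    pamwb="${2:-/etc/security/pam_winbind.conf}"
    pamdir="${3:-/etc/pam.d}"
    # [libdefaults] default_ccache_name = FILE:/...   (krb5.conf)
    [ -r "$krb5conf" ] && sed -n 's/^[[:space:]]*default_ccache_name[[:space:]]*=[[:space:]]*//p' "$krb5conf" \
        | sed 's/^/krb5.conf:default_ccache_name=/'
    # krb5_ccache_type = FILE:/...   (pam_winbind.conf)
    [ -r "$pamwb" ] && sed -n 's/^[[:space:]]*krb5_ccache_type[[:space:]]*=[[:space:]]*//p' "$pamwb" \
        | sed 's/^/pam_winbind.conf:krb5_ccache_type=/'
    # "... pam_winbind.so krb5_auth krb5_ccache_type=FILE:/..." in PAM stacks,
    # which override pam_winbind.conf on some distros
    [ -d "$pamdir" ] && grep -h -o 'krb5_ccache_type=[^[:space:]]*' "$pamdir"/* 2>/dev/null \
        | sed 's/^krb5_ccache_type=/pam.d:krb5_ccache_type=/'
    return 0
}

# Classify a ccache name such as FILE:/tmp/krb5cc_%{uid}: "volatile" when the
# path is under /tmp or /var/tmp, "persistent" otherwise. /var/tmp counts as
# volatile because, as the thread notes, some systems link it to /tmp.
ccache_volatility() {
    path="${1#*:}"    # drop the FILE: / DIR: type prefix
    case "$path" in
        /tmp/*|/var/tmp/*) echo volatile ;;
        *) echo persistent ;;
    esac
}

# Run the audit and report each setting with its classification.
krb_ccache_audit() {
    krb_ccache_settings "$@" | while IFS= read -r line; do
        echo "$line -> $(ccache_volatility "${line#*=}")"
    done
}
```

Run `krb_ccache_audit` with no arguments on the affected host; every line reported as volatile is a cache that will not survive the reboot described in the thread.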