Dale
I have just been down this rabbit hole. Winbind sets KRB5CCNAME when you use
pam_winbind. If you set eg
krb5_ccache_type = FILE:/var/lib/krb5cc/krb5cc_%u
in pam_winbind.conf then it should work. For me it doesn't 8( . The code is
in source3/winbindd/winbindd_pam.c and it
looks correct. I can see the %u thing mentioned in the code that looks for
FILE:/ at the start of krb5_ccache_type. My
systemd journal reports:
login[5550]: pam_winbind(login:auth): CONFIG file: krb5_ccache_type
'FILE:/var/lib/krb5cc/krb5cc_%u'
If I set this in /etc/krb5.conf:
[libdefaults]
default_ccache_name = FILE:/var/lib/krb5cc/krb5cc_%{uid}
then kinit creates the cache correctly. Winbind ignores that I think and does
its own thing instead and sets KRB5CCNAME
to override krb5.conf.
Cheers
Jon
On Wed, 2021-01-20 at 11:33 -0600, Dale via samba wrote:
> Louis,
>
> Could you provide a hint? I found the following on MIT's website =>
>
> "The default credential cache name is determined by the following, in
> descending order of priority:
>
> 1. The *KRB5CCNAME* environment variable. For example,
>    KRB5CCNAME=DIR:/mydir/.
> 2. The *default_ccache_name* profile variable in /[libdefaults]/
>    <https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html#libdefaults>.
> 3. The hardcoded default, /DEFCCNAME/
>    <https://web.mit.edu/kerberos/krb5-1.12/doc/mitK5defaults.html#paths>."
>
> #2 is not working for me and I have no idea where to look for #1, if it
> even exists. For #2, I used
>
> default_ccache_name = File:/path/to/cache_dir/krb5cc_%{uid} as shown by
> MIT.
>
> My, only guess for #1, /etc/environment and /etc/environment.d have
> nothing related to kerberos in them.
>
> I also tried enabling in pam_winbind.conf the krb5_auth and
> krb5_ccache_type variables. That also did not work.
>
> Thanks,
>
> Dale
>
>
> On 1/20/21 3:57 AM, L.P.H. van Belle via samba wrote:
> > Try changing the location of the kerberos cached files..
> >
> > This: FILE:/tmp/krb5cc_21046
> >
> > /tmp is emptied after a reboot, so yeah, logical you can't login..
> >
> > And beware, some also have /var/tmp linked to /tmp.
> > So, create a custom folder point it to that.
> > login, reboot retry.
> >
> > ;-)
> > Good luck..
> >
> >
> > Greetz,
> >
> > Louis
> >
> >
> > > -----Original Message-----
> > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Piviul via samba
> > > Sent: Wednesday 20 January 2021 9:21
> > > To: samba at lists.samba.org
> > > Subject: [Samba] winbind offline logon
> > >
> > > Reading this[?] samba wiki and applying it, offline authentication seems
> > > to work, but in the real world it doesn't work at all... let me explain. If
> > > I put winbind offline using smbcontrol, offline authentication works
> > > flawlessly:
> > >
> > > > $ wbinfo -K <domain>\\<username>
> > > > Enter <domain>\<username>'s password:
> > > > plaintext kerberos password authentication for [<domain>\<username>] succeeded (requesting cctype: FILE)
> > > > credentials were put in: FILE:/tmp/krb5cc_21046
> > > > $ sudo smbcontrol winbind offline
> > > > $ wbinfo -K <domain>\\<username>
> > > > Enter <domain>\<username>'s password:
> > > > plaintext kerberos password authentication for [<domain>\<username>] succeeded (requesting cctype: FILE)
> > > > user_flgs: NETLOGON_CACHED_ACCOUNT
> > > > credentials were put in: FILE:/tmp/krb5cc_21046
> > > But offline authentication should work when the PC can't connect to the
> > > AD. So I have disconnected the PC from the LAN and all seems to work:
> > >
> > > > $ wbinfo -K <domain>\\<username>
> > > > Enter <domain>\<username>'s password:
> > > > plaintext kerberos password authentication for [<domain>\<username>] succeeded (requesting cctype: FILE)
> > > > user_flgs: NETLOGON_CACHED_ACCOUNT
> > > > credentials were put in: FILE:/tmp/krb5cc_21046
> > >
> > > But if I restart the PC without the LAN cable:
> > >
> > > > $ wbinfo -K <domain>\\<username>
> > > > Enter <domain>\<username>'s password:
> > > > plaintext kerberos password authentication for [<domain>\<username>] failed (requesting cctype: FILE)
> > > > wbcLogonUser(DOMINIOCSA\psala): error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
> > > > error message was: The specified account does not exist.
> > > > Could not authenticate user [<domain>\<username>] with Kerberos (ccache: FILE)
> > > > $ getent passwd <domain>\\<username>
> > > > <domain>\\<username>:*:21046:10513:User Name:/home/domain/username:/bin/bash
> > > So the account seems to exist (getent passwd seems to work correctly)
> > > but cached login doesn't...
> > >
> > > Can someone help me troubleshoot this problem?
> > >
> > > Piviul
> > >
> > > [?] https://wiki.samba.org/index.php/PAM_Offline_Authentication
> > >
> > >
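As an added illustration that is not from this thread and not Samba or MIT code, here is a small POSIX sh sketch of the cache-name resolution Dale quotes (KRB5CCNAME, then default_ccache_name, then the built-in default), with a check for the /tmp pitfall Louis describes. It assumes a krb5.conf-style file, expands only the %{uid} and %{username} tokens, and takes FILE:/tmp/krb5cc_%{uid} as the usual Unix build default; the sample config, uid and username are constructed.

```shell
# Added example, not code from the thread or from Samba/MIT: mimic the
# credential-cache name resolution Dale quotes (KRB5CCNAME, then
# default_ccache_name, then the built-in default) and flag caches that
# sit in directories cleared at boot, the failure Louis points at.
# Assumptions: only %{uid} and %{username} are expanded; the built-in
# default is FILE:/tmp/krb5cc_%{uid} (the usual Unix build value).

# Print default_ccache_name from [libdefaults] of the given krb5.conf, if set.
krb5_default_ccache_name() {
    awk '
        /^[[:space:]]*\[/ { in_ld = ($0 ~ /^[[:space:]]*\[libdefaults\]/); next }
        in_ld && /^[[:space:]]*default_ccache_name[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }' "$1"
}

# Resolve the effective cache name for uid $2 / local username $3 using config $1.
resolve_ccache() {
    conf=$1; uid=$2; user=$3
    if [ -n "$KRB5CCNAME" ]; then
        name=$KRB5CCNAME                                 # 1. environment (pam_winbind sets it)
    else
        name=$(krb5_default_ccache_name "$conf")         # 2. krb5.conf [libdefaults]
        [ -n "$name" ] || name='FILE:/tmp/krb5cc_%{uid}' # 3. hardcoded DEFCCNAME
    fi
    printf '%s\n' "$name" | sed -e "s/%{uid}/$uid/g" -e "s/%{username}/$user/g"
}

# Succeed only if a FILE: cache lives outside /tmp and /var/tmp.
ccache_is_persistent() {
    case $1 in
        FILE:/tmp/*|FILE:/var/tmp/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed sample krb5.conf with the setting Jon describes.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    default_ccache_name = FILE:/var/lib/krb5cc/krb5cc_%{uid}
[realms]
EOF

unset KRB5CCNAME
cc=$(resolve_ccache "$SAMPLE_CONF" 21046 psala)          # -> FILE:/var/lib/krb5cc/krb5cc_21046
if ccache_is_persistent "$cc"; then echo "$cc: survives reboot"; else echo "$cc: lost at reboot"; fi
```

Running it with KRB5CCNAME exported to a FILE:/tmp/... path shows why the pam_winbind setting wins over krb5.conf and why a reboot then loses the cache.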