On 22/05/2023 10:14, Marco Gaiarin via samba wrote:
> Hello! Rowland Penny via samba wrote on that day...
>
>> I would undo that, it appears to be wrong.
>
> OK, I've undone it also.
>
>> I have tested this on a Ubuntu 22.04 computer and it works, so I have
>> updated the wiki page:
>> https://wiki.samba.org/index.php/PAM_Offline_Authentication
>
> Apparently works as expected:
>
>  root@dane:~# wbinfo -K gaio
>  Enter gaio's password:
>  plaintext kerberos password authentication for [gaio] succeeded (requesting cctype: FILE)
>  credentials were put in: FILE:/tmp/krb5cc_0
>  root@dane:~# smbcontrol winbind offline
>  root@dane:~# wbinfo -K gaio
>  Enter gaio's password:
>  plaintext kerberos password authentication for [gaio] succeeded (requesting cctype: FILE)
>  user_flgs: NETLOGON_CACHED_ACCOUNT
>  credentials were put in: FILE:/tmp/krb5cc_0
>  root@dane:~# ssh gaio@localhost
>  gaio@localhost's password:
>  Warning: Your password will expire in 36 days on Tue Jun 27 18:19:27 2023
>  Warning: Your password will expire in 36 days on Tue Jun 27 18:19:27 2023
>  Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.19.0-41-generic x86_64)
>
>   * Documentation: https://help.ubuntu.com
>   * Management: https://landscape.canonical.com
>   * Support: https://ubuntu.com/advantage
>
>  La manutenzione della sicurezza estesa per Applications non è abilitata.
>
>  0 aggiornamenti possono essere applicati immediatamente.
>
>  Abilita ESM Apps per ricevere ulteriori aggiornamenti di sicurezza futuri.
>  Vedi https://ubuntu.com/esm o esegui: sudo pro status
>
>
>  1 updates could not be installed automatically. For more details,
>  see /var/log/unattended-upgrades/unattended-upgrades.log
>  Last login: Fri May 19 12:33:09 2023 from 10.5.1.44
>  gaio@dane:~$
>
> I've also tried to shut off the wireless (and clearly not connect ethernet
> cable ;) and I can confirm that I have the same response:
>
>  plaintext kerberos password authentication for [gaio] succeeded (requesting cctype: FILE)
>  user_flgs: NETLOGON_CACHED_ACCOUNT
>
> BUT a simple:
>
>  getent passwd gaio

I have Ubuntu 22.04 with Samba 4.15.13 running in a VM and it just works for myself. If I disconnect the network and try to ping a DC, I get:

ping: rpidc1: Temporary failure in name resolution

So the DC cannot be found.

But, if I run 'getent passwd rowland' I instantly get this:

rowland:*:11104:10513:Rowland Penny:/home/rowland:/bin/bash

I can log out from 'rowland' and then log in again, though I do appear to get a message from lightdm, but it goes past so fast that I cannot read it.

> took 60 seconds to run, and return nothing. So login does not work, because
> obviously user 'gaio' does not exist.

Had the user 'gaio' logged in previously, it will not work if the user hasn't logged in at least once before the network has disconnected.

> The strange thing is that the same portable was on a Ubuntu 16.04, with the
> same configuration, and worked as expected.
>
> Seems to me that simply winbind lose the ability to do NSS cache... I've
> googled a bit, and Samba in Xenial was 4.3.11+dfsg-0ubuntu0.16.04.34 .
>
> Is it worth a try to update samba to the later versions? Were there updates
> in this field?

It is always worth upgrading Samba if possible and easy, but as I say, it works for myself.

Rowland
Joachim Lindenberg
2023-May-25 17:24 UTC
[Samba] PAM Offline Authentication in Ubuntu 22.04...
Quick question related to the topic...

Does offline work with Windows credentials only or even with Kerberos authentication in ssh?

Thanks,
Joachim
Hello! Rowland Penny via samba wrote on that day...

Sorry for the late answer.

> I have Ubuntu 22.04 with Samba 4.15.13 running in a VM and it just works
> for myself.

Exactly the same, but on a real hardware.

> Had the user 'gaio' logged in previously, it will not work if the user
> hasn't logged in at least once before the network has disconnected.

Sure! I've tried every time a logon before disconnecting the network, also with different account, same result.

> It is always worth upgrading Samba if possible and easy, but as I say,
> it works for myself.

Ok, I've upgraded to 4.16 using Michael's packages (thanks Michael!).

It works exactly as before, I try to explain:

1) boot; the PC had wireless on and connect automatically
2) login with AD account, OK.
3) I shut off the wireless.
4) machine became totally irresponsive:
   - a terminal open in 2 minutes
   - I cannot re-enable wireless
   - I cannot logoff or reboot

The only option available is to wait for a terminal to open, su to root (not sudo!) and do a 'reboot'. Or connect the ethernet cable and wait an insane amount of time.

What am I doing wrong? How can I debug this?!
I restate:

/etc/samba/smb.conf

 [global]
	client min protocol = NT1
	disable spoolss = Yes
	load printers = No
	log file = /var/log/samba/log.%m
	map to guest = Bad User
	panic action = /usr/share/samba/panic-action %d
	printcap name = /dev/null
	realm = AD.FVG.LNF.IT
	security = ADS
	syslog = 0
	username map = /etc/samba/user.map
	usershare max shares = 0
	winbind offline logon = Yes
	winbind use default domain = Yes
	workgroup = LNFFVG
	idmap config lnffvg : unix_primary_group = yes
	idmap config lnffvg : unix_nss_info = yes
	idmap config lnffvg : schema_mode = rfc2307
	idmap config lnffvg : range = 10000-49999
	idmap config lnffvg : backend = ad
	idmap config * : range = 5000-9999
	idmap config * : backend = tdb
	printing = bsd

/etc/security/pam_winbind.conf

 [global]
	cached_login = yes

/etc/krb5.conf

 [libdefaults]
	default_realm = AD.FVG.LNF.IT
	kdc_timesync = 1
	ccache_type = 4
	forwardable = true
	proxiable = true
	fcc-mit-ticketflags = true

/etc/nsswitch.conf

 passwd: compat winbind
 group: compat winbind
 shadow: files
 gshadow: files
 hosts: files mdns4_minimal [NOTFOUND=return] dns
 networks: files
 protocols: db files
 services: db files
 ethers: db files
 rpc: db files
 netgroup: nis

Thanks.

-- 
There is only the road you can count on, the road is the only salvation. (Gaber)
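
Added example, not part of the thread or of Samba: a small shell audit of the three settings the messages above rely on for offline logon ('winbind offline logon' in smb.conf, 'cached_login' in pam_winbind.conf, and winbind as a passwd/group source in nsswitch.conf). The function names (ini_get, is_true, nss_has_winbind, audit_offline) are made up for this example, and the boolean spellings it accepts are an assumption.

```sh
# Added example (not from the thread): audit the offline-logon settings it names.

# ini_get FILE SECTION KEY: print the last value of KEY inside [SECTION].
# Case and spaces in names are normalised first (smb.conf treats them as irrelevant).
ini_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
                      sec = norm(s); next }
        sec == norm(want_sec) && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (norm(k) == norm(want_key)) val = v
        }
        END { print val }' "$1"
}

# is_true VALUE: succeed for yes/true/1 in any case (conservative; an assumption).
is_true() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        yes|true|1) return 0 ;;
        *) return 1 ;;
    esac
}

# nss_has_winbind FILE DB: succeed if winbind is listed as a source for DB.
nss_has_winbind() {
    awk -v db="$2:" '$1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") ok = 1 }
        END { exit !ok }' "$1"
}

# audit_offline SMB_CONF PAM_WINBIND_CONF NSSWITCH: print findings, return failure count.
audit_offline() {
    fails=0
    is_true "$(ini_get "$1" global 'winbind offline logon')" ||
        { echo "FAIL: smb.conf: winbind offline logon not enabled"; fails=$((fails + 1)); }
    is_true "$(ini_get "$2" global cached_login)" ||
        { echo "FAIL: pam_winbind.conf: cached_login not enabled"; fails=$((fails + 1)); }
    for db in passwd group; do
        nss_has_winbind "$3" "$db" ||
            { echo "FAIL: nsswitch.conf: $db lacks winbind"; fails=$((fails + 1)); }
    done
    [ "$fails" -eq 0 ] && echo "OK: offline logon settings present"
    return "$fails"
}

if [ "$#" -eq 3 ]; then audit_offline "$@"; fi
```

Pass the three file paths quoted in the message above as arguments. A clean result only shows the settings are present; it does not show that credentials or NSS entries have actually been cached for a given user.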