On Thursday, December 28th, 2023 at 15:59, Rowland Penny via samba <samba at
lists.samba.org> wrote:
> On Thu, 28 Dec 2023 18:18:22 +0000
> bd730c5053df9efb via samba samba at lists.samba.org wrote:
>
> > Hi all!
> >
> > As a die hard slackware user and as a part of my learning pam process
> > I installed debian bookworm (12.4.0) in a vm and setup a domain
> > member server per the instructions in the wiki trying to figure out
> > how debian does it so I can correct some issues I have with how it's
> > done in slackware.
> >
> > Everything seems to be working fine except for the winbind offline
> > logons, what I tried was to start session with my user, SAMDOM\dave
> > and then logout to make sure my password is cached. After that I
> > disconnected the vm's nic from the network and tried to log back in
> > and I got an error stating that "password authentication didn't work"
> >
> > Here's the content of smb.conf
> > [global]
> > kerberos method = secrets and keytab
> > realm = SAMDOM.EXAMPLE.COM
> > security = ADS
> > server role = member server
> > username map = /etc/samba/user.map
> > winbind refresh tickets = Yes
> > workgroup = SAMDOM
> > idmap config * : range = 3000-7999
> > idmap config * : backend = tdb
> > idmap config samdom:unix_primary_group = Yes
> > idmap config samdom:unix_nss_info = Yes
> > idmap config samdom:range = 10000-999999
> > idmap config smadom:schema_mode = rfc2307
> > idmap config samdom:backend=ad
> > map acl inherit = Yes
> > store dos attributes = Yes
> > vfs objects = acl_xattr
> > min domain uid = 0
> > winbind offline logon = Yes
> > winbind request timeout = 10
> >
> > /etc/security/pam_winbind.conf
> > [global]
> > cached_login = Yes
> > #krb5_auth = Yes # <= Commented since it's part of /etc/pam.d/common-auth
> > #krb5_ccache_type = FILE # <= Commented since it's part of /etc/pam.d/common-auth
>
>
> You do not need /etc/security/pam_winbind.conf if the settings are in
> /etc/pam.d/common-auth (which they are on Debian by default).
>
> > /etc/pam.d/common-auth
> > #
> > # /etc/pam.d/common-auth - authentication settings common to all services
> > #
> > # This file is included from other service-specific PAM config files,
> > # and should contain a list of the authentication modules that define
> > # the central authentication scheme for use on the system
> > # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
> > # traditional Unix authentication mechanisms.
> > #
> > # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
> > # To take advantage of this, it is recommended that you configure any
> > # local modules either before or after the default block, and use
> > # pam-auth-update to manage selection of other modules. See
> > # pam-auth-update(8) for details.
> >
> > # here are the per-package modules (the "Primary" block)
> > auth [success=2 default=ignore] pam_unix.so nullok
> > auth [success=1 default=ignore] pam_winbind.so cached_login krb5_auth krb5_ccache_type=FILE cached_login try_first_pass # <> added cached_login, just in case
> > # here's the fallback if no module
>
>
> Which one did you add? The one after 'pam_winbind.so' or the other one?

I added the cached_login parameter to the pam_winbind.so line in common-auth,
it's also in /etc/security/pam_winbind.conf

> Try reading this:
>
> https://wiki.samba.org/index.php/PAM_Offline_Authentication
I did follow the steps and if there's a step missing I'm not seeing it.
I haven't performed the tests mentioned, I went straight to trying to log in
without a network connection. I'll try those and report back.

> Rowland
>
Thanks!
Best regards,
Dave.
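
A small pre-flight check for the settings quoted in this thread, added here as an example and not part of the original messages or of Samba itself. It confirms that `winbind offline logon` is enabled, that a `pam_winbind.so` auth line carries `cached_login`, and that every `idmap config` domain has both a `backend` and a `range`; the function names and the embedded sample text are constructed for illustration.

```python
import re

# Constructed samples that mirror the settings quoted in the message above.
SMB_CONF = """[global]
workgroup = SAMDOM
winbind offline logon = Yes
idmap config * : range = 3000-7999
idmap config * : backend = tdb
idmap config samdom:range = 10000-999999
idmap config smadom:schema_mode = rfc2307
idmap config samdom:backend=ad
"""
PAM_AUTH = """auth [success=2 default=ignore] pam_unix.so nullok
auth [success=1 default=ignore] pam_winbind.so krb5_auth cached_login try_first_pass
"""

def parse_global(text):
    """Return {parameter: value} from [global]; names lower-cased, spaces collapsed."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def lint_offline_logon(smb_conf, pam_auth):
    """Hypothetical helper: list settings to review before testing offline logon."""
    findings, params = [], parse_global(smb_conf)
    if params.get("winbind offline logon", "no").lower() not in ("yes", "true", "1"):
        findings.append("smb.conf: winbind offline logon is not enabled")
    domains = {}  # idmap domain -> set of options configured for it
    for key in params:
        m = re.fullmatch(r"idmap config\s+([^:\s]+)\s*:\s*(\S+)", key)
        if m:
            domains.setdefault(m.group(1), set()).add(m.group(2))
    for name, opts in sorted(domains.items()):
        missing = {"backend", "range"} - opts
        if missing:
            findings.append(f"smb.conf: idmap config {name} lacks {', '.join(sorted(missing))}")
    auth = [l.split() for l in pam_auth.splitlines() if l.split()[:1] == ["auth"]]
    if not any("pam_winbind.so" in f and "cached_login" in f for f in auth):
        findings.append("pam: no pam_winbind.so auth line has cached_login")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_offline_logon(SMB_CONF, PAM_AUTH)) or "no findings")
```

On a real host, feed it the output of `testparm -s` and the contents of `/etc/pam.d/common-auth` instead of the embedded samples.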