Rowland Penny
2024-Nov-25 15:56 UTC
[Samba] Working through the PAM Offline Authentication Wiki page, but...
On Mon, 25 Nov 2024 09:57:06 -0500 "John R. Graham via samba" <samba at lists.samba.org> wrote:

> On 11/19/24 12:56, Rowland Penny via samba wrote:
> > At a guess, your PAM stack is incorrect, it doesn't seem to be using
> > winbind, I would expect to see lines like this:
> >
> > 2024-11-19T17:48:38.678440+00:00 devstation sshd[9437]:
> > pam_winbind(sshd:auth): getting password (0x00000388)
> >
> > Rowland
>
> Yes, that was it. Thank you! That was a deeper rabbit hole than I had
> anticipated, requiring learning YASMCL (Yet Another State Machine
> Configuration Language). I have a PAM configuration working except
> for a few corner cases and a few puzzling things. The first of the
> latter is that bringing the winbind daemon offline with
>
>     smbcontrol winbind offline
>
> doesn't appear to do anything.

On a DC it doesn't, you cannot take winbind offline on a DC. When it comes to a DC 'smbcontrol' does nothing, you can only stop the 'samba' daemon (which turns off smbd & winbindd), start it (which starts smbd & winbindd) or restart it (which stops, then starts smbd & winbindd).

If you stop and think about it, I feel it will come to you why you cannot take a major part of a DC offline ;-)

This, along with numerous other reasons, is why it is not recommended to use a Samba AD DC as a fileserver.

Rowland

John R. Graham
2024-Nov-25 16:09 UTC
[Samba] Working through the PAM Offline Authentication Wiki page, but...
On 11/25/24 10:56, Rowland Penny via samba wrote:

> On a DC it doesn't, you cannot take winbind offline on a DC. When it
> comes to a DC 'smbcontrol' does nothing, you can only stop the 'samba'
> daemon (which turns off smbd & winbindd), start it (which starts smbd &
> winbindd) or restart it (which stops, then starts smbd & winbindd).
>
> If you stop and think about it, I feel it will come to you why you
> cannot take a major part of a DC offline ;-)
>
> This, along with numerous other reasons, is why it is not recommended to
> use a Samba AD DC as a fileserver.
>
> Rowland

This isn't on a DC. This is on a Linux machine I have joined to the domain.

- John