Rowland Penny
2024-Nov-25 16:26 UTC
[Samba] Working through the PAM Offline Authentication Wiki page, but...
On Mon, 25 Nov 2024 11:09:38 -0500 "John R. Graham via samba" <samba at lists.samba.org> wrote:
> On 11/25/24 10:56, Rowland Penny via samba wrote:
> > On a DC it doesn't, you cannot take winbind offline on a DC. When it
> > comes to a DC 'smbcontrol' does nothing, you can only stop the
> > 'samba' daemon (which turns off smbd & winbindd), start it (which
> > starts smbd & winbindd) or restart it (which stops, then starts
> > smbd & winbindd).
> >
> > If you stop and think about it, I feel it will come to you why you
> > cannot take a major part of a DC offline ;-)
> >
> > This, along with numerous other reasons, is why it is not
> > recommended to use a Samba AD DC as a fileserver.
> >
> > Rowland
>
> This isn't on a DC. This is on a Linux machine I have joined to the
> domain.

D, I must go to specsavers, I appear to be going blind ;-)

You wrote 'smbcontrol winbind offline' and I missed it, the extra 'd' that is. It should have been:

    smbcontrol winbindd offline

Rowland
John R. Graham
2024-Nov-25 17:40 UTC
[Samba] Working through the PAM Offline Authentication Wiki page, but...
On 11/25/24 11:26, Rowland Penny via samba wrote:
> D, I must go to specsavers, I appear to be going blind ;-)
>
> you wrote 'smbcontrol winbind offline' and I missed it, the extra 'd'
> that is, it should have been:
>
> smbcontrol winbindd offline
>
> Rowland

Okay, thanks, but I'm going to start over as I appear to have related some incorrect information. Running

    smbcontrol winbind offline

contrary to my previous report, does do something.

    wbinfo -K SAMDOM\\jgraham%password

returns

    plaintext kerberos password authentication for [SAMDOM\\jgraham] succeeded (requesting cctype: FILE)
    user_flgs: NETLOGON_CACHED_ACCOUNT
    credentials were put in: FILE:/tmp/krb5cc_0

Turns out smbcontrol will accept either "winbind" or "winbindd". I was following the Wiki page verbatim, which uses the former. I can tweak the Wiki page if the latter is more canonically correct.

More importantly, an ssh login succeeds:

    terra ~ # ssh SAMDOM\\jgraham at localhost
    (SAMDOM\jgraham at localhost) Password:
    Domain Controller unreachable, using cached credentials instead. Network resources may be unavailable
    Domain Controller unreachable, using cached credentials instead. Network resources may be unavailable
    SAMDOM\jgraham at terra ~ $

with the following information in /var/log/messages:

    Nov 25 12:15:18 terra sshd-session[25073]: pam_winbind(sshd:auth): getting password (0x00004388)
    Nov 25 12:15:22 terra sshd-session[25073]: pam_winbind(sshd:auth): user 'SAMDOM\jgraham' granted access
    Nov 25 12:15:23 terra sshd-session[25073]: pam_winbind(sshd:account): user 'SAMDOM\jgraham' granted access
    Nov 25 12:15:23 terra sshd-session[25037]: Accepted keyboard-interactive/pam for SAMDOM\\jgraham from 127.0.0.1 port 44002 ssh2
    Nov 25 12:15:24 terra sshd-session[25037]: pam_unix(sshd:session): session opened for user HOME\jgraham(uid=10000) by HOME\jgraham(uid=0)
    Nov 25 12:15:24 terra elogind-daemon[3816]: New session 11 of user SAMDOM\jgraham.

This is behaving well as far as I can tell. However, the network cable was still attached when this test was run. When I remove the network cable, the behavior changes. With the exact same ssh command as above, there's a long timeout before the password prompt appears and another one after the password is provided. /var/log/messages tells a sad tale:

    Nov 25 12:28:11 terra sshd-session[28633]: pam_faillock(sshd:auth): User unknown
    Nov 25 12:28:11 terra sshd-session[28633]: pam_winbind(sshd:auth): getting password (0x00004388)
    Nov 25 12:28:11 terra sshd-session[27411]: Postponed keyboard-interactive for invalid user SAMDOM\\\\jgraham from 127.0.0.1 port 38014 ssh2 [preauth]
    Nov 25 12:28:11 terra sshd-session[27411]: Connection closed by invalid user SAMDOM\\\\jgraham 127.0.0.1 port 38014 [preauth]
    Nov 25 12:28:11 terra elogind-daemon[3816]: Removed session 11.
    Nov 25 12:28:16 terra sshd-session[25037]: fatal: login_init_entry: Cannot find user "SAMDOM\\jgraham"
    Nov 25 12:28:16 terra sshd-session[30386]: Invalid user SAMDOM\\jgraham from 127.0.0.1 port 36848
    Nov 25 12:28:46 terra sshd-session[31332]: pam_faillock(sshd:auth): User unknown
    Nov 25 12:28:46 terra sshd-session[31332]: pam_winbind(sshd:auth): getting password (0x00004388)
    Nov 25 12:28:46 terra sshd-session[30386]: Postponed keyboard-interactive for invalid user SAMDOM\\\\jgraham from 127.0.0.1 port 36848 ssh2 [preauth]
    Nov 25 12:29:31 terra sshd-session[31332]: pam_unix(sshd:auth): check pass; user unknown
    Nov 25 12:29:31 terra sshd-session[31332]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1
    Nov 25 12:29:46 terra sshd-session[31332]: pam_faillock(sshd:auth): User unknown
    Nov 25 12:29:48 terra sshd-session[30386]: error: PAM: User not known to the underlying authentication module for illegal user SAMDOM\\jgraham from 127.0.0.1
    Nov 25 12:29:48 terra sshd-session[30386]: Failed keyboard-interactive/pam for invalid user SAMDOM\\jgraham from 127.0.0.1 port 36848 ssh2
    Nov 25 12:30:04 terra sshd[3802]: Timeout before authentication for connection from 127.0.0.1 to 127.0.0.1, pid = 30386

I suppose that this could indicate that my PAM configuration still needs work, but I don't yet see it.

- John
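As an added example (not code from the thread or from Samba), here is a small classifier that runs over log lines in the shape John quoted and separates the two outcomes he saw: a login that pam_winbind granted, and one where sshd reported the account as unknown or invalid before PAM could do anything. The sample lines are constructed to mirror the /var/log/messages excerpts above; the regexes and the verdict names are this example's own.

```python
import re

# Shape of the syslog lines quoted in the thread (this example's own pattern).
SYSLOG = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sshd(?:-session)?\[(\d+)\]: (.*)$")

# Success signatures: pam_winbind granted access, or sshd accepted the PAM result.
GRANTED = re.compile(r"pam_winbind\(\S+:auth\): user '[^']+' granted access"
                     r"|Accepted keyboard-interactive/pam")
# Failure signatures from the unplugged-cable run: sshd and the PAM stack were
# handed an account they could not resolve, so no credential check ever ran.
USER_UNKNOWN = re.compile(r"Invalid user |Cannot find user |User unknown"
                          r"|User not known to the underlying")
# The parent sshd logs the timeout on behalf of the child session pid.
TIMEOUT = re.compile(r"Timeout before authentication .*pid = (\d+)")


def classify(lines):
    """Map each sshd session pid to 'granted', 'user_unknown' or 'timeout'.

    A 'granted' verdict always wins for a pid; otherwise the first failure
    signature seen is kept so later noise does not rewrite the verdict.
    """
    verdict = {}
    for line in lines:
        m = SYSLOG.match(line)
        if not m:
            continue
        pid, msg = m.groups()
        if GRANTED.search(msg):
            verdict[pid] = "granted"
        elif USER_UNKNOWN.search(msg):
            verdict.setdefault(pid, "user_unknown")
        else:
            t = TIMEOUT.search(msg)
            if t:
                verdict.setdefault(t.group(1), "timeout")
    return verdict


def summarize(lines):
    """Count verdicts across all sessions, e.g. {'granted': 2, 'user_unknown': 2}."""
    counts = {}
    for v in classify(lines).values():
        counts[v] = counts.get(v, 0) + 1
    return counts


# Constructed sample, modelled on the two runs quoted in the thread.
SAMPLE_LOG = """\
Nov 25 12:15:18 terra sshd-session[25073]: pam_winbind(sshd:auth): getting password (0x00004388)
Nov 25 12:15:22 terra sshd-session[25073]: pam_winbind(sshd:auth): user 'SAMDOM\\jgraham' granted access
Nov 25 12:15:23 terra sshd-session[25037]: Accepted keyboard-interactive/pam for SAMDOM\\\\jgraham from 127.0.0.1 port 44002 ssh2
Nov 25 12:28:11 terra sshd-session[28633]: pam_faillock(sshd:auth): User unknown
Nov 25 12:28:11 terra sshd-session[28633]: pam_winbind(sshd:auth): getting password (0x00004388)
Nov 25 12:28:16 terra sshd-session[30386]: Invalid user SAMDOM\\\\jgraham from 127.0.0.1 port 36848
Nov 25 12:30:04 terra sshd[3802]: Timeout before authentication for connection from 127.0.0.1 to 127.0.0.1, pid = 30386
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```

A count of `user_unknown` verdicts with no `granted` ones is the signature of the second run: the account never resolved, which is a different problem from pam_winbind rejecting cached credentials.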