John R. Graham
2024-Nov-27 16:52 UTC
[Samba] pam_winbind Appears to need a Network Connection to Succeed at Offline Authentication
On 11/27/24 11:39, John R. Graham wrote:
> On 11/27/24 11:10, Rowland Penny via samba wrote:
>> I am not having a good day, I now seem to have replied to the wrong
>> thread :-(
>>
>> Let's try again:
>>
>> If I remember correctly, this is on Gentoo, Debian sets up PAM for you,
>> so can we see your PAM config files. Putting winbindd (or is it winbind
>> ?) offline is supposed to be the same as pulling the ethernet cable or
>> the network going down, it should move to a cache (provided the user
>> has logged in at least once).
>>
>> Rowland
>
> Ugh. Expanded tabs version of system-auth file:

    auth        required        pam_env.so
    auth        requisite       pam_faillock.so preauth
    auth        [success=2 default=ignore]                                  pam_winbind.so try_first_pass
    auth        [success=1 new_authtok_reqd=1 ignore=ignore default=bad]    pam_unix.so nullok try_first_pass
    auth        [default=die]   pam_faillock.so authfail

    account     [default=bad success=ok user_unknown=ignore]                pam_winbind.so
    account     required        pam_unix.so
    account     required        pam_faillock.so

    password    required        pam_passwdqc.so config=/etc/security/passwdqc.conf
    password    required        pam_unix.so try_first_pass use_authtok nullok sha512 shadow
    password    sufficient      pam_winbind.so use_authtok

    session     required        pam_limits.so
    session     required        pam_env.so
    session     required        pam_unix.so
John R. Graham
2024-Nov-27 17:36 UTC
[Samba] pam_winbind Appears to need a Network Connection to Succeed at Offline Authentication
On 11/27/24 11:52, John R. Graham via samba wrote:
> Ugh. Expanded tabs version of system-auth file:
>

One more time: system-auth:

    auth        required        pam_env.so
    auth        requisite       pam_faillock.so preauth
    auth        [success=2 default=ignore]                                  pam_winbind.so try_first_pass
    auth        [success=1 new_authtok_reqd=1 ignore=ignore default=bad]    pam_unix.so nullok try_first_pass
    auth        [default=die]   pam_faillock.so authfail

    account     [default=bad success=ok user_unknown=ignore]                pam_winbind.so
    account     required        pam_unix.so
    account     required        pam_faillock.so

    password    required        pam_passwdqc.so config=/etc/security/passwdqc.conf
    password    required        pam_unix.so try_first_pass use_authtok nullok sha512 shadow
    password    sufficient      pam_winbind.so use_authtok

    session     required        pam_limits.so
    session     required        pam_env.so
    session     required        pam_unix.so
Rowland Penny
2024-Nov-27 17:38 UTC
[Samba] pam_winbind Appears to need a Network Connection to Succeed at Offline Authentication
On Wed, 27 Nov 2024 11:52:14 -0500
"John R. Graham via samba" <samba at lists.samba.org> wrote:
> On 11/27/24 11:39, John R. Graham wrote:
> > On 11/27/24 11:10, Rowland Penny via samba wrote:
> >> I am not having a good day, I now seem to have replied to the wrong
> >> thread :-(
> >>
> >> Let's try again:
> >>
> >> If I remember correctly, this is on Gentoo, Debian sets up PAM for
> >> you, so can we see your PAM config files. Putting winbindd (or is
> >> it winbind ?) offline is supposed to be the same as pulling the
> >> ethernet cable or the network going down, it should move to a
> >> cache (provided the user has logged in at least once).
> >>
> >> Rowland
> >
> > Ugh. Expanded tabs version of system-auth file:
>
>     auth        required        pam_env.so
>     auth        requisite       pam_faillock.so preauth
>     auth        [success=2 default=ignore]                                  pam_winbind.so try_first_pass
>     auth        [success=1 new_authtok_reqd=1 ignore=ignore default=bad]    pam_unix.so nullok try_first_pass
>     auth        [default=die]   pam_faillock.so authfail
>
>     account     [default=bad success=ok user_unknown=ignore]                pam_winbind.so
>     account     required        pam_unix.so
>     account     required        pam_faillock.so
>
>     password    required        pam_passwdqc.so config=/etc/security/passwdqc.conf
>     password    required        pam_unix.so try_first_pass use_authtok nullok sha512 shadow
>     password    sufficient      pam_winbind.so use_authtok
>
>     session     required        pam_limits.so
>     session     required        pam_env.so
>     session     required        pam_unix.so
>

Hmm, PAM on Gentoo appears to be very different to Debian. For instance
on Debian, to include lines from another file you use '@include' and it
includes the entire contents of the file, Gentoo appears to just include
the lines referred to in the first column, which, if correct, means that
your PAM stack for sshd is this:

    auth        required        pam_shells.so
    auth        required        pam_nologin.so
    auth        required        pam_env.so
    auth        requisite       pam_faillock.so preauth

    account     required        pam_access.so
    account     required        pam_nologin.so
    account     required        pam_time.so
    account     [default=bad success=ok user_unknown=ignore]    pam_winbind.so
    account     required        pam_unix.so
    account     required        pam_faillock.so

    password    required        pam_passwdqc.so config=/etc/security/passwdqc.conf
    password    required        pam_unix.so try_first_pass use_authtok nullok sha512 shadow
    password    sufficient      pam_winbind.so use_authtok

    session     optional        pam_loginuid.so
    session     required        pam_env.so envfile=/etc/profile.env
    session     optional        pam_lastlog.so silent
    session     required        pam_limits.so
    session     required        pam_env.so
    session     required        pam_unix.so
    session     optional        pam_motd.so motd=/etc/motd
    session     optional        pam_mail.so
    -session    optional        pam_elogind.so

Compare it with the Debian stack:

    auth        [success=2 default=ignore]      pam_unix.so nullok
    auth        [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
    auth        requisite       pam_deny.so
    auth        required        pam_permit.so
    auth        optional        pam_cap.so

    account     required        pam_nologin.so
    account     [success=2 new_authtok_reqd=done default=ignore]    pam_unix.so
    account     [success=1 new_authtok_reqd=done default=ignore]    pam_winbind.so
    account     requisite       pam_deny.so
    account     required        pam_permit.so

    session     required        pam_loginuid.so
    session     optional        pam_keyinit.so force revoke
    session     [default=1]     pam_permit.so
    session     requisite       pam_deny.so
    session     required        pam_permit.so
    session     required        pam_unix.so
    session     optional        pam_winbind.so
    session     optional        pam_elogind.so
    session     required        pam_mkhomedir.so skel=/etc/skel/ umask=0022
    session     optional        pam_motd.so motd=/run/motd.dynamic
    session     optional        pam_motd.so noupdate
    session     optional        pam_mail.so standard noenv
    session     required        pam_limits.so
    session     required        pam_env.so
    session     required        pam_env.so user_readenv=1 envfile=/etc/default/locale

    password    [success=2 default=ignore]      pam_unix.so obscure yescrypt
    password    [success=1 default=ignore]      pam_winbind.so try_authtok try_first_pass
    password    requisite       pam_deny.so
    password    required        pam_permit.so
    password    optional        pam_gnome_keyring.so

NOTE: I have cut & pasted a few files together to get the above.

I haven't used Gentoo for years, mostly because I do not want to spend
hours setting up an OS, but I can understand others that want to.

Can I suggest an idea, install Debian bookworm in a VM, use Samba from
backports and then after you get it working, you can compare a working
Unix domain member with your nearly working Gentoo one.

Rowland
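Editor's note, added to this thread and not written by either participant: pam_winbind's offline path depends on two settings working together, and only one of them is visible in the Gentoo system-auth pasted above. The Debian auth line Rowland quotes passes cached_login to pam_winbind.so; the Gentoo line does not. Per the pam_winbind man page, cached_login defaults to no, and it only has an effect when winbindd itself has been told to keep credentials with winbind offline logon = yes in smb.conf. The fragment below is a constructed example of the matching pair, with the domain name SAMDOM and the cache time chosen for illustration; the rest of the auth section is carried over unchanged from the Gentoo stack in the thread.

```text
# /etc/samba/smb.conf on the domain member (example, not from the thread).
# Without this line winbindd never stores the credential hash, so
# cached_login on the PAM side has nothing to fall back to.
[global]
    security = ads
    winbind offline logon = yes
    # how long cached lookups are served before winbindd re-queries the DC
    # (seconds; 300 is an illustrative value)
    winbind cache time = 300

# /etc/pam.d/system-auth, auth section. Only the pam_winbind line changes:
# cached_login enables the fallback, krb5_auth/krb5_ccache_type=FILE
# mirror the Debian line quoted in the thread so an online logon still
# obtains a Kerberos ticket.
auth        required        pam_env.so
auth        requisite       pam_faillock.so preauth
auth        [success=2 default=ignore]                                  pam_winbind.so cached_login krb5_auth krb5_ccache_type=FILE try_first_pass
auth        [success=1 new_authtok_reqd=1 ignore=ignore default=bad]    pam_unix.so nullok try_first_pass
auth        [default=die]   pam_faillock.so authfail
```

Two checks a practitioner would run after restarting winbindd: log the domain user in once while the DC is reachable (winbindd caches credentials at a successful online authentication, so an account that has never logged in cannot authenticate offline, which matches Rowland's "provided the user has logged in at least once"), then force the daemon offline with `smbcontrol winbindd offline`, confirm the state with `wbinfo --online-status`, and try the logon again; `smbcontrol winbindd online` returns to normal operation. The caveat that comes with this feature is the one that comes with every cached-credential scheme: the stored hash now lives on the member's disk, so the host's disk encryption and the hardening of the winbindd cache directory become part of the domain's credential security boundary.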