John R. Graham
2024-Nov-27 18:20 UTC
[Samba] pam_winbind Appears to need a Network Connection to Succeed at Offline Authentication
On 11/27/24 12:38, Rowland Penny via samba wrote:
>> Hmm, PAM on Gentoo appears to be very different to Debian. For
>> instance on Debian, to include lines from another file you use
>> '@include' and it includes the entire contents of the file, Gentoo
>> appears to just include the lines referred to in the first column,
>> which, if correct, means that your PAM stack for sshd is this:
>> ...

You've interpreted it correctly. Incidentally, that "module_name include" syntax has been part of PAM since at least 2010 (which is the date on the latest PAM Administrators' Guide). I surmise that the @include syntax is older--and now deprecated, as it isn't described in the guide. But, momentum, I guess.

>>
>> Can I suggest an idea, install Debian bookworm in a VM, use Samba from
>> backports and then after you get it working, you can compare a working
>> Unix domain member with your nearly working Gentoo one.

Let me study what you've provided first and, if I can't get it working, I'll try your suggestion before I write back.

Thank you so much for taking the time to synthesize that.

- John
John R. Graham
2024-Nov-29 18:03 UTC
[Samba] pam_winbind Appears to need a Network Connection to Succeed at Offline Authentication
On 11/27/24 13:20, John R. Graham via samba wrote:
> On 11/27/24 12:38, Rowland Penny via samba wrote:
>>> Hmm, PAM on Gentoo appears to be very different to Debian. For
>>> instance on Debian, to include lines from another file you use
>>> '@include' and it includes the entire contents of the file, Gentoo
>>> appears to just include the lines referred to in the first column,
>>> which, if correct, means that your PAM stack for sshd is this:
>>> ...
> You've interpreted it correctly. Incidentally, that "module_name
> include" syntax has been part of PAM since at least 2010 (which is the
> date on the latest PAM Administrators' Guide). I surmise that the
> @include syntax is older--and now deprecated, as it isn't described in
> the guide. But, momentum, I guess.
>>>
>>> Can I suggest an idea, install Debian bookworm in a VM, use Samba from
>>> backports and then after you get it working, you can compare a working
>>> Unix domain member with your nearly working Gentoo one.
> Let me study what you've provided first and, if I can't get it
> working, I'll try your suggestion before I write back. Thank you so
> much for taking the time to synthesize that.
>

I think I may have found something, but I need to ask a question. It appears that libnss_winbind.so.2 communicates with winbindd to do its job, so shouldn't it honor winbindd's offline status? It appears that it may not be--and it appears that that may be a bug. It seems central to my offline authentication issue that

    terra ~ # getent passwd SAMDOM\\jgraham
    [29645]: getpwnam_r SAMDOM\jgraham
    [29645]: getpwnam SAMDOM\jgraham returns NSS_STATUS_SUCCESS (1)
    SAMDOM\jgraham:*:10000:11001:John Graham:/home/jgraham:/bin/bash

works when the network interface is up, but when the network interface is down,

    terra ~ # getent passwd SAMDOM\\jgraham
    [ 4156]: getpwnam_r SAMDOM\jgraham
    [ 4156]: getpwnam SAMDOM\jgraham returns NSS_STATUS_UNAVAIL (-1)

does not.

(I rebuilt winbind_nss_linux.c with the DEBUG_NSS symbol defined to get the messages depicted above.)

- John