search for: cctype

I'm using samba 4.5 on a debian jessie (Louis packages). Rarely it happen that a power outgage tear down all the stuff, here. I've noticed that if the DM start before the DC, clearly all account data are inaccessible. To prevent or minimize that, the ''offline mode'' of winbind can be safely used also on DM servers? Or is tailoread against roaming client (portables,

...ervers". The situation can also be reproduced with "wbinfo -K". On samba >= 4.4 (tested on SLES12SP3 and RHEL7): # wbinfo -K TRUSTEDDOM\\myaccount Enter TRUSTEDDOM\myaccount's password: plaintext kerberos password authentication for [TRUSTEDDOM\myaccount] failed (requesting cctype: FILE) wbcLogonUser(TRUSTEDDOM\myaccount): error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e) error message was: No logon servers Could not authenticate user [TRUSTEDDOM\myaccount] with Kerberos (ccache: FILE) The same worked with samba 4.2 (tested on SLES12SP1, identical configuration in sam...

...04 computer and it works, so I have > updated the wiki page: > https://wiki.samba.org/index.php/PAM_Offline_Authentication Apparently works as expected: root at dane:~# wbinfo -K gaio Enter gaio's password: plaintext kerberos password authentication for [gaio] succeeded (requesting cctype: FILE) credentials were put in: FILE:/tmp/krb5cc_0 root at dane:~# smbcontrol winbind offline root at dane:~# wbinfo -K gaio Enter gaio's password: plaintext kerberos password authentication for [gaio] succeeded (requesting cctype: FILE) user_flgs: NETLOGON_CACHED_ACCOUNT credentials we...

...ame): error code was NT_STATUS_WRONG_PASSWORD (0xc000006a) error message was: Wrong Password Could not authenticate user username with challenge/response   8 wbinfo --krb5auth=username Enter username's password: plaintext kerberos password authentication for [username] failed (requesting cctype: FILE) wbcLogonUser(username): error code was NT_STATUS_NO_SUCH_USER (0xc0000064) error message was: No such user Could not authenticate user [username] with Kerberos (ccache: FILE)   9 wbinfo --krb5auth='NTDOM\username' Enter NTDOM\username's password: plaintext kerberos passwo...

...;> updated the wiki page: >> https://wiki.samba.org/index.php/PAM_Offline_Authentication > > Apparently works as expected: > > root at dane:~# wbinfo -K gaio > Enter gaio's password: > plaintext kerberos password authentication for [gaio] succeeded (requesting cctype: FILE) > credentials were put in: FILE:/tmp/krb5cc_0 > root at dane:~# smbcontrol winbind offline > root at dane:~# wbinfo -K gaio > Enter gaio's password: > plaintext kerberos password authentication for [gaio] succeeded (requesting cctype: FILE) > user_flgs: NETL...

...d use default domain = yes'. Folowing the wiki, i've enabled offline logon and then done: ['smbcontrol winbind online' root at vdmsv1:~# wbinfo -K LNFFVG\\gaio Enter LNFFVG\gaio's password: plaintext kerberos password authentication for [LNFFVG\gaio] succeeded (requesting cctype: FILE) credentials were put in: FILE:/tmp/krb5cc_0 ['smbcontrol winbind offline'] root at vdmsv1:~# wbinfo -K LNFFVG\\gaio Enter LNFFVG\gaio's password: plaintext kerberos password authentication for [LNFFVG\gaio] succeeded (requesting cctype: FILE) user_flgs: NETLOGON_CACHED_ACC...

...gt; Folowing the wiki, i've enabled offline logon and then done: > > ['smbcontrol winbind online' > root at vdmsv1:~# wbinfo -K LNFFVG\\gaio > Enter LNFFVG\gaio's password: > plaintext kerberos password authentication for [LNFFVG\gaio] > succeeded (requesting cctype: FILE) > credentials were put in: FILE:/tmp/krb5cc_0 > > ['smbcontrol winbind offline'] > root at vdmsv1:~# wbinfo -K LNFFVG\\gaio > Enter LNFFVG\gaio's password: > plaintext kerberos password authentication for [LNFFVG\gaio] > succeeded (requesting cctype: F...

...can test offline authentication as follows with "switch winbindd to offline mode by hand": *root at cd2bd668e00c7:~# wbinfo -K EXAMPLE.CORP\\faiuser* *Enter EXAMPLE.CORP\faiuser's password: * *plaintext kerberos password authentication for [EXAMPLE.CORP\faiuser] succeeded (requesting cctype: FILE)* *credentials were put in: FILE:/tmp/krb5cc_0* *root at cd2bd668e00c7:~# smbcontrol winbind offline* *root at cd2bd668e00c7:~# wbinfo -K EXAMPLE.CORP\\faiuser* *Enter EXAMPLE.CORP\faiuser's password: * *plaintext kerberos password authentication for [EXAMPLE.CORP\faiuser] succeeded (requ...

On 19/05/2023 12:02, Marco Gaiarin via samba wrote: > > I'm trying to enable offline auth in a Ubuntu 22.04 box, following: > > https://wiki.samba.org/index.php/PAM_Offline_Authentication > > using standard ubuntu samba package (4.15.13+dfsg-0ubuntu1.1). > I've enabled workaround 'lock directory = /var/cache/samba'. I would undo that, it appears to be

...> Folowing the wiki, i've enabled offline logon and then done: > > ['smbcontrol winbind online' > root at vdmsv1:~# wbinfo -K LNFFVG\\gaio > Enter LNFFVG\gaio's password: > plaintext kerberos password authentication for [LNFFVG\gaio] > succeeded (requesting cctype: FILE) credentials were put in: > FILE:/tmp/krb5cc_0 > > ['smbcontrol winbind offline'] > root at vdmsv1:~# wbinfo -K LNFFVG\\gaio > Enter LNFFVG\gaio's password: > plaintext kerberos password authentication for [LNFFVG\gaio] > succeeded (requesting cctype: FIL...

...on as > follows with "switch winbindd to offline mode by hand": > > *root at cd2bd668e00c7:~# wbinfo -K EXAMPLE.CORP\\faiuser* > *Enter EXAMPLE.CORP\faiuser's password: * > *plaintext kerberos password authentication for [EXAMPLE.CORP\faiuser] > succeeded (requesting cctype: FILE)* > *credentials were put in: FILE:/tmp/krb5cc_0* > *root at cd2bd668e00c7:~# smbcontrol winbind offline* > *root at cd2bd668e00c7:~# wbinfo -K EXAMPLE.CORP\\faiuser* > *Enter EXAMPLE.CORP\faiuser's password: * > *plaintext kerberos password authentication for [EXAMPLE.CORP...

On Mon, 28 Jan 2019 12:52:45 +0100 Marco Gaiarin via samba <samba at lists.samba.org> wrote: > Mandi! Rowland Penny via samba > In chel di` si favelave... > > > > Strictly speaking, why winbind cache ''PAM'' data and not ''NSS'' > > > one (seems to me)? > > The problem is (for myself anyway), I do not understand the >

...their username), and only on the server "wbinfo -K username" fails. On the clients it works. The server complains about that: 22:59:54 root at sambaserver:samba# wbinfo --verbose -K john Enter john's password: plaintext kerberos password authentication for [john] failed (requesting cctype: FILE) wbcLogonUser(john): error code was NT_STATUS_CONNECTION_DISCONNECTED (0xc000020c) error message was: The transport connection is now disconnected. Could not authenticate user [john] with Kerberos (ccache: FILE) The error in /usr/local/samba-4-4/var/log.wb-DOMAIN is: [2016/04/20 23:00:04.70...

...ge was: Account restriction Could not authenticate user TEST\protecteduser with challenge/response Whereas Kerberos auth works ok root at test-01:~# wbinfo --krb5auth 'TEST\protecteduser%XXXX' plaintext kerberos password authentication for [TEST\protecteduser%XXXX] succeeded (requesting cctype: FILE) credentials were put in: FILE:/tmp/krb5cc_0 when we have a regular user from the same win2k client that is not part of "Protected User", plaintext/NTLM auth works ok root at test-01:~# wbinfo -a 'TEST\normaluser%XXXX' plaintext password authentication succeeded challe...

...rc/Makefile.housekeeping @@ -134,6 +134,16 @@ SP_FLAGS := $(shell $(SP_TEST) && $(ECHO) '-fno-stack-protector') CFLAGS += $(SP_FLAGS) endif +# Some widespread patched versions of gcc include -fPIE -Wl,-pie by +# default. gpxe does not support pie code in get_cpuinfo. +# +ifeq ($(CCTYPE),gcc) +PIE_TEST = $(CC) -fno-PIE -nopie -x c -c /dev/null \ + -o /dev/null >/dev/null 2>&1 +PIE_FLAGS := $(shell $(PIE_TEST) && $(ECHO) '-fno-PIE -nopie') +CFLAGS += $(PIE_FLAGS) +endif + # gcc 4.4 generates .eh_frame sections by default, which distort the # output of &...

...FLAGS) endif +# Some widespread patched versions of gcc include -fPIE -Wl,-pie by +# default. Note that gcc will exit *successfully* if it fails to +# recognise an option that starts with "no", so we have to test for +# output on stderr instead of checking the exit status. +# +ifeq ($(CCTYPE),gcc) +PIE_TEST = [ -z "`$(CC) -fno-PIE -nopie -x c -c /dev/null -o /dev/null 2>&1`" ] +PIE_FLAGS := $(shell $(PIE_TEST) && $(ECHO) '-fno-PIE -nopie') +CFLAGS += $(PIE_FLAGS) +endif + # gcc 4.4 generates .eh_frame sections by default, which distort the # output of...

...sswd? O;-) > You seem to be doing something wrong ;-) Probably. But i don't understand what. Authentication works as expected: root at vdmsv2:~# wbinfo -K LNFFVG\\gaio Enter LNFFVG\gaio's password: plaintext kerberos password authentication for [LNFFVG\gaio] succeeded (requesting cctype: FILE) credentials were put in: FILE:/tmp/krb5cc_0 root at vdmsv2:~# smbcontrol winbind offline root at vdmsv2:~# wbinfo -K LNFFVG\\gaio Enter LNFFVG\gaio's password: plaintext kerberos password authentication for [LNFFVG\gaio] succeeded (requesting cctype: FILE) user_flgs: NETLOGON_CACH...

...e able to authentication using a UPN: > > pi at raspberrypi:~ $ wbinfo -K SAMDOM\\rowland at samdom.example.com > Enter SAMDOM\rowland at samdom.example.com's password: > plaintext kerberos password authentication for > [SAMDOM\rowland at samdom.example.com] succeeded (requesting cctype: FILE) > credentials were put in: FILE:/tmp/krb5cc_1000 > > Rowland > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba

.../etc/security/pam_winbind.conf I have: krb5_auth = yes krb5_ccache_type = KEYRING In /etc/krb5.conf, I also have: default_ccache_name = KEYRING:persistent:%{uid} Using wbinfo -K jas, then entering my password,? I see: plaintext kerberos password authentication for [jas] succeeded (requesting cctype: FILE) credentials were put in: FILE:/tmp/krb5cc_1004 [It writes the keyring to a file even though I've specified KEYRING.? I don't know if wbinfo automatically writes to FILE or whether it reads pam_winbind.conf and should be writing to KEYRING). If I remove the file, and ssh to the sy...

...mba]# wbinfo -a 'DNAME\uname'%secret plaintext password authentication succeeded challenge/response password authentication succeeded [root@solar samba]# wbinfo -K 'DNAME\uname'%secret plaintext kerberos password authentication for [DNAME\uname%secret] succeeded (requesting cctype: FILE) credentials were put in: FILE:/tmp/krb5cc_0 [root@solar samba]# wbinfo -t checking the trust secret via RPC calls succeeded So that all works fine. smbclient chokes though: [root@solar samba]# smbclient -L solar -U 'DNAME\uname' Password: session setup failed: NT_STA...