
Re: [Samba] DM and ''offline'' PAM (and NSS?)...




On Mon, 18 Dec 2017 15:51:47 +0100
Marco Gaiarin via samba <samba@xxxxxxxxxxxxxxx> wrote:

> 
> > I've seen:
> > 	https://wiki.samba.org/index.php/PAM_Offline_Authentication
> 
> I've tried to enable offline logon, and it seems to work as expected.
> 
> I've only found a little strange thing, I think related to the fact
> that in my DM I've set 'winbind use default domain = yes'.
> 
> 
> Following the wiki, I've enabled offline logon and then done:
> 
> ['smbcontrol winbind online']
>  root@vdmsv1:~# wbinfo -K LNFFVG\\gaio
>  Enter LNFFVG\gaio's password: 
>  plaintext kerberos password authentication for [LNFFVG\gaio]
> succeeded (requesting cctype: FILE) credentials were put in:
> FILE:/tmp/krb5cc_0
> 
> ['smbcontrol winbind offline']
>  root@vdmsv1:~# wbinfo -K LNFFVG\\gaio
>  Enter LNFFVG\gaio's password: 
>  plaintext kerberos password authentication for [LNFFVG\gaio]
> succeeded (requesting cctype: FILE) user_flgs: NETLOGON_CACHED_ACCOUNT
>  credentials were put in: FILE:/tmp/krb5cc_0
> 
> Good. But still in 'smbcontrol winbind offline' I've also done a:
> 
>  root@vdmsv1:~# wbinfo -K gaio
>  Enter gaio's password: 
>  plaintext kerberos password authentication for [gaio] succeeded
> (requesting cctype: FILE) credentials were put in: FILE:/tmp/krb5cc_0
> 
> and there's no 'user_flgs'. Boh...
> 

If you have the 'winbind use default domain = yes', winbind strips off
the domain name, so 'LNFFVG\\gaio' becomes 'gaio', or to put it another
way, you do not need to use the domain name with 'getent passwd' etc.

Rowland
