Web lists-archives.com

Re: [Samba] Winbind, cached logons and 'user persistency'...




On Tue, 29 Jan 2019 18:47:45 +0100
Marco Gaiarin via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Mandi! Rowland Penny via samba
>   In chel di` si favelave...
> 
> > Now this is what I do not understand, my understanding is that
> > 'PAM' is used to find the correct authentication system and 'NSS'
> > just connects to that authentication system.
> 
> No. NSS, roughly, 'extend the user database':
> 	https://www.gnu.org/software/libc/manual/html_node/Name-Service-Switch.html
> 

Your meaning and my meaning, roughly mean the same ;-)

> > For instance, in /etc/pam.d/common-auth I have:
> > auth    [success=3 default=ignore]      pam_krb5.so
> > minimum_uid=10000 auth    [success=2 default=ignore]
> > pam_unix.so nullok_secure try_first_pass auth    [success=1
> > default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE
> > cached_login try_first_pass
> 
> Putting 'cached_login' here is the same of putting:
> 
> 	[global]
> 	cached_login = yes
> 
> in /etc/security/pam_winbind.conf .

I do not even have that file.

> 
> 
> > If I go anywhere (away from the domain), I can still log into the
> > laptop as my domain user, read and save files etc. All files are
> > saved as the domain user and when I do re-connect to the domain, it
> > is if I haven't been anywhere.
> 
> This is what i supposed to work mee too. Seems not.
> 
> You have also your user in /etc/passwd? O;-)

No, you cannot have a user in /etc/passwd and AD.

> 
> 
> > You seem to be doing something wrong ;-)
> 
> Probably. But i don't understand what. Authentication works as
> expected:
> 
>  root@vdmsv2:~# wbinfo -K LNFFVG\\gaio
>  Enter LNFFVG\gaio's password: 
>  plaintext kerberos password authentication for [LNFFVG\gaio]
> succeeded (requesting cctype: FILE) credentials were put in:
> FILE:/tmp/krb5cc_0 root@vdmsv2:~# smbcontrol winbind offline
>  root@vdmsv2:~# wbinfo -K LNFFVG\\gaio
>  Enter LNFFVG\gaio's password: 
>  plaintext kerberos password authentication for [LNFFVG\gaio]
> succeeded (requesting cctype: FILE) user_flgs: NETLOGON_CACHED_ACCOUNT
>  credentials were put in: FILE:/tmp/krb5cc_0
> 
> a simple 'getent' seems to work:
> 
>  root@vdmsv2:~# getent passwd LNFFVG\\gaio; smbcontrol winbind
> offline; sleep 65; getent passwd LNFFVG\\gaio; smbcontrol winbind
> online gaio:*:10000:10513:Marco Gaiarin:/home/gaio:/bin/bash
> gaio:*:10000:10513:Marco Gaiarin:/home/gaio:/bin/bash

That all works for myself.

> 
> but, i just stated that, if i disconnect DM from DC for more then a
> minute, NSS start to reply that user does not exist (seems that).
>

There must be some reason for this, what is in /etc/nsswitch.conf ?

Do you have libpam-winbind libnss-winbind libpam-krb5 installed ?
 
> 
> [nscd and windbind]
> > Not entirely true that you cannot run nscd with winbind, you just
> > have to stop nscd caching everything that winbind does and by the
> > time you do that, there isn't much left.
> 
> Ahem, sorry i've not understood you...

nscd caches certain things, as does winbind, if you want to run nscd
with winbind, you need to stop nscd caching the things that winbind
does, when you do this, nscd isn't caching very much, so you might as
well not use it.

> 
> 
> > I think the time has come to ask, what isn't working if you
> > disconnect from the domain e.g. walk away with a laptop, also why
> > is it not working, what can it not find ?
> 
> Ahem, again i've not understood...
> 

That basically says 'why isn't it working for you'

Have you tried turning up the Samba logging and seeing if anything
'pops' out.

> 
> But, clearly, i've found 'exim' that reply 'user not found', so
> probably winbind cache effectvaly data, but in a way that exim does
> not find... seems REALLY strange...

AH, how does 'exim' look for the user ?

Rowland
 


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba