Web lists-archives.com

Re: [Samba] [OT?] Kerberos, PAM, NSS: if user does not exist, pam_krb5 try login?




Hai, 

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens 
> Marco Gaiarin via samba
> Verzonden: donderdag 28 februari 2019 11:33
> Aan: samba@xxxxxxxxxxxxxxx
> Onderwerp: Re: [Samba] [OT?] Kerberos, PAM, NSS: if user does 
> not exist, pam_krb5 try login?
> 
> Mandi! L.P.H. van Belle via samba
>   In chel di` si favelave...
> 
> > logname=admin uid=0 euid=0  << no no.. Uid=0 ? Thats not 
> good, root = uid 0
> 
> It is the standard log of pam susbsystem, also for ldap.

> 
> 
> > Administrator is mapped through /etc/samba/smb.conf ( usermapping)
> 
> No, louis; i'm speaking about machine where samba is even not
> installed; i've simply created some users (in /etc/passwd) and added
> pam_krb5 to (also) authenticate against. No samba (so the 'OT' ;-).

Ok, wrong list ;-) :-P 

No, here you go, read this, this explains it. 
https://wiki.debian.org/LDAP/PAM 
The second alinea tels what you want to know. 

And i noticed also this on that site. 
/snap
Hint: Offline caching of LDAP credentials is only useful if LDAP information 
about users and groups is also available offline through NSS. 
This can be accomplished through the use of NSCD. See LDAP/NSS for more information. 
/snapoff

Often not seen, the last lines on the site. 
If using OpenSSH, you may need to add "UsePAM yes" to sshd_config or it will not use PAM by default. 

While reading more, for the offline logins or you exim, read. 
http://people.skolelinux.org/pere/blog/Caching_password__user_and_group_on_a_roaming_Debian_laptop.html 
Shows some good info, bit older but still ok with minor adjustments. 


Greetz, 

Louis


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba