PAM Offline Authentication

From SambaWiki

Offline Authentication using winbindd

To enable offline authentication, the passwd line in /etc/nsswitch.conf must use winbind and logins must go through PAM (see Authenticating Domain Users Using PAM).

The [global] section of your smb.conf must contain:

winbind offline logon = yes
winbind request timeout = 10



Enabling offline authentication in pam_winbind

First, ensure that you can log in using PAM and your Windows credentials, e.g. using ssh:

ssh YOURDOM\\youruser@localhost

You cannot continue until login via PAM (pam_winbind) is working.


Now pam_winbind needs to set the offline flag as well. You can do so in one of the following ways:


  • adding "cached_login = yes" to /etc/security/pam_winbind.conf. That file should look like this:
#
# pam_winbind configuration file
#
# /etc/security/pam_winbind.conf
#
[global]
# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
cached_login = yes

This will enable offline ability globally for all applications using PAM.


  • adding the "cached_login" option to individual PAM configuration files (usually below /etc/pam.d/$SERVICE). This gives you finer-grained control over which services use pam_winbind's offline mode.


  • Your distro may be able to set up PAM for you. For instance, if you install the libpam-winbind and libnss-winbind packages on a Debian-based distro, you are highly likely to find a line similar to this in /etc/pam.d/common-auth:
auth	[success=1 default=ignore]	pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass

The latest version even sets the winbind lines in /etc/nsswitch.conf for you.
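The settings above are spread over three files, and a mistake in any of them is typically only noticed the first time the domain controller is unreachable. The following script is an added example, not part of the SambaWiki page or of Samba itself: it reads the three files, normalises the smb.conf syntax (parameter names are case-insensitive, whitespace around "=" is free-form, and only the [global] section counts) and reports which of the page's requirements is met. The sample files it writes under mktemp are constructed for the demonstration; the paths and the domain name YOURDOM are placeholders.

```shell
#!/bin/sh
# Added example (not from the SambaWiki page): a pre-flight check for the
# settings the page requires before winbindd can serve cached logons.
# It only reads configuration files; it does not talk to winbindd.

# Does the passwd line of nsswitch.conf list the winbind source?
check_nsswitch() {
    grep -Eq '^[[:space:]]*passwd:.*[[:space:]]winbind([[:space:]]|$)' "$1"
}

# Does the [global] section of smb.conf set "winbind offline logon = yes"?
# Each line is lower-cased and its whitespace collapsed before comparison, so
# "Winbind Offline Logon=Yes" is accepted while a commented-out line or a
# setting in another section is not.
check_smb_conf() {
    awk '
        /^[[:space:]]*\[/ { sec = tolower($0); gsub(/[^a-z]/, "", sec); next }
        sec == "global" {
            line = tolower($0)
            gsub(/[[:space:]]+/, " ", line); sub(/^ /, "", line); sub(/ $/, "", line)
            if (line ~ /^winbind offline logon ?= ?yes$/) found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Is a cached login requested, either globally in pam_winbind.conf
# ("cached_login = yes") or as a module option on a pam_winbind.so auth line
# in a /etc/pam.d service file?
check_pam_cached_login() {
    grep -Eq '^[[:space:]]*cached_login[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$1" ||
    grep -Eq '^[[:space:]]*auth.*pam_winbind\.so.*[[:space:]]cached_login([[:space:]]|$)' "$1"
}

# Run all three checks ($1 nsswitch.conf, $2 smb.conf, $3 PAM file),
# print one line per check, and succeed only if every check passes.
check_offline_logon_prereqs() {
    rc=0
    if check_nsswitch "$1"; then echo "ok   $1: passwd line uses winbind"
    else echo "FAIL $1: passwd line does not list winbind"; rc=1; fi
    if check_smb_conf "$2"; then echo "ok   $2: [global] sets winbind offline logon = yes"
    else echo "FAIL $2: [global] does not set winbind offline logon = yes"; rc=1; fi
    if check_pam_cached_login "$3"; then echo "ok   $3: cached_login requested"
    else echo "FAIL $3: cached_login not requested"; rc=1; fi
    return $rc
}

# Constructed sample files so the script runs stand-alone. $1 is "good" or
# "bad"; "bad" has the offline setting only commented out or in [homes].
write_samples() {
    dir=$(mktemp -d)
    printf 'passwd: files winbind\ngroup:  files winbind\n' > "$dir/nsswitch.conf"
    if [ "$1" = good ]; then
        printf '[global]\n   workgroup = YOURDOM\n   Winbind Offline Logon = Yes\n   winbind request timeout = 10\n[homes]\n   browseable = no\n' > "$dir/smb.conf"
    else
        printf '[global]\n   workgroup = YOURDOM\n   # winbind offline logon = yes\n[homes]\n   winbind offline logon = yes\n' > "$dir/smb.conf"
    fi
    printf '[global]\ncached_login = yes\n' > "$dir/pam_winbind.conf"
    printf 'auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass\n' > "$dir/common-auth"
    echo "$dir"
}

# Demonstration run against the constructed "good" files.
dir=$(write_samples good)
check_offline_logon_prereqs "$dir/nsswitch.conf" "$dir/smb.conf" "$dir/pam_winbind.conf"
rm -r "$dir"
```

On a live system run check_offline_logon_prereqs /etc/nsswitch.conf /etc/samba/smb.conf /etc/security/pam_winbind.conf, or pass a /etc/pam.d service file as the third argument to check the per-service form. The smb.conf parser is deliberately simple: it does not follow include = directives or a non-file config backend, so testparm -s remains the authoritative view of the effective configuration.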



Testing offline authentication

Start winbindd and authenticate successfully at least once while winbind is online:

systemctl start winbind

wbinfo -K YOURDOM\\youruser%password
plaintext kerberos password authentication for [YOURDOM\youruser] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_1000

Now you can switch winbindd to offline mode by hand (for testing) with the smbcontrol command:

smbcontrol winbind offline

Ensure that the computer is offline; unplug the network if required. You can check whether the computer is offline with this command:

wbinfo --ping-dc

You should get a reply similar to this:

checking the NETLOGON for domain[SAMDOM] dc connection to "" failed

Now repeat the command:

wbinfo -K YOURDOM\\youruser%password

You should get

user_flgs: NETLOGON_CACHED_ACCOUNT

in the output.

Your system is now prepared to use pam_winbind while offline. Try to log in to your localhost, e.g. using ssh:

ssh YOURDOM\\youruser@localhost
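The test above relies on reading the wbinfo -K output by eye. As an added example (not from the SambaWiki page or from Samba), the functions below read that output and classify it as online, cached or failed, so the same check can be scripted after every change to smb.conf or the PAM configuration. The sample outputs are constructed from the two responses shown on the page; the wording of a failed attempt is a placeholder, since the page does not show one, and the classifier treats any output that contains neither "succeeded" nor the cached flag as a failure. WBINFO is an assumed environment override so the wrapper can be exercised without a domain.

```shell
#!/bin/sh
# Added example (not from the SambaWiki page): script the page's manual
# "repeat wbinfo -K and look for NETLOGON_CACHED_ACCOUNT" step.

# Read wbinfo -K output on stdin and print one word:
#   cached  - authentication was answered from winbindd's offline cache
#   online  - authentication succeeded against a domain controller
#   failed  - anything else
classify_wbinfo_k() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -Eq '^[[:space:]]*user_flgs:.*NETLOGON_CACHED_ACCOUNT'; then
        echo cached
    elif printf '%s\n' "$out" | grep -q 'succeeded'; then
        echo online
    else
        echo failed
    fi
}

# Read wbinfo -K output on stdin and compare the classification with $1
# (cached, online or failed); succeeds only if they match.
expect_wbinfo_k() {
    expected=$1
    actual=$(classify_wbinfo_k)
    if [ "$actual" = "$expected" ]; then
        echo "ok   wbinfo -K result is '$actual'"
    else
        echo "FAIL wbinfo -K result is '$actual', expected '$expected'"
        return 1
    fi
}

# Run the page's offline check against a live winbindd. $1 is the
# DOMAIN\\user%password argument exactly as the page passes it to wbinfo -K.
# WBINFO (assumed override, not a Samba setting) lets a stand-in binary be
# used when no domain is available.
offline_logon_check() {
    "${WBINFO:-wbinfo}" -K "$1" | expect_wbinfo_k cached
}

# Constructed sample outputs modelled on the page; the uid in the ccache path
# is a placeholder, and SAMPLE_FAILED's wording is invented for the demo.
SAMPLE_ONLINE='plaintext kerberos password authentication for [YOURDOM\youruser] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_1000'
SAMPLE_CACHED="$SAMPLE_ONLINE
user_flgs: NETLOGON_CACHED_ACCOUNT"
SAMPLE_FAILED='(constructed placeholder) authentication for [YOURDOM\youruser] did not succeed'

# Demonstration: the second, offline run from the page should classify as cached.
printf '%s\n' "$SAMPLE_CACHED" | expect_wbinfo_k cached
```

After smbcontrol winbind offline, offline_logon_check 'YOURDOM\\youruser%password' returns 0 only when winbindd answered from its cache; run it before the network is disconnected and it should instead report that the result was 'online', which confirms the script can tell the two states apart.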