PAM Offline Authentication: Difference between revisions
Mmuehlfeld (talk | contribs) m (Added categories, fixed link)
Revision as of 20:47, 26 February 2017
Offline Authentication using winbindd
To enable offline authentication, configure Samba to use winbind in nsswitch and for PAM (see Authenticating Domain Users Using PAM).
Then make sure smb.conf contains:
"winbind offline logon = yes"
Enabling offline authentication in pam_winbind
First of all, make sure that you can log in using PAM and your Windows credentials, e.g. using ssh:
ssh YOURDOM\\youruser@localhost
You cannot continue if login via PAM (pam_winbind) is not working.
Now pam_winbind needs to set the offline flag as well. You can do so by either
- adding "cached_login = yes" to /etc/security/pam_winbind.conf. That file should look like this:
#
# pam_winbind configuration file
#
# /etc/security/pam_winbind.conf
#
[global]
# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
cached_login = yes
This will enable offline ability globally for all applications using PAM. If you want finer-grained control over which services use pam_winbind's offline mode, you can instead do so by
- adding the "cached_login" option to individual PAM configuration files (usually below /etc/pam.d/$SERVICE)
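
A preflight check for the settings described above, as an added example that is not part of the wiki page or of Samba: it reports whether smb.conf enables offline logon and whether cached_login is set globally or for one PAM service. The function names and the boolean spellings counted as enabled (yes/true/1) are assumptions of this example.

```shell
#!/bin/sh
# Added example: preflight check for the settings this page asks for.
# File paths are arguments, so it can be run against copies of the configs.

# ini_bool FILE SECTION KEY -> prints "yes", "no" or "unset".
# Names are compared case-insensitively with whitespace removed, lines
# starting with # or ; are comments, and the last assignment wins.
# Assumption: only yes/true/1 are counted as enabled.
ini_bool() {
    awk -v want_sec="$2" -v want_key="$3" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        BEGIN { want_sec = norm(want_sec); want_key = norm(want_key); val = "unset" }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ {
            s = $0; sub(/^[ \t]*\[/, "", s)
            i = index(s, "]"); if (i) s = substr(s, 1, i - 1)
            sec = norm(s); next
        }
        sec == want_sec && index($0, "=") {
            k = norm(substr($0, 1, index($0, "=") - 1))
            v = norm(substr($0, index($0, "=") + 1))
            if (k == want_key) val = (v ~ /^(yes|true|1)$/) ? "yes" : "no"
        }
        END { print val }
    ' "$1"
}

# pam_service_cached FILE -> exit 0 if an uncommented pam_winbind line
# in a /etc/pam.d/$SERVICE style file carries the cached_login option.
pam_service_cached() {
    grep -v '^[[:space:]]*#' "$1" | grep 'pam_winbind' | grep -qw 'cached_login'
}

# offline_logon_ready SMB_CONF PAM_WINBIND_CONF [PAM_SERVICE_FILE]
# Returns 0 only if smb.conf enables offline logon AND cached_login is set
# either globally or in the given PAM service file.
offline_logon_ready() {
    rc=0
    if [ "$(ini_bool "$1" global "winbind offline logon")" != yes ]; then
        echo "FAIL: $1 lacks 'winbind offline logon = yes' in [global]"; rc=1
    fi
    if [ "$(ini_bool "$2" global cached_login)" = yes ]; then
        echo "OK: cached_login enabled globally in $2"
    elif [ -n "${3:-}" ] && pam_service_cached "$3"; then
        echo "OK: cached_login set per service in $3"
    else
        echo "FAIL: cached_login not enabled for pam_winbind"; rc=1
    fi
    return $rc
}

if [ "$#" -ge 2 ]; then offline_logon_ready "$@"; fi
```

Run it as a script with the smb.conf path, the pam_winbind.conf path and, optionally, one file from /etc/pam.d; a non-zero exit status means at least one of the two settings is missing.
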
Testing offline authentication
Start winbindd and authenticate successfully at least once while winbind is online:
/etc/init.d/winbind start
wbinfo -K YOURDOM\\youruser%password
Now you can switch winbindd to offline mode by hand (for testing) with the smbcontrol command.
smbcontrol winbind offline
If you now repeat the command
wbinfo -K YOURDOM\\youruser%password
you should get
user_flgs: LOGON_CACHED_ACCOUNT
in the output.
Your system is now prepared to use pam_winbind while offline. Please try to log in to your localhost, e.g. using ssh:
ssh YOURDOM\\youruser@localhost