PAM Offline Authentication

Revision as of 13:24, 20 May 2023

Offline Authentication using winbindd

In order to enable offline authentication, you must configure the passwd line in /etc/nsswitch.conf to use winbind and authenticate through PAM (see Authenticating Domain Users Using PAM).

The [global] section of your smb.conf must contain:

winbind offline logon = yes

Warning: on Debian based distros there is a bug regarding gencache.tdb, which is placed in the lock directory /run/samba. That directory is cleared at reboot, so winbind offline logon stops working after a restart. Until Bug #14618 (https://bugzilla.samba.org/show_bug.cgi?id=14618) is fixed, the workaround is to add lock directory = /var/cache/samba to your smb.conf.
Enabling offline authentication in pam_winbind

First, ensure that you can log in using PAM and your Windows credentials, e.g. using ssh:

ssh YOURDOM\\youruser@localhost

You cannot continue until login via PAM (pam_winbind) is working.

pam_winbind must also request cached logins. You can do this in one of three ways:

- adding "cached_login = yes" to /etc/security/pam_winbind.conf. That file should look like this:

#
# pam_winbind configuration file
#
# /etc/security/pam_winbind.conf
#
[global]
# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
cached_login = yes

This enables offline logins globally, for every service that authenticates through pam_winbind.

- adding the "cached_login" option to the pam_winbind.so line in individual PAM configuration files (usually /etc/pam.d/$SERVICE). This gives you finer-grained control over which services may use pam_winbind's offline mode.

- letting your distro set up PAM for you. For instance, if you install the libpam-winbind and libnss-winbind packages on a Debian based distro, you will most likely find a line similar to this in /etc/pam.d/common-auth:

auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass

Recent versions of these packages also add the winbind entries to /etc/nsswitch.conf for you.
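The settings above (the smb.conf switch and lock directory, the nsswitch.conf passwd line, and the pam_winbind cached_login option) are easy to get half right, so here is a pre-flight check that verifies all of them together. This is an added example, not code from the original page or from the Samba project. The function names, the FAIL/WARN wording, the extra warning when the group line does not list winbind, and the sample files it writes for its no-argument run are assumptions of the example; the awk reader mimics Samba's case- and whitespace-insensitive parameter names.

```shell
#!/bin/sh
# Pre-flight check for winbind offline logon. Added example for this page, not
# Samba project code. With no arguments it runs against constructed sample
# files; otherwise pass the real ones:
#   sh offline-check.sh /etc/samba/smb.conf /etc/nsswitch.conf /etc/security/pam_winbind.conf /etc/pam.d

# Print the value of one [global] parameter, lower-cased. $1 = smb.conf,
# $2 = parameter name in lower case with spaces removed (Samba ignores case
# and whitespace in names). The last definition wins, as it does in Samba.
smbconf_global_value() {
    awk -v want="$2" '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/   { sec = tolower($0); gsub(/[^a-z0-9]/, "", sec); next }
        sec == "global" && index($0, "=") {
            key = tolower(substr($0, 1, index($0, "=") - 1)); gsub(/[ \t]/, "", key)
            if (key == want) {
                val = substr($0, index($0, "=") + 1)
                sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
                print tolower(val)
            }
        }' "$1" | tail -n 1
}

# 0 if "winbind offline logon" is on in [global] (Samba accepts yes/true/1).
smbconf_offline_logon_enabled() {
    case "$(smbconf_global_value "$1" winbindofflinelogon)" in
        yes|true|1) return 0 ;;
        *)          return 1 ;;
    esac
}

# 0 if "lock directory" is on a tmpfs that is wiped at boot (the page's Debian
# note: gencache.tdb under /run/samba loses the cache at every reboot). An empty
# value means the compiled-in default; see it with:
#   testparm -s --parameter-name='lock directory'
smbconf_lock_dir_is_volatile() {
    case "$(smbconf_global_value "$1" lockdirectory)" in
        /run|/run/*|/dev/shm|/dev/shm/*) return 0 ;;
        *)                               return 1 ;;
    esac
}

# 0 if the nsswitch.conf ($1) line for database $2 (passwd, group) lists winbind.
nsswitch_db_uses_winbind() {
    grep -E "^[[:space:]]*$2:" "$1" | grep -qw winbind
}

# 0 if cached logins are requested globally in pam_winbind.conf ($1) or as an
# option on a pam_winbind.so auth line in some file under the pam.d dir ($2).
pam_cached_login_enabled() {
    if [ -r "$1" ] && awk '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/   { sec = tolower($0); gsub(/[^a-z0-9]/, "", sec); next }
        sec == "global" && /^[ \t]*cached_login[ \t]*=[ \t]*(yes|true|1)[ \t]*$/ { found = 1 }
        END { exit(found ? 0 : 1) }' "$1"
    then
        return 0
    fi
    [ -d "$2" ] && grep -lE '^[[:space:]]*auth[[:space:]].*pam_winbind\.so.*cached_login' "$2"/* >/dev/null 2>&1
}

# Run all checks. Returns the number of hard failures, so 0 means ready.
# $1 smb.conf  $2 nsswitch.conf  $3 pam_winbind.conf  $4 pam.d directory
check_offline_logon_config() {
    fails=0
    smbconf_offline_logon_enabled "$1" ||
        { echo "FAIL: 'winbind offline logon = yes' missing from [global] in $1"; fails=$((fails + 1)); }
    if smbconf_lock_dir_is_volatile "$1"; then
        echo "FAIL: lock directory in $1 is volatile; the cache is lost at reboot (Bug #14618)"
        fails=$((fails + 1))
    fi
    nsswitch_db_uses_winbind "$2" passwd ||
        { echo "FAIL: passwd line in $2 does not list winbind"; fails=$((fails + 1)); }
    nsswitch_db_uses_winbind "$2" group ||
        echo "WARN: group line in $2 does not list winbind; domain group lookups will fail"
    pam_cached_login_enabled "$3" "$4" ||
        { echo "FAIL: cached_login not set in $3 nor on a pam_winbind.so line under $4"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ] && echo "OK: configuration allows offline logon"
    return "$fails"
}

# Constructed sample files (not copied from a real host) for the no-argument run.
make_sample_config() {
    mkdir -p "$1/pam.d"
    printf '%s\n' '[global]' '   workgroup = YOURDOM' '   security = ads' \
        '   Winbind Offline Logon = yes' '   lock directory = /var/cache/samba' > "$1/smb.conf"
    printf '%s\n' 'passwd:  files winbind' 'group:   files winbind' > "$1/nsswitch.conf"
    printf '%s\n' '[global]' '# needs "winbind offline logon = yes" in smb.conf' 'cached_login = yes' > "$1/pam_winbind.conf"
}

if [ $# -eq 0 ]; then
    tmp=$(mktemp -d)
    make_sample_config "$tmp"
    check_offline_logon_config "$tmp/smb.conf" "$tmp/nsswitch.conf" "$tmp/pam_winbind.conf" "$tmp/pam.d"
    rm -rf "$tmp"
else
    check_offline_logon_config "$@"
fi
```

A non-zero exit status is the number of hard failures, so the script can gate a configuration-management run. The lock directory check only sees what smb.conf sets explicitly; on Debian the volatile /run/samba is the compiled-in default, which is exactly why the page's workaround has to be written into smb.conf.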
Testing offline authentication

Start winbindd and authenticate successfully at least once while winbind is online:

systemctl start winbind
wbinfo -K YOURDOM\\youruser%password

plaintext kerberos password authentication for [YOURDOM\youruser] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_1000

Note that the user%password form puts the password on the command line, where it is visible in the process list and in your shell history; if you leave out the %password part, wbinfo prompts for it instead.

Now you can switch winbindd to offline mode by hand (for testing) with the smbcontrol command:

smbcontrol winbind offline

Ensure that the computer is offline; unplug the network if required. (smbcontrol winbind online puts winbindd back when you are done.)

Now repeat the command:

wbinfo -K YOURDOM\\youruser%password

You should get

user_flgs: NETLOGON_CACHED_ACCOUNT

in the output.

Your system is now prepared to use pam_winbind while offline. Try logging in to localhost, e.g. using ssh:

ssh YOURDOM\\youruser@localhost
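The test steps above as one script, so the online-then-offline sequence and the NETLOGON_CACHED_ACCOUNT check are repeatable. This is an added example rather than the page's or Samba's own code. It assumes the Debian systemd unit name winbind (other distros usually call it winbindd), takes DOMAIN\user as its only argument, and lets wbinfo prompt for the password instead of passing user%password on the command line. Run with no arguments it only checks its two output parsers against a constructed sample of the offline output described above.

```shell
#!/bin/sh
# Scripted form of the page's online-then-offline logon test. Added example for
# this page, not Samba project code. Assumes a Debian-style "winbind" unit name
# and a DOMAIN\user argument; wbinfo prompts for the password each time it is
# called, so the password never appears in `ps` output or shell history.

# 0 if the wbinfo -K output on stdin reports a successful authentication.
wbinfo_says_succeeded() {
    grep -q 'authentication for .* succeeded'
}

# 0 if the wbinfo -K output on stdin carries the NETLOGON_CACHED_ACCOUNT flag,
# i.e. winbindd answered from its credential cache rather than from a DC.
wbinfo_says_cached() {
    grep -Eq '^[[:space:]]*user_flgs:.*NETLOGON_CACHED_ACCOUNT'
}

# One online logon to seed the cache, then the same logon with winbindd forced
# offline. winbindd is put back online afterwards whatever the outcome.
run_offline_logon_test() {
    user=$1
    systemctl start winbind || return 1
    echo "== online logon (seeds the cache) =="
    if ! online=$(wbinfo -K "$user"); then
        echo "online logon failed; get PAM/winbind working first"; return 1
    fi
    if printf '%s\n' "$online" | wbinfo_says_cached; then
        echo "winbindd is already offline: this logon came from the cache, not a DC"; return 1
    fi
    echo "== forcing winbindd offline =="
    smbcontrol winbind offline || return 1
    if offline=$(wbinfo -K "$user"); then rc=0; else rc=$?; fi
    smbcontrol winbind online
    [ "$rc" -eq 0 ] || { echo "offline logon failed: nothing usable was cached"; return 1; }
    if printf '%s\n' "$offline" | wbinfo_says_cached; then
        echo "OK: offline logon served from cache (NETLOGON_CACHED_ACCOUNT set)"
    else
        echo "logon succeeded without NETLOGON_CACHED_ACCOUNT: winbindd reached a DC, so this was not an offline test"
        return 1
    fi
}

# Constructed stand-in for the offline wbinfo -K output the page describes, used
# by the no-argument run to exercise the parsers without a domain.
SAMPLE_OFFLINE_OUTPUT='plaintext kerberos password authentication for [YOURDOM\youruser] succeeded (requesting cctype: FILE)
user_flgs: NETLOGON_CACHED_ACCOUNT'

case "${1:-}" in
    ""|--selftest)
        printf '%s\n' "$SAMPLE_OFFLINE_OUTPUT" | wbinfo_says_succeeded || exit 1
        printf '%s\n' "$SAMPLE_OFFLINE_OUTPUT" | wbinfo_says_cached || exit 1
        echo "parser selftest OK" ;;
    *)  run_offline_logon_test "$1" ;;
esac
```

If the second logon succeeds but the flag is missing, winbindd reconnected to a DC in between; that is the case the page guards against by telling you to unplug the network.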