PAM Offline Authentication

From SambaWiki

Revision as of 13:24, 20 May 2023

Offline Authentication using winbindd

To enable offline authentication, you must configure the passwd line in /etc/nsswitch.conf to use winbind and authenticate through PAM with pam_winbind (see Authenticating Domain Users Using PAM).

The [global] section of your smb.conf must contain:

winbind offline logon = yes



Enabling offline authentication in pam_winbind

First, ensure that you can log in through PAM with your Windows domain credentials, e.g. using ssh:

ssh YOURDOM\\youruser@localhost

You cannot continue until login via PAM (pam_winbind) is working.


pam_winbind also has to request a cached login (the "offline flag") for each authentication. You can enable this in one of the following ways:


  • adding "cached_login = yes" to /etc/security/pam_winbind.conf. That file should look like this:
#
# pam_winbind configuration file
#
# /etc/security/pam_winbind.conf
#
[global]
# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
cached_login = yes

This enables cached (offline) logins globally for every service that authenticates through pam_winbind.


  • adding the "cached_login" option to individual PAM configuration files (usually below /etc/pam.d/$SERVICE); this gives you more fine-grained control over which services use pam_winbind's offline mode.


  • Your distro may set up PAM for you. For instance, if you install the libpam-winbind and libnss-winbind packages on a Debian-based distro, you will most likely find a line similar to this in /etc/pam.d/common-auth:
auth	[success=1 default=ignore]	pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass

The latest version of these packages even adds the winbind entries to /etc/nsswitch.conf for you.



Testing offline authentication

Start winbindd and authenticate successfully at least once while winbind is online, so that the credentials get cached:

systemctl start winbind

 wbinfo -K YOURDOM\\youruser%password
 plaintext kerberos password authentication for [YOURDOM\youruser] succeeded (requesting cctype: FILE)
 credentials were put in: FILE:/tmp/krb5cc_1000

Now you can switch winbindd to offline mode by hand (for testing) with the smbcontrol command (use "smbcontrol winbind online" to put it back into normal operation when you are done testing):

smbcontrol winbind offline

To be sure that nothing can still reach the domain controller, take the computer offline as well, unplugging the network if required.

Only credentials that were used successfully while winbindd was online are in the cache, so repeat the command with the same account:

wbinfo -K YOURDOM\\youruser%password

You should get

user_flgs: NETLOGON_CACHED_ACCOUNT

in the output.

Your system is now prepared to use pam_winbind while offline. Try logging in to your localhost, e.g. using ssh:

ssh YOURDOM\\youruser@localhost
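The shell script below is an added example; it is not part of this SambaWiki page or of Samba itself. It ties the whole procedure together: it checks the three pieces the page asks for (winbind on the passwd line of nsswitch.conf, "winbind offline logon = yes" in smb.conf, and cached_login either globally in pam_winbind.conf or on a pam_winbind.so line in /etc/pam.d/common-auth), and with --live it runs the online/offline wbinfo cycle from the testing section and confirms the NETLOGON_CACHED_ACCOUNT flag. The file paths, the --live flag and the function names are the example's own assumptions; the Samba commands it calls (wbinfo -K, smbcontrol winbind offline/online, testparm --parameter-name) are standard.

```shell
#!/bin/sh
# Added example, not from the SambaWiki page or the Samba project.
# Assumes the standard paths /etc/nsswitch.conf, /etc/security/pam_winbind.conf
# and /etc/pam.d/common-auth, and Samba's wbinfo, smbcontrol and testparm in PATH.

# Does the given nsswitch database (e.g. "passwd") list winbind as a source?
# Comment lines are ignored; the database name is matched as the first field.
nsswitch_has_winbind() {
    awk -v db="$2:" '
        /^[[:space:]]*#/ { next }
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit !found }' "$1"
}

# Is "cached_login = yes" set in the [global] section of pam_winbind.conf?
# Comments are skipped, so a commented-out "# cached_login = yes" does not count.
pam_winbind_cached_login() {
    awk -F= '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*\[/ { sec = $0; gsub(/[[:space:]]/, "", sec); next }
        sec == "[global]" {
            k = $1; v = $2
            gsub(/[[:space:]]/, "", k); gsub(/[[:space:]]/, "", v)
            if (k == "cached_login" && tolower(v) == "yes") found = 1
        }
        END { exit !found }' "$1"
}

# Does a pam.d service file pass cached_login to pam_winbind.so on an auth line?
pamd_has_cached_login() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_winbind\.so.*[[:space:]]cached_login([[:space:]]|$)' "$1"
}

# Does captured "wbinfo -K" output carry the flag that proves the login was
# answered from winbindd's cache rather than by the domain controller?
wbinfo_reports_cached() {
    case "$1" in
        *"user_flgs: NETLOGON_CACHED_ACCOUNT"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live procedure: verify the configuration, prime the cache while online, force
# winbindd offline, authenticate again and check for the cached-account flag.
# Usage (as root): sh offline_check.sh --live 'YOURDOM\youruser%password'
# Caveat: a password given on the command line is visible in the process list
# while wbinfo runs; on anything but a test box pass only 'YOURDOM\youruser'
# and let wbinfo prompt for it.
run_live_check() {
    creds=$1
    nsswitch_has_winbind /etc/nsswitch.conf passwd \
        || { echo "passwd line in /etc/nsswitch.conf does not use winbind"; return 1; }
    [ "$(testparm -s --parameter-name='winbind offline logon' 2>/dev/null)" = "Yes" ] \
        || { echo "'winbind offline logon = yes' missing from the [global] section of smb.conf"; return 1; }
    if ! pam_winbind_cached_login /etc/security/pam_winbind.conf \
       && ! pamd_has_cached_login /etc/pam.d/common-auth; then
        echo "cached_login is set neither in pam_winbind.conf nor in /etc/pam.d/common-auth"
        return 1
    fi
    # 1. Online authentication must succeed first; this is what fills the cache.
    wbinfo -K "$creds" >/dev/null \
        || { echo "online authentication failed; fix PAM/winbind before testing offline mode"; return 1; }
    # 2. Force winbindd offline, authenticate again, then restore normal operation.
    smbcontrol winbind offline || return 1
    out=$(wbinfo -K "$creds") \
        || { smbcontrol winbind online; echo "authentication failed while winbindd was offline"; return 1; }
    smbcontrol winbind online
    wbinfo_reports_cached "$out" \
        || { echo "login succeeded but NETLOGON_CACHED_ACCOUNT was not reported"; return 1; }
    echo "offline (cached) authentication works"
}

if [ "${1:-}" = "--live" ]; then
    run_live_check "$2"
fi
```

Run it without arguments to load the check functions only (for instance to test them against copies of your configuration files); run it with --live on a machine where online login already works, since the offline half of the test can only succeed for an account that has been cached.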