PAM Offline Authentication: Difference between revisions
Latest revision as of 08:33, 24 June 2023
== Offline Authentication using winbindd ==
In order to enable offline authentication, you must configure the <code>passwd</code> line in <code>/etc/nsswitch.conf</code> to use winbind and use PAM (Authenticating Domain Users Using PAM).

The <code>[global]</code> section of your <code>smb.conf</code> must contain:

 winbind offline logon = yes
 winbind request timeout = 10
'''Warning:''' If you are using a distro that locates the lock directory in <code>/run/samba</code>, there is a bug report regarding this. This directory is removed at reboot and there appears to be something in that directory that is required for winbind offline logon to work. Until [https://bugzilla.samba.org/show_bug.cgi?id=14618 Bug #14618] is fixed, the workaround is to place <code>lock directory = /var/cache/samba</code> in your <code>smb.conf</code>.
== Enabling offline authentication in pam_winbind ==
First, ensure that you can log in using PAM and your Windows credentials, e.g. using ssh:

 ssh YOURDOM\\youruser@localhost

You cannot continue until login via PAM (pam_winbind) is working.
Now pam_winbind needs to set the offline flag as well. You can do so in one of the following ways:

* Add <code>cached_login = yes</code> to <code>/etc/security/pam_winbind.conf</code>. That file should look like this:

 #
 # pam_winbind configuration file
 #
 # /etc/security/pam_winbind.conf
 #
 [global]
 # request a cached login if possible
 # (needs "winbind offline logon = yes" in smb.conf)
 cached_login = yes

This will enable offline ability globally for all applications using PAM.

* Add the <code>cached_login</code> option to the individual PAM configuration files (usually below <code>/etc/pam.d/$SERVICE</code>). This gives you finer-grained control over which services use pam_winbind's offline mode.

* Your distro may be able to set up PAM for you. For instance, if you install the libpam-winbind and libnss-winbind packages on a Debian based distro, you are highly likely to find a line similar to this in <code>/etc/pam.d/common-auth</code>:

 auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass

The latest version even sets the <code>winbind</code> lines in <code>/etc/nsswitch</code> for you.
== Testing offline authentication ==
Start winbindd and authenticate successfully at least once while winbind is online:

 systemctl start winbind
 wbinfo -K YOURDOM\\youruser%password

 plaintext kerberos password authentication for [YOURDOM\youruser] succeeded (requesting cctype: FILE)
 credentials were put in: FILE:/tmp/krb5cc_1000

Now you can switch winbindd to offline mode by hand (for testing) with the smbcontrol command:

 smbcontrol winbind offline

Ensure that the computer is offline (unplug the network if required). You can check whether the computer is offline with this command:

 wbinfo --ping-dc

You should get a reply similar to this:

 checking the NETLOGON for domain[SAMDOM] dc connection to "" failed

Now repeat the command:

 wbinfo -K YOURDOM\\youruser%password

You should get

 user_flgs: NETLOGON_CACHED_ACCOUNT

in the output.
Your system is now prepared to use pam_winbind while offline. Please try to log in to your localhost, e.g. using ssh:

 ssh YOURDOM\\youruser@localhost
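The following pre-flight script is an added example and not part of the Samba wiki page or of Samba itself. It checks the three settings the procedure above depends on (<code>winbind offline logon</code> in <code>smb.conf</code>, <code>cached_login</code> in <code>pam_winbind.conf</code>, winbind on the <code>passwd</code> line of <code>nsswitch.conf</code>) and confirms that a saved <code>wbinfo -K</code> transcript contains the <code>NETLOGON_CACHED_ACCOUNT</code> flag; the files it reads are constructed samples written to a temporary directory, not your system's configuration.

```shell
#!/bin/sh
# Added pre-flight check for the winbind offline-logon setup (not Samba wiki code).
# All inputs below are constructed sample files, not the real system configuration.

# 0 if KEY = VALUE is set in the [global] section of an smb.conf-style file.
# Case-insensitive; ignores comments and whitespace around '=', like testparm does.
ini_global_has() {
    awk -v key="$2" -v value="$3" '
        /^[ \t]*[#;]/ { next }                                   # comment line
        /^[ \t]*\[/   { s = tolower($0); gsub(/\[|\]|[ \t]/, "", s); next }
        s == "global" && index($0, "=") {
            k = $0; sub(/=.*/, "", k);     gsub(/^[ \t]+|[ \t]+$/, "", k)
            v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key) && tolower(v) == tolower(value)) ok = 1
        }
        END { exit ok ? 0 : 1 }' "$1"
}

# 0 if the passwd: line of an nsswitch.conf lists the winbind source.
nsswitch_passwd_has_winbind() {
    awk '$1 == "passwd:" { for (i = 2; i <= NF; i++) if ($i == "winbind") ok = 1 }
         END { exit ok ? 0 : 1 }' "$1"
}

# 0 if a saved `wbinfo -K` transcript shows the logon was served from the cache.
wbinfo_used_cache() { grep -q 'user_flgs:.*NETLOGON_CACHED_ACCOUNT' "$1"; }

# Check smb.conf, pam_winbind.conf and nsswitch.conf (in that order); print each
# missing setting and return the number of failures (0 = ready for offline logon).
check_offline_setup() {
    fails=0
    ini_global_has "$1" "winbind offline logon" yes || { echo "missing: winbind offline logon = yes in $1"; fails=$((fails + 1)); }
    ini_global_has "$2" cached_login yes           || { echo "missing: cached_login = yes in $2"; fails=$((fails + 1)); }
    nsswitch_passwd_has_winbind "$3"               || { echo "missing: winbind on passwd: line in $3"; fails=$((fails + 1)); }
    return $fails
}

# Constructed samples: a correct setup plus an nsswitch.conf that lacks winbind.
d=$(mktemp -d)
printf '[global]\n  workgroup = YOURDOM\n  Winbind Offline Logon = Yes\n  winbind request timeout = 10\n' > "$d/smb.conf"
printf '# pam_winbind configuration file\n[global]\ncached_login = yes\n' > "$d/pam_winbind.conf"
printf 'passwd:  files winbind\ngroup:   files winbind\n' > "$d/nsswitch.conf"
printf 'passwd:  files\n' > "$d/nsswitch-bad.conf"
printf 'plaintext kerberos password authentication for [YOURDOM\\youruser] succeeded\nuser_flgs: NETLOGON_CACHED_ACCOUNT\n' > "$d/wbinfo.txt"

if check_offline_setup "$d/smb.conf" "$d/pam_winbind.conf" "$d/nsswitch.conf"; then
    echo "offline logon configuration complete; see wbinfo_used_cache for the runtime test"
fi
```

On a real host, point the functions at <code>/etc/samba/smb.conf</code>, <code>/etc/security/pam_winbind.conf</code> and <code>/etc/nsswitch.conf</code>, and feed <code>wbinfo_used_cache</code> the output captured from the <code>wbinfo -K</code> run performed after <code>smbcontrol winbind offline</code>.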