PAM Offline Authentication

From SambaWiki

Latest revision as of 08:33, 24 June 2023

Offline Authentication using winbindd

In order to enable offline authentication, you must configure the passwd line in /etc/nsswitch.conf to use winbind and use PAM (Authenticating Domain Users Using PAM).

The [global] section of your smb.conf must contain:

winbind offline logon = yes
winbind request timeout = 10

Warning: If you are using a distro that locates the lock directory in /run/samba, there is a bug report regarding this. This directory is removed at reboot and there appears to be something in that directory that is required for winbind offline logon to work. Until Bug #14618 (https://bugzilla.samba.org/show_bug.cgi?id=14618) is fixed, the workaround is to place lock directory = /var/cache/samba in your smb.conf.


Enabling offline authentication in pam_winbind

First, ensure that you can log in using PAM and your Windows credentials, e.g. using ssh:

ssh YOURDOM\\youruser@localhost

You cannot continue until login via PAM (pam_winbind) is working.


Now pam_winbind needs to set the offline flag as well. You can do so by either:


  • adding "cached_login = yes" to /etc/security/pam_winbind.conf. That file should look like this:
#
# pam_winbind configuration file
#
# /etc/security/pam_winbind.conf
#
[global]
# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
cached_login = yes

This will enable offline ability globally for all applications using PAM.


  • adding the "cached_login" option to individual PAM configuration files (usually below /etc/pam.d/$SERVICE); this gives you more fine-grained control over which services use pam_winbind's offline mode.


  • Your distro may be able to set up PAM for you. For instance, if you install the libpam-winbind and libnss-winbind packages on a Debian based distro, you are highly likely to find a line similar to this in /etc/pam.d/common-auth:
auth	[success=1 default=ignore]	pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass

The latest version even sets the winbind entries in /etc/nsswitch.conf for you.
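The following POSIX shell script is an added example; it is not part of the wiki page or of Samba. It checks the three prerequisites described so far (winbind on the passwd line of nsswitch.conf, "winbind offline logon = yes" inside [global] of smb.conf, and cached_login either in pam_winbind.conf or on the pam_winbind.so auth line) against constructed sample files, so it runs without a domain-joined host. The function names, the sample file contents and the smb-wrong.conf misconfiguration are the example's own; to check a real system, point the functions at /etc/nsswitch.conf, the output of `testparm -s` saved to a file, /etc/security/pam_winbind.conf and your /etc/pam.d service file.

```shell
#!/bin/sh
# Added example (not from the Samba wiki): pre-flight checks for winbind
# offline logon. Every check takes a file path and returns 0 when the file
# satisfies the requirement, so the same functions work on the constructed
# sample files created below and on the real configuration files.

# 1. The passwd line of nsswitch.conf must list the winbind source.
nss_uses_winbind() {
    grep -Eq '^[[:space:]]*passwd:.*[[:space:]]winbind([[:space:]]|$)' "$1"
}

# 2. An INI-style file (smb.conf or pam_winbind.conf) must set "<key> = yes"
#    inside [global]; the same key inside a share section does not count.
#    Case and whitespace are ignored, as Samba's own parser ignores them.
ini_global_yes() {  # ini_global_yes "key name" file
    key=$(printf '%s' "$1" | tr -d ' \t' | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[[:space:]]*\[/ {                        # section header
            sect = tolower($0)
            sub(/^[[:space:]]*\[/, "", sect); sub(/\].*$/, "", sect)
            next
        }
        sect == "global" {
            line = tolower($0); gsub(/[[:space:]]/, "", line)
            if (line ~ ("^" key "=(yes|true|1)$")) found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$2"
}

# 3. A pam.d file must pass cached_login to pam_winbind.so on an auth line.
pam_auth_cached_login() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_winbind\.so.*[[:space:]]cached_login([[:space:]]|$)' "$1"
}

# The page allows either the global switch or the per-service option.
cached_login_somewhere() { ini_global_yes cached_login "$1" || pam_auth_cached_login "$2"; }

report() {  # report "description" command args...
    desc=$1; shift
    if "$@"; then echo "ok   $desc"; else echo "FAIL $desc"; rc=1; fi
}

# Run every check and report; returns 0 only when all of them pass.
preflight() {  # preflight nsswitch.conf smb.conf pam_winbind.conf pam-service-file
    rc=0
    report "nsswitch.conf passwd line lists winbind" nss_uses_winbind "$1"
    report "smb.conf [global] sets winbind offline logon = yes" ini_global_yes 'winbind offline logon' "$2"
    report "cached_login in pam_winbind.conf [global] or on the pam_winbind.so auth line" \
        cached_login_somewhere "$3" "$4"
    return "$rc"
}

# Constructed sample files (not copied from any real system).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat >"$SAMPLE_DIR/nsswitch.conf" <<'EOF'
passwd:         files winbind
group:          files winbind
shadow:         files
EOF
printf 'passwd:         files\n' >"$SAMPLE_DIR/nsswitch-wrong.conf"
cat >"$SAMPLE_DIR/smb.conf" <<'EOF'
[global]
   workgroup = YOURDOM
   security = ads
   Winbind Offline Logon = Yes
   winbind request timeout = 10
EOF
# Constructed mistake: the setting sits in a share section, not in [global].
cat >"$SAMPLE_DIR/smb-wrong.conf" <<'EOF'
[global]
   workgroup = YOURDOM
[homes]
   winbind offline logon = yes
EOF
cat >"$SAMPLE_DIR/pam_winbind.conf" <<'EOF'
[global]
# request a cached login if possible
cached_login = yes
EOF
cat >"$SAMPLE_DIR/common-auth" <<'EOF'
auth    [success=1 default=ignore]    pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth    [success=1 default=ignore]    pam_unix.so nullok_secure try_first_pass
auth    requisite                     pam_deny.so
EOF

preflight "$SAMPLE_DIR/nsswitch.conf" "$SAMPLE_DIR/smb.conf" \
          "$SAMPLE_DIR/pam_winbind.conf" "$SAMPLE_DIR/common-auth"
```

Run it as-is to see the three checks pass on the samples; substituting smb-wrong.conf for smb.conf makes the second check fail, which is the situation the section-aware parser exists to catch.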



Testing offline authentication

Start winbindd and authenticate successfully at least once while winbind is online:

systemctl start winbind

wbinfo -K YOURDOM\\youruser%password
plaintext kerberos password authentication for [YOURDOM\youruser] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_1000

Now you can switch winbindd to offline mode by hand (for testing) with the smbcontrol command.

smbcontrol winbind offline

Ensure that the computer is offline (unplug the network cable if required). You can check whether the computer is offline with this command:

wbinfo --ping-dc

You should get a reply similar to this:

checking the NETLOGON for domain[SAMDOM] dc connection to "" failed

Now repeat the command

wbinfo -K YOURDOM\\youruser%password

You should get

user_flgs: NETLOGON_CACHED_ACCOUNT

in the output.

Your system is now prepared to use pam_winbind while offline. Try to log in to your localhost, e.g. using ssh:

ssh YOURDOM\\youruser@localhost
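The script below is an added example, not part of the wiki page or of Samba: it turns the testing procedure above into a classifier. The parsing functions take captured output of `wbinfo --ping-dc` and `wbinfo -K` as strings, so they can be exercised against the samples embedded in the script without a running winbindd; run_live feeds them real output when wbinfo is installed. The only output lines taken from the page are the "failed" line of wbinfo --ping-dc and the two lines of the successful wbinfo -K run; the success line for --ping-dc, the failed-logon text and the state names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Samba wiki): classify the state of the offline
# logon test from the output of the two commands the page uses.

# Did `wbinfo --ping-dc` reach a DC? Its failure line contains "failed".
dc_reachable() {
    ! printf '%s\n' "$1" | grep -q 'failed'
}

# Did `wbinfo -K` succeed, and was the logon served from winbind's cache?
logon_succeeded() { printf '%s\n' "$1" | grep -q 'succeeded'; }
logon_was_cached() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*user_flgs:.*NETLOGON_CACHED_ACCOUNT'
}

# Path of the Kerberos ticket cache that a successful online logon reported
# ("credentials were put in: FILE:..."); empty when no such line is present,
# which is what the cached offline logon on the page shows.
creds_cache_path() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*credentials were put in: FILE:\(.*\)$/\1/p'
}

# Combine both outputs into one state string (names are this example's own):
#   online            DC reachable, logon succeeded normally
#   failed            DC reachable but logon refused (bad credentials, or PAM/winbind not working yet)
#   offline-cached    DC unreachable, logon served from the cache: offline logon works
#   offline-no-cache  DC unreachable and no cached logon: the user never authenticated
#                     while online, or offline logon is not enabled in smb.conf/pam_winbind
logon_state() {  # logon_state "<wbinfo --ping-dc output>" "<wbinfo -K output>"
    if dc_reachable "$1"; then
        if logon_succeeded "$2"; then echo online; else echo failed; fi
    else
        if logon_was_cached "$2"; then echo offline-cached; else echo offline-no-cache; fi
    fi
}

# Constructed samples. The ping failure line and the two successful logon
# lines are quoted from the wiki page; the rest is made up for the example.
PING_OK_SAMPLE='checking the NETLOGON for domain[YOURDOM] dc connection to "dc1.yourdom.example" succeeded'
PING_FAIL_SAMPLE='checking the NETLOGON for domain[SAMDOM] dc connection to "" failed'
LOGON_ONLINE_SAMPLE='plaintext kerberos password authentication for [YOURDOM\youruser] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_1000'
LOGON_CACHED_SAMPLE='plaintext kerberos password authentication for [YOURDOM\youruser] succeeded (requesting cctype: FILE)
user_flgs: NETLOGON_CACHED_ACCOUNT'
LOGON_FAIL_SAMPLE='constructed sample: authentication refused, no cached credentials'

# Feed real output to the classifier. WB_USER and WB_PASS come from the
# environment; note that, exactly as with the page's own wbinfo -K call, the
# password ends up on the wbinfo command line and is visible in the process list.
run_live() {
    command -v wbinfo >/dev/null 2>&1 || { echo "wbinfo not installed; nothing to run"; return 0; }
    [ -n "$WB_USER" ] && [ -n "$WB_PASS" ] || { echo "set WB_USER (YOURDOM\\\\youruser) and WB_PASS"; return 0; }
    ping_out=$(wbinfo --ping-dc 2>&1)
    logon_out=$(wbinfo -K "$WB_USER%$WB_PASS" 2>&1)
    logon_state "$ping_out" "$logon_out"
}

if [ "${1:-}" = "--live" ]; then
    run_live
else
    echo "online run        -> $(logon_state "$PING_OK_SAMPLE" "$LOGON_ONLINE_SAMPLE")"
    echo "offline, cached   -> $(logon_state "$PING_FAIL_SAMPLE" "$LOGON_CACHED_SAMPLE")"
    echo "offline, no cache -> $(logon_state "$PING_FAIL_SAMPLE" "$LOGON_FAIL_SAMPLE")"
fi
```

Without arguments the script classifies the embedded samples; with `--live` it runs the two wbinfo commands itself. The offline-no-cache state is the one to look for when the page's test does not show NETLOGON_CACHED_ACCOUNT: it means either the online logon step was skipped or the offline settings from the earlier sections are missing.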