PAM Offline Authentication
Revision as of 12:55, 24 October 2007

Offline Authentication using winbindd

In order to enable offline authentication, configure Samba to use winbind in nsswitch and for PAM (FIXME: point to other docs).

Then make sure smb.conf contains:

"winbind offline logon = yes"

Enabling offline authentication in pam_winbind

First of all, make sure that you can log in using PAM and your Windows credentials, e.g. using ssh:

ssh YOURDOM\\youruser@localhost

You cannot continue if login via PAM (pam_winbind) is not working.

Now pam_winbind needs to set the offline flag as well. You can do so by either

  • adding "cached_login = yes" to /etc/security/pam_winbind.conf. That file should look like this:
#
# pam_winbind configuration file
#
# /etc/security/pam_winbind.conf
#
[global]
# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
cached_login = yes

This enables offline logons globally for every application that uses PAM. If you want finer-grained control over which services use pam_winbind's offline mode, you can do so by

  • adding the "cached_login" option to the individual PAM configuration files (usually below /etc/pam.d/$SERVICE)

Testing offline authentication

Start winbindd and authenticate successfully at least once while winbind is online:

/etc/init.d/winbind start

wbinfo -K YOURDOM\\youruser%password

Now you can switch winbindd to offline mode by hand (for testing) with the smbcontrol command.

smbcontrol winbind offline

If you now repeat the command

wbinfo -K YOURDOM\\youruser%password

You should get

user_flgs: LOGON_CACHED_ACCOUNT

in the output.

Your system is now prepared to use pam_winbind while offline. Try to log in to localhost, e.g. using ssh:

ssh YOURDOM\\youruser@localhost
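The following POSIX sh script is an added example and is not part of the Samba wiki page. It turns the two configuration steps above (the smb.conf and pam_winbind.conf settings) and the wbinfo -K test into repeatable checks: it verifies that "winbind offline logon = yes" and "cached_login = yes" are present, accepts the per-service variant where cached_login is passed as a module argument to pam_winbind.so in an /etc/pam.d file, and confirms from wbinfo -K output that a logon was answered from the cache. All input is constructed sample data written to a temporary directory so the script runs without winbindd; the sample sshd PAM file is hypothetical, and of the wbinfo output only the user_flgs line is taken from the page.

```shell
#!/bin/sh
# Added example (not from the Samba wiki): checks for the offline logon
# setup described above. All input is constructed sample data in a temp
# dir, so this runs without winbindd; point the functions at the real
# files (/etc/samba/smb.conf, /etc/security/pam_winbind.conf, ...) on a host.

# has_offline_logon SMB_CONF: true if "winbind offline logon = yes" is set.
has_offline_logon() {
    grep -Eiq '^[[:space:]]*winbind[[:space:]]+offline[[:space:]]+logon[[:space:]]*=[[:space:]]*(yes|true|1)[[:space:]]*$' "$1"
}

# has_cached_login PAM_WINBIND_CONF: true if the global cached_login is
# enabled in a file in pam_winbind.conf format.
has_cached_login() {
    grep -Eiq '^[[:space:]]*cached_login[[:space:]]*=[[:space:]]*(yes|true|1)[[:space:]]*$' "$1"
}

# has_service_cached_login PAM_SERVICE_FILE: true if an auth line in an
# /etc/pam.d/$SERVICE file passes cached_login to pam_winbind.so.
has_service_cached_login() {
    grep -Eiq '^[[:space:]]*auth[[:space:]].*pam_winbind\.so.*[[:space:]]cached_login([[:space:]]|$)' "$1"
}

# served_from_cache: read "wbinfo -K" output on stdin; true if winbindd
# answered from its cache (user_flgs line shows LOGON_CACHED_ACCOUNT).
served_from_cache() {
    grep -q '^user_flgs:.*LOGON_CACHED_ACCOUNT'
}

# check_offline_setup SMB_CONF PAM_WINBIND_CONF: report each missing
# setting on stderr; succeed only when both are present.
check_offline_setup() {
    rc=0
    has_offline_logon "$1" || { echo "$1: missing 'winbind offline logon = yes'" >&2; rc=1; }
    has_cached_login "$2" || { echo "$2: missing 'cached_login = yes' (or set it per service in /etc/pam.d)" >&2; rc=1; }
    return $rc
}

# --- constructed sample input (not real system files) --------------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

SAMPLE_SMB_CONF="$WORK/smb.conf"            # correctly configured
cat > "$SAMPLE_SMB_CONF" <<'EOF'
[global]
   workgroup = YOURDOM
   winbind offline logon = yes
EOF

SAMPLE_SMB_CONF_BAD="$WORK/smb-bad.conf"    # offline logon left at default
cat > "$SAMPLE_SMB_CONF_BAD" <<'EOF'
[global]
   workgroup = YOURDOM
EOF

SAMPLE_PAM_WINBIND_CONF="$WORK/pam_winbind.conf"
cat > "$SAMPLE_PAM_WINBIND_CONF" <<'EOF'
[global]
# request a cached login if possible
cached_login = yes
EOF

SAMPLE_PAM_SERVICE="$WORK/sshd"             # hypothetical per-service file
cat > "$SAMPLE_PAM_SERVICE" <<'EOF'
auth    sufficient  pam_winbind.so cached_login
auth    required    pam_unix.so try_first_pass
EOF

# Only the user_flgs line comes from the wiki text; the first line is made up.
SAMPLE_WBINFO_OFFLINE='plaintext kerberos password authentication for [YOURDOM\youruser] succeeded
user_flgs: LOGON_CACHED_ACCOUNT'
SAMPLE_WBINFO_ONLINE='plaintext kerberos password authentication for [YOURDOM\youruser] succeeded'

if check_offline_setup "$SAMPLE_SMB_CONF" "$SAMPLE_PAM_WINBIND_CONF"; then
    echo "config: offline logon enabled"
fi
if printf '%s\n' "$SAMPLE_WBINFO_OFFLINE" | served_from_cache; then
    echo "wbinfo: logon was served from the winbindd cache"
fi
```

On a real host, run the check before switching winbindd offline with smbcontrol: if check_offline_setup fails, the wbinfo -K test will not show LOGON_CACHED_ACCOUNT no matter how often the user authenticated while online.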