Difference between revisions of "PAM Offline Authentication"
Revision as of 12:55, 24 October 2007
Offline Authentication using winbindd
In order to enable offline authentication, configure Samba to use winbind in nsswitch and for PAM (FIXME: point to other docs).
Then make sure smb.conf contains:
"winbind offline logon = yes"
Enabling offline authentication in pam_winbind
First of all, make sure that you can log in using PAM and your Windows credentials, e.g. using ssh:
ssh YOURDOM\\youruser@localhost
You cannot continue if login via PAM (pam_winbind) is not working.
Now pam_winbind needs to set the offline flag as well. You can do so either by
- adding "cached_login = yes" to /etc/security/pam_winbind.conf. That file should look like this:
#
# pam_winbind configuration file
#
# /etc/security/pam_winbind.conf
#
[global]
# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
cached_login = yes
This enables offline ability globally for all applications using PAM. If you want more fine-grained control over which services use pam_winbind's offline mode, you can do so by
- adding the "cached_login" option to the individual PAM configuration files (usually below /etc/pam.d/$SERVICE)
Testing offline authentication
Start winbindd and authenticate successfully at least once while winbind is online:
/etc/init.d/winbind start
wbinfo -K YOURDOM\\youruser%password
Now you can switch winbindd to offline mode by hand (for testing) with the smbcontrol command.
smbcontrol winbind offline
If you now repeat the command
wbinfo -K YOURDOM\\youruser%password
you should get
user_flgs: LOGON_CACHED_ACCOUNT
in the output.
Your system is now prepared to use pam_winbind while offline. Please try to log in to your localhost, e.g. using ssh:
ssh YOURDOM\\youruser@localhost
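The procedure above depends on two settings being present and on wbinfo reporting the cached-logon flag. The following script is an added example, not part of the Samba wiki page: it checks both files for the required [global] settings (ignoring comment lines, so the hint comment in pam_winbind.conf does not count as a setting) and parses wbinfo -K output for LOGON_CACHED_ACCOUNT. The smb.conf, pam_winbind.conf and wbinfo output it uses are constructed samples written to a temporary directory; point the functions at the real /etc/samba/smb.conf and /etc/security/pam_winbind.conf to check a live host.

```shell
#!/bin/sh
# Added example (not Samba's own code): verify the offline-logon settings this page
# requires and detect the cached-logon flag in wbinfo -K output. Sample files below are
# constructed stand-ins for /etc/samba/smb.conf and /etc/security/pam_winbind.conf.
# has_global_setting FILE KEY VALUE: succeed if "KEY = VALUE" (case-insensitive,
# whitespace-tolerant) appears in the [global] section, ignoring # and ; comments.
has_global_setting() {
    awk -v key="$2" -v want="$3" '
        /^[ \t]*\[/ { section = $0; sub(/^[ \t]*\[/, "", section); sub(/\].*$/, "", section); next }
        /^[ \t]*[#;]/ { next }
        section == "global" && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key) && tolower(v) == tolower(want)) found = 1
        }
        END { exit (found ? 0 : 1) }' "$1"
}
# check_offline_ready SMB_CONF PAM_WINBIND_CONF: report each missing setting, fail if any.
check_offline_ready() {
    rc=0
    has_global_setting "$1" "winbind offline logon" yes ||
        { echo "missing in $1: winbind offline logon = yes"; rc=1; }
    has_global_setting "$2" cached_login yes ||
        { echo "missing in $2: cached_login = yes"; rc=1; }
    return $rc
}
# logon_was_cached: succeed if wbinfo -K output on stdin carries LOGON_CACHED_ACCOUNT.
logon_was_cached() {
    grep -q 'user_flgs:.*LOGON_CACHED_ACCOUNT'
}
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/smb.conf" <<'EOF'
[global]
   workgroup = YOURDOM
   Winbind Offline Logon = Yes
EOF
cat > "$TMP/pam_winbind.conf" <<'EOF'
# /etc/security/pam_winbind.conf (constructed sample)
[global]
# (needs "winbind offline logon = yes" in smb.conf)
cached_login = yes
EOF
# Constructed, abbreviated wbinfo -K output taken while winbindd is offline.
WBINFO_OFFLINE='plaintext password authentication succeeded
user_flgs: LOGON_CACHED_ACCOUNT'
check_offline_ready "$TMP/smb.conf" "$TMP/pam_winbind.conf" && echo "both files are ready for offline logon"
printf '%s\n' "$WBINFO_OFFLINE" | logon_was_cached && echo "wbinfo reports a cached logon"
```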