DM and ''offline'' PAM (and NSS?)...

Samba - General mailing list

I'm using samba 4.5 on a debian jessie (Louis packages).


Rarely it happens that a power outage tears down all the stuff, here.
I've noticed that if the DM starts before the DC, clearly all account
data are inaccessible.

To prevent or minimize that, can the ''offline mode'' of winbind be
safely used also on DM servers? Or is it tailored to roaming clients
(portables, ...)?
What benefits and/or drawbacks?


I've seen:
        https://wiki.samba.org/index.php/PAM_Offline_Authentication

and it seems clear to me. But still... some questions:

a) there's no info about the persistence of the cache; so it seems to me
that the cache is ''persistent'', eg data are kept indefinitely and
updated only on successful logons against the DC. Right?

b) the doc speaks about ''passwords'' (PAM) but does not mention at all
''account'' (eg, NSS); it seems obvious to me that all the stuff (password
and account) gets cached; really, in a server I need the latter more
than the former...

c) are password expiration data also cached? It seems to me ''no'',
because in this way also the policy (eg, 'samba-tool domain
passwordsettings') would have to be cached...


Thanks.

--
dott. Marco Gaiarin        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

                Donate 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
        (tax code 00307430132, category ONLUS or HEALTH RESEARCH)

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: DM and ''offline'' PAM (and NSS?)...

Samba - General mailing list

> I've seen:
> https://wiki.samba.org/index.php/PAM_Offline_Authentication

I've tried to enable offline logon, and it seems to work as expected.

I've only found a little strange thing, I think related to the fact
that in my DM I've set 'winbind use default domain = yes'.


Following the wiki, I've enabled offline logon and then done:

['smbcontrol winbind online']
 root@vdmsv1:~# wbinfo -K LNFFVG\\gaio
 Enter LNFFVG\gaio's password:
 plaintext kerberos password authentication for [LNFFVG\gaio] succeeded (requesting cctype: FILE)
 credentials were put in: FILE:/tmp/krb5cc_0

['smbcontrol winbind offline']
 root@vdmsv1:~# wbinfo -K LNFFVG\\gaio
 Enter LNFFVG\gaio's password:
 plaintext kerberos password authentication for [LNFFVG\gaio] succeeded (requesting cctype: FILE)
 user_flgs: NETLOGON_CACHED_ACCOUNT
 credentials were put in: FILE:/tmp/krb5cc_0

Good. But still in 'smbcontrol winbind offline' I've also done a:

 root@vdmsv1:~# wbinfo -K gaio
 Enter gaio's password:
 plaintext kerberos password authentication for [gaio] succeeded (requesting cctype: FILE)
 credentials were put in: FILE:/tmp/krb5cc_0

and there's no 'user_flgs'. Boh...

--
dott. Marco Gaiarin

Re: DM and ''offline'' PAM (and NSS?)...

Samba - General mailing list
What you show below is correct.

In linux, DOM\user != user

If you want that, see:
https://wiki.samba.org/index.php/OpenSSH_Single_sign-on

[realms]
    SAMDOM.EXAMPLE.COM = {
        auth_to_local = RULE:[1:SAMDOM\$1]
    }

Now, since I'm not sure this works OK, I don't use it on my Debian servers; I use option 2.

Option 2 is: ignore the "not recommended" setting "winbind use default domain = yes".


Greetz,

Louis


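A small model of what that auth_to_local rule does, added here as an example and not code from Samba, MIT Kerberos or anyone in the thread: it maps a Kerberos principal (what sshd sees after a GSSAPI logon, the case the OpenSSH SSO wiki page covers) to a local login name, which is why it has no effect on 'getent passwd'. The function names and sample principals are mine; the rule text is taken literally, so the backslash in SAMDOM\$1 is assumed to pass through as the DOMAIN\user separator, and the regexp is assumed to have to match the whole formatted string.

```python
import re

# Added example (not Samba or MIT krb5 code): a small model of how a
# krb5.conf auth_to_local RULE maps a Kerberos principal to a local login.
# Supported shape: RULE:[n:format](regexp)s/pattern/replacement/g
#   n        the rule only fires for principals with exactly n components
#   format   $0 = realm, $1..$n = principal components
#   regexp   optional; assumed to have to match the whole formatted string
#   s/././g  optional substitutions applied to the formatted string
# The rule text is taken literally, so the backslash in "SAMDOM\$1" ends up
# as the DOMAIN\user separator in the result (assumption).

RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(.*)")
SUB_RE = re.compile(r"s/([^/]*)/([^/]*)/(g?)")


def parse_rule(rule):
    """Split a RULE string into (ncomp, format, regexp, substitutions)."""
    m = RULE_RE.fullmatch(rule)
    if not m:
        raise ValueError("unsupported auth_to_local rule: %r" % rule)
    ncomp, fmt, regexp, subs = m.groups()
    return int(ncomp), fmt, regexp, SUB_RE.findall(subs)


def map_principal(rule, principal):
    """Return the local name for principal, or None if the rule does not apply."""
    ncomp, fmt, regexp, subs = parse_rule(rule)
    name, _, realm = principal.rpartition("@")
    comps = name.split("/")
    if len(comps) != ncomp:
        return None                      # e.g. host/fqdn@REALM has 2 components
    local = fmt.replace("$0", realm)
    for i, comp in enumerate(comps, 1):
        local = local.replace("$%d" % i, comp)
    if regexp is not None and not re.fullmatch(regexp, local):
        return None
    for pat, repl, g in subs:
        local = re.sub(pat, repl, local, count=0 if g else 1)
    return local


if __name__ == "__main__":
    wiki_rule = r"RULE:[1:SAMDOM\$1]"   # the rule quoted in the thread
    for p in ("gaio@SAMDOM.EXAMPLE.COM",             # constructed sample
              "host/vdmsv1.samdom.example.com@SAMDOM.EXAMPLE.COM"):
        print(p, "->", map_principal(wiki_rule, p))
```

With the thread's rule, gaio@SAMDOM.EXAMPLE.COM maps to SAMDOM\gaio while a two-component service principal is left unmapped.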

Re: DM and ''offline'' PAM (and NSS?)...

Samba - General mailing list
In reply to this post by Samba - General mailing list
On Mon, 18 Dec 2017 15:51:47 +0100
Marco Gaiarin via samba <[hidden email]> wrote:

>
> > I've seen:
> > https://wiki.samba.org/index.php/PAM_Offline_Authentication
>
> I've tried to enable offline logon, and seems to work as expected.
>
> I've only found a little strange thing, i think related to the fact
> that in my DM i've set 'winbind use default domain = yes'.
>
>
> Folowing the wiki, i've enabled offline logon and then done:
>
> ['smbcontrol winbind online'
>  root@vdmsv1:~# wbinfo -K LNFFVG\\gaio
>  Enter LNFFVG\gaio's password:
>  plaintext kerberos password authentication for [LNFFVG\gaio]
> succeeded (requesting cctype: FILE) credentials were put in:
> FILE:/tmp/krb5cc_0
>
> ['smbcontrol winbind offline']
>  root@vdmsv1:~# wbinfo -K LNFFVG\\gaio
>  Enter LNFFVG\gaio's password:
>  plaintext kerberos password authentication for [LNFFVG\gaio]
> succeeded (requesting cctype: FILE) user_flgs: NETLOGON_CACHED_ACCOUNT
>  credentials were put in: FILE:/tmp/krb5cc_0
>
> Goot. But still in 'smbcontrol winbind offline' i've done also a:
>
>  root@vdmsv1:~# wbinfo -K gaio
>  Enter gaio's password:
>  plaintext kerberos password authentication for [gaio] succeeded
> (requesting cctype: FILE) credentials were put in: FILE:/tmp/krb5cc_0
>
> and there's no 'user_flgs'. Boh...
>

If you have the 'winbind use default domain = yes', winbind strips off
the domain name, so 'LNFFVG\\gaio' becomes 'gaio', or to put it another
way, you do not need to use the domain name with 'getent passwd' etc.

Rowland


Re: DM and ''offline'' PAM (and NSS?)...

Samba - General mailing list
In reply to this post by Samba - General mailing list
Hi! L.P.H. van Belle via samba
  on that day said...

> What you show below is correct.
> In linux, DOM\user != user

I know. And I was using 'wbinfo', which, AFAIK, queries winbind directly
and not the POSIX stuff...


> https://wiki.samba.org/index.php/OpenSSH_Single_sign-on 
> [realms]
>     SAMDOM.EXAMPLE.COM = {
>         auth_to_local = RULE:[1:SAMDOM\$1]
>     }

Interesting! I've looked at that in the past, but I was not interested
in SSO so I've probably skipped it.

Anyway, I've tried to comment out 'winbind use default domain = yes'
and add this stanza to /etc/krb5.conf, but it seems not to work, eg:

        root@vdmsv1:~# getent passwd gaio
        root@vdmsv1:~# getent passwd LNFFVG\\gaio
        LNFFVG\gaio:*:10000:10513:Marco Gaiarin:/home/gaio:/bin/bash

only the 'domainful' version of the account works.


> Now, since im not sure this works ok, i dont use it on my debian servers, i use option2.
> option2 is ignore the "not recommended setting :  "winbind use default domain = yes"

Me too, option 2. ;-)

--
dott. Marco Gaiarin

Re: DM and ''offline'' PAM (and NSS?)...

Samba - General mailing list
In reply to this post by Samba - General mailing list
Hi! Rowland Penny via samba
  on that day said...

> If you have the 'winbind use default domain = yes', winbind strips off
> the domain name, so 'LNFFVG\\gaio' becomes 'gaio', or to put it another
> way, you do not need to use the domain name with 'getent passwd' etc

I know that. I've simply made a note about the fact that 'wbinfo -K
LNFFVG\\gaio' prints the offline flags:

        user_flgs: NETLOGON_CACHED_ACCOUNT

while 'wbinfo -K gaio' does not.


(but both authenticate my user correctly, also with 'smbcontrol winbind offline').

--
dott. Marco Gaiarin

Re: DM and ''offline'' PAM (and NSS?)...

Samba - General mailing list
So you discovered a minor bug in wbinfo..
>> https://bugzilla.samba.org/  ;-)


Greetz,

Louis



Re: DM and ''offline'' PAM (and NSS?)...

Samba - General mailing list
In reply to this post by Samba - General mailing list
On Mon, 18 Dec 2017 16:44:32 +0100
Marco Gaiarin via samba <[hidden email]> wrote:

> Hi! L.P.H. van Belle via samba
>   on that day said...
>
> > What you show below is correct.
> > In linux, DOM\user != user
>
> I know. And i was using 'wbinfo', that, AFAIK query directly winbind
> and no POSIX stuff...
>
>
> > https://wiki.samba.org/index.php/OpenSSH_Single_sign-on 
> > [realms]
> >     SAMDOM.EXAMPLE.COM = {
> >         auth_to_local = RULE:[1:SAMDOM\$1]
> >     }
>
> Interesting! I've looked at that in the past, but i was not interested
> in SSO so i've probably skipped.
>
> Anyway, i've tried to comment out 'winbind use default domain = yes'
> and add this stanza to /etc/krb5.conf but seems does not work, eg:
>
> root@vdmsv1:~# getent passwd gaio
> root@vdmsv1:~# getent passwd LNFFVG\\gaio
> LNFFVG\gaio:*:10000:10513:Marco Gaiarin:/home/gaio:/bin/bash
>
> only the 'domainful' version of the account work.

Of course it doesn't work. If you look at 'winbind use default domain =
yes', it is clearly telling 'winbind' to use the default domain even if
it is not supplied; if it is turned off, then 'gaio' is not a domain
member, but 'LNFFVG\\gaio' is.

>
>
> > Now, since im not sure this works ok, i dont use it on my debian
> > servers, i use option2. option2 is ignore the "not recommended
> > setting :  "winbind use default domain = yes"
>
> Also i, option 2. ;-)
>

Just don't add a trusted domain ;-)

Rowland



Re: DM and ''offline'' PAM (and NSS?)...

Samba - General mailing list
Hi! Rowland Penny via samba
  on that day said...

> > only the 'domainful' version of the account work.
> Of course it doesn't work, if you look at 'winbind use default domain =
> yes', it is clearly telling 'winbind' to use the default domain even if
> it is not supplied, if it is turned off, then 'gaio' is not a domain
> member, but 'LNFFVG\\gaio' is.

OK, probably I've not understood what 'auth_to_local' does; I supposed it does
the same (translating logins to DOMAIN\\logins)...


> > Also i, option 2. ;-)
> Just don't add a trusted domain ;-)

Sure!

--
dott. Marco Gaiarin

Re: DM and ''offline'' PAM (and NSS?)...

Samba - General mailing list
In reply to this post by Samba - General mailing list
Hi! L.P.H. van Belle via samba
  on that day said...

> So you discovered a minor bug in wbinfo..

Cool! Bug filed:

        https://bugzilla.samba.org/show_bug.cgi?id=13196

--
dott. Marco Gaiarin