From: Linux Addict on 20 Apr 2010 09:50

Did you check the release notes for 3.4? I have the same config (cached_login) as you and it works fine on 3.2.

On Fri, Apr 16, 2010 at 5:17 PM, Bryant, Phillip - IS <Phillip.Bryant(a)itt.com> wrote:
> Having issues adapting our 3.4 configuration that worked very well using
> idmap rid in 3.3.
>
> It seems like winbind does not cache the credentials despite all of the
> settings being present. I can set winbind offline via smbcontrol and have it
> work, but if I reboot the machine (important for my laptops) off the network
> winbind complains that it can't find the logon server.
>
> When disconnected and booted cold off the network, logon reports no logon
> server.
>
> Testing with wbinfo -K while offline:
> wbinfo -K bry47927
> Enter bry47927's password:
> plaintext kerberos password authentication for [bry47927] succeeded
> (requesting cctype: FILE)
> user_flgs: NETLOGON_CACHED_ACCOUNT
> no credentials cached
>
> Not sure why this works but regular logon does not.
>
> Samba config:
> This configuration works fine connected to the LAN. But, having to digest
> more than a year's worth of changes and updates I'm not sure if the idmap
> settings are really correct.
>
> [global]
> workgroup = AES
> realm = AES.DE.ITTIND.COM
> server string = Samba Server Version %v
> security = ADS
> password server = 2008dc
> log file = /var/log/samba/log.%m
> max log size = 50
> enable core files = No
> idmap backend = tdb
> idmap uid = 800 - 9999
> idmap gid = 800 - 9999
> # idmap domains = BUILTIN, AES
> # idmap config AES: default = yes
> idmap config AES: backend = rid
> template shell = /bin/bash
> winbind use default domain = Yes
> winbind offline logon = Yes
> idmap config AES : range = 100000 - 900000
> cups options = raw
>
> pam settings:
>
> auth required pam_env.so
> auth sufficient pam_fprintd.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_krb5.so use_first_pass
> auth sufficient pam_winbind.so cached_login use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_krb5.so
> account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3 minlen=12 dcredit=1 ucredit=1 lcredit=1 ocredit=1
> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password sufficient pam_krb5.so use_authtok
> password sufficient pam_winbind.so cached_login use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session optional pam_mkhomedir.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_krb5.so
>
> pam_winbind.conf:
>
> [global]
>
> # turn on debugging
> ;debug = no
>
> # turn on extended PAM state debugging
> ;debug_state = no
>
> # request a cached login if possible
> # (needs "winbind offline logon = yes" in smb.conf)
> cached_login = yes
>
> # authenticate using kerberos
> ;krb5_auth = yes
>
> # when using kerberos, request a "FILE" krb5 credential cache type
> # (leave empty to just do krb5 authentication but not have a ticket
> # afterwards)
> ;krb5_ccache_type = file
>
> Nsswitch.conf:
>
> passwd: files winbind
> shadow: files winbind
> group: files winbind
>
>
> Phillip Bryant - ABQ IT Site Lead
> 5901 Indian School Rd NE
> ph# 505-889-7016
> cell# 505-385-8668
> RHCT/RHCE RHEL 5 ID#805009017938113
> MCSE NT4.0, 2000, 2003, 2008 MCP ID#1150956
> MCTS Windows 7, Windows Server 2008 Enterprise
> MCP+I
> MCP
>
>
> ________________________________
> This e-mail and any files transmitted with it may be proprietary and are
> intended solely for the use of the individual or entity to whom they are
> addressed. If you have received this e-mail in error please notify the
> sender.
> Please note that any views or opinions presented in this e-mail are solely
> those of the author and do not necessarily represent those of ITT
> Corporation. The recipient should check this e-mail and any attachments for
> the presence of viruses. ITT accepts no liability for any damage caused by
> any virus transmitted by this e-mail.
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
From: Linux Addict on 20 Apr 2010 13:00

I say remove the pam_krb5.so on one of the hosts and restart winbind and test. I think it doesn't even get to the winbind layer and is rejected on the krb layer itself, which is where it is cached. Also check /etc/security/pam_winbind.conf if it exists.

On Tue, Apr 20, 2010 at 9:44 AM, Linux Addict <linuxaddict7(a)gmail.com> wrote:
> Did you check the release notes for 3.4? I have the same
> config(cached_login) as you and works fine on 3.2.
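The auth and account stacks quoted in the original post, and the suggestion in this reply to take pam_krb5.so out of the stack, can both be reasoned about by replaying the stack under the control-flag rules documented in pam.d(5). The Python below is an added example written for this page; it is not Samba, Linux-PAM or either poster's code. The PAM_CONFIG lines are copied from the thread; the return code each module produces in the online and offline scenarios (pam_krb5 reporting authinfo_unavail when no KDC is reachable, pam_winbind answering from its credential cache, pam_unix rejecting a domain user's password, and so on) are assumptions chosen for illustration, not observations from the poster's laptops. Because wbinfo -K talks to winbindd directly and never runs a PAM account stack, the example evaluates auth and account separately.

```python
"""Replay Linux-PAM stack evaluation for the auth and account stacks quoted in
this thread.  Added example, not Samba or Linux-PAM code.  Control-flag
semantics follow pam.d(5) and libpam's dispatch loop; every per-module return
code below is a constructed assumption, not a measurement."""

# The four keyword controls, as pam.d(5) documents their bracket equivalents.
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}

# The auth and account lines exactly as posted (one wrapped line re-joined).
PAM_CONFIG = """
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_winbind.so cached_login use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
account required pam_permit.so
"""


def parse_line(line):
    """Return (stack_type, module, {return_code: action}) for one pam.d line."""
    parts = line.split()
    if parts[1] in KEYWORDS:
        control, module = KEYWORDS[parts[1]], parts[2]
    else:  # bracket controls contain spaces: gather tokens up to the closing "]"
        end = next(i for i, p in enumerate(parts) if p.endswith("]"))
        control, module = " ".join(parts[1:end + 1]), parts[end + 1]
    actions = dict(pair.split("=", 1) for pair in control.strip("[]").split())
    return parts[0], module, actions


def load_stack(config, stack_type):
    """[(module, actions)] for every line of the requested stack type."""
    stack = []
    for line in config.splitlines():
        if line.strip() and not line.startswith("#"):
            kind, module, actions = parse_line(line)
            if kind == stack_type:
                stack.append((module, actions))
    return stack


def evaluate(stack, results):
    """Walk a stack the way libpam's dispatcher does.  results maps module ->
    return code (unlisted modules return 'success').  Returns the final code
    and the module whose result was adopted as that final code."""
    impression = None            # None: undecided, True: positive, False: negative
    status, decider = "perm_denied", None
    i = 0
    while i < len(stack):
        module, actions = stack[i]
        code = results.get(module, "success")
        action = actions.get(code, actions.get("default", "bad"))
        i += 1
        if action == "ignore":
            continue
        if action.isdigit():                     # jump: skip the next N entries
            i += int(action)
        elif action in ("ok", "done"):
            # A success is adopted only while no failure has been recorded.
            if impression is None or (impression and status == "success"):
                impression, status, decider = True, code, module
            if action == "done" and impression:  # stop only when still positive
                break
        elif action in ("bad", "die"):
            # The first failure sticks; later successes cannot override it.
            if impression is not False:
                impression, status, decider = False, code, module
            if action == "die":
                break
    return status, decider


def scenario(online, password_ok=True):
    """Constructed module return codes for a domain user (assumptions)."""
    krb5 = ("success" if password_ok else "auth_err") if online else "authinfo_unavail"
    auth = {
        "pam_env.so": "ignore",                # sets environment, gives no verdict
        "pam_fprintd.so": "authinfo_unavail",  # no fingerprint reader present
        "pam_unix.so": "auth_err",             # domain user has no local password
        "pam_krb5.so": krb5,                   # KDC reachable or not
        "pam_winbind.so": "success" if password_ok else "auth_err",  # cache hit
        "pam_deny.so": "auth_err",
    }
    account = {
        "pam_localuser.so": "perm_denied",     # not listed in /etc/passwd
        "pam_succeed_if.so": "auth_err",       # "uid < 500" does not hold
        "pam_krb5.so": krb5,
    }
    return auth, account


def login_outcome(online, drop=(), password_ok=True):
    """(auth result, account result) for the posted stacks, optionally with
    modules removed, e.g. drop=("pam_krb5.so",) as this reply suggests."""
    auth_codes, account_codes = scenario(online, password_ok)
    auth = [e for e in load_stack(PAM_CONFIG, "auth") if e[0] not in drop]
    account = [e for e in load_stack(PAM_CONFIG, "account") if e[0] not in drop]
    return evaluate(auth, auth_codes), evaluate(account, account_codes)


if __name__ == "__main__":
    for online in (True, False):
        for drop in ((), ("pam_krb5.so",)):
            auth, account = login_outcome(online, drop)
            print(f"online={online!s:5} drop={drop}: auth={auth} account={account}")
```

Run it with python3 and compare the four printed rows: the thing to look at is which module ends up deciding each stack, since a cached-credential success in the auth stack says nothing about what a module with default=bad does in the account stack when it cannot reach its server. The scenario codes are the part to replace with what pam_winbind's debug option and the pam_krb5 logs actually show on a real host.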