I need help, or direction, or something because I've been racking my brain trying to get this working in my home lab.
I have a Samba AD DC provisioned that's working great. I have a laptop running Arch Linux that's also working great. These two can talk to each other and that's working great.
What I can't get to work is logging into my laptop when I don't have line-of-sight to the DC... When my laptop is connected to a network with direct connectivity to the DC, there are no issues and I'm loving it. However, trying to set up PAM/winbind for offline/cached logon appears to be another beast altogether and I'm hoping for some guidance.
I can login to the display manager as "DOMAIN\orlin" and start a desktop session without any issues. Then, if I disconnect the network, I can run:
wbinfo -K DOMAIN\\orlin --krb5ccname FILE:/run/user/30000XX/krb5cc
which returns:
user_flgs: NETLOGON_CACHED_ACCOUNT
as expected. However, at this point, if I log out of the desktop session and attempt to log back in to the display manager again while disconnected from the network (after verifying the file "/run/user/30000XX/krb5cc" is still present), the display manager hangs, times out, and states the password is incorrect. If I flip back to another TTY session already logged in as the local root account and run:
faillock --user DOMAIN\\orlin
there are no failures recorded for the user. Trying to log in to a TTY session as "DOMAIN\orlin" when disconnected from the network also fails with the same results as the display manager. And finally, it fails to let me "su" into "DOMAIN\\orlin" from root when the network is disconnected.
All three scenarios (display manager, TTY, and su) work when my laptop has line-of-sight to the DC.
Config time... Pardon the mess, I've been working on this for a few days and have tried many configuration variations to try to get this working.
/etc/samba/smb.conf
-------------------
[global]
# Domain-member smb.conf for the laptop.  Offline (cached) logon needs three
# things to line up: `winbind offline logon` here, pam_winbind being invoked
# with cached_login (as a PAM line option or in /etc/security/pam_winbind.conf),
# and at least one successful ONLINE logon through that PAM path so winbindd
# has credentials to cache.  A working `wbinfo -K` offline does not prove the
# PAM path caches anything: as far as I recall wbinfo -K asks winbindd for a
# cached logon itself, which pam_winbind only does when cached_login is set.
apply group policies = Yes
# Machine-account key material lives here; keep /etc/krb5.keytab root-only (0600).
dedicated keytab file = /etc/krb5.keytab
# Default backend only for SIDs outside the AD domain (BUILTIN etc.); its range
# must not overlap the DOMAIN range below (3000-7999 vs 3000000-7999999: OK).
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# UIDs/GIDs come from the AD uidNumber/gidNumber attributes; the 30000XX UID in
# the ccache path quoted above falls inside this range, so the mapping itself
# looks consistent.
idmap config DOMAIN : backend = ad
idmap config DOMAIN : range = 3000000-7999999
idmap config DOMAIN : schema_mode = rfc2307
idmap config DOMAIN : unix_nss_info = yes
idmap config DOMAIN : unix_primary_group = yes
kerberos method = secrets and keytab
log file = /var/log/samba/%m.log
# While chasing the offline path, raise this temporarily, e.g.
# `log level = 1 winbind:10 auth:10`, and check which file under
# /var/log/samba winbindd actually writes to (it is not necessarily the %m one).
log level = 1
map acl inherit = Yes
realm = INTERNAL.DOMAIN.TLD
restrict anonymous = 2
security = ads
server role = member server
store dos attributes = Yes
# With `winbind use default domain = yes` (below) %U is the bare user name, so
# this expands to /home/orlin.DOMAIN.
template homedir = /home/%U.%D
template shell = /bin/bash
vfs objects = acl_xattr, recycle
# Enumeration is not needed for logon and makes every getpwent()/getgrent()
# walk the whole domain; turn both off once logon works.
winbind enum users = yes
winbind enum groups = yes
# This only permits winbindd to cache credentials; pam_winbind must also ask
# for it (cached_login) on every logon, online and offline.  Check the actual
# state with `wbinfo --online-status`; `smbcontrol winbindd offline` forces
# offline mode so you can test without unplugging.
winbind offline logon = Yes
# Renewal only helps if the TGT is renewable and its renew lifetime outlasts
# the ticket lifetime; verify with `klist -f` in a logged-in session.
winbind refresh tickets = Yes
# The display-manager "hang, then time out" matches winbindd waiting this long
# for a DC; if winbindd never marks the domain offline, the request fails
# instead of falling back to the cache.
winbind request timeout = 10
# Lets users log in as plain `orlin` (the `DOMAIN\orlin` form still works).
# faillock keys on the name exactly as typed at the prompt, so query the same
# form you used to log in.
winbind use default domain = yes
workgroup = DOMAIN
/etc/krb5.conf
--------------
[libdefaults]
default_realm = INTERNAL.DOMAIN.TLD
dns_lookup_realm = false
# SRV lookups for the KDC; the explicit `kdc =` entries below are used as
# well, so offline the laptop simply fails to reach any KDC and must rely on
# winbind's cache.
dns_lookup_kdc = true
# FILE ccache under the user's runtime dir.  pam_winbind picks its ccache from
# its own krb5_ccache_type setting, not from this line; the --krb5ccname you
# pass to wbinfo suggests this path is already what winbindd writes, but
# confirm the two agree once pam_winbind.conf is sorted out.
default_ccache_name = /run/user/%{uid}/krb5cc
[realms]
INTERNAL.DOMAIN.TLD = {
kdc = DC1.INTERNAL.DOMAIN.TLD
default_domain = INTERNAL.DOMAIN.TLD
admin_server = DC1.INTERNAL.DOMAIN.TLD
}
# NOTE(review): "DOMAIN" is the NetBIOS name, not a Kerberos realm.  Samba maps
# the short name to the realm via `realm =` in smb.conf, so this stanza is
# presumably left over from experimenting and can be dropped.
DOMAIN = {
kdc = DC1.INTERNAL.DOMAIN.TLD
default_domain = INTERNAL.DOMAIN.TLD
admin_server = DC1.INTERNAL.DOMAIN.TLD
}
[domain_realm]
.internal.domain.tld = INTERNAL.DOMAIN.TLD
internal.domain.tld = INTERNAL.DOMAIN.TLD
# NOTE(review): the `pam` application section is what pam_krb5 reads; the PAM
# stacks below use pam_winbind only, so these lifetimes and flags should not
# shape the winbind logon path (winbind's ticket lifetimes come from the KDC
# policy and its own settings).  `forwardable = true` lets clients that support
# delegation (e.g. ssh with GSSAPI delegation) forward your TGT to the remote
# host -- fine for a lab laptop, but keep it deliberate.
[appdefaults]
pam = {
ticket_lifetime = 1d
# Equal to ticket_lifetime, so a renewable ticket could never be renewed past
# its initial expiry; a renew_lifetime longer than the ticket (e.g. 7d) is the
# usual shape if renewal is wanted.
renew_lifetime = 1d
forwardable = true
proxiable = false
minimum_uid = 1
}
/etc/security/pam_winbind.conf
------------------------------
# NOTE(review): what follows is byte-for-byte the /etc/krb5.conf listed above --
# either a paste mix-up in the post or the wrong content on disk.  Either way,
# pam_winbind.conf is not krb5.conf syntax: pam_winbind expects a single
# [global] section.  The minimum for offline logon looks like:
#
#   [global]
#   cached_login = yes        # required: makes pam_winbind ask winbindd for a
#                             # cached logon, and winbindd only STORES cached
#                             # credentials on an online logon carrying that flag
#   krb5_auth = yes           # authenticate via Kerberos while the DC is reachable
#   krb5_ccache_type = FILE   # keep in step with default_ccache_name in krb5.conf
#   try_first_pass = yes      # reuse the password the display manager collected
#   debug = yes               # while troubleshooting only; remove afterwards
#
# Without cached_login, winbindd refuses an offline pam_winbind auth instead of
# consulting its cache, and the display manager reports that as a wrong
# password -- which matches the symptom described above.  After adding it, log
# in once ONLINE so the cache is populated, then test with
# `smbcontrol winbindd offline` before pulling the cable.
[libdefaults]
default_realm = INTERNAL.DOMAIN.TLD
dns_lookup_realm = false
dns_lookup_kdc = true
default_ccache_name = /run/user/%{uid}/krb5cc
[realms]
INTERNAL.DOMAIN.TLD = {
kdc = DC1.INTERNAL.DOMAIN.TLD
default_domain = INTERNAL.DOMAIN.TLD
admin_server = DC1.INTERNAL.DOMAIN.TLD
}
DOMAIN = {
kdc = DC1.INTERNAL.DOMAIN.TLD
default_domain = INTERNAL.DOMAIN.TLD
admin_server = DC1.INTERNAL.DOMAIN.TLD
}
[domain_realm]
.internal.domain.tld = INTERNAL.DOMAIN.TLD
internal.domain.tld = INTERNAL.DOMAIN.TLD
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
minimum_uid = 1
}
/etc/pam.d/system-auth
----------------------
#%PAM-1.0
# Arch system-auth with pam_winbind spliced in ahead of pam_unix.
# auth order: faillock preauth -> (systemd-homed) -> winbind -> unix -> faillock.
# On winbind success the [success=2] skips pam_unix and the authfail counter
# and lands on pam_permit; on failure it is ignored and pam_unix gets a try.
auth required pam_faillock.so preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
-auth [success=3 default=ignore] pam_systemd_home.so
# No module options here, so cached_login / krb5_auth / krb5_ccache_type must
# come from /etc/security/pam_winbind.conf.  If that file is not what you think
# it is, spell them out on the line instead:
#   auth [success=2 default=ignore] pam_winbind.so cached_login krb5_auth krb5_ccache_type=FILE try_first_pass
# Without cached_login an offline pam_winbind auth is refused by winbindd rather
# than served from its cache, and the DM shows that as a wrong password.
auth [success=2 default=ignore] pam_winbind.so
auth [success=1 default=bad] pam_unix.so try_first_pass nullok
auth [default=die] pam_faillock.so authfail
auth optional pam_permit.so
auth required pam_env.so
auth required pam_faillock.so authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.
-account [success=2 default=ignore] pam_systemd_home.so
# Offline, pam_winbind can only answer the account check from its cache, so a
# refusal here is the second candidate (besides auth) for the failed logon;
# `debug = yes` in pam_winbind.conf shows which phase says no.
account [success=1 default=ignore] pam_winbind.so
account required pam_unix.so
account optional pam_permit.so
account required pam_time.so
-password [success=2 default=ignore] pam_systemd_home.so
password [success=1 default=ignore] pam_winbind.so
password required pam_unix.so try_first_pass nullok shadow
password optional pam_permit.so
-session optional pam_systemd_home.so
# umask=0022 creates world-readable home directories (0755); prefer umask=0077
# unless other local users are meant to read /home/orlin.DOMAIN.
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_limits.so
session required pam_winbind.so
session required pam_unix.so
session optional pam_permit.so
/etc/nsswitch.conf
------------------
# Name Service Switch configuration file.
# See nsswitch.conf(5) for details.
# `files` first, so root and other local accounts never depend on winbindd.
# Offline, `getent passwd orlin` (and the DOMAIN\orlin form) must still resolve
# from winbindd's cache; if it does not, every logon path -- and `su` -- fails
# before PAM even sees a password, so check this before the PAM stack.
passwd: files winbind mymachines systemd
group: files winbind mymachines systemd
# winbind does not provide shadow entries; pam_winbind does the authentication,
# so leaving it out of shadow/gshadow is correct.
shadow: files systemd
gshadow: files systemd
publickey: files
hosts: mymachines resolve [!UNAVAIL=return] files myhostname dns
networks: files
protocols: files
services: files
ethers: files
rpc: files
netgroup: files
/etc/pam.d/su
-------------
#%PAM-1.0
# Root satisfies pam_rootok and is done with auth, so -- assuming this is the
# file in effect (`su -l` goes through su-l) -- the reported failure of
# `su DOMAIN\orlin` from root offline cannot be a password problem.  Either the
# NSS lookup of the target user fails offline (try `getent passwd` first) or
# pam_winbind refuses in the account/session phase.  That narrows the search.
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth sufficient pam_winbind.so
auth required pam_unix.so
# `sufficient` lets a domain user skip pam_unix's account check; if pam_winbind
# fails offline, pam_unix then decides for a user that has no shadow entry.
account sufficient pam_winbind.so
account required pam_unix.so
# Likewise pam_unix's session handling is skipped for domain users once
# winbind's session succeeds.
session sufficient pam_winbind.so
session required pam_unix.so
password include system-auth
I'm really just hoping I got so deep in the woods that I've either missed something super simple, or someone can just tell me it's just not possible. I just want to understand at this point, and if it's not doable I can accept that as long as I know why...
Any help is appreciated.