[Samba] Issue with pam_winbind for MS AD authentication and module options - Samba


  1. [Samba] Issue with pam_winbind for MS AD authentication and module options

    Hello!

    I've configured samba with winbind and pam_winbind module to
    authenticate users that connect to my linux box against MS AD.

    Works like a charm. If a user exists both in AD and locally, login
    should assume local users. Again, it works pretty well (It seems at
    least with my current config).

    If my AD server goes down for any reason, local users should be able to
    login. For example, root has to login always no matter if my AD server
    exploded.

    That's where the problem is. When I shut down my AD server and I try to
    login with a local user (root as well), my guess is that it seems that
    pam_winbind waits for a very, very long time trying to find my AD server
    to authenticate, so that even the local login times out. I don't really
    know if that is the reason for this behaviour, but if it is, I'm wondering
    if there is a hidden or maybe a new "timeout" option for the pam_winbind
    module, as I didn't find anything related in the man pages and the mailing
    list archives. Or maybe, if login finds the user in the local database,
    bypass winbind authentication; I don't know if that is possible.

    The reason why I came up with this idea is that when the AD server is
    down and I try to login with root, for example, over and over many times,
    after a while it goes through (looks like the pam config order is right),
    but a few minutes later it won't again, which made me think that perhaps
    winbind or pam_winbind are trying to establish a connection with AD and
    somehow, because of that, the whole process slows down so much that even
    local login times out.

    Samba is configured to fetch UIDs and GIDs from AD using SFU and the ad
    idmap backend. Only users that are members of a specified AD group are
    able to login. The purpose of the machine is to be an application server
    and share folders based on AD users and group permissions.

    My system is RHEL AS3 with update 7 and samba-3.0.24.

    Below are my pam lines in the system-auth file:

    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    # auth: local password first, then AD via winbind (domain group membership required)
    auth required /lib/security/$ISA/pam_env.so
    auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
    auth sufficient /lib/security/$ISA/pam_winbind.so try_first_pass require_membership_of=DOMAIN+group
    auth required /lib/security/$ISA/pam_deny.so

    # account: pam_unix is "required", so the stack continues to pam_winbind after it succeeds
    account required /lib/security/$ISA/pam_unix.so nullok_secure
    account sufficient /lib/security/$ISA/pam_winbind.so

    password required /lib/security/$ISA/pam_cracklib.so retry=3
    password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
    password required /lib/security/$ISA/pam_deny.so

    session required /lib/security/$ISA/pam_limits.so
    session required /lib/security/$ISA/pam_unix.so
    session required /lib/security/$ISA/pam_mkhomedir.so umask=0022 skel=/etc/skel

    Considering that if a user exists both in the local user database and
    AD, login has to assume the local user (seems to be working fine), could
    someone give me a hint as to whether I'm on the right path, and maybe an
    idea why, or what I could do so that when my AD server goes down my local
    users (including root) can log in normally?

    Any help will be greatly appreciated,

    Andre

    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba
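    To see which modules a local login actually consults with the stack posted above, here is an added Python model of the Linux-PAM control flags (not code from the thread or from Samba). The user sets and per-module verdicts are constructed, and "timeout" stands in for pam_winbind blocking while winbindd cannot reach the domain controller; the key semantics it encodes is that a `sufficient` success ends the stack, whereas a `required` success does not, so the posted account stack still calls pam_winbind for root.

```python
# Toy model of Linux-PAM control-flag semantics (required / requisite /
# sufficient) that traces which modules a login actually consults. Added
# illustration; module verdicts are constructed, "timeout" = winbindd stalled.

LOCAL_USERS = {"root"}          # constructed local account database
AD_USERS = {"DOMAIN+alice"}     # constructed domain accounts

def make_modules(ad_up):
    """Return a callable giving each module's (simulated) verdict for a user."""
    def call(module, user):
        if module == "pam_unix":       # knows only local accounts in this model
            return "success" if user in LOCAL_USERS else "user_unknown"
        if module == "pam_winbind":
            if not ad_up:
                return "timeout"       # the call that stalls the login
            return "success" if user in AD_USERS else "user_unknown"
        if module == "pam_deny":
            return "failure"
        return "success"               # pam_env and similar always succeed
    return call

def run_stack(stack, call, user):
    """Walk a stack of (control, module) pairs; return (outcome, modules consulted)."""
    consulted, required_failed = [], False
    for control, module in stack:
        result = call(module, user)
        consulted.append(module)
        if control == "sufficient":
            if result == "success" and not required_failed:
                return "success", consulted   # short-circuit: rest is skipped
        elif control == "requisite":
            if result != "success":
                return "failure", consulted
        elif control == "required":
            if result != "success":
                required_failed = True        # remembered, but the stack goes on
    return ("failure" if required_failed else "success"), consulted

# Stacks as posted in the thread (module options omitted).
AUTH_POSTED = [("required", "pam_env"), ("sufficient", "pam_unix"),
               ("sufficient", "pam_winbind"), ("required", "pam_deny")]
ACCOUNT_POSTED = [("required", "pam_unix"), ("sufficient", "pam_winbind")]
# Variant in which a known local account also short-circuits the account phase.
ACCOUNT_LOCAL_FIRST = [("sufficient", "pam_unix"), ("sufficient", "pam_winbind"),
                       ("required", "pam_deny")]

if __name__ == "__main__":
    dc_down = make_modules(ad_up=False)
    print(run_stack(ACCOUNT_POSTED, dc_down, "root"))       # pam_winbind still consulted
    print(run_stack(ACCOUNT_LOCAL_FIRST, dc_down, "root"))  # pam_winbind skipped
```

    Whether reordering the account phase is acceptable depends on what else the account stack must enforce for domain users, so treat the variant as a tracing aid, not a drop-in replacement.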

  2. Re: [Samba] Issue with pam_winbind for MS AD authentication and module options

    Hi,

    maybe this isn't exactly what you're looking for, but it could help you:

    "pam_ccreds"

    Cached credentials: this should give you full access to your server even
    if the AD server is down. I haven't used this module yet. Just found it
    today while looking for a solution concerning a similar issue.

    Good luck!

    Sebastian Knieschewski

  3. Re: [Samba] Issue with pam_winbind for MS AD authentication and module options

    Hi,

    Thanks for your reply!
    As you said that you have a similar issue, I think you can achieve this
    with the pam_winbind module as well, with the cached_login option set and
    with "winbind offline logon" enabled in your smb.conf file, if I'm correct.

    In both cases, I can't think of how it could work when you have for
    example two usernames with the same name in ad and linux but with
    different passwords.

    Any ideas?

    Andre

    Sebastian Knieschewski wrote:
    > Hi,
    >
    > maybe this isn't exactly what you're looking for, but it could help you:
    >
    > "pam_ccreds"
    >
    > cached credentials, this should give you full access to your server
    > even if the ad-server is down. I haven't used this module yet. Just
    > found it today while looking for a solution concerning a similar issue.
    >
    > Good luck!
    >
    > Sebastian Knieschewski
    >


  4. Re: [Samba] Issue with pam_winbind for MS AD authentication and module options

    Andre Fernando Goldacker schrieb:
    > In both cases, I can't think of how it could work when you have for
    > example two usernames with the same name in ad and linux but with
    > different passwords.
    >

    ssh DOMAIN+USERNAME@YOURHOST for AD-User ("winbind separator = +" in
    your smb.conf)

    ssh USERNAME@YOURHOST for Unix-User

    This is the way I can log on to my Linux box with an apparently equal user,
    despite one being registered in AD and the other in the Unix system.

    HTH

    Sebastian
