Did you check the release notes for 3.4? I have the same config (cached_login) as you and it works fine on 3.2.

On Fri, Apr 16, 2010 at 5:17 PM, Bryant, Phillip - IS <[email protected]> wrote:

> Having issues adapting our 3.4 configuration that worked very well using
> idmap rid in 3.3.
>
> It seems like winbind does not cache the credentials despite all of the
> settings being present. I can set winbind offline via smbcontrol and have it
> work, but if I reboot the machine (important for my laptops) off the network
> winbind complains that it can't find the logon server.
>
> When disconnected and booted cold off the network, logon reports no logon
> server.
>
> Testing with wbinfo -K while offline:
>
> wbinfo -K bry47927
> Enter bry47927's password:
> plaintext kerberos password authentication for [bry47927] succeeded (requesting cctype: FILE)
> user_flgs: NETLOGON_CACHED_ACCOUNT
> no credentials cached
>
> Not sure why this works but regular logon does not.
>
> Samba config:
> This configuration works fine connected to the LAN. But, having to digest
> more than a year's worth of changes and updates I'm not sure if the idmap
> settings are really correct.
>
> [global]
> workgroup = AES
> realm = AES.DE.ITTIND.COM
> server string = Samba Server Version %v
> security = ADS
> password server = 2008dc
> log file = /var/log/samba/log.%m
> max log size = 50
> enable core files = No
> idmap backend = tdb
> idmap uid = 800 - 9999
> idmap gid = 800 - 9999
> # idmap domains = BUILTIN, AES
> # idmap config AES: default = yes
> idmap config AES: backend = rid
> template shell = /bin/bash
> winbind use default domain = Yes
> winbind offline logon = Yes
> idmap config AES : range = 100000 - 900000
> cups options = raw
>
> pam settings:
>
> auth required pam_env.so
> auth sufficient pam_fprintd.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_krb5.so use_first_pass
> auth sufficient pam_winbind.so cached_login use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_krb5.so
> account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3 minlen=12 dcredit=1 ucredit=1 lcredit=1 ocredit=1
> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password sufficient pam_krb5.so use_authtok
> password sufficient pam_winbind.so cached_login use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session optional pam_mkhomedir.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_krb5.so
>
> pam_winbind.conf:
>
> [global]
>
> # turn on debugging
> ;debug = no
>
> # turn on extended PAM state debugging
> ;debug_state = no
>
> # request a cached login if possible
> # (needs "winbind offline logon = yes" in smb.conf)
> cached_login = yes
>
> # authenticate using kerberos
> ;krb5_auth = yes
>
> # when using kerberos, request a "FILE" krb5 credential cache type
> # (leave empty to just do krb5 authentication but not have a ticket
> # afterwards)
> ;krb5_ccache_type = file
>
> Nsswitch.conf:
>
> passwd: files winbind
> shadow: files winbind
> group: files winbind
>
> Phillip Bryant - ABQ IT Site Lead
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
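
The pam_winbind.conf comment quoted above notes that cached_login needs "winbind offline logon = yes" in smb.conf. The following is an added example (not from this thread or from the Samba project) that checks the two sides agree. It verifies only that prerequisite and does not diagnose the 3.4 behaviour reported; the function names and sample strings are constructed for illustration.

```python
import re

TRUE = {"yes", "true", "on", "1"}  # boolean spellings accepted as "enabled"

def ini_section(text, section="global"):
    """Return {normalised key: value} for one INI section (# and ; are comments)."""
    params, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
        elif current == section and "=" in line:
            key, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def pam_winbind_entries(text):
    """Return (type, options) for every pam_winbind.so line in a PAM stack."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        # the control field is either one word or a bracketed [value=action ...] list
        m = re.match(r"(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m and m.group(3).endswith("pam_winbind.so"):
            entries.append((m.group(1), m.group(4).split()))
    return entries

def audit(smb_conf, pam_stack, pam_winbind_conf=""):
    """List mismatches between cached_login requests and the smb.conf setting."""
    offline = ini_section(smb_conf).get("winbindofflinelogon", "no").lower() in TRUE
    conf_cached = ini_section(pam_winbind_conf).get("cached_login", "no").lower() in TRUE
    findings = []
    for pam_type, opts in pam_winbind_entries(pam_stack):
        cached = conf_cached or "cached_login" in opts
        if cached and not offline:
            findings.append(f"{pam_type}: cached_login set but 'winbind offline logon' is off")
        if pam_type == "auth" and offline and not cached:
            findings.append("auth: offline logon enabled but cached_login not requested")
    return findings

# Constructed sample, modelled on the settings quoted in the message above.
SMB = "[global]\n security = ADS\n winbind offline logon = Yes\n"
PAM = ("auth sufficient pam_winbind.so cached_login use_first_pass\n"
       "account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login\n")
CONF = "[global]\n;debug = no\ncached_login = yes\n"

if __name__ == "__main__":
    print(audit(SMB, PAM, CONF) or "cached-login prerequisites consistent")
```

An empty result means the cached-login settings are mutually consistent, which matches the quoted configuration; it says nothing about whether winbind actually has credentials cached.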
