Il 12/02/19 20:38, Andreas Hasenack ha scritto:
> Ok, can you please share your configuration files so I can give it a
> try?
of course!

> - smb.conf
# Global parameters
# Domain-member setup (security = DOMAIN) using winbind with offline logon,
# as printed by testparm in this report.
[global]
    # Connections from domains other than the one this host is joined to are refused.
    allow trusted domains = No
    # testparm flags this value in the output quoted in this message: SMB signing
    # may not be used when contacting a domain controller or other server.
    client ipc signing = if_required
    dns proxy = No
    # %m expands to the client machine name, giving one log file per client.
    log file = /var/log/samba/log.%m
    # A logon with a user name that does not exist is treated as a guest logon;
    # a wrong password for an existing user is still rejected.
    map to guest = Bad User
    max log size = 1000
    # Samba honours PAM account and session restrictions.
    obey pam restrictions = Yes
    # Password-change handling: with unix password sync the Unix password is
    # changed together with the SMB password, via PAM or the passwd program below.
    pam password change = Yes
    panic action = /usr/share/samba/panic-action %d
    # NOTE(review): passwd chat is one logical line; the break before the second
    # "%n\n" looks like mail-client wrapping rather than part of smb.conf.
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* 
%n\n *password\supdated\ssuccessfully* .
    passwd program = /usr/bin/passwd %u
    # Authentication is delegated to a domain controller; testparm reports
    # ROLE_DOMAIN_MEMBER for this configuration.
    security = DOMAIN
    # Clients of this server must use SMB signing.
    server signing = required
    server string = %h server (Samba, Ubuntu)
    # Login shell handed to domain users resolved through winbind.
    template shell = /bin/bash
    unix password sync = Yes
    # User-defined shares (usershares) are allowed to grant guest access.
    usershare allow guests = Yes
    # Domain users and groups can be enumerated (e.g. by getent); this can be
    # slow on large domains.
    winbind enum groups = Yes
    winbind enum users = Yes
    winbind expand groups = 1
    # winbindd keeps credentials of users who logged on so that pam_winbind
    # (cached_login) can authenticate them while no domain controller is
    # reachable. This is the feature the bug report is about; the cached
    # credential data lives on the local machine.
    winbind offline logon = Yes
    workgroup = MYDOMAIN
    # ID mapping: the default domain (*) uses tdb in 25000-30000 and "dominiocsa"
    # uses rid in 10000-24999; the two ranges do not overlap.
    # NOTE(review): the idmap domain "dominiocsa" differs from workgroup
    # MYDOMAIN above. Presumably the workgroup was redacted for the post; if the
    # names really differ, the rid mapping would not apply to the joined domain
    # (confirm with the reporter).
    idmap config * : range = 25000-30000
    idmap config dominiocsa : range = 10000-24999
    idmap config dominiocsa : backend = rid
    idmap config * : backend = tdb


# Printer share section: spools print jobs into /var/spool/samba.
[printers]
    # Not listed when clients browse the server's shares.
    browseable = No
    comment = All Printers
    # Spool files are created accessible to their owner only.
    create mask = 0700
    path = /var/spool/samba
    printable = Yes


# Share that exposes printer driver files to clients.
# NOTE(review): no write-access settings appear in this dump; testparm prints
# only non-default values, so the share presumably keeps the default
# read only = Yes. Confirm against the full smb.conf.
[print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers


> - pam_winbind config
$ egrep -v "^(#|;|$)" /etc/security/pam_winbind.conf
# pam_winbind.conf defaults applied to every pam_winbind.so invocation.
[global]
# Verbose module logging, including a dump of the PAM state on each call.
# These are troubleshooting settings, presumably enabled for this bug report.
debug = yes
debug_state = yes
# Accept credentials cached by winbindd; relies on
# "winbind offline logon = Yes" in smb.conf.
cached_login = yes

> - relevant /etc/pam.d/ files for the service you are trying (ssh, common-* 
> probably)
$ egrep -v "^(#|$)" /etc/pam.d/sshd
# PAM stack for the sshd service; authentication, account and password
# handling are pulled in from the common-* files quoted in this message.
@include common-auth
# Refuse non-root logins while /etc/nologin exists.
account    required     pam_nologin.so
@include common-account
# NOTE(review): this entry and the "pam_selinux.so close" line after it are one
# PAM line; the break looks like mail-client wrapping.
session [success=ok ignore=ignore module_unknown=ignore default=bad]    
pam_selinux.so close
# Record the login uid for the session (used by auditing).
session    required     pam_loginuid.so
# Give the session a fresh session keyring, revoked at logout.
session    optional     pam_keyinit.so force revoke
@include common-session
session    optional     pam_motd.so  motd=/run/motd.dynamic
session    optional     pam_motd.so noupdate
session    optional     pam_mail.so standard noenv # [1]
session    required     pam_limits.so
session    required     pam_env.so # [1]
session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
# NOTE(review): wrapped like the earlier pam_selinux entry; "open" belongs to
# the same PAM line.
session [success=ok ignore=ignore module_unknown=ignore default=bad]    
pam_selinux.so open
@include common-password

$ egrep -v "^(#|$)" /etc/pam.d/common-auth
# Primary authentication stack: local accounts first, then winbind. A success
# in either module jumps over pam_deny and lands on pam_permit.
# success=2 skips the next two entries. nullok_secure is the Debian/Ubuntu
# pam_unix option that accepts empty passwords only on terminals listed in
# /etc/securetty.
auth    [success=2 default=ignore]    pam_unix.so nullok_secure
# success=1 skips pam_deny. cached_login lets pam_winbind accept credentials
# cached by winbindd when no domain controller is reachable; krb5_auth with
# krb5_ccache_type=FILE asks for a Kerberos ticket kept in a file cache;
# try_first_pass reuses the password already typed for pam_unix.
# NOTE(review): the next two lines are one PAM entry; the break looks like
# mail-client wrapping.
auth    [success=1 default=ignore]    pam_winbind.so krb5_auth 
krb5_ccache_type=FILE cached_login try_first_pass
# Reached only when neither module above succeeded: fail immediately.
auth    requisite            pam_deny.so
# Landing point for the success jumps; gives the stack a positive result.
auth    required            pam_permit.so
auth    optional            pam_cap.so

$ egrep -v "^(#|$)" /etc/pam.d/common-account
# Account (authorization) stack: pam_unix, then pam_winbind; success in either
# jumps past pam_deny to pam_permit. new_authtok_reqd=done ends the stack when
# a module reports that the password must be changed.
account    [success=2 new_authtok_reqd=done default=ignore]    pam_unix.so
account    [success=1 new_authtok_reqd=done default=ignore]    pam_winbind.so
# Reached only when neither module above succeeded.
account    requisite            pam_deny.so
account    required            pam_permit.so

$ egrep -v "^(#|$)" /etc/pam.d/common-password
# Password-change stack: local password via pam_unix (basic strength checks
# through "obscure", SHA-512 hashes), then the domain password via pam_winbind.
password    [success=2 default=ignore]    pam_unix.so obscure sha512
# use_authtok makes pam_winbind take the new password set by the module above
# instead of prompting again.
# NOTE(review): the next two lines are one PAM entry; the break looks like
# mail-client wrapping.
password    [success=1 default=ignore]    pam_winbind.so use_authtok 
try_first_pass
# Reached only when neither module above succeeded.
password    requisite            pam_deny.so
password    required            pam_permit.so
password    optional    pam_gnome_keyring.so

> Also, have you run testparm on your config just to rule out syntax errors and 
> other checks?
yes, of course. This is the output of testparm before showing the dump of the 
"service definition":

Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[printers]"
Processing section "[print$]"
Loaded services file OK.
WARNING: The 'client ipc signing' value may mean SMB signing is not used when 
contacting a domain controller or other server. This setting is not 
recommended; please be aware of the security implications when using this 
configuration setting.

Server role: ROLE_DOMAIN_MEMBER


[...]
> Finally, I would suggest to really drop the network instead of running
> "winbind offline", as I think that is a more realistic test.
ok, many thanks

Piviul

https://bugs.launchpad.net/bugs/1815019

Title:
  offline logon doesnt works in ubuntu 18.04
