
We are getting ready to add Winbind/Samba to some CentOS servers. Identity Management for UNIX is running on our DC, and it's testing well so far. There is one scenario I'm having trouble with, and I'm pretty sure it's solved inside of /etc/pam.d/system-auth with UID ranges. I can't zero in on the specific lines needed. Here is the scenario:

  • We deploy three local users via Puppet; they must be able to log in when the DC is down. They need to be purely local users.
  • The local usernames for these users are identical to their AD counterparts (e.g., jsmith is the name of the CentOS local user, and jsmith is also that same user's AD username)
  • When jsmith logs in, it needs to look for that user locally first.
  • Local users are typically > UID 500, and our AD/Winbind users are > UID 10000.
Comment: pam_unix sufficient can help you: pam_unix first, then pam_winbind. (Commented Sep 9, 2017 at 23:45)

2 Answers


I've got a /etc/pam.d/system-auth that was set up with local users to authenticate first, and then fall back to Kerberos (pam_krb5.so). I'll provide it here with pam_krb5.so replaced with pam_winbind.so to give you something to start with. This was cobbled together a couple of years ago, and as I recall it took a bit of refining to get it to work right for us.

    account     required      pam_unix.so broken_shadow
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     [authinfo_unavail=ignore default=bad success=ok user_unknown=ignore] pam_winbind.so
    account     required      pam_permit.so

    password    requisite     pam_cracklib.so try_first_pass retry=3
    password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
    password    sufficient    pam_winbind.so use_authtok
    password    required      pam_deny.so

    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    session     optional      pam_mkhomedir.so umask=0077
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so
    session     optional      pam_winbind.so
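The fragment above covers the account, password and session stacks. What follows is an added example, not code from the answer or the question: an auth stack in the same style that puts pam_unix before pam_winbind (as the comment on the question suggests) and gates pam_winbind with a pam_succeed_if UID test using the ranges from the question, plus two POSIX sh checks. The first verifies that ordering in a system-auth file; the second verifies that the passwd: line of /etc/nsswitch.conf lists files before winbind, because NSS lookup order, not PAM, is what decides whether "jsmith" resolves to the local UID or the AD one. All file contents are constructed and written to a temp file; the paths /etc/pam.d/system-auth and /etc/nsswitch.conf are the CentOS defaults. nullok is deliberately left off pam_unix so an empty local password cannot authenticate.

```shell
#!/bin/sh
# Added example, not taken from the question or the answers.
# Everything is written to a temp file; /etc/pam.d/system-auth and
# /etc/nsswitch.conf are only named as the files these checks are meant for.
# UID bounds (local > 500, AD >= 10000) come from the question.

# Proposed auth stack: try /etc/shadow first; consult winbind only when the
# name resolved to a UID in the AD range, so a local-only account never
# waits on (or is locked out by) an unreachable DC. nullok is left out on
# purpose so an empty local password cannot authenticate.
proposed_auth_stack() {
    cat <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 10000 quiet
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so
EOF
}

# pam_order_ok FILE: exit 0 when, in the auth stack, the first pam_unix line
# comes before the first pam_winbind line and the line right above
# pam_winbind is a pam_succeed_if uid test.
pam_order_ok() {
    awk '
        $1 != "auth" { next }
        /pam_unix\.so/    && !unix_line    { unix_line = NR }
        /pam_winbind\.so/ && !winbind_line { winbind_line = NR; guard = last }
        { last = $0 }
        END {
            if (!unix_line || !winbind_line)                   exit 1
            if (unix_line > winbind_line)                      exit 1
            if (guard !~ /pam_succeed_if\.so[[:space:]]+uid/)  exit 1
            exit 0
        }' "$1"
}

# nss_order_ok FILE: exit 0 when the passwd: line lists "files" before
# "winbind". This, not PAM, is what makes "jsmith" resolve to the local UID
# first; with winbind listed first the same name could resolve to the AD UID.
nss_order_ok() {
    awk '
        $1 == "passwd:" {
            found = 1
            for (i = 2; i <= NF; i++) {
                if ($i == "files"   && !f) f = i
                if ($i == "winbind" && !w) w = i
            }
            ok = (f && w && f < w)
        }
        END { exit ((found && ok) ? 0 : 1) }' "$1"
}

# Stand-alone run against constructed input (not a live system).
tmp=$(mktemp)
proposed_auth_stack > "$tmp"
if pam_order_ok "$tmp"; then
    echo "auth stack: pam_unix precedes uid-gated pam_winbind"
else
    echo "auth stack: ordering problem"
fi
printf 'passwd:     files winbind\n' > "$tmp"
nss_order_ok "$tmp" && echo "nsswitch: files before winbind on passwd:"
rm -f "$tmp"
```

With this order a local jsmith whose /etc/shadow password matches never reaches winbind at all; a local jsmith with a wrong password fails the requisite uid test and is denied without a round trip to the DC, and only names that resolve to a UID of 10000 or more are ever sent to pam_winbind. Run the two checks against the real files (`pam_order_ok /etc/pam.d/system-auth; nss_order_ok /etc/nsswitch.conf`) after editing them.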

You may be able to solve this problem by caching winbind credentials. In other words, you have only the AD UID, but its credentials are cached so that the user can still log in even when AD is unavailable.

See http://wiki.samba.org/index.php/PAM_Offline_Authentication for more information.
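As an added example that is not part of the answer, the smb.conf setting this approach relies on, with a POSIX sh check that reads it back. `winbind offline logon` defaults to no, so until it is turned on in [global] there is nothing cached for an offline logon; pam_winbind also needs the `cached_login` option on its auth line to use the cache. The smb.conf content is constructed and written to a temp file; EXAMPLE / EXAMPLE.COM are placeholder names.

```shell
#!/bin/sh
# Added example, not from the answer. Constructed smb.conf content is written
# to a temp file; nothing touches the live /etc/samba/smb.conf.

# The [global] setting that makes winbind keep the credentials of the last
# successful AD logon; the default is "no". The matching PAM line would be:
#   auth  sufficient  pam_winbind.so use_first_pass cached_login
offline_smb_conf() {
    cat <<'EOF'
[global]
   workgroup = EXAMPLE
   security = ads
   realm = EXAMPLE.COM
   # keep the last successful AD logon cached for use when the DC is down
   winbind offline logon = yes
EOF
}

# winbind_offline_enabled FILE: exit 0 when [global] turns the setting on.
# smb.conf keys are case-insensitive and ignore internal whitespace, so the
# key is normalised before comparison; other sections are ignored.
winbind_offline_enabled() {
    awk -F= '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/   { sec = tolower($0); gsub(/[^a-z]/, "", sec); next }
        sec == "global" && NF >= 2 {
            key = tolower($1); gsub(/[[:space:]]/, "", key)
            val = tolower($2); gsub(/[[:space:]]/, "", val)
            if (key == "winbindofflinelogon")
                on = (val == "yes" || val == "true" || val == "1")
        }
        END { exit (on ? 0 : 1) }' "$1"
}

# Stand-alone run against the constructed file.
tmp=$(mktemp)
offline_smb_conf > "$tmp"
if winbind_offline_enabled "$tmp"; then
    echo "winbind offline logon is enabled"
else
    echo "winbind offline logon is NOT enabled: AD logon fails while the DC is down"
fi
rm -f "$tmp"
```

The cache is only populated by a successful online logon, so a user who has never logged in while the DC was reachable still cannot log in offline; and while offline winbind cannot see a password change or account disablement made in AD since that last logon, which is the trade-off against the purely local accounts the question describes.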
