Winbind/AD: Local users with identical AD usernames

Question

We are getting ready to add Winbind/Samba to some CentOS servers. Identity Management for UNIX is running on our DC, and it's testing well so far. There is one scenario I'm having trouble with, and I'm pretty sure it's solved inside of /etc/pam.d/system-auth with UID ranges. I can't zero in on the specific lines needed. Here is the scenario:

We deploy three local users via Puppet; they must be able to login when the DC is down. They need to be purely local users.
The local usernames for these users is identical to their AD counterparts (e.g., jsmith is the name of the CentOS local user, and jsmith is also that same user's AD username)
When jsmith logs in, it needs to look for that user locally first.
Local users are typically > UID 500, and our AD/Winbind users are > UID 10000.

pam_unix sefficient can help you, pam_unix first of pam winbind — c4f4t0r, Sep 09 '17 at 23:45

score 1 · Answer 1 · answered Jun 01 '11 at 22:01

I've got a /etc/pam.d/system-auth that was setup with local users to authenticate first, and then fall back to kerberos (pam_krb5.so). I'll provide it here with pam_krb5.so replaced with pam_winbind.so to give you something to start with. This was cobbled together a couple years ago, and as I recall took a bit of refining to get it to work right for us.

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [authinfo_unavail=ignore default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so


password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_winbind.so

score 0 · Answer 2 · answered Jun 01 '11 at 20:20

You may be able to solve this problem by caching winbind credentials. In other words, you have only the AD UID, but its credentials are cached so that he can still log in even when AD is unavailable.

See http://wiki.samba.org/index.php/PAM_Offline_Authentication for more information.

Winbind/AD: Local users with identical AD usernames

2 Answers2