14.02.2022 16:32, Rowland Penny via samba wrote:
> On Mon, 2022-02-14 at 16:22 +0300, Michael Tokarev via samba wrote:
>> Hello!
>>
>> Another day, another issue which I can't resolve so far.
>>
>> We switched our user from local /etc/passwd to samba AD.
>> And it was apparently a big mistake, since nothing works
>> besides samba now.
>
> Anything that uses nsswitch should work, provided that everything is
> set up correctly.
Are you sure you really mean nsswitch, not pam?
Nsswitch is for mapping uid<=>users and the like, it is NOT for auth.
Auth can be done using /etc/shadow - it does not work with nsswitch.
And in order for any service to look for a user's local shadow password
entry, pw_passwd should contain the value "x", but samba returns "*", so
no service will try to open local /etc/shadow for any samba user, so
no auth will work.
pam_winbind is exactly for this auth stuff. You can't log into the
system based on nsswitch, passwords are stored elsewhere.
Is the mlock() failure somehow relevant? I'm looking at the source
now, but so far I don't understand the process model.
>> Well, auth does not work anymore. The only way to login locally
>> so far is to use ssh keys. Or it is possible to enable
>> KerberosAuthentication in sshd_config, that one works too.
>
> What OS are you using on your Unix domain member? And can you post the
> global part of the smb.conf currently in use.
This is a current debian bullseye system (current debian stable).
Here's global smb.conf section:
[global]
server string = %h samba server %v
netbios name = TSRV
netbios aliases = LINUX FS
realm = TLS.MSK.RU
workgroup = TLS
server role = member server
security = ADS
idmap config TLS : backend = ad
idmap config TLS : range = 1000-3000
#idmap config TLS : schema_mode = rfc2307 # rfc2307 is the default
idmap config TLS : unix_primary_group = yes
template homedir = /home/%U
template shell = /bin/bash
idmap config * : backend = tdb
idmap config * : range = 5000-7000
winbind use default domain = yes
acl allow execute always = true
hostname lookups = yes
log file = /var/log/samba/log.%m
max log size = 1000
log level = 2
# disable user shares
usershare max shares = 0
load printers = no
printing = bsd
disable spoolss = yes
map hidden = yes
create mask = 0775
directory mask = 0775
Thanks,
/mjt
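The distinction drawn above (a passwd entry whose password field is "x" sends a service to /etc/shadow, while winbind's "*" means only a PAM module such as pam_winbind can authenticate the user) can be checked mechanically. The script below is an added example, not code from the thread or from the Samba project; its passwd lines and PAM stacks are constructed inline so it runs offline, and the helper names (passwd_auth_source, pam_has_winbind, explain) are my own. On a real domain member you would feed it the output of `getent passwd "$user"` and the contents of /etc/pam.d/common-auth instead.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): classify a passwd entry
# the way a service would, and check whether a PAM auth stack references
# pam_winbind.so. All input below is constructed for the demonstration.

# passwd_auth_source LINE
# Prints "shadow" when the password field is "x" (the service will consult
# /etc/shadow), "none" when it is "*", "!" or empty (no local password, so
# only a PAM module such as pam_winbind can authenticate), "inline" otherwise.
passwd_auth_source() {
    pw=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$pw" in
        x) echo shadow ;;
        '*'|'!'|'') echo none ;;
        *) echo inline ;;
    esac
}

# pam_has_winbind PAM_CONTENT
# Returns 0 if a non-comment "auth" line references pam_winbind.so.
pam_has_winbind() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -q '^auth.*pam_winbind\.so'
}

# Constructed sample entries: a local account and a winbind-provided one.
LOCAL_ENTRY='alice:x:1001:1001:Alice:/home/alice:/bin/bash'
WINBIND_ENTRY='bob:*:1042:1042:Bob:/home/bob:/bin/bash'

# Constructed PAM auth stacks in the Debian common-auth style, without and
# with a pam_winbind line (option names are real pam_winbind options).
PAM_WITHOUT='auth    [success=1 default=ignore]  pam_unix.so nullok
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so'
PAM_WITH='auth    [success=2 default=ignore]  pam_unix.so nullok
auth    [success=1 default=ignore]  pam_winbind.so krb5_auth try_first_pass
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so'

# explain ENTRY PAM_CONTENT
# Prints a one-line diagnosis of how (or whether) password auth can succeed.
explain() {
    user=$(printf '%s\n' "$1" | cut -d: -f1)
    src=$(passwd_auth_source "$1")
    if [ "$src" = shadow ]; then
        echo "$user: local /etc/shadow will be consulted"
    elif pam_has_winbind "$2"; then
        echo "$user: no local password; pam_winbind will authenticate"
    else
        echo "$user: no local password and no pam_winbind in PAM stack: password login cannot succeed"
    fi
}

explain "$LOCAL_ENTRY" "$PAM_WITHOUT"
explain "$WINBIND_ENTRY" "$PAM_WITHOUT"
explain "$WINBIND_ENTRY" "$PAM_WITH"
```

The third case is the configuration the thread is after: the AD user has "*" in the password field, so pam_unix alone can never succeed, and password logins only work once pam_winbind is present in the auth stack.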