Hello! Markus Dellermann via samba
  On that day it was said...

> Marco, you are using the ad-Backend, right?

Yes, rfc2307.

> Have you tried with rid-backend or at least

No, I cannot try RID, or at least I'll need to set up a different test domain...

> "idmap config LNFFVG : unix_nss_info = no" in smb.conf ?

Tried, but nothing changed. My current [global] section is:

 [global]
        disable spoolss = Yes
        load printers = No
        lock directory = /var/cache/samba
        log file = /var/log/samba/log.%m
        map to guest = Bad User
        panic action = /usr/share/samba/panic-action %d
        printcap name = /dev/null
        realm = AD.FVG.LNF.IT
        security = ADS
        syslog = 0
        template homedir = /home/%U
        template shell = /bin/bash
        username map = /etc/samba/user.map
        usershare max shares = 0
        winbind offline logon = Yes
        winbind request timeout = 5
        winbind use default domain = Yes
        workgroup = LNFFVG
        idmap config lnffvg : unix_primary_group = yes
        idmap config lnffvg : unix_nss_info = no
        idmap config lnffvg : schema_mode = rfc2307
        idmap config lnffvg : range = 10000-49999
        idmap config lnffvg : backend = ad
        idmap config * : range = 5000-9999
        idmap config * : backend = tdb
        printing = bsd

> To update to 4.18 could be also a good idea, because there are some changes
> which should help..

Samba version 4.18.3+dfsg-1.

Thanks...

-- 
  ...buffoni che campate di versi senza forza
  avrete soldi e gloria, ma non avete scorza;	(F. Guccini)
Markus Dellermann
2023-Jun-28 07:48 UTC
[Samba] PAM Offline Authentication in Ubuntu 22.04
Hi Marco,

On Tuesday, 27 June 2023, 17:00:06 CEST, Marco Gaiarin via samba wrote:
> Hello! Markus Dellermann via samba
>   On that day it was said...
>
> > Marco, you are using the ad-Backend, right?
>
> Yes, rfc2307.
>
> > Have you tried with rid-backend or at least
>
> No, I cannot try RID, or at least I'll need to set up a different test
> domain...

No, I meant only one client for testing...

> > "idmap config LNFFVG : unix_nss_info = no" in smb.conf ?
>
> Tried, but nothing changed. My current [global] section is:
>
>  [global]
>         disable spoolss = Yes
>         load printers = No
>         lock directory = /var/cache/samba
>         log file = /var/log/samba/log.%m
>         map to guest = Bad User
>         panic action = /usr/share/samba/panic-action %d
>         printcap name = /dev/null
>         realm = AD.FVG.LNF.IT
>         security = ADS
>         syslog = 0
>         template homedir = /home/%U
>         template shell = /bin/bash
>         username map = /etc/samba/user.map
>         usershare max shares = 0
>         winbind offline logon = Yes
>         winbind request timeout = 5
>         winbind use default domain = Yes
>         workgroup = LNFFVG
>         idmap config lnffvg : unix_primary_group = yes
>         idmap config lnffvg : unix_nss_info = no
>         idmap config lnffvg : schema_mode = rfc2307
>         idmap config lnffvg : range = 10000-49999
>         idmap config lnffvg : backend = ad
>         idmap config * : range = 5000-9999
>         idmap config * : backend = tdb
>         printing = bsd
>
> > To update to 4.18 could be also a good idea, because there are some
> > changes which should help..
>
> Samba version 4.18.3+dfsg-1.
>
>
> Thanks...

Hm... is there apparmor or something else, nscd..?
Have you tried "async dns timeout" in smb.conf?

Markus
I reply to myself.

>> "idmap config LNFFVG : unix_nss_info = no" in smb.conf ?
> Tried, but nothing changed. My current [global] section is:

Bingo! If I set:

> idmap config lnffvg : unix_nss_info = no

AND

> idmap config lnffvg : unix_primary_group = no

Things start to work; I mean 'start' because effectively, on a disconnection of the laptop, basic nss survives (eg, I can do 'id gaio' and I get some output), but still if I lock the screen, I cannot log back in anymore (due to timeouts, I suppose; it is a bit hard to debug a disconnected laptop... ;-).

I've also rebooted, and in the logon screen GDM tells me that I'm logging in with a cached credential (wow!), but after 15 minutes I was still logging in, the screen saver started and so I was back at the login screen.

This leads me to these considerations:

1) winbind offline logon works only in 'rid' mode, or at least does NOT work in rfc2307 mode.

2) I think this is a bug...

Andrew, what do you think?

-- 
  I'm old enough to remember when the Internet wasn't a group of five
  websites, each consisting of screenshots of text from the other four.
							(Tom Eastman)
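
An added example, not code from the thread or from the Samba project: a small Python check that reads a `[global]` section like the one quoted above, verifies that the idmap ranges do not overlap, and, when `winbind offline logon` is enabled, flags the two `ad` backend options that the last message reports had to be set to `no` before NSS lookups survived a disconnect. The finding labels and function names are made up for this example, and the sample is constructed from the quoted configuration.

```python
import re
from itertools import combinations
YES = {"yes", "true", "on", "1"}  # boolean spellings smb.conf treats as true
# Constructed sample: identity-mapping lines from the [global] section quoted in the thread.
SAMPLE = """[global]
winbind offline logon = Yes
idmap config lnffvg : unix_primary_group = yes
idmap config lnffvg : unix_nss_info = no
idmap config lnffvg : range = 10000-49999
idmap config lnffvg : backend = ad
idmap config * : range = 5000-9999
idmap config * : backend = tdb
"""

def parse_global(text):
    """Return {name: value} for [global]; names lower-cased, inner spaces squeezed."""
    params, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            name, value = line.split("=", 1)
            params[" ".join(name.lower().split())] = value.strip()
    return params

def idmap_domains(params):
    """Group 'idmap config DOMAIN : option' entries by domain."""
    domains = {}
    for name, value in params.items():
        m = re.fullmatch(r"idmap config ([^\s:]+) ?: ?(\S+)", name)
        if m:
            domains.setdefault(m.group(1), {})[m.group(2)] = value
    return domains

def audit(text):
    """Return findings; the labels are made up for this example, not Samba output."""
    params = parse_global(text)
    domains = idmap_domains(params)
    findings = []
    spans = {d: [int(n) for n in o["range"].split("-")]
             for d, o in domains.items() if "range" in o}
    for (d1, (lo1, hi1)), (d2, (lo2, hi2)) in combinations(spans.items(), 2):
        if lo1 <= hi2 and lo2 <= hi1:  # idmap ranges must not overlap
            findings.append(f"range-overlap:{d1}/{d2}")
    if params.get("winbind offline logon", "no").lower() in YES:
        for d, o in domains.items():
            for opt in ("unix_nss_info", "unix_primary_group"):  # per the thread
                if o.get("backend", "").lower() == "ad" and o.get(opt, "no").lower() in YES:
                    findings.append(f"offline-nss:{d}:{opt}")
    return findings
```

Running `audit(SAMPLE)` on the configuration as first posted reports `unix_primary_group` only, which is the remaining option the poster then switched to `no`.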