Rowland Penny
2023-Aug-04 14:39 UTC
[Samba] pam_unix failing after pam_winbind when Samba is running in Standalone Server mode
On 04/08/2023 15:28, Jöran Malek via samba wrote:
> Hi,
>
> I'm trying to get PAM to authenticate against a local install of
> Samba, using the Standalone server mode.
>
> Environment information:
> - Debian 12
> - Samba version: 4.17.9
>
> Following packages are installed:
> - samba
> - libpam-winbind
> - libnss-winbind
>
> I added a user to passwd using
>> adduser --no-create-home --disabled-password --ingroup users jmalek
> Then registered that user in Samba's tdb:
>> pdbedit -a -u jmalek
> Confirmed the password, and continued:
> pdbedit -L
> jmalek:1000:
>
> Now, nsswitch.conf is configured to use winbind for passwd and group.

Sorry, but I don't think that is ever going to work, you do not use winbind on a standalone server, it is meant for use in a domain and requires much more configuration.

>
> I'm basically encountering the same issue that Brian Campbell
> encountered in 2014:
> https://bugzilla.samba.org/show_bug.cgi?id=10669#c12
> but can't find a resolution to this (I do see, that the mentioned
> patch is - albeit modified - still in Samba sources).
>

Perhaps if you were to explain just what you are trying to achieve, we may be able to come up with a workaround.

Rowland
Jöran Malek
2023-Aug-04 15:00 UTC
[Samba] pam_unix failing after pam_winbind when Samba is running in Standalone Server mode
Ah, didn't think about that.

So, scenario is as follows: I want to create a homebrew NAS system, which I don't have to synchronize passwords with each and every additional sharing service I add (webdav, sftp, ftp, nfs, smb) but use existing infrastructure (PAM) to perform this.

Up until 2014 there was pam_smbpass which allowed PAM to authenticate against the Samba passdb, performing this service: I can create a dummy unix user, add that to smbpasswd and login with these credentials to my local system.

Now that pam_smbpass is deprecated and removed - pam_winbind should be the drop-in replacement which, as far as I read from that bug ticket, should allow smbpasswd authentication of unix users, if the smb server is running in standalone mode.

If I'm not mistaken, the patch mentioned in that ticket is around this place:
https://gitlab.com/samba-team/samba/-/blob/samba-4.17.9/source3/winbindd/winbindd_util.c?ref_type=tags#L1576

Which has a check for standalone role:
https://gitlab.com/samba-team/samba/-/blob/samba-4.17.9/source3/winbindd/winbindd_util.c?ref_type=tags#L1527

So as shown in the syslog pam_winbind is able to find and authenticate the user, but the user passed on to pam_unix has the netbios name attached, which causes it to fail (and not find the username).

As the conversation in that ticket progresses, I don't know whether the off-tracker conversation had any success.

I really don't want to run a directory service just for logging in three users.

Best,
Jöran Malek