Jöran Malek
2023-Aug-04 15:00 UTC
[Samba] pam_unix failing after pam_winbind when Samba is running in Standalone Server mode
Ah, didn't think about that.

So, the scenario is as follows: I want to create a homebrew NAS system for which I don't have to synchronize passwords with each and every additional sharing service I add (webdav, sftp, ftp, nfs, smb), but instead use existing infrastructure (PAM) to perform this.

Up until 2014 there was pam_smbpass, which allowed PAM to authenticate against the Samba passdb, performing this service: I can create a dummy Unix user, add that to smbpasswd and log in with these credentials to my local system.

Now that pam_smbpass is deprecated and removed, pam_winbind should be the drop-in replacement which, as far as I read from that bug ticket, should allow smbpasswd authentication of Unix users if the smb server is running in standalone mode.

If I'm not mistaken, the patch mentioned in that ticket is around this place:
https://gitlab.com/samba-team/samba/-/blob/samba-4.17.9/source3/winbindd/winbindd_util.c?ref_type=tags#L1576
Which has a check for the standalone role:
https://gitlab.com/samba-team/samba/-/blob/samba-4.17.9/source3/winbindd/winbindd_util.c?ref_type=tags#L1527

So, as shown in the syslog, pam_winbind is able to find and authenticate the user, but the user passed on to pam_unix has the NetBIOS name attached, which causes it to fail (and not find the username). As the conversation in that ticket progresses, I don't know whether the off-tracker conversation had any success.

I really don't want to run a directory service just for logging in three users.

Best,
Jöran Malek
Rowland Penny
2023-Aug-04 15:26 UTC
[Samba] pam_unix failing after pam_winbind when Samba is running in Standalone Server mode
On 04/08/2023 16:00, Jöran Malek via samba wrote:
> Ah, didn't think about that.
>
> So, the scenario is as follows:
> I want to create a homebrew NAS system for which I don't have to
> synchronize passwords with each and every additional sharing service I
> add (webdav, sftp, ftp, nfs, smb), but instead use existing infrastructure
> (PAM) to perform this.
> Up until 2014 there was pam_smbpass, which allowed PAM to authenticate
> against the Samba passdb, performing this service: I can create a
> dummy Unix user, add that to smbpasswd and log in with these
> credentials to my local system.
>
> Now that pam_smbpass is deprecated and removed, pam_winbind should be
> the drop-in replacement which, as far as I read from that bug ticket,
> should allow smbpasswd authentication of Unix users if the smb server
> is running in standalone mode.
> If I'm not mistaken, the patch mentioned in that ticket is around this place:
> https://gitlab.com/samba-team/samba/-/blob/samba-4.17.9/source3/winbindd/winbindd_util.c?ref_type=tags#L1576
> Which has a check for the standalone role:
> https://gitlab.com/samba-team/samba/-/blob/samba-4.17.9/source3/winbindd/winbindd_util.c?ref_type=tags#L1527
>
> So, as shown in the syslog, pam_winbind is able to find and authenticate
> the user, but the user passed on to pam_unix has the NetBIOS name
> attached, which causes it to fail (and not find the username).
> As the conversation in that ticket progresses, I don't know whether
> the off-tracker conversation had any success.
>
> I really don't want to run a directory service just for logging in three users.
>
> Best,
> Jöran Malek
>

You seem to be describing running Samba in a workgroup (bit rusty on this, it has been a long time). In a workgroup (if I remember correctly), even if you use the same workgroup name, every Samba computer will have a different SID; that is where I think the problem lies.
You could try this: start with one machine and set up Samba as a standalone server, then add your Unix users and make them Samba users with 'smbpasswd -a USERNAME'. Do this on all workgroup computers, and ensure that you use the same workgroup name.

Now create a user.map file on each computer. Let's say your user is 'fred' and you are using the workgroup 'HOME'; add lines like this:

!fred = HOME\fred

I have no idea if that will work, I think it will, but it is the only thing I can think of at the moment.

Rowland
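As an added illustration of the setup Rowland describes (this is example configuration, not something either poster wrote), here is the standalone-server smb.conf fragment together with the matching map file. The workgroup HOME and user fred come from his message; the map file path /etc/samba/user.map and the 'winbind use default domain' line are assumptions added here. That last parameter is the documented knob that makes winbindd return user names without the DOMAIN\ prefix, which is the prefix Jöran sees being handed to pam_unix; whether it takes effect on the standalone PAM path is exactly the open question in the thread, so treat it as something to test, not as a confirmed fix.

```ini
; /etc/samba/smb.conf -- example only, not from the thread
[global]
   ; same workgroup name on every box, as Rowland suggests
   workgroup = HOME
   server role = standalone server

   ; map incoming HOME\fred to the local Unix account fred
   ; (path is an assumption; Rowland only says "user.map")
   username map = /etc/samba/user.map

   ; assumption: ask winbindd to return "fred" rather than "HOME\fred"
   ; so that what pam_winbind passes down matches the Unix account name
   winbind use default domain = yes

; /etc/samba/user.map -- contents as given in Rowland's message
; format is: unixname = windowsname
; the leading "!" stops processing after the first matching line
!fred = HOME\fred
```

After restarting smbd and winbindd, two checks show which form of the name is coming back before touching the PAM stack: 'getent passwd fred' should resolve the account, and 'wbinfo -a HOME\\fred%PASSWORD' exercises winbindd's authentication path for the smbpasswd credentials on their own. Only if both succeed is it worth looking at the pam_winbind / pam_unix ordering again.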