Rowland Penny
2023-Aug-04 15:26 UTC
[Samba] pam_unix failing after pam_winbind when Samba is running in Standalone Server mode
On 04/08/2023 16:00, Jöran Malek via samba wrote:
> Ah, didn't think about that.
>
> So, scenario is as follows:
> I want to create a homebrew NAS system, which I don't have to
> synchronize passwords with each and every additional sharing service I
> add (webdav, sftp, ftp, nfs, smb) but use existing infrastructure
> (PAM) to perform this.
> Up until 2014 there was pam_smbpass which allowed PAM to authenticate
> against the Samba passdb, performing this service: I can create a
> dummy unix user, add that to smbpasswd and log in with these
> credentials to my local system.
>
> Now that pam_smbpass is deprecated and removed - pam_winbind should be
> the drop-in replacement which, as far as I read from that bug ticket,
> should allow smbpasswd authentication of unix users, if the smb server
> is running in standalone mode.
> If I'm not mistaken, the patch mentioned in that ticket is around this place:
> https://gitlab.com/samba-team/samba/-/blob/samba-4.17.9/source3/winbindd/winbindd_util.c?ref_type=tags#L1576
> Which has a check for standalone role:
> https://gitlab.com/samba-team/samba/-/blob/samba-4.17.9/source3/winbindd/winbindd_util.c?ref_type=tags#L1527
>
> So as shown in the syslog pam_winbind is able to find and authenticate
> the user, but the user passed on to pam_unix has the netbios name
> attached, which causes it to fail (and not find the username).
> As the conversation in that ticket progresses, I don't know whether
> the off-tracker conversation had any success.
>
> I really don't want to run a directory service just for logging in three users.
>
> Best,
> Jöran Malek
>

You seem to be describing running Samba in a workgroup (bit rusty on this, it has been a long time). In a workgroup, (if I remember correctly) even if you use the same workgroup name, every Samba computer will have a different SID, that is where I think the problem lies.
You could try this, start with one machine and set up Samba as a standalone server, then add your Unix users and make them Samba users with 'smbpasswd -a USERNAME'. Do this on all workgroup computers, ensure that you use the same workgroup name. Now create a user.map file on each computer, let's say your user is 'fred' and you are using the workgroup 'HOME', add lines like this:

!fred = HOME\fred

I have no idea if that will work, I think it will, but it is the only thing I can think of at the moment.

Rowland
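Added example, not part of either message and not the Samba project's own configuration: a standalone-server smb.conf that wires in a map file like the user.map described above through the `username map` parameter, which smbd applies to the user names SMB clients present. The path /etc/samba/user.map is an assumption; HOME and fred are the sample names from the message.

```ini
# /etc/samba/smb.conf (added example; file paths are assumptions)
[global]
    # Standalone server: accounts live in the local passdb,
    # populated with 'smbpasswd -a USERNAME'
    server role = standalone server
    workgroup = HOME
    passdb backend = tdbsam

    # Map file with one "unixname = clientname" entry per line
    username map = /etc/samba/user.map

# Contents of /etc/samba/user.map, using the line from the message.
# A leading "!" stops map processing at the first matching line.
#   !fred = HOME\fred
```

Running `testparm -s` afterwards confirms that smb.conf parses and shows the effective settings.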
Jöran Malek
2023-Aug-04 16:42 UTC
[Samba] pam_unix failing after pam_winbind when Samba is running in Standalone Server mode
Basically, yes.

Regarding the user.map-file - I'm not quite sure which module that should configure, or where to put that. A web search engine query didn't bring up any information for either PAM or Samba.

Best,
Jöran

> You seem to be describing running Samba in a workgroup (bit rusty on
> this, it has been a long time). In a workgroup, (if I remember
> correctly) even if you use the same workgroup name, every Samba computer
> will have a different SID, that is where I think the problem lies.
>
> You could try this, start with one machine and set up Samba as a
> standalone server, then add your Unix users and make them Samba users
> with 'smbpasswd -a USERNAME'. Do this on all workgroup computers, ensure
> that you use the same workgroup name. Now create a user.map file on each
> computer, let's say your user is 'fred' and you are using the workgroup
> 'HOME', add lines like this:
>
> !fred = HOME\fred
>
> I have no idea if that will work, I think it will, but it is the only
> thing I can think of at the moment.
>
> Rowland