On Sun, 7 Jan 2024 15:00:27 +0100 Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Hello! bd730c5053df9efb via samba wrote on that day...
>
> > idmap config smadom:schema_mode = rfc2307
>
> Sorry, but it is a bug of RFC2307:
>
> https://bugzilla.samba.org/show_bug.cgi?id=15405

Sorry, but allowing for bug 14618, it works for myself.

https://bugzilla.samba.org/show_bug.cgi?id=14618

On a Unix domain member using the 'rid' backend, I get this:

adminuser at testdm12:~$ getent passwd rowland
rowland:*:11104:10513:Rowland Penny:/home/rowland:/bin/bash

The user 'rowland' can logon, but if the user logs out and the network is disconnected, the user cannot logon until:

A) the network is reconnected.
B) 'lock directory = /var/cache/samba' is added to smb.conf and Samba is restarted.
C) the user 'rowland' logs on at least once with the network connected.

At this point, if the user logs out and the network is disconnected, the user can still logon.

This to myself proves that offline logon works with the 'rid' backend.

If I now change the 'rid' backend to the 'ad' backend:

Change:

idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999

To:

idmap config SAMDOM : backend = ad
idmap config SAMDOM : range = 10000-999999
idmap config SAMDOM : schema_mode = rfc2307

Give rowland the uidNumber 10000 and Domain Users the gidNumber 10000 and restart Samba on the Unix domain member:

adminuser at testdm12:~$ sudo systemctl restart winbind smbd
adminuser at testdm12:~$ sudo net cache flush
adminuser at testdm12:~$ getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

When I then tried to log on as 'rowland', I was denied, but changing the ownership of /home/rowland cured this:

adminuser at testdm12:~$ sudo chown 10000:10000 -R /home/rowland

I could then log on.

I logged out, disconnected the network and tried again, I logged in straight away.

This looks like logging in using the 'ad' backend works as well.

Rowland
Hello! Rowland Penny via samba wrote on that day...

> Sorry, but allowing for bug 14618, it works for myself.
> https://bugzilla.samba.org/show_bug.cgi?id=14618

I think it was fixed, at least in Michael's packages... is it not?! There's a compelling Debian bug?

> This to myself proves that offline logon works with the 'rid' backend.

I can totally confirm that.

> This looks like logging in using the 'ad' backend works as well.

No. If you go back in the list archive, we have discussed and tested this, and at last I've filed the bug I've linked. *Seems* to work, but does *not* work. At least it does not work reliably.

Digging a bit deeper, this also poses some performance trouble, because in an 'AD' backend domain members (with or without offline logon/cache enabled) do an insane amount more of LDAP queries against the DCs than in an 'RID' backend (with offline logon/cache enabled, of course).

I've not the time/resource to dig deeper into this, but this bug got introduced by some Samba version in advance; the same portable had Ubuntu 16.04 and worked in offline mode like a charm, with the same domain (so in 'AD' mode).

--
The higher the bar of expectations is set, the more comfortably I pass under it.

Fabrizio (@phab at mastodon.uno)
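An added example, not from this thread and not Samba's own tooling: a POSIX sh/awk check for the idmap settings Rowland changed above (rid versus ad backend, domain range) and the offline logon setting Marco discusses. The smb.conf fragment is constructed, and `smbconf_value` and `check_idmap` are my own helper names.

```shell
# Constructed sample smb.conf fragment: the 'ad' variant from the post plus
# a default '*' range that the domain range must not overlap.
SMB_CONF_SAMPLE='[global]
   workgroup = SAMDOM
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : range = 10000-999999
   idmap config SAMDOM : schema_mode = rfc2307
   winbind offline logon = yes'

# smbconf_value KEY: print the value of KEY from the smb.conf text on stdin.
# Keys are compared with whitespace removed and case folded, so the wildcard
# domain "*" is matched literally, not as a pattern.
smbconf_value() {
    awk -v want="$1" -F'=' '
        { k = $1; gsub(/[ \t]/, "", k); w = want; gsub(/[ \t]/, "", w)
          if (tolower(k) == tolower(w)) {
              v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
              print v; exit } }'
}

# check_idmap DOMAIN: read smb.conf text on stdin and report problems with the
# domain's idmap block and the offline logon setting; 0 = consistent, 1 = not.
check_idmap() {
    conf=$(cat); dom=$1; rc=0
    backend=$(printf '%s\n' "$conf" | smbconf_value "idmap config $dom : backend")
    range=$(printf '%s\n' "$conf" | smbconf_value "idmap config $dom : range")
    default=$(printf '%s\n' "$conf" | smbconf_value "idmap config * : range")
    offline=$(printf '%s\n' "$conf" | smbconf_value "winbind offline logon")
    case "$backend" in
        rid|ad) ;;
        "") echo "no idmap backend configured for $dom"; rc=1 ;;
        *) echo "backend '$backend' for $dom is neither rid nor ad" ;;
    esac
    case "$range" in
        [0-9]*-[0-9]*) lo=${range%-*}; hi=${range#*-} ;;
        *) echo "missing or malformed idmap range for $dom"; return 1 ;;
    esac
    [ "$lo" -lt "$hi" ] || { echo "idmap range for $dom is inverted"; rc=1; }
    if [ -n "$default" ]; then   # domain and '*' ranges must not overlap
        dlo=${default%-*}; dhi=${default#*-}
        [ "$lo" -gt "$dhi" ] || [ "$hi" -lt "$dlo" ] ||
            { echo "range $range overlaps default range $default"; rc=1; }
    fi
    if [ "$backend" = ad ]; then   # ad reads IDs from AD; they must be in range
        echo "ad backend: each user's uidNumber/gidNumber must fall inside $range"
    fi
    [ "$offline" = yes ] || { echo "winbind offline logon is not enabled"; rc=1; }
    return $rc
}
```

Run it as `check_idmap SAMDOM < /etc/samba/smb.conf` to check a real member's configuration.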
Hi all!

On Monday, January 8th, 2024 at 08:23, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Sun, 7 Jan 2024 15:00:27 +0100
> Marco Gaiarin via samba samba at lists.samba.org wrote:
>
> > Hello! bd730c5053df9efb via samba wrote on that day...
> >
> > > idmap config smadom:schema_mode = rfc2307
> >
> > Sorry, but it is a bug of RFC2307:
> >
> > https://bugzilla.samba.org/show_bug.cgi?id=15405
>
> Sorry, but allowing for bug 14618, it works for myself.
>
> https://bugzilla.samba.org/show_bug.cgi?id=14618
>
> On a Unix domain member using the 'rid' backend, I get this:
>
> adminuser at testdm12:~$ getent passwd rowland
> rowland::11104:10513:Rowland Penny:/home/rowland:/bin/bash
>
> The user 'rowland' can logon, but if the user logs out and the network
> is disconnected, the user cannot logon until:
>
> A) the network is reconnected.
> B) 'lock directory = /var/cache/samba' is added to smb.conf and Samba
> is restarted.
> C) the user 'rowland' logs on at least once with the network connected.
>
> At this point, if the user logs out and the network is disconnected,
> the user can still logon.
>
> This to myself proves that offline logon works with the 'rid' backend.
>
> If I now change the 'rid' backend to the 'ad' backend:
>
> Change:
>
> idmap config SAMDOM : backend = rid
> idmap config SAMDOM : range = 10000-999999
>
> To:
>
> idmap config SAMDOM : backend = ad
> idmap config SAMDOM : range = 10000-999999
> idmap config SAMDOM : schema_mode = rfc2307
>
> Give rowland the uidNumber 10000 and Domain Users the gidNumber 10000
> and restart Samba on the Unix domain member:
>
> adminuser at testdm12:~$ sudo systemctl restart winbind smbd
> adminuser at testdm12:~$ sudo net cache flush
> adminuser at testdm12:~$ getent passwd rowland
> rowland::10000:10000:Rowland Penny:/home/rowland:/bin/bash
>
> When I then tried to log on as 'rowland', I was denied, but changing
> the ownership of /home/rowland cured this:
>
> adminuser at testdm12:~$ sudo chown 10000:10000 -R /home/rowland
>
> I could then log on.
>
> I logged out, disconnected the network and tried again, I logged in
> straight away.
>
> This looks like logging in using the 'ad' backend works as well.

I tried switching from the ad to the rid backend in my testing Debian environment and it works as I had expected from the beginning. I will try this in my production notebook using Slackware and report back.

> Rowland

Best regards,
Dave.