L.P.H. van Belle
2019-Jan-18 10:37 UTC
[Samba] Winbind, cached logons and 'user persistency'...
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via samba
> Sent: Friday 18 January 2019 11:00
> To: samba at lists.samba.org
> Subject: Re: [Samba] Winbind, cached logons and 'user persistency'...
>
> On Fri, 18 Jan 2019 10:41:10 +0100
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
> > Hi Marco,
> >
> > > -----Original message-----
> > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marco Gaiarin via samba
> > > Sent: Friday 18 January 2019 10:03
> > > To: samba at lists.samba.org
> > > Subject: Re: [Samba] Winbind, cached logons and 'user persistency'...
> > >
> > > Hi! L.P.H. van Belle via samba
> > > said, on that day...
> > >
> > > > Maybe the winbind cache time is set too low for this.
> > >
> > > OK. But this still looks strange/dangerous to me. Two 'open points':
> > >
> > > 1) it seems to me that there are many 'cache time' parameters:
> > >
> > > + idmap cache time, default 604800 (one week); seems related only
> > > to SID<->GID/UID queries, so unrelated here.
> > >
> > > + winbind cache time, default 300 (5 minutes); this seems to be the
> > > parameter I need to tackle.
> > >
> > > but... HOW does that cache work? Is there a 'negative' timeout also? Or
> > > does it simply cache data and use the cached data if all DCs are not available?
> >
> > Poe, this I don't know, I don't know all the code...
> > Rowland, do you know this?
> >
>
> No, I have never had to mess with this, but 'man smb.conf' says this:
>
> This parameter specifies the number of seconds the winbindd(8)
> daemon will cache user and group information before querying a
> Windows NT server again.
>
> It looks like you reduce the time to make the cache refresh more often
> and increase it to make the cache last longer. I would presume setting
> it to '0' would make winbind query the server without using the cache,
> but this is just a guess.
>
> Rowland
>

Maybe https://wiki.debian.org/LDAP/NSS is a better solution for the mailserver.

But personally, the mail server should have replied with a better NDR, like: 4.4.1 The recipient's server is not responding, or something like that.

If it was my server, I would fix the mail setup, not Samba.
I just can't tell much about exim, I prefer postfix.
But this link might help; it shows a lot, maybe it helps with reviewing the setup and adding improvements.
https://bitlair.nl/Projects/Mailserver_with_Debian,_Exim,_spamassassin,_greylistd,_DKIM,_SRS,_SPF,_DMARC,_forwarding,_LDAP,_dovecot,_LMTP,_disk_crypto

I've about the same, but in a postfix setup.

Greetz,

Louis
Marco Gaiarin
2019-Jan-25 15:32 UTC
[Samba] Winbind, cached logons and 'user persistency'...
Hi! L.P.H. van Belle via samba
said, on that day...

I come back to this thread, sorry.

> Maybe https://wiki.debian.org/LDAP/NSS is a better solution for the mailserver.

Probably better to use the LDAP info directly with native MTA tools too, skipping NSS altogether.

> But personally, the mail server should have replied with a better NDR.
> Like: 4.4.1 The recipient's server is not responding, or something like that.

Again... it is my configuration that replies generically; this is intended to prevent dictionary attacks against the SMTP server.

About 'winbind cache time' (default 5 minutes): it effectively seems to be the parameter to tackle, but one thing still does not seem clear to me: if I enable 'offline logons', I can have cached credentials.

But how does it make sense to have cached credentials if there's no cached user data (NSS)?

Strictly speaking, why does winbind cache ''PAM'' data and not ''NSS'' data (it seems to me)?

Thanks.

-- 
dott. Marco Gaiarin                                    GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
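The thread turns on which smb.conf parameters govern what winbind caches, and on which of them are actually set in a given configuration. The script below is an added example written for this page, not Samba's own code: it parses the [global] section of an smb.conf the way Samba reads parameter names (case- and whitespace-insensitive, '#' or ';' only at the start of a line as comments, later definitions winning) and reports the effective 'winbind cache time', 'idmap cache time' and 'winbind offline logon' values, using the defaults quoted in the thread (300 s and 604800 s) and Samba's documented default of 'winbind offline logon = no'. The sample configuration is constructed; 'include =' directives and '%' substitutions are not handled.

```python
"""Report the effective winbind cache settings from an smb.conf.

Added example for this thread (not Samba's code).  It reads the [global]
section the way Samba's parser does for these purposes: parameter names
are case-insensitive and whitespace-insensitive, '#' and ';' mark a
comment only at the start of a line, and a later definition overrides an
earlier one.  'include =' and '%' substitutions are not handled.
"""
import re

# Defaults quoted in the thread (winbind cache time 300 s, idmap cache
# time 604800 s); 'winbind offline logon = no' is Samba's documented default.
DEFAULTS = {
    "winbind cache time": "300",
    "idmap cache time": "604800",
    "winbind offline logon": "no",
}

# Boolean spellings Samba accepts for a parameter such as 'winbind offline logon'
_TRUE = {"yes", "true", "1", "on"}

# Constructed sample configuration (not a real site's smb.conf).
SAMPLE_SMB_CONF = """\
# constructed sample
[global]
   workgroup = EXAMPLE
   security = ADS
   Winbind Cache Time = 60
   winbind offline logon = yes
   idmap config * : backend = tdb

[homes]
   winbind cache time = 9999
"""


def _norm_key(key: str) -> str:
    # Samba ignores case and runs of whitespace in parameter names
    return re.sub(r"\s+", " ", key.strip().lower())


def parse_global(text: str) -> dict:
    """Return the [global] parameters as a {normalised name: value} dict."""
    params = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue                          # other sections do not affect winbind
        key, _, value = line.partition("=")
        params[_norm_key(key)] = value.strip()   # later definitions override
    return params


def effective_cache_settings(text: str) -> dict:
    """Merge the parsed [global] values with the defaults above."""
    params = parse_global(text)
    get = lambda name: params.get(name, DEFAULTS[name])
    return {
        "winbind cache time": int(get("winbind cache time")),
        "idmap cache time": int(get("idmap cache time")),
        "winbind offline logon": get("winbind offline logon").lower() in _TRUE,
    }


def review(text: str) -> list:
    """Findings relevant to the question raised in the thread."""
    s = effective_cache_settings(text)
    findings = []
    if s["winbind offline logon"]:
        findings.append(
            "offline logon enabled: credentials are cached for PAM, while NSS "
            f"user/group entries are refreshed after {s['winbind cache time']} s"
        )
    else:
        findings.append(
            "offline logon disabled: no credential caching, logons need a reachable DC"
        )
    return findings


if __name__ == "__main__":
    for name, value in effective_cache_settings(SAMPLE_SMB_CONF).items():
        print(f"{name} = {value}")
    for finding in review(SAMPLE_SMB_CONF):
        print("note:", finding)
```

Run it against a real file with `effective_cache_settings(open("/etc/samba/smb.conf").read())`; a 'winbind cache time' set outside [global] (as in the [homes] section of the sample) is deliberately ignored, since winbind only honours the global value.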
L.P.H. van Belle
2019-Jan-25 16:15 UTC
[Samba] Winbind, cached logons and 'user persistency'...
> I come back to this thread, sorry.

We do that lots of times, so no worry, no sorry ;-)

> > Maybe https://wiki.debian.org/LDAP/NSS is a better solution for the mailserver.
>
> Probably better to use the LDAP info directly with native MTA tools too,
> skipping NSS altogether.

Yes, but then if the LDAP server is down, you will notice problems and your good users' email addresses might get rejected then also. Make sure to test this.

> > But personally, the mail server should have replied with a better NDR.
> > Like: 4.4.1 The recipient's server is not responding, or something like that.
>
> Again... it is my configuration that replies generically; this is
> intended to prevent dictionary attacks against the SMTP server.

In Dutch.. Foei foei.. I don't know the Italian translation. In English.. shame shame.. ;-)
It is better not to change NDRs. There are much better ways to do this (previous link in previous mail).
Or: https://github.com/Exim/exim/wiki/MsExchangeAddressVerification
But again, I'm a postfix (ab)user.. :-) I don't do address verification, I block at the front.

> About 'winbind cache time' (default 5 minutes): it effectively seems to be the
> parameter to tackle, but one thing still does not seem clear to me:
> if I enable 'offline logons', I can have cached credentials.
>
> But how does it make sense to have cached credentials if there's no
> cached user data (NSS)?

It's not, but handy to have for ssh logins.

> Strictly speaking, why does winbind cache ''PAM'' data and not ''NSS'' data (it seems to me)?

Yes, that is questionable, that's why I suggested the LDAP solution.

> Thanks.

You're welcome.

Have a nice weekend.

Greetz,

Louis
Rowland Penny
2019-Jan-25 16:19 UTC
[Samba] Winbind, cached logons and 'user persistency'...
On Fri, 25 Jan 2019 16:32:56 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Hi! L.P.H. van Belle via samba
> said, on that day...
>
> I come back to this thread, sorry.
>
> > Maybe https://wiki.debian.org/LDAP/NSS is a better solution for
> > the mailserver.
>
> Probably better to use the LDAP info directly with native MTA tools too,
> skipping NSS altogether.
>
> > But personally, the mail server should have replied with a better
> > NDR. Like: 4.4.1 The recipient's server is not responding, or
> > something like that.
>
> Again... it is my configuration that replies generically; this is
> intended to prevent dictionary attacks against the SMTP server.
>
> About 'winbind cache time' (default 5 minutes): it effectively seems to be the
> parameter to tackle, but one thing still does not seem clear to
> me: if I enable 'offline logons', I can have cached credentials.
>
> But how does it make sense to have cached credentials if there's no
> cached user data (NSS)?
>
> Strictly speaking, why does winbind cache ''PAM'' data and not ''NSS'' data
> (it seems to me)?
>

The problem is (for myself anyway), I do not understand the difference between 'PAM' and 'NSS' data.

What does your exim mailserver expect to find? What data does it need?

Rowland