Rowland Penny
2019-Jan-25 16:19 UTC
[Samba] Winbind, cached logons and 'user persistency'...
On Fri, 25 Jan 2019 16:32:56 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Hi! L.P.H. van Belle via samba
>   On that day you wrote...
>
> I come back in this thread, sorry.
>
> > Maybe https://wiki.debian.org/LDAP/NSS is a better solution for
> > the mailserver.
>
> Probably better to use the LDAP info directly with native MTA tools also,
> skipping NSS at all.
>
> > But personally, the mail server should have replied with a better
> > NDR. Like: 4.4.1 The recipient's server is not responding, so
> > something like that.
>
> Again... it is my configuration that replies generically; this is
> intended to prevent dictionary attacks against the SMTP server.
>
> About 'winbind cache time' (default 5 minutes): it seems effectively the
> parameter to tackle, but still one thing does not seem clear to
> me: if I enable 'offline logons', I can have cached credentials.
>
> But how does it make sense to have cached credentials if there's no
> cached user data (NSS)?
>
> Strictly speaking, why does winbind cache ''PAM'' data and not ''NSS''
> data (as it seems to me)?

The problem is (for myself anyway), I do not understand the difference
between 'PAM' and 'NSS' data.

What does your exim mailserver expect to find? What data does it need?

Rowland
Marco Gaiarin
2019-Jan-28 11:52 UTC
[Samba] Winbind, cached logons and 'user persistency'...
Hi! Rowland Penny via samba
  On that day you wrote...

> > Strictly speaking, why does winbind cache ''PAM'' data and not ''NSS''
> > data (as it seems to me)?
> The problem is (for myself anyway), I do not understand the difference
> between 'PAM' and 'NSS' data.

'PAM' is the authorization scenario (e.g., «user X uses the correct
password»), while 'NSS' enables the system to 'see' the user (e.g., «user X
exists in the system»).

It makes really little sense to me to have an 'offline' system that can
answer the first question but not the second... also because if the user
is not known to the underlying system, there's no credential to check.

'nscd' does NSS offline caching, but if I remember well all the samba
experts here suggest not to use winbind and nscd together
(https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting
«You should also ensure that nscd is not installed, it will interfere
with winbind.»)

There's a more general approach, really offline (nss_updatedb,
https://www.padl.com/OSS/nss_updatedb.html) but it seems overkill here.

I think that, to be effective, winbind has to be some sort of 'NSS
cache', and it seems to me this is not.
'nscd' can provide a simple and effective NSS cache, but 'interferes with
winbind'.

Andrew (or other samba developers...), can you give some clue?

Thanks.

-- 
dott. Marco Gaiarin                                 GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

  Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
     (tax code 00307430132, category ONLUS or RICERCA SANITARIA)
Rowland Penny
2019-Jan-28 12:20 UTC
[Samba] Winbind, cached logons and 'user persistency'...
On Mon, 28 Jan 2019 12:52:45 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Hi! Rowland Penny via samba
>   On that day you wrote...
>
> > > Strictly speaking, why does winbind cache ''PAM'' data and not ''NSS''
> > > data (as it seems to me)?
> > The problem is (for myself anyway), I do not understand the
> > difference between 'PAM' and 'NSS' data.
>
> 'PAM' is the authorization scenario (e.g., «user X uses the correct
> password»), while 'NSS' enables the system to 'see' the user (e.g., «user X
> exists in the system»).

Now this is what I do not understand, my understanding is that 'PAM' is
used to find the correct authentication system and 'NSS' just connects to
that authentication system.

For instance, in /etc/pam.d/common-auth I have:

    auth [success=3 default=ignore] pam_krb5.so minimum_uid=10000
    auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
    auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass

And /etc/nsswitch.conf has these two lines:

    passwd: compat winbind
    group:  compat winbind

This is on my laptop and I have 'winbind offline logon = yes' set in
smb.conf.

If I go anywhere (away from the domain), I can still log into the laptop
as my domain user, read and save files etc. All files are saved as the
domain user and when I do re-connect to the domain, it is as if I haven't
been anywhere.

> It makes really little sense to me to have an 'offline' system that can
> answer the first question but not the second... also because if the user
> is not known to the underlying system, there's no credential to check.

You seem to be doing something wrong ;-)

> 'nscd' does NSS offline caching, but if I remember well all the samba
> experts here suggest not to use winbind and nscd together
> (https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting
> «You should also ensure that nscd is not installed, it will interfere
> with winbind.»)

Not entirely true that you cannot run nscd with winbind, you just have to
stop nscd caching everything that winbind does and by the time you do
that, there isn't much left.

> There's a more general approach, really offline (nss_updatedb,
> https://www.padl.com/OSS/nss_updatedb.html) but it seems overkill here.

Well, mainly because that will do what winbind is already doing.

> I think that, to be effective, winbind has to be some sort of 'NSS
> cache', and it seems to me this is not.
> 'nscd' can provide a simple and effective NSS cache, but 'interferes with
> winbind'.

I think the time has come to ask, what isn't working if you disconnect
from the domain, e.g. walk away with a laptop, also why is it not working,
what can it not find?

Rowland
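A small diagnostic script, added here and not part of the thread, that separates the questions the two posters are circling: which sources nsswitch.conf lists for passwd and group, whether NSS can resolve an account at all (getent), whether winbind itself knows the account when asked directly (wbinfo -i), and whether winbind currently sees a DC (wbinfo --ping-dc). It assumes glibc's getent and Samba's wbinfo; the user name and nsswitch.conf path are arguments.

```shell
#!/bin/sh
# Added diagnostic, not code from the thread. Separates three questions the
# discussion conflates: which sources nsswitch.conf lists, whether NSS can
# resolve an account, and whether winbind itself knows the account / sees a DC.
# Assumes glibc getent(1); the wbinfo(1) checks are skipped if Samba is absent.

# Print the source list for one NSS database (passwd or group), e.g.
# "compat winbind". Comment lines and unrelated databases are ignored.
nss_sources() {
    awk -v key="$2:" '/^#/ { next } $1 == key { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# 0 if the account resolves through NSS (files, winbind, ... as configured).
nss_user_known() {
    getent passwd "$1" >/dev/null 2>&1
}

# 0 if winbind itself can return user info for the account, bypassing NSS.
winbind_user_known() {
    command -v wbinfo >/dev/null 2>&1 && wbinfo -i "$1" >/dev/null 2>&1
}

# 0 if winbind can currently reach a domain controller.
winbind_online() {
    command -v wbinfo >/dev/null 2>&1 && wbinfo --ping-dc >/dev/null 2>&1
}

# Usage: diagnose USER [NSSWITCH_PATH]
diagnose() {
    user="$1"; conf="${2:-/etc/nsswitch.conf}"
    echo "passwd sources: $(nss_sources "$conf" passwd)"
    echo "group sources:  $(nss_sources "$conf" group)"
    if nss_user_known "$user"; then
        echo "NSS resolves '$user' (uid:gid $(getent passwd "$user" | cut -d: -f3,4))"
    elif winbind_user_known "$user"; then
        echo "winbind knows '$user' but NSS does not: check the nsswitch.conf sources above"
    else
        echo "'$user' is unknown to both NSS and winbind: PAM has nothing to authenticate"
    fi
    if winbind_online; then
        echo "winbind: DC reachable (online)"
    else
        echo "winbind: offline or not installed (cached logon path applies)"
    fi
}
```

Run as `diagnose DOMAIN\\user` (or with the separator your 'winbind separator' setting uses) both while joined and after disconnecting from the domain, and compare the NSS line: that tells you whether the missing piece is user lookup or credential checking.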