Rowland Penny
2019-Feb-26 08:49 UTC
[Samba] winbind causing huge timeouts/delays since 4.8
On Mon, 25 Feb 2019 16:14:53 -0800 Alexey A Nikitin <nikitin at amazon.com> wrote:
> Hi Rowland,
>
> On Friday, 22 February 2019 08:03:11 PST Rowland Penny via samba wrote:
> > You also shouldn't use winbind on the shadow line
>
> Perhaps a stupid question, but my google-fu doesn't seem to be good
> enough to find an answer myself: what is the exact expected mode of
> failure of including 'winbind' for 'shadow' in nsswitch.conf?
>
> I understand that Winbind doesn't implement the 'shadow' database, and
> I've also seen a reference somewhere in the docs to the 'wbinfo' tool
> failing if that line is there, but I personally haven't observed any
> (consistent) wbinfo failures. It also appears that the 'authconfig' tool
> in RHEL/CentOS puts 'winbind' in the 'shadow' line in nsswitch.conf if
> you pass the --enablewinbind flag to it. Is my understanding correct that
> that's a bug?

You don't need to add 'winbind' to the shadow line, mainly because it isn't needed and, as you have said, there have been reports of strange things happening in wbinfo if it is added. Just because Red Hat adds it doesn't mean it is required; they also add a lot of default lines to smb.conf.

Rowland
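An added example (not code from the thread or from Samba) that turns the advice above into a check and a fix: it parses a constructed nsswitch.conf, reports whether 'winbind' sits on the 'shadow' line, and emits a corrected copy that drops it from 'shadow' only while leaving 'passwd' and 'group' untouched, since those are the databases winbind does serve. The sample content is an assumption modelled on what the thread says authconfig --enablewinbind produces; on a real host you would feed /etc/nsswitch.conf instead.

```shell
#!/bin/sh
# Added example, not from the thread: detect and correct 'winbind' on the
# 'shadow' line of nsswitch.conf (winbind does not implement 'shadow').

# Constructed sample resembling what 'authconfig --enablewinbind' is said
# to produce on RHEL/CentOS; the exact content is an assumption.
SAMPLE_NSSWITCH='# /etc/nsswitch.conf (constructed sample)
passwd:     files winbind
shadow:     files winbind
group:      files winbind
hosts:      files dns
'

# winbind_on_shadow: read nsswitch.conf text on stdin; return 0 if the
# (non-comment) shadow line lists winbind, 1 otherwise.
winbind_on_shadow() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "shadow:" {
            for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1
        }
        END { exit(found ? 0 : 1) }
    '
}

# fix_shadow_line: read nsswitch.conf text on stdin; print it with winbind
# removed from the shadow line only. passwd and group keep winbind, which
# is where name and group lookups from the domain actually come from.
fix_shadow_line() {
    awk '
        $1 == "shadow:" && !/^[ \t]*#/ {
            out = $1
            for (i = 2; i <= NF; i++) if ($i != "winbind") out = out " " $i
            print out
            next
        }
        { print }
    '
}

# Usage on the constructed sample. On a real host:
#   winbind_on_shadow < /etc/nsswitch.conf && fix_shadow_line < /etc/nsswitch.conf
if printf '%s' "$SAMPLE_NSSWITCH" | winbind_on_shadow; then
    echo "winbind is listed on the shadow line; corrected configuration:"
    printf '%s' "$SAMPLE_NSSWITCH" | fix_shadow_line
else
    echo "shadow line does not list winbind"
fi
```

The check deliberately looks only at the first field so that 'winbind' on 'passwd' or 'group' never trips it; review the corrected output before writing it back, since this example does not touch the real file.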
Alexey A Nikitin
2019-Feb-26 18:10 UTC
[Samba] 'winbind' on the 'shadow' line in nsswitch.conf
On Tuesday, 26 February 2019 00:49:50 PST Rowland Penny via samba wrote:
> You don't need to add 'winbind' to the shadow line mainly because it
> isn't needed and as you have said, there have been reports of strange
> things happening in wbinfo if it is added.
>

I understand that I don't need to add 'winbind' to the 'shadow' line. I also understand that it would be a potential mistake too, since Winbind doesn't implement the 'shadow' database (according to the docs, anyway). The problem is, we already have several thousand machines in production with 'winbind' in the 'shadow' line, and they (mostly) appear to be working OK, except for about 2-4% that have intermittent failures of getpwnam() and/or authentication failures. Changing the configuration on those production machines is definitely possible, but I'm trying to understand what the exact risk of leaving existing machines as-is would be, and whether there may be any connection between those intermittent auth/getpwnam failures and this config option. Any insight into the system behavior with an unimplemented 'shadow' database in nsswitch.conf is appreciated.
Marco Gaiarin
2019-Feb-27 09:01 UTC
[Samba] 'winbind' on the 'shadow' line in nsswitch.conf
Hello! Alexey A Nikitin via samba wrote the other day:
> I understand that I don't need to add 'winbind' to the 'shadow' line. I also understand that it would be a potential mistake too, since Winbind doesn't implement the 'shadow' database (according to the docs, anyway). The problem is, we already have several thousand machines in production with 'winbind' in the 'shadow' line, and they (mostly) appear to be working OK, except for about 2-4% that have intermittent failures of getpwnam() and/or authentication failures. Changing the configuration on those production machines is definitely possible, but I'm trying to understand what the exact risk of leaving existing machines as-is would be, and whether there may be any connection between those intermittent auth/getpwnam failures and this config option. Any insight into the system behavior with an unimplemented 'shadow' database in nsswitch.conf is appreciated.

I feel I've hit this too, see my thread 'Winbind, cached logons and 'user persistency'...'.

Also for me, and absolutely randomly, I have the MTA (Exim) that seems to 'forget' users, as if getpwnam() returns nothing (or, anyway, bad data).

I've spotted this behaviour while rebooting DCs, but clearly not all at the same time, so there was always a DC reachable.

I've tried to debug this a bit, but with no success: any time I try to trigger this, it does not trigger. ;(

--
dott. Marco Gaiarin                    GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''    http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)