Hi list members,

My 2 cents in the sssd discussion.

I use Debian Bullseye with Louis' repo (samba 4.14). I have set up a DC and every user has an assigned uidNumber and gidNumber as I have some users that existed since even before Samba4 and I do not want to get into trouble with file ownerships.

Now I have recently re-set up the (Linux) desktops and laptops. My conclusion is that the only way to get everything working. Everything means: machine domain-membership, nss against samba, pam against samba and offline support, nfs-krb5 home-dirs with offline support.

I would have preferred to use winbind only, but winbind (nss) hangs when I pull the network plug and winbind-pam has an issue with account expiry. Q&A on this list did not help to get around both issues. In other words a winbind only setup works (for me) pretty well on desktops (the expiry issue does not occur frequently).

The config files for this:

# /etc/samba/smb.conf
[global]
        interfaces = lo
        bind interfaces only = yes
        netbios name = BACH
        security = ADS
        realm = COMPOSERS.LAN
        workgroup = COMPOSERS
        idmap config composers:backend = ad
        idmap config composers:schema_mode = rfc2307
        idmap config composers:unix_primary_group = yes
        idmap config composers:unix_nss_info = yes
        # this is intended
        idmap config composers:range = 1001-100000
        idmap config *:backend = tdb
        idmap config *:range = 1000000-1999999
        winbind nss info = rfc2307
        winbind cache time = 300
        winbind enum groups = no
        winbind enum users = no
        winbind expand groups = 10
        winbind normalize names = no
        winbind offline logon = yes
        lock directory = /var/cache/samba
        winbind refresh tickets = yes
        winbind scan trusted domains = no
        winbind use default domain = yes
        kerberos method = secrets and keytab
        kerberos encryption types = strong
        rpc server dynamic port range = 50000-55000
        ntlm auth = mschapv2-and-ntlmv2-only
        disable netbios = yes
        template homedir = /home/%U
        template shell = /bin/bash
        tls enabled = yes
        tls priority = NONE:+SECURE256:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
        tls cafile = /etc/ssl/certs/ca.pem

# /etc/nsswitch.conf
passwd:         files systemd winbind
group:          files systemd winbind
shadow:         files
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns mymachines
networks:       files

# /etc/security/pam_winbind.conf
[global]
warn_pwd_expire = 30

# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
cached_login = yes

# winbind will keep your Ticket Granting Ticket (TGT) up-to-date by
# refreshing it whenever necessary
# (needs "winbind refresh tickets = yes" in smb.conf)
krb5_auth = yes

# succeed only if the user is a member of the given SID or NAME
require_membership_of = S-1-5-21-4190054395-3630394414-2036191173-1118

Now to overcome the issues I mentioned, I started testing with a combination of sssd and winbind because sssd has its own issues. I found sssd not refreshing the machine tgt automatically and on Bullseye with sssd-ad it uses cldap which is not supported by samba (there are bugs for this on sssd (#5720) and debian (#991274) bugtrackers).

The only working configuration (for me) is winbind for the machine domain-membership and sssd-ldap+krb5 for nss and pam. This setup has working offline support and proper password expiry behavior because that works with sssd and it has proper machine-account management as that is where winbind works:

# /etc/samba/smb.conf (same as above, but different client)
[global]
        log level = 5
        interfaces = lo
        bind interfaces only = yes
        netbios name = HAYDN
        security = ADS
        realm = COMPOSERS.LAN
        workgroup = COMPOSERS
        idmap config composers:backend = ad
        idmap config composers:schema_mode = rfc2307
        idmap config composers:unix_primary_group = yes
        idmap config composers:unix_nss_info = yes
        idmap config composers:range = 1001-100000
        idmap config *:backend = tdb
        idmap config *:range = 1000000-1999999
        winbind nss info = rfc2307
        winbind cache time = 300
        winbind enum groups = no
        winbind enum users = no
        winbind expand groups = 10
        winbind normalize names = no
        winbind offline logon = yes
        lock directory = /var/cache/samba
        winbind refresh tickets = yes
        winbind scan trusted domains = no
        winbind use default domain = yes
        kerberos method = secrets and keytab
        kerberos encryption types = strong
        rpc server dynamic port range = 50000-55000
        ntlm auth = mschapv2-and-ntlmv2-only
        disable netbios = yes
        template homedir = /home/%U
        template shell = /bin/bash
        tls enabled = yes
        tls priority = -VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
        tls cafile = /etc/ssl/certs/ca.pem

# /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
domains = composers.lan
reconnection_retries = 3

[pam]
offline_credentials_expiration = 0

[domain/composers.lan]
cache_credentials = true
enumerate = true

id_provider = ldap
access_provider = ldap
auth_provider = krb5
chpass_provider = krb5
autofs_provider = none
sudo_provider = none
# Access for member of specified group(s)
access_provider = simple
# same as 'require_membership_of' in /etc/security/pam_winbind.conf above
simple_allow_groups = acl-desktops_linux-user_access
min_id = 1001
dyndns_update = false
auto_private_groups = false
use_fully_qualified_names = false
pwd_expiration_warning = 30

ldap_uri = ldaps://einaudi.composers.lan/
# 'ldap_tls_cipher_suite' and/or 'ldap_tls_cacert' make it fail, cannot use for now
# https://github.com/SSSD/sssd/issues/5444
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=979995
# ldap_tls_cipher_suite = !ALL:VERS-TLS1.2:VERS-TLS1.3
# ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_search_base = DC=composers,DC=lan
ldap_user_search_base = OU=User Accounts,OU=Client Users,OU=Users,DC=composers,DC=lan
ldap_access_order = expire
ldap_account_expire_policy = ad

ldap_force_upper_case_realm = true
ldap_referrals = false
ldap_id_mapping = false
ldap_schema = ad
ldap_group_nesting_level = 10

krb5_realm = COMPOSERS.LAN
krb5_server = 192.168.10.3
krb5_kpasswd = 192.168.10.3
krb5_store_password_if_offline = true
krb5_lifetime = 10h

fallback_homedir = /home/%u
default_shell = /bin/bash
skel_dir = /etc/skel

# /etc/nsswitch.conf
passwd:         files systemd sss
group:          files systemd sss
shadow:         files sss
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns mymachines
networks:       files

protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files

For now this latter setup has fewer critical issues than the first, while both are imperfect and the latter has a more complex setup. At least for now winbind only is not possible in my setup, not even with the help of this list. Draw your own conclusion...

- Kees.
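Two checks an admin would want to run over the files Kees posted, as an added example that is not part of the thread (the function names, the sample texts and the broken variant are mine): winbind's idmap ranges must not overlap, since an overlap lets one uid be handed to two different SIDs, which is exactly the file-ownership trouble the post is trying to avoid; and an ini section should not set a key twice, which the posted sssd.conf does with access_provider (ldap, then simple), so whichever value SSSD keeps, the other rule (either simple_allow_groups or ldap_access_order = expire) is silently not enforced.

```python
"""Offline sanity checks for the smb.conf / sssd.conf pair above.

Added example, not code from the thread. parse_ini() reads ini-style
config text; overlapping_ranges() checks that the winbind idmap ranges
are disjoint; duplicate_keys() lists keys set twice in one section.
All sample texts are constructed from the post's values.
"""
import re
from collections import defaultdict

_SECTION = re.compile(r"^\s*\[([^\]]+)\]\s*$")
_KEYVAL = re.compile(r"^\s*([^=#;][^=]*?)\s*=\s*(.*?)\s*$")


def parse_ini(text):
    """{section: [(key, value), ...]} in file order, duplicates kept.
    Keys are lower-cased with blank runs collapsed; text after '#' in a
    value is dropped so a stray inline comment cannot corrupt a value."""
    sections, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
            continue
        m = _KEYVAL.match(line)
        if m and current is not None:
            key = re.sub(r"\s+", " ", m.group(1).strip().lower())
            sections[current].append((key, m.group(2).split("#", 1)[0].strip()))
    return sections


def idmap_ranges(smb):
    """{domain: (low, high)} from every 'idmap config DOM:range' in [global]."""
    ranges = {}
    for key, val in smb.get("global", []):
        m = re.match(r"idmap config (.+):range$", key)
        if not m:
            continue
        nums = re.match(r"(\d+)\s*-\s*(\d+)$", val)
        if not nums:
            raise ValueError(f"bad idmap range for {m.group(1)!r}: {val!r}")
        ranges[m.group(1).strip()] = (int(nums.group(1)), int(nums.group(2)))
    return ranges


def overlapping_ranges(ranges):
    """Sorted [(dom_a, dom_b), ...] for every pair of ranges that intersect."""
    doms, clashes = sorted(ranges), []
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (lo_a, hi_a), (lo_b, hi_b) = ranges[a], ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:
                clashes.append((a, b))
    return clashes


def duplicate_keys(sections):
    """{section: [key, ...]} for keys that appear more than once."""
    dups = {}
    for name, pairs in sections.items():
        counts = defaultdict(int)
        for key, _ in pairs:
            counts[key] += 1
        repeated = sorted(k for k, n in counts.items() if n > 1)
        if repeated:
            dups[name] = repeated
    return dups


def findings(smb_text, sssd_text):
    """Run both checks; an empty list means clean."""
    smb, sssd, out = parse_ini(smb_text), parse_ini(sssd_text), []
    for a, b in overlapping_ranges(idmap_ranges(smb)):
        out.append(f"smb.conf: idmap ranges for {a!r} and {b!r} overlap")
    for fname, cfg in (("smb.conf", smb), ("sssd.conf", sssd)):
        for section, keys in duplicate_keys(cfg).items():
            out.append(f"{fname}: [{section}] sets {', '.join(keys)} more than once")
    return out


# Constructed from the post (only the lines the checks look at).
SMB_CONF = """\
[global]
        security = ADS
        idmap config composers:backend = ad
        idmap config composers:range = 1001-100000
        idmap config *:backend = tdb
        idmap config *:range = 1000000-1999999
"""
# Constructed broken variant: the default tdb range now starts inside the
# domain range, so a SID the ad backend cannot map could get a uid that
# already belongs to a COMPOSERS user.
BAD_SMB_CONF = SMB_CONF.replace("1000000-1999999", "50000-1999999")
SSSD_CONF = """\
[sssd]
domains = composers.lan

[domain/composers.lan]
id_provider = ldap
access_provider = ldap
auth_provider = krb5
access_provider = simple
simple_allow_groups = acl-desktops_linux-user_access
ldap_access_order = expire
"""

if __name__ == "__main__":
    for line in findings(BAD_SMB_CONF, SSSD_CONF):
        print(line)
```

Run as-is it reports on the constructed broken variant; feed findings() the contents of the real /etc/samba/smb.conf and /etc/sssd/sssd.conf to check a client before joining it.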
On 9/23/21 14:32, Kees van Vloten via samba wrote:
> Hi list members,
>
> My 2 cents in the sssd discussion.
> [...]
> Now to overcome the issues I mentioned, I started testing with a
> combination of sssd and winbind because sssd has its own issues. I found
> sssd not refreshing the machine tgt automatically and on Bullseye with
> sssd-ad it uses cldap which is not supported by samba (there are bugs
> for this on sssd (#5720) and debian (#991274) bugtrackers).

Add something like this to your /etc/crontab on the client:

00 12 * * 1 root msktutil --update --computer-name my-pc --verbose --server dc.samdom.com

> The only working configuration (for me) is winbind for the machine
> domain-membership and sssd-ldap+krb5 for nss and pam.
> [...]
> - Kees.
Hai Kees,

Small tip..

> # /etc/nsswitch.conf
> passwd:         files systemd sss
> group:          files systemd sss
> shadow:         files sss
> gshadow:        files
>
> hosts:          files mdns4_minimal [NOTFOUND=return] dns mymachines

Change hosts line..

> hosts:          files dns mdns4_minimal [NOTFOUND=return] mymachines

Helps with delays in resolving and reduces avahi (mDNS) lookups. ;-)

Plus, to reduce these "delays", /etc/resolv.conf .. man resolv.conf, look at the options timeout and attempts.

From what I'm seeing, I run the same as you, but only samba+winbind.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Kees van Vloten via samba
> Sent: Thursday, 23 September 2021 21:32
> To: samba at lists.samba.org
> Subject: [Samba] Winbind vs sssd both have issues
>
> Hi list members,
>
> My 2 cents in the sssd discussion.
> [...]
> I would have preferred to use winbind only, but winbind (nss) hangs when

See my comment.

> I pull the network plug and winbind-pam has an issue with account
> expiry. Q&A on this list did not help to get around both issues. In
> other words a winbind only setup works (for me) pretty well on desktops
> (the expiry issue does not occur frequently).
> [...]
> - Kees.
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
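To put numbers on Louis' resolv.conf hint, an added example of mine, not code from the thread: glibc's stub resolver waits `timeout` seconds per nameserver and walks the nameserver list `attempts` times, so when nothing answers a single lookup can block for roughly timeout * attempts * nameservers seconds, about 30 s with the defaults (5 s, 2 attempts, at most 3 servers); glibc rescales the per-server timeout for the second and third server, so treat the figure as an estimate rather than an exact bound. The script also reads the hosts line of nsswitch.conf and reports whether an mdns module sits in front of dns. One caveat on the reorder: mdns4_minimal only answers for names under .local and for link-local addresses, so moving it behind dns changes which resolver sees .local names first; it does not shorten the unicast DNS timeouts, which only the resolv.conf options control. The 192.168.10.4 and .5 nameservers and all file contents below are constructed.

```python
"""How long can a name lookup stall when the network is gone?

Added example, not code from the thread. parse_resolv_conf() applies the
defaults and caps documented in resolv.conf(5); estimated_worst_case_stall()
is the usual timeout * attempts * nameservers estimate; hosts_sources() and
mdns_before_dns() read the nsswitch.conf hosts line. Samples are constructed.
"""

DEFAULT_TIMEOUT = 5    # RES_TIMEOUT in glibc
DEFAULT_ATTEMPTS = 2   # RES_DFLRETRY in glibc
MAX_TIMEOUT = 30       # resolv.conf(5): larger values are capped
MAX_ATTEMPTS = 5
MAXNS = 3              # only the first three nameserver lines are used


def parse_resolv_conf(text):
    """Return (nameservers, timeout, attempts) as glibc would apply them."""
    nameservers, timeout, attempts = [], DEFAULT_TIMEOUT, DEFAULT_ATTEMPTS
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] == "nameserver" and len(words) > 1:
            nameservers.append(words[1])
        elif words[0] == "options":
            for opt in words[1:]:
                name, _, value = opt.partition(":")
                if name == "timeout" and value.isdigit():
                    timeout = min(int(value), MAX_TIMEOUT)
                elif name == "attempts" and value.isdigit():
                    attempts = min(int(value), MAX_ATTEMPTS)
    return nameservers[:MAXNS], timeout, attempts


def estimated_worst_case_stall(nameservers, timeout, attempts):
    """Seconds one lookup can block when no nameserver answers at all."""
    return timeout * attempts * len(nameservers)


def hosts_sources(nsswitch_text):
    """Ordered sources of the 'hosts:' line, each with its [action] suffix."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            sources = []
            for tok in line[len("hosts:"):].split():
                if tok.startswith("[") and sources:
                    sources[-1] += " " + tok
                else:
                    sources.append(tok)
            return sources
    return []


def mdns_before_dns(sources):
    """True when an mdns module is consulted before dns on the hosts line."""
    names = [s.split()[0] for s in sources]
    cutoff = names.index("dns") if "dns" in names else len(names)
    return any(n.startswith("mdns") for n in names[:cutoff])


def report(resolv_text, nsswitch_text):
    """Summarise both files in one dict."""
    ns, timeout, attempts = parse_resolv_conf(resolv_text)
    sources = hosts_sources(nsswitch_text)
    return {
        "nameservers": ns,
        "timeout": timeout,
        "attempts": attempts,
        "worst_case_seconds": estimated_worst_case_stall(ns, timeout, attempts),
        "hosts": sources,
        "mdns_before_dns": mdns_before_dns(sources),
    }


# Constructed samples: Kees' hosts line, Louis' reordered one, and a
# resolv.conf with distro defaults versus tightened options.
HOSTS_ORIGINAL = "hosts:  files mdns4_minimal [NOTFOUND=return] dns mymachines\n"
HOSTS_TIP = "hosts:  files dns mdns4_minimal [NOTFOUND=return] mymachines\n"
RESOLV_DEFAULT = ("search composers.lan\nnameserver 192.168.10.3\n"
                  "nameserver 192.168.10.4\nnameserver 192.168.10.5\n")
RESOLV_TIGHT = RESOLV_DEFAULT + "options timeout:1 attempts:1 rotate\n"

if __name__ == "__main__":
    for label, resolv, hosts in (("default", RESOLV_DEFAULT, HOSTS_ORIGINAL),
                                 ("tightened", RESOLV_TIGHT, HOSTS_TIP)):
        print(label, report(resolv, hosts))
```

Point report() at the real /etc/resolv.conf and /etc/nsswitch.conf to see what a laptop with its cable pulled is actually waiting on; a 30-second worst case per lookup is long enough to look like a hung winbind.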