Markus Dellermann
2023-Jun-26 18:55 UTC
[Samba] PAM Offline Authentication in Ubuntu 22.04
Hi Marco, Rowland, Kees, and all others...

On Monday, 26 June 2023, 20:12:26 CEST, Rowland Penny via samba wrote:
> On 26/06/2023 18:20, Kees van Vloten via samba wrote:
> > I am quite convinced it is not a DNS issue, although those lookups
> > obviously fail when you pull the network plug (I guess installing
> > something like dnsmasq can prevent that). The issue is in the nss
> > lookups of users and groups: getent passwd <user> or getent passwd
> > <group>, which implies something in winbind-nss.
> > I have been using the "lock directory" parameter on my Debian (Bullseye)
> > machines since nearly forever and added the "winbind request timeout"
> > recently (after the discussion here), which probably help to reduce the
> > effects but do not solve the issue.
>
> The problem for me is that I struggle to get the symptoms that Marco does.
> I have Ubuntu 22.04 running in a VM, it is set up as a Unix domain
> member, using the 'rid' idmap backend.
>
> It works as expected, if I disconnect the network, sometimes it starts
> running slow, but only sometimes, other times you cannot tell the
> difference.
>
> Now you could be correct about the dns, and I am now beginning to think
> that Marco's problem has nothing to do with Samba, there is something
> not set up correctly in the OS, but what, I do not know.
>
> Has anyone got any suggestions that Marco can try ?
>
> Rowland

Marco, you are using the ad-Backend, right?

Have you tried with rid-backend or at least
"idmap config LNFFVG : unix_nss_info = no"
in smb.conf ?
Some time ago I had "this" problem with some openSUSE based clients.
If I remember correctly, behavior was better after changing smb.conf to rid-backend.

To update to 4.18 could also be a good idea, because there are some changes which should help..

Good Luck!
(sorry, for bad english)

Markus
On 26/06/2023 19:55, Markus Dellermann via samba wrote:
> Hi Marco, Rowland, Kees, and all others...
>
> On Monday, 26 June 2023, 20:12:26 CEST, Rowland Penny via samba wrote:
>> On 26/06/2023 18:20, Kees van Vloten via samba wrote:
>>> I am quite convinced it is not a DNS issue, although those lookups
>>> obviously fail when you pull the network plug (I guess installing
>>> something like dnsmasq can prevent that). The issue is in the nss
>>> lookups of users and groups: getent passwd <user> or getent passwd
>>> <group>, which implies something in winbind-nss.
>>> I have been using the "lock directory" parameter on my Debian (Bullseye)
>>> machines since nearly forever and added the "winbind request timeout"
>>> recently (after the discussion here), which probably help to reduce the
>>> effects but do not solve the issue.
>>
>> The problem for me is that I struggle to get the symptoms that Marco does.
>> I have Ubuntu 22.04 running in a VM, it is set up as a Unix domain
>> member, using the 'rid' idmap backend.
>>
>> It works as expected, if I disconnect the network, sometimes it starts
>> running slow, but only sometimes, other times you cannot tell the
>> difference.
>>
>> Now you could be correct about the dns, and I am now beginning to think
>> that Marco's problem has nothing to do with Samba, there is something
>> not set up correctly in the OS, but what, I do not know.
>>
>> Has anyone got any suggestions that Marco can try ?
>>
>> Rowland
>
> Marco, you are using the ad-Backend, right?
>
> Have you tried with rid-backend or at least
> "idmap config LNFFVG : unix_nss_info = no"
> in smb.conf ?
> Some time ago I had "this" problem with some openSUSE based clients.
> If I remember correctly, behavior was better after changing smb.conf to
> rid-backend.
>
> To update to 4.18 could also be a good idea, because there are some changes
> which should help..
>
> Good Luck!
> (sorry, for bad english)
>
> Markus

Test number ?? No idea, lost track LOL

I added a number of users to my AD with rfc2307 attributes, I also added a similar number of groups with gidNumber attributes.

I then modified the smb.conf on the Ubuntu machine to use these users and rebooted (with the network connected) and logged on as one of the new users. So far so good.

Now disconnected the network and everything went extremely slow, so slow in fact that I had time to go and make myself a coffee in the time between trying to log out and the box popping up asking if I really wanted to log out, we are talking minutes here, not seconds.

Changing 'unix_nss_info = yes' to 'unix_nss_info = no' speeded things up dramatically.

What I think is happening is this (from my understanding of the relevant code): if 'unix_nss_info = yes' is set, winbind tries to get the user's homedir, shell and full name and there is a pause involved with each one, of course I could be wrong. Using 'unix_nss_info = no' means that winbind falls back to the templates and these will be much faster.

Is this a bug ? No idea, but if it is, I have no idea how to fix it.

I would suggest either using the 'rid' idmap backend (which, provided you use the same 'idmap config' lines on all Samba domain members, will get you the same IDs on all Unix domain members), or use the 'ad' idmap backend with 'unix_nss_info = no' and set the 'template' lines as required.

Rowland
Hello! Markus Dellermann via samba
  On that day it was said...

> Marco, you are using the ad-Backend, right?

Yes, rfc2307.

> Have you tried with rid-backend or at least

No, I cannot try RID, or at least I'll need to set up a different test domain...

> "idmap config LNFFVG : unix_nss_info = no" in smb.conf ?

Tried, but nothing changed. My current [global] section is:

[global]
	disable spoolss = Yes
	load printers = No
	lock directory = /var/cache/samba
	log file = /var/log/samba/log.%m
	map to guest = Bad User
	panic action = /usr/share/samba/panic-action %d
	printcap name = /dev/null
	realm = AD.FVG.LNF.IT
	security = ADS
	syslog = 0
	template homedir = /home/%U
	template shell = /bin/bash
	username map = /etc/samba/user.map
	usershare max shares = 0
	winbind offline logon = Yes
	winbind request timeout = 5
	winbind use default domain = Yes
	workgroup = LNFFVG
	idmap config lnffvg : unix_primary_group = yes
	idmap config lnffvg : unix_nss_info = no
	idmap config lnffvg : schema_mode = rfc2307
	idmap config lnffvg : range = 10000-49999
	idmap config lnffvg : backend = ad
	idmap config * : range = 5000-9999
	idmap config * : backend = tdb
	printing = bsd

> To update to 4.18 could also be a good idea, because there are some changes
> which should help..

Samba version 4.18.3+dfsg-1.

Thanks...

--
  ...buffoons who live off feeble verses,
  you will have money and glory, but you have no grit; (F. Guccini)
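
An added example, not part of any message in this thread: a small Python check that reads a [global] section and reports where a domain's settings depart from the two setups Rowland suggests (rid, or ad with unix_nss_info = no plus template lines). The function names are this example's own, and POSTED is a subset of the section posted above.

```python
import re

TRUE = {"yes", "true", "on", "1"}  # smb.conf boolean spellings for "enabled"
# Excerpt of the [global] section posted in the thread above.
POSTED = """[global]
    template homedir = /home/%U
    template shell = /bin/bash
    winbind offline logon = Yes
    idmap config lnffvg : unix_nss_info = no
    idmap config lnffvg : backend = ad
"""

def parse_global(text):
    """Return (params, idmap) for [global]; names are folded to lower case."""
    params, idmap, section = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            key = " ".join(key.lower().split())
            # "idmap config DOMAIN : option" carries a per-domain setting
            m = re.fullmatch(r"idmap config (\S+) ?: ?(\S+)", key)
            if m:
                idmap.setdefault(m.group(1), {})[m.group(2)] = value.lower()
            else:
                params[key] = value
    return params, idmap

def audit(text, domain):
    """Findings for `domain` measured against the two setups Rowland suggests."""
    params, idmap = parse_global(text)
    cfg = idmap.get(domain.lower(), {})
    backend = cfg.get("backend", "unset")
    out = []
    if params.get("winbind offline logon", "no").lower() not in TRUE:
        out.append("winbind offline logon not enabled")
    if backend == "ad":
        if cfg.get("unix_nss_info", "no") in TRUE:
            out.append("ad backend with unix_nss_info enabled")
        out += [f"{t} not set" for t in ("template homedir", "template shell")
                if t not in params]
    elif backend != "rid":
        out.append(f"idmap backend is {backend}, not rid or ad")
    return out

if __name__ == "__main__":
    print(audit(POSTED, "LNFFVG"))
```

An empty result for the posted section matches Marco's report that his configuration already follows the suggestion.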