I can confirm that on Slackware too, if I use rid as the backend for the AD domain, winbind works offline and the system doesn't slow to a crawl for every process I try to start. Maybe, if the ad backend used to work, as stated previously in the thread, it could be fixed, since the rid backend has some drawbacks and the ad backend has some reasons to be the preferred option; but at least for now it is possible for me to use the rid backend until (and if) the ad backend is fixed to allow offline logon to work again. FWIW I'm using Samba 4.18.9 in Slackware and 4.17.12-Debian in Debian.

Thanks!

Best regards,
Dave.

On Wednesday, January 10th, 2024 at 07:26, bd730c5053df9efb via samba <samba at lists.samba.org> wrote:

> Hi all!
>
> On Monday, January 8th, 2024 at 08:23, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> > On Sun, 7 Jan 2024 15:00:27 +0100
> > Marco Gaiarin via samba <samba at lists.samba.org> wrote:
> >
> > > Hi! On that day bd730c5053df9efb via samba wrote...
> > >
> > > > idmap config smadom:schema_mode = rfc2307
> > >
> > > Sorry, but it is a bug of RFC2307:
> > >
> > > https://bugzilla.samba.org/show_bug.cgi?id=15405
> >
> > Sorry, but allowing for bug 14618, it works for myself.
> >
> > https://bugzilla.samba.org/show_bug.cgi?id=14618
> >
> > On a Unix domain member using the 'rid' backend, I get this:
> >
> > adminuser at testdm12:~$ getent passwd rowland
> > rowland::11104:10513:Rowland Penny:/home/rowland:/bin/bash
> >
> > The user 'rowland' can logon, but if the user logs out and the network
> > is disconnected, the user cannot logon until:
> >
> > A) the network is reconnected.
> > B) 'lock directory = /var/cache/samba' is added to smb.conf and Samba
> >    is restarted.
> > C) the user 'rowland' logs on at least once with the network connected.
> >
> > At this point, if the user logs out and the network is disconnected,
> > the user can still logon.
> >
> > This to myself proves that offline logon works with the 'rid' backend.
> >
> > If I now change the 'rid' backend to the 'ad' backend:
> >
> > Change:
> >
> > idmap config SAMDOM : backend = rid
> > idmap config SAMDOM : range = 10000-999999
> >
> > To:
> >
> > idmap config SAMDOM : backend = ad
> > idmap config SAMDOM : range = 10000-999999
> > idmap config SAMDOM : schema_mode = rfc2307
> >
> > Give rowland the uidNumber 10000 and Domain Users the gidNumber 10000
> > and restart Samba on the Unix domain member:
> >
> > adminuser at testdm12:~$ sudo systemctl restart winbind smbd
> > adminuser at testdm12:~$ sudo net cache flush
> > adminuser at testdm12:~$ getent passwd rowland
> > rowland::10000:10000:Rowland Penny:/home/rowland:/bin/bash
> >
> > When I then tried to log on as 'rowland', I was denied, but changing
> > the ownership of /home/rowland cured this:
> >
> > adminuser at testdm12:~$ sudo chown 10000:10000 -R /home/rowland
> >
> > I could then log on.
> >
> > I logged out, disconnected the network and tried again; I logged in
> > straight away.
> >
> > This looks like logging in using the 'ad' backend works as well.
>
> I tried switching from the ad to the rid backend in my testing Debian
> environment and it works as I expected from the beginning. I will try
> this on my production notebook using Slackware and report back.
>
> > Rowland
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
>
> Best regards,
> Dave.
On Wed, 10 Jan 2024 14:52:12 +0000
bd730c5053df9efb via samba <samba at lists.samba.org> wrote:

> I can confirm that on Slackware too, if I use rid as the backend for
> the AD domain, winbind works offline and the system doesn't slow to a
> crawl for every process I try to start.

The 'problem' (if it is a problem) with using the 'ad' backend is that everything has to be pulled from AD; it is my understanding that user information is only cached at login.

> Maybe, if the ad backend used to work, as stated previously in the
> thread, it could be fixed, since the rid backend has some drawbacks and
> the ad backend has some reasons to be the preferred option; but at
> least for now it is possible for me to use the rid backend until (and
> if) the ad backend is fixed to allow offline logon to work again. FWIW
> I'm using Samba 4.18.9 in Slackware and 4.17.12-Debian in Debian.

What are the drawbacks of using the 'rid' backend that you see?

AD, whilst it has all the rfc2307 attributes, only really uses a very small portion of them:

uidNumber
gidNumber
gecos
uid
loginShell
unixHomeDirectory

If I run 'getent passwd rowland' on a Unix domain member using the 'rid' idmap backend, I get this:

rowland:*:11104:10513:Rowland Penny:/home/rowland:/bin/bash

Which would seem to be:

username:??:UID:GID:?????:Home Directory:login shell

The '??' is, I believe, meant for the 'shadow' field. The '?????' is the gecos field, but 'rowland' doesn't have a 'gecos' attribute, so winbind must be filling in this field from either a combination of the givenName and sn attributes, or the displayName attribute; all three are in AD.

I cannot see any drawbacks there, which just leaves us with the user home directory and login shell. If you use the 'ad' backend, then you can set individual paths for home directories and shells, but what does this really give you, and couldn't you live without this facility?

The only real thing that using the rfc2307 attributes gives you is that your users & groups will have the same IDs everywhere in Unix land. However, do you really need this? I thought you did, but testing proved otherwise.

The following presumes that no rfc2307 attributes are used:

If I have a share on a DC (yes, I know you shouldn't, but this is theoretical) and my user 'rowland' saves a document to that share, it will end up belonging to a numeric ID in the '3000000' range. If 'rowland' creates another document in a share on a Unix domain member that uses the 'rid' backend, with the DOMAIN low range starting at '10000', the document will end up belonging to a numeric ID such as '11104'.

If you run 'ls' on both machines, the shares will be shown to belong to 'rowland': different machines, different IDs, but the same username. If you then copy one document from one share to another, it will show as belonging to 'rowland' on the new machine.

So I ask again, what are the drawbacks with using the 'rid' backend?

Rowland
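As an added illustration that is not part of the thread: the arithmetic idmap_rid applies (Unix ID = RID - base_rid + low end of the configured range) reproduces the IDs quoted above from Rowland's smb.conf block, and shows why a RID that would land outside the range cannot be mapped at all. The domain SID is constructed, and the RIDs 1104 and 513 are derived from the quoted IDs 11104 and 10513 (513 being the well-known RID of Domain Users).

```python
import re
from dataclasses import dataclass

# Constructed domain SID (not from the thread): idmap_rid only looks at
# the final RID component, so the three sub-authority values are arbitrary.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# The 'rid' block Rowland quotes; base_rid is the documented idmap_rid
# option (default 0) and is honoured here if present.
SMBCONF_RID = """
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999
"""


@dataclass(frozen=True)
class RidIdmap:
    low: int
    high: int
    base_rid: int = 0

    @classmethod
    def from_smbconf(cls, text, domain):
        """Pick up 'idmap config DOMAIN : key = value' lines for one domain."""
        pat = rf"^\s*idmap config {re.escape(domain)}\s*:\s*(\w+)\s*=\s*(.+?)\s*$"
        opts = {m.group(1).lower(): m.group(2)
                for m in re.finditer(pat, text, re.IGNORECASE | re.MULTILINE)}
        if opts.get("backend", "").lower() != "rid":
            raise ValueError(f"{domain}: idmap backend is not 'rid'")
        low, high = (int(x) for x in opts["range"].split("-"))
        return cls(low, high, int(opts.get("base_rid", 0)))

    def sid_to_id(self, sid):
        """ID = RID - base_rid + low; None if the result leaves the range
        (winbind then refuses to map the SID rather than pick some ID)."""
        rid = int(sid.rsplit("-", 1)[1])
        unix_id = rid - self.base_rid + self.low
        return unix_id if self.low <= unix_id <= self.high else None

    def id_to_rid(self, unix_id):
        """Reverse mapping, e.g. 11104 -> RID 1104 with the range above."""
        if not self.low <= unix_id <= self.high:
            return None
        return unix_id - self.low + self.base_rid


def parse_passwd_line(line):
    """Split a getent passwd line into the seven fields Rowland labels."""
    name, shadow, uid, gid, gecos, home, shell = line.strip().split(":")
    return {"user": name, "shadow": shadow, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell}
```

Because the mapping is pure arithmetic on the SID, two domain members with the same range agree on every ID without contacting AD, which is also why the cached entries survive a network disconnect.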