Marco Gaiarin
2024-Nov-29 17:04 UTC
[Samba] pam_winbind Appears to need a Network Connection to Succeed at Offline Authentication
Hello! John R. Graham via samba
  On that day you wrote...

> When I put winbindd in offline mode,

RFC2307? A known bug:

  https://bugzilla.samba.org/show_bug.cgi?id=15405

--
Kees van Vloten
2024-Nov-30 21:06 UTC
[Samba] pam_winbind Appears to need a Network Connection to Succeed at Offline Authentication
On 29-11-2024 at 18:04, Marco Gaiarin via samba wrote:
> Hello! John R. Graham via samba
>   On that day you wrote...
>
>> When I put winbindd in offline mode,
> RFC2307? A known bug:
>
>   https://bugzilla.samba.org/show_bug.cgi?id=15405

I have figured out a workaround for this.

The bug in winbind is that it fails to look up users and groups when offline in rfc2307 mode (= smb.conf: idmap config <domain>:backend = ad).

A working option is to use just pam_winbind but take the nss services of sssd instead of nss_winbind:

* Install (on Debian): sssd-dbus, sssd-ldap, sssd-tools, libnss-sss
* Set /etc/nsswitch.conf passwd and group to "files systemd sss"
* In /etc/samba/smb.conf set the nss backend to "idmap config <domain>:backend = nss" and add "sync machine password script /usr/local/sbin/machinepw_update" (the latter requires Samba 4.21)
* Configure sssd:

  [sssd]
  config_file_version = 2
  services = nss,ifp
  domains = <dns-domain>
  debug_level = 4
  reconnection_retries = 3

  [domain/<dns-domain>]
  cache_credentials = true
  enumerate = true
  id_provider = ldap
  access_provider = ldap
  min_id = 1000
  dns_discovery_domain = <dns-domain>
  ldap_default_bind_dn = <ldap-machine-dn>
  # machine password:
  ldap_default_authtok = <machine-password>
  ldap_search_base = <ldap-base-dn>
  ldap_user_search_base = <ldap-users-base-dn>
  ldap_access_order = expire
  ldap_account_expire_policy = ad
  ldap_force_upper_case_realm = true
  ldap_referrals = false
  ldap_id_mapping = false
  ldap_schema = ad
  ldap_group_nesting_level = 10
  fallback_homedir = /home/%u
  default_shell = /bin/bash
  #skel_dir = /etc/skel

Download:

  wget -O /usr/local/sbin/accountmachinepw https://gitlab.com/samba-team/samba/raw/v4-21-stable/source4/scripting/bin/machineaccountpw

In "/usr/local/sbin/machinepw_update" put something like:

  #!/bin/bash
  PW="$(/usr/local/sbin/accountmachinepw)"
  # escape the characters sed treats specially in replacement text (/, & and \),
  # since a machine password can contain any of them
  PW_ESC="$(printf '%s' "$PW" | sed -e 's|[/&\\]|\\&|g')"
  # -i, not -ie: the latter would leave a backup "sssd.confe" holding the old password
  sed -i "s/^ldap_default_authtok = .*/ldap_default_authtok = ${PW_ESC}/" /etc/sssd/sssd.conf
  systemctl restart sssd

Do not forget to make both scripts executable:

  chmod 750 /usr/local/sbin/machinepw_update /usr/local/sbin/accountmachinepw

Although I would prefer to have Samba bug 15405 fixed and use nss_winbind as well, this pragmatic approach with sssd works for now. It has been running on my laptop for some time and it seems to work fine.

- Kees.
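The rewrite step of the sync script above is the part that deserves care: the machine password lands in clear text in sssd.conf, which sssd insists is root-owned and mode 0600, and the password is random enough to contain characters that a naive sed replacement misreads. The function below is an added example written for this thread, not Kees's script and not part of Samba or sssd; the function name set_authtok, its return codes and the temp-file naming are this example's own choices, and it assumes the "ldap_default_authtok = ..." line is present exactly once. It passes the password to awk through the environment so no pattern or -v escaping is involved, writes through a 0600 temp file in the same directory so the swap is atomic, refuses to touch a file that does not have exactly one authtok line, and reports whether anything actually changed so the caller can skip a needless sssd restart.

```shell
#!/bin/bash
# Added example (not the original poster's script): replace the machine password in an
# sssd.conf-style file safely. Assumed names: set_authtok, the .sssd.conf.XXXXXX temp
# file pattern and the return codes 0 (changed) / 1 (unchanged) / 2 (refused).
set -euo pipefail

# set_authtok CONF PASSWORD
set_authtok() {
    local conf="$1" pw="$2" tmp n

    # Refuse to edit unless exactly one ldap_default_authtok line exists; writing a
    # second one or none at all would silently break the LDAP bind.
    n=$(grep -c '^ldap_default_authtok[[:space:]]*=' "$conf" 2>/dev/null || true)
    n=${n:-0}
    if [ "$n" -ne 1 ]; then
        echo "set_authtok: expected exactly one ldap_default_authtok line in $conf, found $n" >&2
        return 2
    fi

    # Already current: tell the caller so it does not restart sssd for nothing.
    if grep -qxF "ldap_default_authtok = $pw" "$conf"; then
        return 1
    fi

    # Temp file in the same directory (so mv is an atomic rename) with mode 0600,
    # because sssd requires sssd.conf to be root-only and the password is in clear.
    tmp=$(mktemp "$(dirname "$conf")/.sssd.conf.XXXXXX")
    chmod 0600 "$tmp"

    # Hand the password over via the environment: awk -v would interpret backslash
    # escapes, and a sed replacement would interpret &, \ and the delimiter.
    PW="$pw" awk '
        /^ldap_default_authtok[[:space:]]*=/ { print "ldap_default_authtok = " ENVIRON["PW"]; next }
        { print }
    ' "$conf" > "$tmp"

    mv -f "$tmp" "$conf"
    return 0
}
```

From a sync machine password script the call would be `set_authtok /etc/sssd/sssd.conf "$(/usr/local/sbin/accountmachinepw)" && systemctl restart sssd`: the restart runs only when the file really changed, and a refused edit (return 2) leaves the previous, still-valid configuration untouched.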
John R. Graham
2024-Dec-01 13:05 UTC
[Samba] pam_winbind Appears to need a Network Connection to Succeed at Offline Authentication
On 11/29/24 12:04, Marco Gaiarin via samba wrote:
> Hello! John R. Graham via samba
>   On that day you wrote...
>
>> When I put winbindd in offline mode,
> RFC2307? A known bug:
>
>   https://bugzilla.samba.org/show_bug.cgi?id=15405

Hi, Marco.

Yes, RFC2307. Your work-around (rid idmap back end) works for me, too! Offline login is now functional. Currently this is only a minor inconvenience for me because the templated shell and home directory values correspond to what I'm actually using on my Linux domain members.