John R. Graham
2024-Dec-01 14:15 UTC
[Samba] pam_winbind Appears to need a Network Connection to Succeed at Offline Authentication
On 11/30/24 16:06, Kees van Vloten via samba wrote:
> Although I would prefer to have Samba bug 15045 fixed and use
> nss_winbind as well, this pragmatic approach with sssd works for now.
> It has been running on my laptop for some time and it seems to work fine.

I also like the idea of the ad back end and nss_winbind because it's a better "single source of truth"--and I don't like the templated /etc/passwd fields. Was that your goal with the work-around? To not have those restrictions?
Rowland Penny
2024-Dec-01 14:42 UTC
[Samba] pam_winbind Appears to need a Network Connection to Succeed at Offline Authentication
On Sun, 1 Dec 2024 09:15:27 -0500 "John R. Graham via samba" <samba at lists.samba.org> wrote:
> On 11/30/24 16:06, Kees van Vloten via samba wrote:
> > Although I would prefer to have Samba bug 15045 fixed and use
> > nss_winbind as well, this pragmatic approach with sssd works for
> > now. It has been running on my laptop for some time and it seems to
> > work fine.
>
> I also like the idea of the ad back end and nss_winbind because it's
> a better "single source of truth"--and I don't like the templated
> /etc/passwd fields. Was that your goal with the work-around? To not
> have those restrictions?

I used to think that way, but once I realised that if I used the same 'idmap config' lines on all Unix domain members, I would always get the same Unix IDs, then I thought differently.

The 'single source of truth' isn't rfc2307, it is the account's RID, and the 'rid' idmap backend calculates the Unix ID from the RID and the DOMAIN low range set in the smb.conf file:

    ID = RID + low_range

So, if the low_range is set to '10000', the Domain Users group will always get the Unix ID '10513' and so on:

    10513 = 513 + 10000

Coming to the user's shell and home directory, these are always relative to the Unix domain member; they are not mounted from another computer (NOTE: the Windows home directory is not the same as a Unix home directory). From this, I hope you can see that it doesn't matter what home directory or shell you set in AD (by setting the 'unixHomeDirectory' & 'loginShell' attributes), you can get virtually the same results by setting 'template homedir' and 'template shell' in the smb.conf file. The only real difference is that setting them in the smb.conf file means that every user gets the same, but is this really a problem?

Rowland
Kees van Vloten
2024-Dec-01 14:53 UTC
[Samba] pam_winbind Appears to need a Network Connection to Succeed at Offline Authentication
On 01-12-2024 at 15:15, John R. Graham via samba wrote:
> On 11/30/24 16:06, Kees van Vloten via samba wrote:
>> Although I would prefer to have Samba bug 15045 fixed and use
>> nss_winbind as well, this pragmatic approach with sssd works for now.
>> It has been running on my laptop for some time and it seems to work
>> fine.
>>
> I also like the idea of the ad back end and nss_winbind because it's a
> better "single source of truth"--and I don't like the templated
> /etc/passwd fields. Was that your goal with the work-around? To not
> have those restrictions?

A user in Posix-land is defined by its UID and GID. Ownership of files is defined by those same IDs. If you use rfc2307, you manage these two IDs manually per user in the LDAP attributes uidNumber and gidNumber. The reason for this is usually to keep the IDs constant everywhere and/or unchanged since the user was defined long ago, so its files, wherever they are, are still owned by that user.

Autorid or Rid are fine when rfc2307 is not used (i.e. no legacy users and files) and the configuration across all machines is identical. Or if accessing files from other machines is over smb and ssh only (then these will do the UID/GID translations); with nfs, tars, etc. you might have issues with file ownerships.

In my rfc2307 setup, the **single source of truth are the UID and GID defined in the uidNumber and gidNumber** attributes in LDAP on the DCs. I want those to be constant across all machines. Rid and autorid do not deliver this and hence are not a good solution. nss_winbind (offline support) is broken, hence it is a solution for always-connected desktops (which I do use on these). Then nss-sssd delivers rfc2307 nss and it has a working offline mode. Therefore on laptops the setup uses winbind to take care of the offline Kerberos functionality and nss-sssd for offline rfc2307 UID/GIDs. Problem solved :-)

Indeed not as simple as can be; that will come when bug 15045 is fixed.

- Kees
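The two points made above, Rowland's "ID = RID + low_range" rule for the 'rid' idmap backend and Kees's warning that the resulting numeric IDs only agree across hosts when the 'idmap config' range is identical, as an added worked example. This is not code from Samba or from either poster: it re-implements the rid arithmetic in a few lines of Python, parses the relevant 'idmap config' lines out of two constructed smb.conf fragments (the domain name SAMDOM, the domain SID and the ranges are made up), and checks whether a file's numeric owner would survive a move between the two hosts over nfs or tar. The upper-bound check mirrors the rid backend's behaviour of leaving a SID unmapped when RID + low_range exceeds the configured high value.

```python
"""
Worked example: how winbind's 'rid' idmap backend derives Unix IDs, and
why that mapping is only stable across hosts when every domain member
carries the same 'idmap config DOMAIN : range' line.

Added example, not Samba's code.  Domain name, SID and ranges are
constructed for illustration.
"""
import re

# Constructed smb.conf fragment for host A.  Only the 'idmap config'
# lines matter here; the template lines are the ones Rowland refers to.
SMB_CONF_HOST_A = """
[global]
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 10000-999999
   template shell = /bin/bash
   template homedir = /home/%U
"""

# Host B joined to the same domain, but an admin chose a different low
# range.  Everything else is identical.
SMB_CONF_HOST_B = SMB_CONF_HOST_A.replace("10000-999999", "20000-999999")

# Constructed domain SID; 513 is the well-known RID of 'Domain Users'.
DOMAIN_SID = "S-1-5-21-1234567890-1234567890-1234567890"
DOMAIN_USERS_SID = DOMAIN_SID + "-513"

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)", re.I
)


def parse_idmap(smb_conf):
    """Return {DOMAIN: {'backend': str, 'range': (low, high)}} from smb.conf text."""
    cfg = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = cfg.setdefault(dom, {})
        if key == "range":
            low, high = val.split("-")
            entry["range"] = (int(low), int(high))
        else:
            entry["backend"] = val.lower()
    return cfg


def split_sid(sid):
    """'S-1-5-21-a-b-c-513' -> ('S-1-5-21-a-b-c', 513)."""
    dom, _, rid = sid.rpartition("-")
    return dom, int(rid)


def rid_to_unix_id(sid, domain, cfg):
    """ID = RID + low_range, as the rid backend does.

    Returns None when the result lies above the configured high value,
    which is when Samba would leave the SID unmapped.
    """
    entry = cfg.get(domain.upper())
    if not entry or entry.get("backend") != "rid":
        raise ValueError(f"no rid backend configured for {domain}")
    low, high = entry["range"]
    _, rid = split_sid(sid)
    unix_id = low + rid
    if unix_id > high:
        return None
    return unix_id


def ownership_matches(sid, domain, conf_a, conf_b):
    """Would a file owned by `sid` on host A show the same numeric owner on B?

    This is the nfs/tar case Kees describes: nothing translates the IDs,
    so only identical 'idmap config' ranges keep ownership intact.
    """
    a = rid_to_unix_id(sid, domain, parse_idmap(conf_a))
    b = rid_to_unix_id(sid, domain, parse_idmap(conf_b))
    return a is not None and a == b


if __name__ == "__main__":
    for name, conf in (("host A", SMB_CONF_HOST_A), ("host B", SMB_CONF_HOST_B)):
        print(name, "Domain Users ->",
              rid_to_unix_id(DOMAIN_USERS_SID, "SAMDOM", parse_idmap(conf)))
    print("same owner on both hosts:",
          ownership_matches(DOMAIN_USERS_SID, "SAMDOM",
                            SMB_CONF_HOST_A, SMB_CONF_HOST_B))
```

With the constructed configs, Domain Users maps to 10513 on host A and 20513 on host B, so a tarball or NFS export created on one shows the wrong owner on the other; with the same range line on both hosts the function returns True. The check is cheap enough to run from a config-management hook against every member's smb.conf before joining it to the domain.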