Rowland Penny
2024-Dec-01 14:42 UTC
[Samba] pam_winbind Appears to need a Network Connection to Succeed at Offline Authentication
On Sun, 1 Dec 2024 09:15:27 -0500 "John R. Graham via samba" <samba at lists.samba.org> wrote:
> On 11/30/24 16:06, Kees van Vloten via samba wrote:
> > Although I would prefer to have Samba bug 15045 fixed and use
> > nss_winbind as well, this pragmatic approach with sssd works for
> > now. It has been running on my laptop for some time and it seems to
> > work fine.
>
> I also like the idea of the ad back end and nss_winbind because it's
> a better "single source of truth"--and I don't like the templated
> /etc/passwd fields. Was that your goal with the work-around? To not
> have those restrictions?

I used to think that way, but once I realised that if I used the same 'idmap config' lines on all Unix domain members, I would always get the same Unix IDs, then I thought differently. The 'single source of truth' isn't rfc2307, it is the account's RID, and the 'rid' idmap backend calculates the Unix ID from the RID and the DOMAIN low range set in the smb.conf file:

ID = RID + low_range

So, if the low_range is set to '10000', the Domain Users group will always get the Unix ID '10513' and so on.

10513 = 513 + 10000

Coming to the user's shell and home directory, these are always relative to the Unix domain member, they are not mounted from another computer (NOTE: the Windows home directory is not the same as a Unix home directory). From this, I hope you can see that it doesn't matter what home directory or shell you set in AD (by setting the 'unixHomeDirectory' & 'loginShell' attributes), you can get virtually the same results by setting 'template homedir' and 'template shell' in the smb.conf file. The only real difference is that setting them in the smb.conf file means that every user gets the same, but is this really a problem?

Rowland
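The RID-to-Unix-ID arithmetic described in the message above, worked through as an added example (this is not code from the thread, and it is not Samba's own idmap_rid implementation). It parses a SID in either the textual form or the binary layout that Active Directory stores in the objectSid attribute, takes the RID as the last sub-authority, checks that the SID belongs to the expected domain, and applies ID = RID + low_range. The SID values are constructed for the example, and the "refuse IDs outside the configured range" behaviour is my reading of how the rid backend treats its range, not something the thread states.

```python
import struct


def parse_sid(sid):
    """Split a SID into (revision, identifier_authority, [sub_authorities]).

    Accepts the textual form "S-1-5-21-...-513" or the binary objectSid form:
    one byte revision, one byte sub-authority count, a 6-byte big-endian
    identifier authority, then one 32-bit little-endian word per sub-authority.
    """
    if isinstance(sid, (bytes, bytearray)):
        if len(sid) < 8:
            raise ValueError("binary SID shorter than its fixed header")
        revision, count = sid[0], sid[1]
        if len(sid) != 8 + 4 * count:
            raise ValueError("binary SID length does not match sub-authority count")
        authority = int.from_bytes(sid[2:8], "big")
        subs = list(struct.unpack("<%dI" % count, sid[8:]))
        return revision, authority, subs
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError("malformed textual SID: %r" % (sid,))
    return int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]


def sid_to_binary(sid_text):
    """Encode a textual SID in the objectSid wire layout (inverse of parse_sid)."""
    revision, authority, subs = parse_sid(sid_text)
    header = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return header + struct.pack("<%dI" % len(subs), *subs)


def split_sid(sid):
    """Return (domain_sid_text, rid): the RID is the last sub-authority and the
    domain SID is everything before it."""
    revision, authority, subs = parse_sid(sid)
    domain = "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs[:-1]))
    return domain, subs[-1]


def rid_backend_id(sid, low_range, high_range, domain_sid=None):
    """ID = RID + low_range, the formula given in the message above.

    Returns None when the SID belongs to a different domain than domain_sid or
    when the computed ID lands above high_range; an unmapped result is safer
    than handing out a UID/GID outside the range the admin configured.
    (Assumption: this mirrors the real backend's refusal of out-of-range IDs.)
    """
    domain, rid = split_sid(sid)
    if domain_sid is not None and domain != domain_sid:
        return None
    unix_id = low_range + rid
    if unix_id > high_range:
        return None
    return unix_id


if __name__ == "__main__":
    # Constructed domain SID and objects; the ranges mimic
    # 'idmap config DOMAIN : range = 10000-999999' from smb.conf.
    DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
    for name, rid in (("Domain Users", 513), ("Domain Admins", 512), ("some user", 1105)):
        sid = "%s-%d" % (DOMAIN, rid)
        print(name, sid, "->", rid_backend_id(sid_to_binary(sid), 10000, 999999, DOMAIN))
```

Because both the textual and the binary form decode to the same tuple, the same function can be fed the raw objectSid bytes returned by an LDAP search or the SID string printed by wbinfo, and every domain member that shares the same range line will compute the same ID, which is the point Rowland makes about consistency.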
John R. Graham
2024-Dec-01 15:09 UTC
[Samba] pam_winbind Appears to need a Network Connection to Succeed at Offline Authentication
On 12/1/24 09:42, Rowland Penny via samba wrote:
> On Sun, 1 Dec 2024 09:15:27 -0500
> "John R. Graham via samba" <samba at lists.samba.org> wrote:
>> I also like the idea of the ad back end and nss_winbind because it's
>> a better "single source of truth"--and I don't like the templated
>> /etc/passwd fields. Was that your goal with the work-around? To not
>> have those restrictions?
> I used to think that way, but once I realised that if I used the same
> 'idmap config' lines on all Unix domain members, I would always get
> the same Unix IDs, then I thought differently. The 'single source of
> truth' isn't rfc2307, it is the account's RID and the 'rid' idmap
> backend calculates the Unix ID from the RID and the DOMAIN low range set
> in the smb.conf file:
>
> ID = RID + low_range
>
> So, if the low_range is set to '10000', the Domain Users group will
> always get the Unix ID '10513' and so on.
>
> 10513 = 513 + 10000
>
> Coming to the user's shell and home directory, these are always
> relative to the Unix domain member, they are not mounted from another
> computer (NOTE: the Windows home directory is not the same as a Unix
> home directory). From this, I hope you can see that it doesn't matter
> what home directory or shell you set in AD (by setting the
> 'unixHomeDirectory' & 'loginShell' attributes), you can get virtually
> the same results by setting 'template homedir' and 'template shell' in
> the smb.conf file, the only real difference is that setting them in the
> smb.conf file means that every user gets the same, but is this really a
> problem?

In truth, it isn't for me right now. I've encountered users that want to use an alternate shell (but I don't have any right now) and I like the idea of stored UIDs and GIDs better than calculated ones. It seems... more pedantically correct to me. I may look into what would be required to get bug 15045 addressed.

- John
John R. Graham
2024-Dec-04 14:07 UTC
[Samba] pam_winbind Appears to need a Network Connection to Succeed at Offline Authentication
On 12/1/24 09:42, Rowland Penny via samba wrote:
> On Sun, 1 Dec 2024 09:15:27 -0500
> "John R. Graham via samba" <samba at lists.samba.org> wrote:
>
>> I also like the idea of the ad back end and nss_winbind because it's
>> a better "single source of truth"--and I don't like the templated
>> /etc/passwd fields. Was that your goal with the work-around? To not
>> have those restrictions?
> I used to think that way, but once I realised that if I used the same
> 'idmap config' lines on all Unix domain members, I would always get
> the same Unix IDs, then I thought differently. The 'single source of
> truth' isn't rfc2307, it is the account's RID and the 'rid' idmap
> backend calculates the Unix ID from the RID and the DOMAIN low range set
> in the smb.conf file:
>
> ID = RID + low_range
>
> So, if the low_range is set to '10000', the Domain Users group will
> always get the Unix ID '10513' and so on.
>
> 10513 = 513 + 10000
>
> Coming to the user's shell and home directory, these are always
> relative to the Unix domain member, they are not mounted from another
> computer (NOTE: the Windows home directory is not the same as a Unix
> home directory). From this, I hope you can see that it doesn't matter
> what home directory or shell you set in AD (by setting the
> 'unixHomeDirectory' & 'loginShell' attributes), you can get virtually
> the same results by setting 'template homedir' and 'template shell' in
> the smb.conf file, the only real difference is that setting them in the
> smb.conf file means that every user gets the same, but is this really a
> problem?
>
> Rowland

So I'm committed to the rid back end, at least in the near term, because offline logins work without issue on domain members. But this does leave my login on the DC producing different UID and GID values. Would it be the "right thing" to just edit those so that they match the values that are calculated on the domain members?

I'm still going to study the nss_winbind and winbindd source to see if I can get caching to work for all login-required values with the ad back end, though.

- John
John R. Graham
2024-Dec-05 19:37 UTC
[Samba] pam_winbind Appears to need a Network Connection to Succeed at Offline Authentication
On 12/1/24 09:42, Rowland Penny via samba wrote:
> On Sun, 1 Dec 2024 09:15:27 -0500
> "John R. Graham via samba" <samba at lists.samba.org> wrote:
>> I also like the idea of the ad back end and nss_winbind because it's
>> a better "single source of truth"--and I don't like the templated
>> /etc/passwd fields. Was that your goal with the work-around? To not
>> have those restrictions?
> I used to think that way, but once I realised that if I used the same
> 'idmap config' lines on all Unix domain members, I would always get
> the same Unix IDs, then I thought differently. The 'single source of
> truth' isn't rfc2307, it is the account's RID and the 'rid' idmap
> backend calculates the Unix ID from the RID and the DOMAIN low range set
> in the smb.conf file:
>
> ID = RID + low_range
>
> So, if the low_range is set to '10000', the Domain Users group will
> always get the Unix ID '10513' and so on.
>
> 10513 = 513 + 10000
>
> Coming to the user's shell and home directory, these are always
> relative to the Unix domain member, they are not mounted from another
> computer (NOTE: the Windows home directory is not the same as a Unix
> home directory). From this, I hope you can see that it doesn't matter
> what home directory or shell you set in AD (by setting the
> 'unixHomeDirectory' & 'loginShell' attributes), you can get virtually
> the same results by setting 'template homedir' and 'template shell' in
> the smb.conf file, the only real difference is that setting them in the
> smb.conf file means that every user gets the same, but is this really a
> problem?
>
> Rowland

Where in LDAP is the RID stored so I can query it for various objects (groups and users)?

- John