John R. Graham
2024-Dec-04 14:07 UTC
[Samba] pam_winbind Appears to need a Network Connection to Succeed at Offline Authentication
On 12/1/24 09:42, Rowland Penny via samba wrote:
> On Sun, 1 Dec 2024 09:15:27 -0500
> "John R. Graham via samba" <samba at lists.samba.org> wrote:
>
>> I also like the idea of the ad back end and nss_winbind because it's
>> a better "single source of truth"--and I don't like the templated
>> /etc/passwd fields. Was that your goal with the work-around? To not
>> have those restrictions?
>
> I used to think that way, but once I realised that if I used the same
> 'idmap config' lines on all Unix domain members, I would always get
> the same Unix IDs, then I thought differently. The 'single source of
> truth' isn't rfc2307, it is the account's RID and the 'rid' idmap
> backend calculates the Unix ID from the RID and the DOMAIN low range set
> in the smb.conf file:
>
> ID = RID + low_range
>
> So, if the low_range is set to '10000', the Domain Users group will
> always get the Unix ID '10513' and so on.
>
> 10513 = 513 + 10000
>
> Coming to the user's shell and home directory, these are always
> relative to the Unix domain member, they are not mounted from another
> computer (NOTE: the Windows home directory is not the same as a Unix
> home directory). From this, I hope you can see that it doesn't matter
> what home directory or shell you set in AD (by setting the
> 'unixHomeDirectory' & 'loginShell' attributes), you can get virtually
> the same results by setting 'template homedir' and 'template shell' in
> the smb.conf file, the only real difference is that setting them in the
> smb.conf file means that every user gets the same, but is this really a
> problem ?
>
> Rowland

So I'm committed to the rid back end, at least in the near term, because offline logins work without issue on domain members. But this does leave my login on the DC producing different UID and GID values. Would it be the "right thing" to just edit those so that they match the values that are calculated on the domain members?

I'm still going to study the nss_winbind and winbindd source to see if I can get caching to work for all login-required values with the ad back end, though.

- John
Rowland Penny
2024-Dec-04 14:52 UTC
[Samba] pam_winbind Appears to need a Network Connection to Succeed at Offline Authentication
On Wed, 4 Dec 2024 09:07:45 -0500
"John R. Graham via samba" <samba at lists.samba.org> wrote:
>
> So I'm committed to the rid back end, at least in the near term,
> because offline logins work without issue on domain members. But this
> does leave my login on the DC producing different UID and GID values.
> Would it be the "right thing" to just edit those so that they match
> the values that are calculated on the domain members?

There is no need and I would advise against even attempting it. Samba knows who the user is, here is a quick test to show this:

On a DC create a share (yes, I know this isn't really recommended, but this is just a quick test). Then ensure the share is owned by a user, in this case, me.

adminuser at rpidc1:~ $ sudo ls -lad /srv/test
drwxrwx--- 2 SAMDOM\rowland root 4096 Dec 4 14:23 /srv/test

This DC does not have 'idmap_ldb:use rfc2307 = yes' set (not that it matters, I do not have any rfc2307 attributes in AD).

adminuser at rpidc1:~ $ sudo ls -land /srv/test
drwxrwx--- 2 3000020 0 4096 Dec 4 14:23 /srv/test

So, as far as the DC is concerned, my Unix ID is '3000020'

I then created a file in the share as 'rowland':

SAMDOM\rowland at rpidc1:~ $ nano /srv/test/test.txt
SAMDOM\rowland at rpidc1:~ $ ls -la /srv/test/test.txt
-rw-r--r-- 1 SAMDOM\rowland users 16 Dec 4 14:28 /srv/test/test.txt

and with the numeric ID:

SAMDOM\rowland at rpidc1:~ $ ls -lan /srv/test/test.txt
-rw-r--r-- 1 3000020 100 16 Dec 4 14:28 /srv/test/test.txt

I then went to a Unix domain member and used smbclient to download 'test.txt'

rowland at devstation:~/useridtest$ smbclient //rpidc1/share
Password for [rowland at SAMDOM.EXAMPLE.COM]:
Try "help" to get a list of possible commands.
smb: \> get test.txt
getting file \test.txt of size 16 as test.txt (2.0 KiloBytes/sec) (average 2.0 KiloBytes/sec)
smb: \> q

Checking the ownership of the file, shows this:

rowland at devstation:~/useridtest$ ls -la
total 20
drwxrwx---+ 2 rowland domain users 4096 Dec 4 14:33 .
drwxr-xr-x+ 42 rowland domain users 4096 Dec 4 14:30 ..
-rw-r-----+ 1 rowland domain users 16 Dec 4 14:33 test.txt

It quite correctly belongs to me, but what about the numeric ID ?

rowland at devstation:~/useridtest$ ls -lan
total 20
drwxrwx---+ 2 11104 10513 4096 Dec 4 14:33 .
drwxr-xr-x+ 42 11104 10513 4096 Dec 4 14:30 ..
-rw-r-----+ 1 11104 10513 16 Dec 4 14:33 test.txt

'3000020' has become '11104' and '100' has become '10513', magic isn't it ;-)

> I'm still going to study the nss_winbind and winbindd source to see
> if I can get caching to work for all login-required values with the
> ad back end, though.

I wouldn't attempt to stop you, it sounds like a possible bug, but without reading and understanding the code, this will never be known, good luck with your attempt.

Rowland
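As an added example (not code from the thread or from Samba), a small Python model of the 'rid' backend rule Rowland gives in the quoted message (ID = RID + low_range) and of his demonstration that identical 'idmap config' lines yield identical Unix IDs on every member: it parses the idmap lines from a constructed smb.conf and maps a SID's RID through the domain's range, refusing anything that lands outside it. The smb.conf fragment, the SAMDOM ranges and the domain SID are constructed sample values.

```python
import re

# Constructed smb.conf fragment for a Unix domain member using the 'rid'
# idmap backend; SAMDOM and the ranges are sample values, not the thread's.
SMB_CONF = """
[global]
    workgroup = SAMDOM
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
    template shell = /bin/bash
    template homedir = /home/%D/%U
"""
# Constructed domain SID; only the trailing RID matters for the calculation.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+([^:\s]+)\s*:\s*(backend|range)\s*=\s*(\S+)", re.I | re.M)

def parse_idmap_config(conf):
    """Collect {DOMAIN: {'backend': str, 'range': (low, high)}} from smb.conf text."""
    cfg = {}
    for dom, key, val in IDMAP_RE.findall(conf):
        entry = cfg.setdefault(dom.upper(), {})
        if key.lower() == "range":
            low, high = (int(x) for x in val.split("-"))
            entry["range"] = (low, high)
        else:
            entry["backend"] = val.lower()
    return cfg

def rid_backend_id(sid, domain, cfg):
    """ID = RID + low_range, or None if that lands outside the domain's range
    (the case where winbind refuses to map the SID)."""
    entry = cfg.get(domain.upper())
    if not entry or entry.get("backend") != "rid":
        raise ValueError(f"{domain}: no 'rid' idmap backend configured")
    low, high = entry["range"]
    rid = int(sid.rsplit("-", 1)[1])   # the RID is the last SID sub-authority
    unix_id = rid + low
    return unix_id if low <= unix_id <= high else None

if __name__ == "__main__":
    cfg = parse_idmap_config(SMB_CONF)
    # Domain Users (RID 513) -> 10513 on every member with these idmap lines.
    print(rid_backend_id(f"{DOMAIN_SID}-513", "SAMDOM", cfg))
```

The DC's '3000020' is not produced by this rule; on a DC the xidNumber is allocated in idmap.ldb, which is why the DC-side number differs from the member-side one without anything being wrong.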