[Samba] PAM Offline Authentication in Ubuntu 22.04

[Rowland Penny]

On 26/06/2023 19:55, Markus Dellermann via samba wrote:
> Hi Marco, Rowland, Kees, and all other...
> 
> Am Montag, 26. Juni 2023, 20:12:26 CEST schrieb Rowland Penny via samba:
>> On 26/06/2023 18:20, Kees van Vloten via samba wrote:
>>> I am quite convinced it is not a DNS issue, although those lookups
>>> obviously fail when you pull the network plug (I guess installing
>>> something like dnsmasq can prevent that). The issue is in the nss
>>> lookups of users and groups: getent passwd <user> or getent passwd
>>> <group>, which implies something in winbind-nss.
>>> I have been using the "lock directory" parameter on my Debian (Bullseye)
>>> machines since nearly forever and added the "winbind request timeout"
>>> recently (after the discussion here), which probably help to reduce the
>>> effects but do not solve the issue.
>>
>> The problem for me is that I struggle to get the symptoms that Marco does.
>> I have Ubuntu 22.04 running in a VM, it is setup as a Unix domain
>> member, using the 'rid' idmap backend.
>>
>> It works as expected, if I disconnect the network, sometimes it starts
>> running slow, but only sometimes, other times you cannot tell the
>> difference.
>>
>> Now you could be correct about the dns, and I am now beginning to think
>> that Marco's problem has nothing to do with Samba, there is something
>> not set up correctly in the OS, but what, I do not know.
>>
>> As anyone got any suggestions that Marco can try ?
>>
>> Rowland
> 
> Marco, you are using the ad-Backend, right?
> 
> Have you tried with rid-backend or at least
> "idmap config LNFFVG : unix_nss_info = no"
> in smb.conf ?
> Some time ago i have had "this"  Problems with some openSUSE based clients.
> If i remeber correctly, behavior was better after changing smb.conf to rid-
> backend.
> 
> To update to 4.18 could be also an good idea, because there are some changes
> wich should help..
> 
> Good Luck!
> (sorry, for bad english)
> 
> Markus

Test number ?? No idea lost track LOL

I added a number of users to my AD with rfc2307 attributes, I also added 
a similar number of groups with gidNumber attributes

I then modified the smb.conf on the Ubuntu machine to use these users 
and rebooted (with the network connected) and logged on as one of the 
new users.

So far so good.

Now disconnected the network and everything went extremely slow, so slow 
in fact that I had time to go and make myself a coffee in the time 
between trying to log out and the box popping up asking if I really 
wanted to log out, we are talking minutes here, not seconds.

changing 'unix_nss_info = yes' to 'unix_nss_info = no', speeded things 
up dramatically.

What I think is happening is this (from my understanding of the relevant 
code);

If 'unix_nss_info = yes' is set, winbind tries to get the users homedir, 
shell and full name and there is a pause involved with each one, of 
course I could be wrong.

Using 'unix_nss_info = no' means that winbind falls back to the 
templates and these will be much faster.

Is this a bug ? No idea, but if it is, I have no idea how to fix it.

I would suggest either using the 'rid' idmap backend (which, provided 
you use the same 'idmap config' lines on all Samba domain members, will 
get you the same ID's on all Unix domain members), or use the 'ad' idmap 
backend with 'unix_nss_info = no' and set the 'template' lines as required.

Rowland