[Samba] PAM Offline Authentication in Ubuntu 22.04

Kees van Vloten keesvanvloten at gmail.com
Tue Jun 27 13:45:31 UTC 2023


On 27-06-2023 at 15:14, Rowland Penny via samba wrote:
>
>
> On 26/06/2023 19:55, Markus Dellermann via samba wrote:
>> Hi Marco, Rowland, Kees, and all other...
>>
>> On Monday, 26 June 2023, 20:12:26 CEST, Rowland Penny via samba wrote:
>>> On 26/06/2023 18:20, Kees van Vloten via samba wrote:
>>>> I am quite convinced it is not a DNS issue, although those lookups
>>>> obviously fail when you pull the network plug (I guess installing
>>>> something like dnsmasq can prevent that). The issue is in the nss
>>>> lookups of users and groups: getent passwd <user> or getent passwd
>>>> <group>, which implies something in winbind-nss.
>>>> I have been using the "lock directory" parameter on my Debian (Bullseye)
>>>> machines since nearly forever and added the "winbind request timeout"
>>>> recently (after the discussion here), which probably helps to reduce the
>>>> effects but does not solve the issue.
>>>
>>> The problem for me is that I struggle to get the symptoms that Marco does.
>>> I have Ubuntu 22.04 running in a VM, it is setup as a Unix domain
>>> member, using the 'rid' idmap backend.
>>>
>>> It works as expected, if I disconnect the network, sometimes it starts
>>> running slow, but only sometimes, other times you cannot tell the
>>> difference.
>>>
>>> Now you could be correct about the dns, and I am now beginning to think
>>> that Marco's problem has nothing to do with Samba, there is something
>>> not set up correctly in the OS, but what, I do not know.
>>>
>>> Has anyone got any suggestions that Marco can try?
>>>
>>> Rowland
>>
>> Marco, you are using the ad backend, right?
>>
>> Have you tried with the rid backend, or at least
>> "idmap config LNFFVG : unix_nss_info = no"
>> in smb.conf?
>> Some time ago I had "these" problems with some openSUSE-based clients.
>> If I remember correctly, behaviour was better after changing smb.conf
>> to the rid backend.
>>
>> Updating to 4.18 could also be a good idea, because there are some
>> changes which should help.
>>
>> Good luck!
>> (sorry for the bad English)
>>
>> Markus
>
> Test number ?? No idea, I lost track, LOL
>
> I added a number of users to my AD with rfc2307 attributes, I also added
> a similar number of groups with gidNumber attributes.
>
> I then modified the smb.conf on the Ubuntu machine to use these users
> and rebooted (with the network connected) and logged on as one of the
> new users.
>
> So far so good.
>
> Now disconnected the network and everything went extremely slow, so slow
> in fact that I had time to go and make myself a coffee in the time
> between trying to log out and the box popping up asking if I really
> wanted to log out, we are talking minutes here, not seconds.
>
> Changing 'unix_nss_info = yes' to 'unix_nss_info = no' speeded things up
> dramatically.
>
> What I think is happening is this (from my understanding of the relevant
> code):
>
> If 'unix_nss_info = yes' is set, winbind tries to get the user's homedir,
> shell and full name, and there is a pause involved with each one; of
> course I could be wrong.
>
> Using 'unix_nss_info = no' means that winbind falls back to the templates,
> and these will be much faster.
>
> Is this a bug ? No idea, but if it is, I have no idea how to fix it.
I would think it is, it is certainly worth creating a ticket so that 
this information is not lost and somebody can look at it when (s)he is 
working in that code area.
>
> I would suggest either using the 'rid' idmap backend (which, provided you
> use the same 'idmap config' lines on all Samba domain members, will get
> you the same IDs on all Unix domain members), or use the 'ad' idmap
> backend with 'unix_nss_info = no' and set the 'template' lines as
> required.
>
> Rowland
>
I can confirm that my setup uses 'unix_nss_info = yes'. If this is 
causing the delay I would suspect some attributes (homedir, shell, etc.) 
are not in the cache and as a result winbind tries to look them up 
until it runs into a timeout.

It is easy to set 'unix_nss_info' to 'no'. But doing so means we 
will be missing some attributes for Linux users. How are things working 
without them? Can you still log in and get the right shell, homedir and 
so on?

I found the settings 'template homedir' and 'template shell' in 'man 
smb.conf' but they seem to be for Windows NT users, would they provide 
my Linux users with the missing information? (with the limitation that 
this is configured per machine instead of per user).

- Kees.
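The two domain-member configurations Rowland suggests above, and the template lines Kees asks about, written out as an added smb.conf example. This is not a configuration from the thread or from the Samba project; the workgroup/realm EXAMPLE / EXAMPLE.COM, the idmap ranges and the template paths are placeholders that have to be changed to match the real domain.

```ini
# Added example smb.conf for a Unix domain member (not from the thread).
# Domain name, realm and idmap ranges below are assumed placeholders.
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ADS
   winbind use default domain = yes
   winbind offline logon = yes
   # Cap the time a single winbind request may block (the parameter Kees
   # mentions); it limits the damage of a slow lookup, it does not remove it.
   winbind request timeout = 60

   # Default domain (BUILTIN and well-known SIDs): allocated from a local tdb.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # Option 1: 'rid' backend. The uid/gid is computed from the RID, so every
   # member using the same two lines produces the same IDs, and no per-user
   # rfc2307 attributes are read from AD. homedir and shell come from the
   # 'template' lines further down.
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-999999

   # Option 2: 'ad' backend (uidNumber/gidNumber from the rfc2307 attributes).
   # Only one backend may be configured for the domain, so these lines are
   # commented out here. The first variant is the one that was slow with the
   # network disconnected in Rowland's test:
   #   idmap config EXAMPLE : backend = ad
   #   idmap config EXAMPLE : schema_mode = rfc2307
   #   idmap config EXAMPLE : range = 10000-999999
   #   idmap config EXAMPLE : unix_nss_info = yes
   # The faster variant keeps the 'ad' backend for the uid/gid but takes
   # homedir and shell from the templates instead of unixHomeDirectory and
   # loginShell:
   #   idmap config EXAMPLE : unix_nss_info = no

   # Templates applied to every domain user when the rid backend is used or
   # unix_nss_info = no. Configured per machine, not per user, as Kees notes.
   template shell = /bin/bash
   template homedir = /home/%D/%U
```

After editing, validate the file with `testparm -s`, restart winbind, and compare `time getent passwd <user>` with the network connected and disconnected; that is the lookup path the thread is discussing. Two caveats: switching an existing member from the 'ad' to the 'rid' backend changes the numeric IDs of every domain user and group, so file ownership on that machine has to be fixed afterwards, and the templates give all users the same shell and home-directory pattern, which is exactly the per-machine limitation Kees points out.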