[Samba] PAM Offline Authentication in Ubuntu 22.04
Rowland Penny
rpenny at samba.org
Tue Jun 27 14:16:12 UTC 2023
On 27/06/2023 14:45, Kees van Vloten via samba wrote:
> I can confirm that my setup uses 'unix_nss_info = yes'. If this is
> causing the delay I would suspect some attributes (homedir, shell, etc.)
> are not in the cache and as a result winbind tries to lookup them up
> until it runs into a timeout.
>
> It is easy to replace 'unix_nss_info' with 'no'. But doing so means we
> will be missing some attributes for Linux users. How are things working
> without them? Can you still login and get the right shell, homedir and
> so on?
>
> I found the settings 'template homedir' and 'template shell' in 'man
> smb.conf' but they seem to be for Windows NT users, would they provide
> my Linux users with the missing information? (with the limitation that
> this is configured per machine instead of per user).
>
> - Kees.
>
>
The parameters 'template homedir' and 'template shell' are still valid
for AD domains, in fact they are there in your smb.conf as default
settings, run:
testparm -sv | grep 'template'
To see them.
They default to '/home/%D/%U' and '/bin/false', though you can set them
to whatever you require (and is sane). However, every Samba user will
get the same settings, unlike the rfc2307 attributes that allow users to
have different settings. For instance, setting the majority of your
rfc2307 users the /bin/false shell in the loginShell attribute would
stop them logging into the Samba machine directly, they could only
connect to the shares. You could then give your admin users a valid
shell, e.g. /bin/bash.
I for a long time thought that you needed to use the 'ad' idmap backend
to ensure that you got the same ID's everywhere, I now know this isn't
strictly true.
Yes, if you want the same ID's everywhere on Samba domain machines, you
must use the 'ad' idmap backend, but 'everywhere' includes Samba DC's
and it isn't really a good idea to use a DC as a fileserver. This leaves
you with Unix domain members and unless you really need the rfc2307
attributes, you will probably be better off using the 'rid' idmap
backend. The 'rid' idmap backend calculates ID's from the RID in AD and
the low range value the admin sets in smb.conf , this is a fairly simple
calculation:
ID = RID + LOW_RANGE_ID
I hope you can see, that as the RID never changes and if you always use
the same low range value on all Unix domain members, you will always get
the same Unix ID. No messing with adding anything to AD, no keeping
track of the next uidNumber or gidNumber. The only downside is the lack
of the rest of the rfc2307 attributes.
Rowland
More information about the samba
mailing list