[Samba] PAM Offline Authentication in Ubuntu 22.04

Tue Jun 27 14:16:12 UTC 2023

On 27/06/2023 14:45, Kees van Vloten via samba wrote:
> I can confirm that my setup uses 'unix_nss_info = yes'. If this is 
> causing the delay I would suspect some attributes (homedir, shell, etc.) 
> are not in the cache and as a result winbind tries to lookup them up 
> until it runs into a timeout.
> 
> It is easy to replace 'unix_nss_info' with 'no'. But doing so means we 
> will be missing some attributes for Linux users. How are things working 
> without them? Can you still login and get the right shell, homedir and 
> so on?
> 
> I found the settings 'template homedir' and 'template shell' in 'man 
> smb.conf' but they seem to be for Windows NT users, would they provide 
> my Linux users with the missing information? (with the limitation that 
> this is configured per machine instead of per user).
> 
> - Kees.
> 
> 

The parameters 'template homedir' and 'template shell' are still valid 
for AD domains, in fact they are there in your smb.conf as default 
settings, run:

testparm -sv | grep 'template'

To see them.

They default to '/home/%D/%U' and '/bin/false', though you can set them 
to whatever you require (and is sane). However, every Samba user will 
get the same settings, unlike the rfc2307 attributes that allow users to 
have different settings. For instance, setting the majority of your 
rfc2307 users the /bin/false shell in the loginShell attribute would 
stop them logging into the Samba machine directly, they could only 
connect to the shares. You could then give your admin users a valid 
shell, e.g. /bin/bash.

I for a long time thought that you needed to use the 'ad' idmap backend 
to ensure that you got the same ID's everywhere, I now know this isn't 
strictly true.

Yes, if you want the same ID's everywhere on Samba domain machines, you 
must use the 'ad' idmap backend, but 'everywhere' includes Samba DC's 
and it isn't really a good idea to use a DC as a fileserver. This leaves 
you with Unix domain members and unless you really need the rfc2307 
attributes, you will probably be better off using the 'rid' idmap 
backend. The 'rid' idmap backend calculates ID's from the RID in AD and 
the low range value the admin sets in smb.conf , this is a fairly simple 
calculation:

ID = RID + LOW_RANGE_ID

I hope you can see, that as the RID never changes and if you always use 
the same low range value on all Unix domain members, you will always get 
the same Unix ID. No messing with adding anything to AD, no keeping 
track of the next uidNumber or gidNumber. The only downside is the lack 
of the rest of the rfc2307 attributes.

Rowland