[Samba] PAM Offline Authentication in Ubuntu 22.04

Kees van Vloten keesvanvloten at gmail.com
Tue Jun 27 15:32:13 UTC 2023


On 27-06-2023 at 16:16, Rowland Penny via samba wrote:
>
>
> On 27/06/2023 14:45, Kees van Vloten via samba wrote:
>> I can confirm that my setup uses 'unix_nss_info = yes'. If this is 
>> causing the delay I would suspect some attributes (homedir, shell, 
>> etc.) are not in the cache and as a result winbind tries to look 
>> them up until it runs into a timeout.
>>
>> It is easy to replace 'unix_nss_info' with 'no'. But doing so means 
>> we will be missing some attributes for Linux users. How are things 
>> working without them? Can you still login and get the right shell, 
>> homedir and so on?
>>
>> I found the settings 'template homedir' and 'template shell' in 'man 
>> smb.conf' but they seem to be for Windows NT users, would they 
>> provide my Linux users with the missing information? (with the 
>> limitation that this is configured per machine instead of per user).
>>
>> - Kees.
>>
>>
>
> The parameters 'template homedir' and 'template shell' are still valid 
> for AD domains, in fact they are there in your smb.conf as default 
> settings, run:
>
> testparm -sv | grep 'template'
>
> To see them.
>
> They default to '/home/%D/%U' and '/bin/false', though you can set 
> them to whatever you require (and is sane). However, every Samba user 
> will get the same settings, unlike the rfc2307 attributes that allow 
> users to have different settings. For instance, setting the majority 
> of your rfc2307 users the /bin/false shell in the loginShell attribute 
> would stop them logging into the Samba machine directly, they could 
> only connect to the shares. You could then give your admin users a 
> valid shell, e.g. /bin/bash.
>
> I for a long time thought that you needed to use the 'ad' idmap 
> backend to ensure that you got the same ID's everywhere, I now know 
> this isn't strictly true.
>
> Yes, if you want the same ID's everywhere on Samba domain machines, 
> you must use the 'ad' idmap backend, but 'everywhere' includes Samba 
> DC's and it isn't really a good idea to use a DC as a fileserver. This 
> leaves you with Unix domain members and unless you really need the 
> rfc2307 attributes, you will probably be better off using the 'rid' 
> idmap backend. The 'rid' idmap backend calculates ID's from the RID in 
> AD and the low range value the admin sets in smb.conf, this is a 
> fairly simple calculation:
>
> ID = RID + LOW_RANGE_ID
>
> I hope you can see that as the RID never changes and if you always 
> use the same low range value on all Unix domain members, you will 
> always get the same Unix ID. No messing with adding anything to AD, no 
> keeping track of the next uidNumber or gidNumber. The only downside is 
> the lack of the rest of the rfc2307 attributes.
>
> Rowland
>
>
It looks like we have a slight misunderstanding; I will try to explain 
my setup:

I am using rfc2307 because I have users from older implementations 
(samba3, among others). Since file ownership etc. is all based on uid/gid, 
those ids should never change as long as the user exists, or else you have 
to run renumber scripts to fix everything the user ever created. Rfc2307 
allows me to set the right (legacy) uid/gid on each user, which prevents 
the user from changing his/her identity on the filesystem. Changing the 
idmap scheme on an existing domain sounds like a really bad idea to me... 
I do agree that other schemes like 'rid' automate things which I now have 
to maintain manually.

My DCs do not run as fileservers except for the obvious sysvol and 
netlogon shares and they function as dfsroot for shares on the fileserver.

My servers have very restricted ssh access, generally no one will log 
in on them.

Offline authentication comes into play on Linux laptops where users can 
login. The smb.conf I was asking about is this one, it functions as the 
winbind/samba client configuration.
On these machines users with login permission can all use the same 
shell: '/bin/bash' and the same kind of home-dir (/home/%U). But would 
that work? Are the settings 'template shell' and 'template homedir' 
interpreted by winbind on (offline) user login?

- Kees.
