[Samba] Winbind, cached logons and 'user persistency'...

L.P.H. van Belle belle at bazuin.nl
Fri Jan 25 16:15:18 UTC 2019


 
> 
> I come back in this thread, sorry.
We do that lots of times, so no worry, no sorry ;-)

> 
> > Maybe https://wiki.debian.org/LDAP/NSS is a better
> > solution for the mailserver.
> 
> Probably better use directly LDAP info with native MTA tools also,
> skipping NSS at all.
Yes, but then if the LDAP server is down, you will notice problems, and your good users' email addresses might get rejected then also.
Make sure to test this.

> 
> 
> > But personally, the mail server should have replied with a better NDR.
> > Like: 4.4.1 The recipient’s server is not responding, so
> > something like that.
> 
> Again... it is my configuration that replies generically; this is
> intended to prevent dictionary attacks against the SMTP server.

In Dutch.. Foei foei.. don't know the Italian translation.
In English.. shame shame.. ;-) It's better not to change NDRs.

There are much better ways to do this (previous link in previous mail).
Or: https://github.com/Exim/exim/wiki/MsExchangeAddressVerification
But again, I'm a Postfix (ab)user.. :-)
I don't do address verification, I block at the front.

> 
> 
> About 'winbind cache time' (default 5 minutes) seems effectively the
> parameter to tackle with, but still a thing does not seem
> clear to me:
> if i enable 'offline logons', i can have cached credentials.
> 
> But how does it make sense to have cached credential if there's no
> cached user data (NSS)?
It's not, but it's handy to have for SSH logins.

> 
> 
> Strictly speaking, why winbind cache ''PAM'' data and not ''NSS'' one (seems to me)?

Yes, that is questionable, that's why I suggested the LDAP solution.

> 
> 
> Thanks.
> 

You're welcome.
Have a nice weekend.


Greetz, 

Louis