[Samba] Winbind, cached logons and 'user persistency'...

Rowland Penny rpenny at samba.org
Mon Jan 28 12:20:06 UTC 2019


On Mon, 28 Jan 2019 12:52:45 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Hello! Rowland Penny via samba
>   On that day it was said...
> 
> > > Strictly speaking, why does winbind cache ''PAM'' data and not ''NSS''
> > > data (it seems to me)?
> > The problem is (for myself anyway), I do not understand the
> > difference between 'PAM' and 'NSS' data.
> 
> 'PAM' is the authorization scenario (e.g., «user X used the correct
> password»), while 'NSS' enables the system to 'see' users (e.g., «user X
> exists in the system»).

Now this is what I do not understand: my understanding is that 'PAM' is
used to find the correct authentication system and 'NSS' just connects
to that authentication system. For instance, in /etc/pam.d/common-auth
I have:

auth    [success=3 default=ignore]      pam_krb5.so minimum_uid=10000
auth    [success=2 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass

And /etc/nsswitch.conf has these two lines:

passwd:         compat winbind
group:          compat winbind

This is on my laptop and I have 'winbind offline logon = yes' set in
smb.conf

If I go anywhere (away from the domain), I can still log into the
laptop as my domain user, read and save files etc. All files are saved
as the domain user and when I do re-connect to the domain, it is as if I
haven't been anywhere.

> 
> It makes really little sense to me to have an 'offline' system that can
> answer the first question but not the second... also because if
> users are not known to the underlying system, there are no credentials to
> check.

You seem to be doing something wrong ;-)

> 
> 
> 'nscd' does NSS offline caching, but if I remember well all the samba
> experts here suggest not to use winbind and nscd together (
> 	https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting
> «You should also ensure that nscd is not installed, it will interfere
> with winbind.»)

Not entirely true that you cannot run nscd with winbind, you just have
to stop nscd caching everything that winbind does and by the time you
do that, there isn't much left.

> 
> There's a more general approach, really offline (nss_updatedb,
> https://www.padl.com/OSS/nss_updatedb.html) but it seems overkill here.

Well, mainly because that will do what winbind is already doing.

> 
> I think that, to be effective, winbind has to be some sort of 'NSS
> cache', and it seems to me this is not the case.
> 'nscd' can provide a simple and effective NSS cache, but 'interferes with
> winbind'.

I think the time has come to ask: what isn't working if you disconnect
from the domain, e.g. walk away with a laptop? Also, why is it not
working, and what can it not find?

Rowland
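The three pieces Rowland's offline-logon setup depends on (the smb.conf option, the nsswitch.conf databases and the pam_winbind auth line with cached_login) are easy to verify statically before asking "what can it not find". The following POSIX sh script is an added example written for this page, not code from the thread or from the Samba project. It checks copies of those files for the settings quoted above; the function names, the sample files it constructs, and the "one problem per missing setting" return code are all my own conventions. It does not talk to winbind or a DC, so it can run anywhere.

```shell
#!/bin/sh
# Added example (not from the thread): static check of the three settings that
# cached (offline) domain logons rely on: smb.conf, nsswitch.conf and the PAM
# 'auth' stack. Paths are parameters so the checks can run against copies.

# Return 0 if smb.conf sets 'winbind offline logon = yes' (case/space tolerant).
smbconf_offline_logon() {
    grep -Eiq '^[[:space:]]*winbind[[:space:]]+offline[[:space:]]+logon[[:space:]]*=[[:space:]]*yes' "$1"
}

# Return 0 if the given nsswitch database ($2: passwd or group) lists winbind.
nss_has_winbind() {
    grep -Eiq "^[[:space:]]*$2:.*[[:space:]]winbind([[:space:]]|$)" "$1"
}

# Return 0 if an 'auth' line loads pam_winbind.so with the cached_login option.
pam_has_cached_login() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_winbind\.so.*cached_login' "$1"
}

# Run all checks, print one line per finding, return the number of problems.
# $1 = smb.conf, $2 = nsswitch.conf, $3 = PAM auth file (e.g. common-auth)
check_offline_logon_config() {
    smb=$1 nss=$2 pam=$3
    problems=0
    if smbconf_offline_logon "$smb"; then
        echo "ok:   smb.conf enables 'winbind offline logon'"
    else
        echo "FAIL: smb.conf lacks 'winbind offline logon = yes' (winbind keeps no credential cache)"
        problems=$((problems + 1))
    fi
    for db in passwd group; do
        if nss_has_winbind "$nss" "$db"; then
            echo "ok:   nsswitch.conf '$db' consults winbind"
        else
            echo "FAIL: nsswitch.conf '$db' does not list winbind (domain users invisible to NSS)"
            problems=$((problems + 1))
        fi
    done
    if pam_has_cached_login "$pam"; then
        echo "ok:   PAM auth uses pam_winbind.so with cached_login"
    else
        echo "FAIL: no 'auth ... pam_winbind.so ... cached_login' line (no offline password check)"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Write constructed sample files into $1 that mirror the configuration quoted
# in the thread. These are constructed for the example, not anyone's real files.
make_sample_configs() {
    dir=$1
    mkdir -p "$dir"
    printf '[global]\n   security = ads\n   winbind offline logon = yes\n' > "$dir/smb.conf"
    printf 'passwd:         compat winbind\ngroup:          compat winbind\n' > "$dir/nsswitch.conf"
    {
        printf 'auth    [success=3 default=ignore]      pam_krb5.so minimum_uid=10000\n'
        printf 'auth    [success=2 default=ignore]      pam_unix.so nullok_secure try_first_pass\n'
        printf 'auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass\n'
    } > "$dir/common-auth"
}

# Usage against the live files (the PAM file needs read access):
#   check_offline_logon_config /etc/samba/smb.conf /etc/nsswitch.conf /etc/pam.d/common-auth
# Usage against the constructed sample:
#   make_sample_configs /tmp/wb-demo
#   check_offline_logon_config /tmp/wb-demo/smb.conf /tmp/wb-demo/nsswitch.conf /tmp/wb-demo/common-auth
```

The exit status is the number of missing settings, so a zero means all three layers are configured as in the laptop example above. A non-zero result points at which layer the complaint belongs to: a missing NSS entry means the user cannot be seen at all (Marco's "user X exists" question), while a missing cached_login means the user is visible but cannot be authenticated offline.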
