[Samba] Winbind vs sssd both have issues

Kees van Vloten keesvanvloten at gmail.com
Thu Sep 23 19:32:02 UTC 2021


Hi list members,

My 2 cents in the sssd discussion.

I use Debian Bullseye with Louis' repo (samba 4.14). I have setup a DC 
and every user has an assigned uidNumber and gidNumber as I have some 
users that existed since even before Samba4 and I do not want to get 
into troubles with file ownerships.

Now I have recently re-setup the (Linux) desktops and laptops. My 
conclusion is that the only way to get everything working. Everything 
means: machine domain-membership, nss against samba, pam against samba 
and offline support, nfs-krb5 home-dirs with offline support.

I would have preferred to use winbind only, but winbind (nss) hangs when 
I pull the network plug, and winbind-pam has an issue with account 
expiry. Q&A on this list did not help to get around either issue. In 
other words, a winbind-only setup works (for me) pretty well on desktops 
(the expiry issue does not occur frequently).
The config files for this:

# /etc/samba/smb.conf
[global]
         interfaces = lo
         bind interfaces only = yes
         netbios name = BACH
         security = ADS
         realm = COMPOSERS.LAN
         workgroup = COMPOSERS
         idmap config composers:backend = ad
         idmap config composers:schema_mode = rfc2307
         idmap config composers:unix_primary_group = yes
         idmap config composers:unix_nss_info = yes
         # this is intended
         idmap config composers:range = 1001-100000
         idmap config *:backend = tdb
         idmap config *:range = 1000000-1999999
         winbind nss info = rfc2307
         winbind cache time = 300
         winbind enum groups = no
         winbind enum users = no
         winbind expand groups = 10
         winbind normalize names = no
         winbind offline logon = yes
         lock directory = /var/cache/samba
         winbind refresh tickets = yes
         winbind scan trusted domains = no
         winbind use default domain = yes
         kerberos method = secrets and keytab
         kerberos encryption types = strong
         rpc server dynamic port range = 50000-55000
         ntlm auth = mschapv2-and-ntlmv2-only
         disable netbios = yes
         template homedir = /home/%U
         template shell = /bin/bash
         tls enabled = yes
         tls priority = NONE:+SECURE256:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
         tls cafile = /etc/ssl/certs/ca.pem


# /etc/nsswitch.conf
passwd:         files systemd winbind
group:          files systemd winbind
shadow:         files
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns mymachines
networks:       files

# /etc/security/pam_winbind.conf
[global]
warn_pwd_expire = 30

# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
cached_login = yes

# winbind will keep your Ticket Granting Ticket (TGT) up-to-date by refreshing it whenever necessary
# (needs "winbind refresh tickets = yes" in smb.conf)
krb5_auth = yes

# succeed only if the user is a member of the given SID or NAME
require_membership_of = S-1-5-21-4190054395-3630394414-2036191173-1118


Now, to overcome the issues I mentioned, I started testing with a 
combination of sssd and winbind, because sssd has its own issues. I found 
sssd not refreshing the machine TGT automatically, and on Bullseye 
sssd-ad uses CLDAP, which is not supported by samba (there are bugs 
for this on the sssd (#5720) and Debian (#991274) bug trackers).
The only working configuration (for me) is winbind for the machine 
domain-membership and sssd-ldap+krb5 for nss and pam.
This setup has working offline support and proper password expiry 
behaviour, because those work with sssd, and it has proper machine-account 
management, as that is where winbind works:

# /etc/samba/smb.conf (same as above, but different client)
[global]
         log level = 5
         interfaces = lo
         bind interfaces only = yes
         netbios name = HAYDN
         security = ADS
         realm = COMPOSERS.LAN
         workgroup = COMPOSERS
         idmap config composers:backend = ad
         idmap config composers:schema_mode = rfc2307
         idmap config composers:unix_primary_group = yes
         idmap config composers:unix_nss_info = yes
         idmap config composers:range = 1001-100000
         idmap config *:backend = tdb
         idmap config *:range = 1000000-1999999
         winbind nss info = rfc2307
         winbind cache time = 300
         winbind enum groups = no
         winbind enum users = no
         winbind expand groups = 10
         winbind normalize names = no
         winbind offline logon = yes
         lock directory = /var/cache/samba
         winbind refresh tickets = yes
         winbind scan trusted domains = no
         winbind use default domain = yes
         kerberos method = secrets and keytab
         kerberos encryption types = strong
         rpc server dynamic port range = 50000-55000
         ntlm auth = mschapv2-and-ntlmv2-only
         disable netbios = yes
         template homedir = /home/%U
         template shell = /bin/bash
         tls enabled = yes
         tls priority = -VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
         tls cafile = /etc/ssl/certs/ca.pem


# /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
domains = composers.lan
reconnection_retries = 3

[pam]
offline_credentials_expiration = 0

[domain/composers.lan]
cache_credentials = true
enumerate = true

id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
autofs_provider = none
sudo_provider = none
# Access for members of the specified group(s); same group as
# 'require_membership_of' in /etc/security/pam_winbind.conf above
access_provider = simple
simple_allow_groups = acl-desktops_linux-user_access
min_id = 1001
dyndns_update = false
auto_private_groups = false
use_fully_qualified_names = false
pwd_expiration_warning = 30

ldap_uri = ldaps://einaudi.composers.lan/
# 'ldap_tls_cipher_suite' and/or 'ldap_tls_cacert' make it fail, cannot use for now
# https://github.com/SSSD/sssd/issues/5444
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=979995
# ldap_tls_cipher_suite = !ALL:VERS-TLS1.2:VERS-TLS1.3
# ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_search_base = DC=composers,DC=lan
ldap_user_search_base = OU=User Accounts,OU=Client Users,OU=Users,DC=composers,DC=lan
# the two settings below only take effect when access_provider = ldap
ldap_access_order = expire
ldap_account_expire_policy = ad

ldap_force_upper_case_realm = true
ldap_referrals = false
ldap_id_mapping = false
ldap_schema = ad
ldap_group_nesting_level = 10

krb5_realm = COMPOSERS.LAN
krb5_server = 192.168.10.3
krb5_kpasswd = 192.168.10.3
krb5_store_password_if_offline = true
krb5_lifetime = 10h

fallback_homedir = /home/%u
default_shell = /bin/bash
skel_dir = /etc/skel


# /etc/nsswitch.conf
passwd:         files systemd sss
group:          files systemd sss
shadow:         files sss
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns mymachines
networks:       files

protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files

For now this latter setup has fewer critical issues than the first, while 
both are imperfect and the latter is more complex to set up.
At least for now, winbind only is not possible in my setup, not even with 
the help of this list. Draw your own conclusion...

- Kees.
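The post's reason for running winbind and sssd side by side with rfc2307 ids is file ownership: both NSS backends must hand out the same uidNumber/gidNumber. The checker below is an added example, not code from the post or from the Samba or SSSD projects. It parses smb.conf and sssd.conf text of the shape shown above (the two sample files are constructed here with the post's values) and reports idmap ranges that overlap each other or the local system id range, an sssd domain that would generate its own SID-based ids instead of reading the AD attributes, a `min_id` that disagrees with the winbind domain range, a key set twice in one section, and a trailing `# ...` after a value, which neither file format treats as a comment. The assumption that 0-999 are local system accounts is the Debian default; the section and key names are the real ones used by the two daemons.

```python
"""Consistency checks for a winbind + sssd domain member (added example).

Parses smb.conf and sssd.conf text and reports settings that would make
winbind and sssd disagree about uids/gids, or that would silently not take
effect.  SMB_CONF_SAMPLE and SSSD_CONF_SAMPLE are constructed for this
example and mirror the values from the post.
"""
import re
from collections import defaultdict

SYSTEM_ID_MAX = 999  # assumption: Debian reserves 0-999 for local/system accounts

SMB_CONF_SAMPLE = """\
[global]
   security = ADS
   realm = COMPOSERS.LAN
   workgroup = COMPOSERS
   idmap config composers:backend = ad
   idmap config composers:schema_mode = rfc2307
   idmap config composers:range = 1001-100000
   idmap config *:backend = tdb
   idmap config *:range = 1000000-1999999
   winbind nss info = rfc2307
"""

SSSD_CONF_SAMPLE = """\
[sssd]
config_file_version = 2
domains = composers.lan

[domain/composers.lan]
id_provider = ldap
access_provider = ldap
auth_provider = krb5
access_provider = simple
simple_allow_groups = acl-desktops_linux-user_access
min_id = 1001
ldap_id_mapping = false
ldap_schema = ad
"""


def parse_ini(text):
    """Return {section: [(key, value), ...]}, keeping order and duplicates.

    Only whole-line comments ('#' or ';' first) are dropped, matching how
    smb.conf and sssd.conf define comments; everything after '=' is the value.
    """
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return dict(sections)


def idmap_ranges(smb):
    """Map idmap domain name -> (low, high) from 'idmap config DOM:range' keys."""
    ranges = {}
    for key, value in smb.get("global", []):
        m = re.fullmatch(r"idmap config (\S+):range", key)
        if not m:
            continue
        r = re.match(r"(\d+)\s*-\s*(\d+)", value)
        if not r:
            raise ValueError(f"unparsable idmap range for {m.group(1)}: {value!r}")
        ranges[m.group(1)] = (int(r.group(1)), int(r.group(2)))
    return ranges


def check_configs(smb_conf, sssd_conf, domain):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    smb = parse_ini(smb_conf)
    sssd = parse_ini(sssd_conf)
    ranges = idmap_ranges(smb)

    # 1. every idmap range is non-empty, above local ids, and disjoint from the others
    for name, (lo, hi) in ranges.items():
        if lo >= hi:
            findings.append(f"idmap range for {name} is empty: {lo}-{hi}")
        if lo <= SYSTEM_ID_MAX:
            findings.append(f"idmap range for {name} overlaps local system ids 0-{SYSTEM_ID_MAX}")
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"idmap ranges for {a} and {b} overlap")

    # 2. sssd must use the same uidNumber/gidNumber that winbind's 'ad' backend reads
    opts = {}
    for key, value in sssd.get(f"domain/{domain}".lower(), []):
        if key in opts:
            findings.append(f"sssd: '{key}' set more than once in [domain/{domain}]; only one value can take effect")
        opts[key] = value
    if opts.get("ldap_id_mapping", "false").lower() == "true":
        findings.append("sssd: ldap_id_mapping=true derives uids from SIDs; they will not match winbind's ad/rfc2307 uids")
    ad_range = next(((lo, hi) for n, (lo, hi) in ranges.items() if n != "*"), None)
    if ad_range and "min_id" in opts and int(opts["min_id"]) != ad_range[0]:
        findings.append(f"sssd min_id={opts['min_id']} differs from winbind domain range start {ad_range[0]}")

    # 3. a trailing '# ...' after a value is part of the value in both formats
    for section, pairs in list(smb.items()) + list(sssd.items()):
        for key, value in pairs:
            if "#" in value:
                findings.append(f"[{section}] {key}: value contains '#' ({value!r}); move the annotation to its own line")
    return findings


if __name__ == "__main__":
    for line in check_configs(SMB_CONF_SAMPLE, SSSD_CONF_SAMPLE, "composers.lan") or ["no inconsistencies found"]:
        print(line)
```

Run against the sample pair it reports only the duplicated `access_provider`; swap in `ldap_id_mapping = true`, a different `min_id`, or a `*` range that reaches into the domain range and it flags each of those, which are exactly the changes that would make a file owned by a user under winbind show up under a different uid under sssd.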
