[Samba] Winbind vs sssd both have issues
Kees van Vloten
keesvanvloten at gmail.com
Thu Sep 23 19:32:02 UTC 2021
Hi list members,
My 2 cents in the sssd discussion.
I use Debian Bullseye with Louis' repo (samba 4.14). I have setup a DC
and every user has an assigned uidNumber and gidNumber as I have some
users that existed since even before Samba4 and I do not want to get
into troubles with file ownerships.
Now I have recently re-setup the (Linux) desktops and laptops. My
conclusion is that the only way to get everything working. Everything
means: machine domain-membership, nss against samba, pam against samba
and offline support, nfs-krb5 home-dirs with offline support.
I would have preferred to use winbind only, but winbind (nss) hangs when
I pull the network plug and winbind-pam has an issue with account
expiry. Q&A on this list did not help to get around both issues. In
other words a winbind only setup works (for me) pretty well on desktops
(the expiry issue does not occur frequently).
The config files for this:
# /etc/samba/smb.conf
[global]
interfaces = lo
bind interfaces only = yes
netbios name = BACH
security = ADS
realm = COMPOSERS.LAN
workgroup = COMPOSERS
idmap config composers:backend = ad
idmap config composers:schema_mode = rfc2307
idmap config composers:unix_primary_group = yes
idmap config composers:unix_nss_info = yes
idmap config composers:range = 1001-100000 # this is intended
idmap config *:backend = tdb
idmap config *:range = 1000000-1999999
winbind nss info = rfc2307
winbind cache time = 300
winbind enum groups = no
winbind enum users = no
winbind expand groups = 10
winbind normalize names = no
winbind offline logon = yes
lock directory = /var/cache/samba
winbind refresh tickets = yes
winbind scan trusted domains = no
winbind use default domain = yes
kerberos method = secrets and keytab
kerberos encryption types = strong
rpc server dynamic port range = 50000-55000
ntlm auth = mschapv2-and-ntlmv2-only
disable netbios = yes
template homedir = /home/%U
template shell = /bin/bash
tls enabled = yes
tls priority = NONE:+SECURE256:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
tls cafile = /etc/ssl/certs/ca.pem
# /etc/nsswitch.conf
passwd: files systemd winbind
group: files systemd winbind
shadow: files
gshadow: files
hosts: files mdns4_minimal [NOTFOUND=return] dns mymachines
networks: files
# /etc/security/pam_winbind.conf
[global]
warn_pwd_expire = 30
# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
cached_login = yes
# winbind will keep your Ticket Granting Ticket (TGT) up-to-date by refreshing it whenever necessary
# (needs "winbind refresh tickets = yes" in smb.conf)
krb5_auth = yes
# succeed only if the user is a member of the given SID or NAME
require_membership_of = S-1-5-21-4190054395-3630394414-2036191173-1118
Now to overcome the issues I mentioned, I started testing with a
combination of sssd and winbind because sssd has its own issues. I found
sssd not refreshing the machine tgt automatically and on Bullseye with
sssd-ad it uses cldap which is not supported by samba (there are bugs
for this on sssd (#5720) and debian (#991274) bugtrackers).
The only working configuration (for me) is winbind for the machine
domain-membership and sssd-ldap+krb5 for nss and pam.
This setup has working offline support and proper password expiry
behavior because that works with sssd and it has proper machine-account
management as that is where winbind works:
# /etc/samba/smb.conf (same as above, but different client)
[global]
log level = 5
interfaces = lo
bind interfaces only = yes
netbios name = HAYDN
security = ADS
realm = COMPOSERS.LAN
workgroup = COMPOSERS
idmap config composers:backend = ad
idmap config composers:schema_mode = rfc2307
idmap config composers:unix_primary_group = yes
idmap config composers:unix_nss_info = yes
idmap config composers:range = 1001-100000
idmap config *:backend = tdb
idmap config *:range = 1000000-1999999
winbind nss info = rfc2307
winbind cache time = 300
winbind enum groups = no
winbind enum users = no
winbind expand groups = 10
winbind normalize names = no
winbind offline logon = yes
lock directory = /var/cache/samba
winbind refresh tickets = yes
winbind scan trusted domains = no
winbind use default domain = yes
kerberos method = secrets and keytab
kerberos encryption types = strong
rpc server dynamic port range = 50000-55000
ntlm auth = mschapv2-and-ntlmv2-only
disable netbios = yes
template homedir = /home/%U
template shell = /bin/bash
tls enabled = yes
tls priority = -VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
tls cafile = /etc/ssl/certs/ca.pem
# /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
domains = composers.lan
reconnection_retries = 3
[pam]
offline_credentials_expiration = 0
[domain/composers.lan]
cache_credentials = true
enumerate = true
id_provider = ldap
access_provider = ldap
auth_provider = krb5
chpass_provider = krb5
autofs_provider = none
sudo_provider = none
# Access for member of specified group(s)
access_provider = simple
# same as 'require_membership_of' in /etc/security/pam_winbind.conf above
simple_allow_groups = acl-desktops_linux-user_access
min_id = 1001
dyndns_update = false
auto_private_groups = false
use_fully_qualified_names = false
pwd_expiration_warning = 30
ldap_uri = ldaps://einaudi.composers.lan/
# 'ldap_tls_cipher_suite' and/or 'ldap_tls_cacert' make it fail, cannot use for now
# https://github.com/SSSD/sssd/issues/5444
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=979995
# ldap_tls_cipher_suite = !ALL:VERS-TLS1.2:VERS-TLS1.3
# ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_search_base = DC=composers,DC=lan
ldap_user_search_base = OU=User Accounts,OU=Client Users,OU=Users,DC=composers,DC=lan
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_referrals = false
ldap_id_mapping = false
ldap_schema = ad
ldap_group_nesting_level = 10
krb5_realm = COMPOSERS.LAN
krb5_server = 192.168.10.3
krb5_kpasswd = 192.168.10.3
krb5_store_password_if_offline = true
krb5_lifetime = 10h
fallback_homedir = /home/%u
default_shell = /bin/bash
skel_dir = /etc/skel
# /etc/nsswitch.conf
passwd: files systemd sss
group: files systemd sss
shadow: files sss
gshadow: files
hosts: files mdns4_minimal [NOTFOUND=return] dns mymachines
networks: files
protocols: db files
services: db files sss
ethers: db files
rpc: db files
For now this latter setup has fewer critical issues than the first, while
both are imperfect and the latter has a more complex setup.
At least for now winbind only is not possible in my setup, not even with
the help of this list. Draw your own conclusion...
- Kees.
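An added consistency check for the split setup above (example code written for this page, not from the post, Samba or sssd): it parses fragments constructed in the shape of the two files and reports the points where the winbind half (IDs from AD) and the sssd half (nss, pam, offline logon) must agree, including the access_provider key that appears twice in the sssd.conf above.

```python
# Constructed fragments in the shape of the post's two files (not the full files).
SMB_CONF = """[global]
idmap config composers:backend = ad
idmap config composers:schema_mode = rfc2307
idmap config composers:range = 1001-100000
"""
SSSD_CONF = """[domain/composers.lan]
cache_credentials = true
access_provider = ldap
access_provider = simple
min_id = 1001
ldap_uri = ldaps://einaudi.composers.lan/
ldap_id_mapping = false
krb5_store_password_if_offline = true
"""

def parse_ini(text):
    """Return {section: [(key, value), ...]}; duplicate keys are kept, not merged."""
    sections, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            cur = line[1:-1]
            sections.setdefault(cur, [])
        elif "=" in line and cur is not None:
            key, _, val = line.partition("=")
            sections[cur].append((key.strip(), val.strip()))
    return sections

def last(entries, key):
    return ([v for k, v in entries if k == key] or [None])[-1]

def check_split_setup(smb_text, sssd_text):
    """Findings about the winbind-for-IDs / sssd-for-nss-and-pam split; [] means consistent."""
    smb = parse_ini(smb_text).get("global", [])
    dom = next((e for n, e in parse_ini(sssd_text).items() if n.startswith("domain/")), [])
    out, keys = [], [k for k, _ in dom]
    for dup in sorted({k for k in keys if keys.count(k) > 1}):
        out.append(f"sssd sets '{dup}' {keys.count(dup)} times; only one value takes effect")
    # winbind takes uidNumber/gidNumber from AD (backend ad, rfc2307); sssd must not invent its own
    if last(dom, "ldap_id_mapping") != "false":
        out.append("ldap_id_mapping must be false or sssd's IDs differ from winbind's")
    low = next((v.split("-")[0] for k, v in smb
                if k.startswith("idmap config ") and k.endswith(":range") and "*" not in k), None)
    if low and last(dom, "min_id") != low:
        out.append(f"sssd min_id {last(dom, 'min_id')} differs from idmap range start {low}")
    # offline logon: sssd must cache credentials and keep the password for krb5 while the DC is away
    if last(dom, "cache_credentials") != "true" or last(dom, "krb5_store_password_if_offline") != "true":
        out.append("offline logon needs cache_credentials=true and krb5_store_password_if_offline=true")
    return out
```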