[Samba] Winbind vs sssd both have issues

Patrick Goetz pgoetz at math.utexas.edu
Thu Sep 23 23:13:36 UTC 2021



On 9/23/21 14:32, Kees van Vloten via samba wrote:
> Hi list members,
> 
> My 2 cents in the sssd discussion.
> 
> I use Debian Bullseye with Louis' repo (samba 4.14). I have setup a DC 
> and every user has an assigned uidNumber and gidNumber as I have some 
> users that existed since even before Samba4 and I do not want to get 
> into troubles with file ownerships.
> 
> Now I have recently re-setup the (Linux) desktops and laptops. My 
> conclusion is that the only way to get everything working. Everything 
> means: machine domain-membership, nss against samba, pam against samba 
> and offline support, nfs-krb5 home-dirs with offline support.
> 
> I would have preferred to use winbind only, but winbind (nss) hangs when 
> I pull the network plug and winbind-pam has an issue with account 
> expiry. Q&A on this list did not help to get around both issues. In 
> other words a winbind only setup works (for me) pretty well on desktops 
> (the expiry issue does not occur frequently).
> The config files for this:
> 
> # /etc/samba/smb.conf
> [global]
>          interfaces = lo
>          bind interfaces only = yes
>          netbios name = BACH
>          security = ADS
>          realm = COMPOSERS.LAN
>          workgroup = COMPOSERS
>          idmap config composers:backend = ad
>          idmap config composers:schema_mode = rfc2307
>          idmap config composers:unix_primary_group = yes
>          idmap config composers:unix_nss_info = yes
>          # the composers range below is intended
>          idmap config composers:range = 1001-100000
>          idmap config *:backend = tdb
>          idmap config *:range = 1000000-1999999
>          winbind nss info = rfc2307
>          winbind cache time = 300
>          winbind enum groups = no
>          winbind enum users = no
>          winbind expand groups = 10
>          winbind normalize names = no
>          winbind offline logon = yes
>          lock directory = /var/cache/samba
>          winbind refresh tickets = yes
>          winbind scan trusted domains = no
>          winbind use default domain = yes
>          kerberos method = secrets and keytab
>          kerberos encryption types = strong
>          rpc server dynamic port range = 50000-55000
>          ntlm auth = mschapv2-and-ntlmv2-only
>          disable netbios = yes
>          template homedir = /home/%U
>          template shell = /bin/bash
>          tls enabled = yes
>          tls priority = NONE:+SECURE256:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
>          tls cafile = /etc/ssl/certs/ca.pem
> 
> 
> # /etc/nsswitch.conf
> passwd:         files systemd winbind
> group:          files systemd winbind
> shadow:         files
> gshadow:        files
> 
> hosts:          files mdns4_minimal [NOTFOUND=return] dns mymachines
> networks:       files
> 
> # /etc/security/pam_winbind.conf
> [global]
> warn_pwd_expire = 30
> 
> # request a cached login if possible
> # (needs "winbind offline logon = yes" in smb.conf)
> cached_login = yes
> 
> # winbind will keep your Ticket Granting Ticket (TGT) up-to-date by refreshing it whenever necessary
> # (needs "winbind refresh tickets = yes" in smb.conf)
> krb5_auth = yes
> 
> # succeed only if the user is a member of the given SID or NAME
> require_membership_of = S-1-5-21-4190054395-3630394414-2036191173-1118
> 
> 
> Now to overcome the issues I mentioned, I started testing with a 
> combination of sssd and winbind because sssd has its own issues. I found 
> sssd not refreshing the machine tgt automatically and on Bullseye with 
> sssd-ad it uses cldap which is not supported by samba (there are bugs 
> for this on sssd (#5720) and debian (#991274) bugtrackers).


Add something like this to your /etc/crontab on the client:


00 12 * * 1 root  msktutil --update --computer-name my-pc --verbose --server dc.samdom.com


> The only working configuration (for me) is winbind for the machine 
> domain-membership and sssd-ldap+krb5 for nss and pam.
> This setup has working offline support and proper password expiry 
> behavior because that works with sssd and it has proper machine-account 
> management as that is where winbind works:
> 
> # /etc/samba/smb.conf (same as above, but different client)
> [global]
>          log level = 5
>          interfaces = lo
>          bind interfaces only = yes
>          netbios name = HAYDN
>          security = ADS
>          realm = COMPOSERS.LAN
>          workgroup = COMPOSERS
>          idmap config composers:backend = ad
>          idmap config composers:schema_mode = rfc2307
>          idmap config composers:unix_primary_group = yes
>          idmap config composers:unix_nss_info = yes
>          idmap config composers:range = 1001-100000
>          idmap config *:backend = tdb
>          idmap config *:range = 1000000-1999999
>          winbind nss info = rfc2307
>          winbind cache time = 300
>          winbind enum groups = no
>          winbind enum users = no
>          winbind expand groups = 10
>          winbind normalize names = no
>          winbind offline logon = yes
>          lock directory = /var/cache/samba
>          winbind refresh tickets = yes
>          winbind scan trusted domains = no
>          winbind use default domain = yes
>          kerberos method = secrets and keytab
>          kerberos encryption types = strong
>          rpc server dynamic port range = 50000-55000
>          ntlm auth = mschapv2-and-ntlmv2-only
>          disable netbios = yes
>          template homedir = /home/%U
>          template shell = /bin/bash
>          tls enabled = yes
>          tls priority = -VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
>          tls cafile = /etc/ssl/certs/ca.pem
> 
> 
> # /etc/sssd/sssd.conf
> [sssd]
> config_file_version = 2
> domains = composers.lan
> reconnection_retries = 3
> 
> [pam]
> offline_credentials_expiration = 0
> 
> [domain/composers.lan]
> cache_credentials = true
> enumerate = true
> 
> id_provider = ldap
> access_provider = ldap
> auth_provider = krb5
> chpass_provider = krb5
> autofs_provider = none
> sudo_provider = none
> # Access for members of the specified group(s)
> access_provider = simple
> # same as 'require_membership_of' in /etc/security/pam_winbind.conf above
> simple_allow_groups = acl-desktops_linux-user_access
> min_id = 1001
> dyndns_update = false
> auto_private_groups = false
> use_fully_qualified_names = false
> pwd_expiration_warning = 30
> 
> ldap_uri = ldaps://einaudi.composers.lan/
> # 'ldap_tls_cipher_suite' and/or 'ldap_tls_cacert' make it fail, cannot use for now
> # https://github.com/SSSD/sssd/issues/5444
> # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=979995
> # ldap_tls_cipher_suite = !ALL:VERS-TLS1.2:VERS-TLS1.3
> # ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
> ldap_search_base = DC=composers,DC=lan
> ldap_user_search_base = OU=User Accounts,OU=Client Users,OU=Users,DC=composers,DC=lan
> ldap_access_order = expire
> ldap_account_expire_policy = ad
> 
> ldap_force_upper_case_realm = true
> ldap_referrals = false
> ldap_id_mapping = false
> ldap_schema = ad
> ldap_group_nesting_level = 10
> 
> krb5_realm = COMPOSERS.LAN
> krb5_server = 192.168.10.3
> krb5_kpasswd = 192.168.10.3
> krb5_store_password_if_offline = true
> krb5_lifetime = 10h
> 
> fallback_homedir = /home/%u
> default_shell = /bin/bash
> skel_dir = /etc/skel
> 
> 
> # /etc/nsswitch.conf
> passwd:         files systemd sss
> group:          files systemd sss
> shadow:         files sss
> gshadow:        files
> 
> hosts:          files mdns4_minimal [NOTFOUND=return] dns mymachines
> networks:       files
> 
> protocols:      db files
> services:       db files sss
> ethers:         db files
> rpc:            db files
> 
> For now this latter setup has fewer critical issues than the first, while 
> both are imperfect and the latter has a more complex setup.
> At least for now winbind only is not possible in my setup, not even with 
> the help of this list. Draw your own conclusion...
> 
> - Kees.
> 
> 
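Both smb.conf files in the thread split UID/GID allocation between an `ad` backend (composers, 1001-100000) and a `tdb` default backend (`*`, 1000000-1999999). Overlapping or missing idmap ranges are a classic winbind misconfiguration that silently breaks file ownership, and the first config also carries an inline `# ...` comment on a value, which smb.conf does not strip. The following checker is an added example, not code from the thread or from Samba; it parses a constructed smb.conf excerpt modelled on the first config (the `SAMPLE_SMB_CONF` string and the finding messages are assumptions of this example) and reports the problems an administrator would want to catch before joining the machine.

```python
"""Sanity checks for 'idmap config' ranges in a Samba member smb.conf.

Added example (not from the thread): parses the 'idmap config <DOM>:<opt>'
lines of an smb.conf and reports overlapping ranges, a backend without a
range, malformed ranges, a missing '*' default domain, and trailing '#'
comments that smb.conf keeps as part of the value.
"""
import re
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the first smb.conf in the thread; only the
# idmap lines matter to the checker. The inline comment is kept on purpose.
SAMPLE_SMB_CONF = """\
[global]
        security = ADS
        realm = COMPOSERS.LAN
        workgroup = COMPOSERS
        idmap config composers:backend = ad
        idmap config composers:schema_mode = rfc2307
        idmap config composers:range = 1001-100000  # this is intended
        idmap config *:backend = tdb
        idmap config *:range = 1000000-1999999
"""

IDMAP_KEY = re.compile(r"^idmap config (?P<dom>\S+):(?P<opt>\w+)$", re.IGNORECASE)
RANGE_VAL = re.compile(r"^\s*(\d+)\s*-\s*(\d+)")


def parse_idmap(text: str) -> Dict[str, Dict[str, Tuple[str, int]]]:
    """Return {domain: {option: (raw_value, line_number)}} for idmap lines.

    Only whole-line comments ('#' or ';' as first character) are skipped,
    mirroring how smb.conf itself is parsed.
    """
    domains: Dict[str, Dict[str, Tuple[str, int]]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;" or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key = " ".join(key.split()).lower()  # collapse whitespace in the key
        m = IDMAP_KEY.match(key)
        if not m:
            continue
        dom = m.group("dom").lower()
        domains.setdefault(dom, {})[m.group("opt").lower()] = (value.strip(), lineno)
    return domains


def check_idmap(domains: Dict[str, Dict[str, Tuple[str, int]]]) -> List[str]:
    """Return human-readable findings; an empty list means the ranges look sane."""
    findings: List[str] = []
    ranges: Dict[str, Tuple[int, int]] = {}
    if "*" not in domains:
        findings.append("no 'idmap config *' default domain: BUILTIN and unknown SIDs will not map")
    for dom, opts in sorted(domains.items()):
        if "backend" in opts and "range" not in opts:
            findings.append(f"{dom}: backend '{opts['backend'][0]}' set but no range (line {opts['backend'][1]})")
            continue
        if "range" not in opts:
            continue
        value, lineno = opts["range"]
        if "#" in value or ";" in value:
            findings.append(f"{dom}: range on line {lineno} carries an inline comment ({value!r}); "
                            "smb.conf does not strip it, move the comment to its own line")
        m = RANGE_VAL.match(value)
        if not m:
            findings.append(f"{dom}: malformed range {value!r} on line {lineno}")
            continue
        low, high = int(m.group(1)), int(m.group(2))
        if low >= high:
            findings.append(f"{dom}: range low {low} is not below high {high} (line {lineno})")
            continue
        ranges[dom] = (low, high)
    # Pairwise overlap check: two domains handing out the same UID/GID
    # numbers is what produces wrong file ownership on shared storage.
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (al, ah), (bl, bh) = ranges[a], ranges[b]
            if al <= bh and bl <= ah:
                findings.append(f"ranges overlap: {a} {al}-{ah} vs {b} {bl}-{bh}")
    return findings


if __name__ == "__main__":
    for finding in check_idmap(parse_idmap(SAMPLE_SMB_CONF)) or ["idmap config looks sane"]:
        print(finding)
```

Run against the sample, the only finding is the inline comment on the composers range; the two ranges themselves do not overlap, which matches the thread's intent of keeping rfc2307-assigned IDs below the tdb allocation. Pointing the parser at a real `/etc/samba/smb.conf` (or at `testparm -s` output) gives the same report for a live member server.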
