[Samba] Winbind vs sssd both have issues
L.P.H. van Belle
belle at bazuin.nl
Fri Sep 24 08:06:46 UTC 2021
Hai Kees,
Small tip..
> # /etc/nsswitch.conf
> passwd: files systemd sss
> group: files systemd sss
> shadow: files sss
> gshadow: files
>
> hosts: files mdns4_minimal [NOTFOUND=return] dns mymachines
Change hosts line..
> hosts: files dns mdns4_minimal [NOTFOUND=return] mymachines
Helps with delays in resolving and reduces avahi (mDNS) lookups.
;-)
Plus, to reduce these "delays", see /etc/resolv.conf ..
man resolv.conf, look at the options timeout and attempts.
From what I'm seeing, I run the same as you, but only samba+winbind.
Greetz,
Louis
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Kees
> van Vloten via samba
> Verzonden: donderdag 23 september 2021 21:32
> Aan: samba at lists.samba.org
> Onderwerp: [Samba] Winbind vs sssd both have issues
>
> Hi list members,
>
> My 2 cents in the sssd discussion.
>
> I use Debian Bullseye with Louis' repo (samba 4.14). I have
> setup a DC
> and every user has an assigned uidNumber and gidNumber as I have some
> users that existed since even before Samba4 and I do not want to get
> into troubles with file ownerships.
>
> Now I have recently re-setup the (Linux) desktops and laptops. My
> conclusion is that the only way to get everything working. Everything
> means: machine domain-membership, nss against samba, pam
> against samba
> and offline support, nfs-krb5 home-dirs with offline support.
>
> I would have preferred to use winbind only, but winbind (nss)
> hangs when
See my comment.
> I pull the network plug and winbind-pam has an issue with account
> expiry. Q&A on this list did not help to get around both issues. In
> other words a winbind only setup works (for me) pretty well
> on desktops
> (the expiry issue does not occur frequently).
> The config files for this:
>
> # /etc/samba/smb.conf
> [global]
> interfaces = lo
> bind interfaces only = yes
> netbios name = BACH
> security = ADS
> realm = COMPOSERS.LAN
> workgroup = COMPOSERS
> idmap config composers:backend = ad
> idmap config composers:schema_mode = rfc2307
> idmap config composers:unix_primary_group = yes
> idmap config composers:unix_nss_info = yes
> idmap config composers:range = 1001-100000 # this
> is intended
> idmap config *:backend = tdb
> idmap config *:range = 1000000-1999999
> winbind nss info = rfc2307
> winbind cache time = 300
> winbind enum groups = no
> winbind enum users = no
> winbind expand groups = 10
> winbind normalize names = no
> winbind offline logon = yes
> lock directory = /var/cache/samba
> winbind refresh tickets = yes
> winbind scan trusted domains = no
> winbind use default domain = yes
> kerberos method = secrets and keytab
> kerberos encryption types = strong
> rpc server dynamic port range = 50000-55000
> ntlm auth = mschapv2-and-ntlmv2-only
> disable netbios = yes
> template homedir = /home/%U
> template shell = /bin/bash
> tls enabled = yes
> tls priority =
> NONE:+SECURE256:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
> tls cafile = /etc/ssl/certs/ca.pem
>
>
> # /etc/nsswitch.conf
> passwd: files systemd winbind
> group: files systemd winbind
> shadow: files
> gshadow: files
>
> hosts: files mdns4_minimal [NOTFOUND=return] dns mymachines
> networks: files
>
> # /etc/security/pam_winbind.conf
> [global]
> warn_pwd_expire = 30
>
> # request a cached login if possible
> # (needs "winbind offline logon = yes" in smb.conf)
> cached_login = yes
>
> # winbind will keep your Ticket Granting Ticket (TGT) up-to-date by
> refreshing it whenever necessary
> # (needs "winbind refresh tickets = yes" in smb.conf)
> krb5_auth = yes
>
> # succeed only if the user is a member of the given SID or NAME
> require_membership_of = S-1-5-21-4190054395-3630394414-2036191173-1118
>
>
> Now to overcome the issues I mentioned, I started testing with a
> combination of sssd and winbind because sssd has its own
> issues. I found
> sssd not refreshing the machine tgt automatically and on
> Bullseye with
> sssd-ad it uses cldap which is not supported by samba (there are bugs
> for this on sssd (#5720) and debian (#991274) bugtrackers).
> The only working configuration (for me) is winbind for the machine
> domain-membership and sssd-ldap+krb5 for nss and pam.
> This setup has working offline support and proper password expiry
> behavior because that works with sssd and it has proper
> machine-account
> management as that is where winbind works:
>
> # /etc/samba/smb.conf (same as above, but different client)
> [global]
> log level = 5
> interfaces = lo
> bind interfaces only = yes
> netbios name = HAYDN
> security = ADS
> realm = COMPOSERS.LAN
> workgroup = COMPOSERS
> idmap config composers:backend = ad
> idmap config composers:schema_mode = rfc2307
> idmap config composers:unix_primary_group = yes
> idmap config composers:unix_nss_info = yes
> idmap config composers:range = 1001-100000
> idmap config *:backend = tdb
> idmap config *:range = 1000000-1999999
> winbind nss info = rfc2307
> winbind cache time = 300
> winbind enum groups = no
> winbind enum users = no
> winbind expand groups = 10
> winbind normalize names = no
> winbind offline logon = yes
> lock directory = /var/cache/samba
> winbind refresh tickets = yes
> winbind scan trusted domains = no
> winbind use default domain = yes
> kerberos method = secrets and keytab
> kerberos encryption types = strong
> rpc server dynamic port range = 50000-55000
> ntlm auth = mschapv2-and-ntlmv2-only
> disable netbios = yes
> template homedir = /home/%U
> template shell = /bin/bash
> tls enabled = yes
> tls priority = -VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
> tls cafile = /etc/ssl/certs/ca.pem
>
>
> # /etc/sssd/sssd.conf
> [sssd]
> config_file_version = 2
> domains = composers.lan
> reconnection_retries = 3
>
> [pam]
> offline_credentials_expiration = 0
>
> [domain/composers.lan]
> cache_credentials = true
> enumerate = true
>
> id_provider = ldap
> access_provider = ldap
> auth_provider = krb5
> chpass_provider = krb5
> autofs_provider = none
> sudo_provider = none
> # Access for members of the specified group(s)
> access_provider = simple
> simple_allow_groups = acl-desktops_linux-user_access # same as
> 'require_membership_of' in /etc/security/pam_winbind.conf above
> min_id = 1001
> dyndns_update = false
> auto_private_groups = false
> use_fully_qualified_names = false
> pwd_expiration_warning = 30
>
> ldap_uri = ldaps://einaudi.composers.lan/
> # 'ldap_tls_cipher_suite' and/or 'ldap_tls_cacert' make it
> fail, cannot
> use for now
> # https://github.com/SSSD/sssd/issues/5444
> # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=979995
> # ldap_tls_cipher_suite = !ALL:VERS-TLS1.2:VERS-TLS1.3
> # ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
> ldap_search_base = DC=composers,DC=lan
> ldap_user_search_base = OU=User Accounts,OU=Client
> Users,OU=Users,DC=composers,DC=lan
> ldap_access_order = expire
> ldap_account_expire_policy = ad
>
> ldap_force_upper_case_realm = true
> ldap_referrals = false
> ldap_id_mapping = false
> ldap_schema = ad
> ldap_group_nesting_level = 10
>
> krb5_realm = COMPOSERS.LAN
> krb5_server = 192.168.10.3
> krb5_kpasswd = 192.168.10.3
> krb5_store_password_if_offline = true
> krb5_lifetime = 10h
>
> fallback_homedir = /home/%u
> default_shell = /bin/bash
> skel_dir = /etc/skel
>
>
> # /etc/nsswitch.conf
> passwd: files systemd sss
> group: files systemd sss
> shadow: files sss
> gshadow: files
>
> hosts: files mdns4_minimal [NOTFOUND=return] dns mymachines
> networks: files
>
> protocols: db files
> services: db files sss
> ethers: db files
> rpc: db files
>
> For now this later setup has fewer critical issues than the
> first, while
> both are imperfect and the latter has a more complex setup.
> At least for now winbind only is not possible in my setup,
> not even with
> the help of this list. Draw your own conclusion...
>
> - Kees.
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>