[Samba] Winbind vs sssd both have issues

L.P.H. van Belle belle at bazuin.nl
Fri Sep 24 08:06:46 UTC 2021


 
Hi Kees, 

Small tip..

> # /etc/nsswitch.conf
> passwd:         files systemd sss
> group:          files systemd sss
> shadow:         files sss
> gshadow:        files
> 
> hosts:          files mdns4_minimal [NOTFOUND=return] dns mymachines

Change the hosts line to:
> hosts:          files dns mdns4_minimal [NOTFOUND=return]  mymachines

That helps with delays in resolving and reduces avahi (mDNS) lookups. 
;-) 

Plus, to reduce these "delays", look at /etc/resolv.conf:

man resolv.conf, see the options timeout and attempts. 

From what I'm seeing, I run the same as you, but only samba+winbind.

Greetz, 

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Kees
> van Vloten via samba
> Sent: Thursday, 23 September 2021 21:32
> To: samba at lists.samba.org
> Subject: [Samba] Winbind vs sssd both have issues
> 
> Hi list members,
> 
> My 2 cents in the sssd discussion.
> 
> I use Debian Bullseye with Louis' repo (samba 4.14). I have set up a DC
> and every user has an assigned uidNumber and gidNumber as I have some
> users that existed since even before Samba4 and I do not want to get
> into trouble with file ownership.
> 
> Now I have recently re-set up the (Linux) desktops and laptops. My
> conclusion is that the only way to get everything working. Everything
> means: machine domain-membership, nss against samba, pam against samba
> and offline support, nfs-krb5 home-dirs with offline support.
> 
> I would have preferred to use winbind only, but winbind (nss) hangs when

See my comment. 


> I pull the network plug and winbind-pam has an issue with account
> expiry. Q&A on this list did not help to get around both issues. In
> other words a winbind-only setup works (for me) pretty well on desktops
> (the expiry issue does not occur frequently).
> The config files for this:
> 
> # /etc/samba/smb.conf
> [global]
>          interfaces = lo
>          bind interfaces only = yes
>          netbios name = BACH
>          security = ADS
>          realm = COMPOSERS.LAN
>          workgroup = COMPOSERS
>          idmap config composers:backend = ad
>          idmap config composers:schema_mode = rfc2307
>          idmap config composers:unix_primary_group = yes
>          idmap config composers:unix_nss_info = yes
>          idmap config composers:range = 1001-100000  # this is intended
>          idmap config *:backend = tdb
>          idmap config *:range = 1000000-1999999
>          winbind nss info = rfc2307
>          winbind cache time = 300
>          winbind enum groups = no
>          winbind enum users = no
>          winbind expand groups = 10
>          winbind normalize names = no
>          winbind offline logon = yes
>          lock directory = /var/cache/samba
>          winbind refresh tickets = yes
>          winbind scan trusted domains = no
>          winbind use default domain = yes
>          kerberos method = secrets and keytab
>          kerberos encryption types = strong
>          rpc server dynamic port range = 50000-55000
>          ntlm auth = mschapv2-and-ntlmv2-only
>          disable netbios = yes
>          template homedir = /home/%U
>          template shell = /bin/bash
>          tls enabled = yes
>          tls priority = NONE:+SECURE256:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
>          tls cafile = /etc/ssl/certs/ca.pem
> 
> 
> # /etc/nsswitch.conf
> passwd:         files systemd winbind
> group:          files systemd winbind
> shadow:         files
> gshadow:        files
> 
> hosts:          files mdns4_minimal [NOTFOUND=return] dns mymachines
> networks:       files
> 
> # /etc/security/pam_winbind.conf
> [global]
> warn_pwd_expire = 30
> 
> # request a cached login if possible
> # (needs "winbind offline logon = yes" in smb.conf)
> cached_login = yes
> 
> # winbind will keep your Ticket Granting Ticket (TGT) up-to-date by 
> refreshing it whenever necessary
> # (needs "winbind refresh tickets = yes" in smb.conf)
> krb5_auth = yes
> 
> # succeed only if the user is a member of the given SID or NAME
> require_membership_of = S-1-5-21-4190054395-3630394414-2036191173-1118
> 
> 
> Now to overcome the issues I mentioned, I started testing with a
> combination of sssd and winbind because sssd has its own issues. I found
> sssd not refreshing the machine tgt automatically and on Bullseye with
> sssd-ad it uses cldap which is not supported by samba (there are bugs
> for this on sssd (#5720) and debian (#991274) bugtrackers).
> The only working configuration (for me) is winbind for the machine
> domain-membership and sssd-ldap+krb5 for nss and pam.
> This setup has working offline support and proper password expiry
> behavior because that works with sssd, and it has proper machine-account
> management as that is where winbind works:
> 
> # /etc/samba/smb.conf (same as above, but different client)
> [global]
>          log level = 5
>          interfaces = lo
>          bind interfaces only = yes
>          netbios name = HAYDN
>          security = ADS
>          realm = COMPOSERS.LAN
>          workgroup = COMPOSERS
>          idmap config composers:backend = ad
>          idmap config composers:schema_mode = rfc2307
>          idmap config composers:unix_primary_group = yes
>          idmap config composers:unix_nss_info = yes
>          idmap config composers:range = 1001-100000
>          idmap config *:backend = tdb
>          idmap config *:range = 1000000-1999999
>          winbind nss info = rfc2307
>          winbind cache time = 300
>          winbind enum groups = no
>          winbind enum users = no
>          winbind expand groups = 10
>          winbind normalize names = no
>          winbind offline logon = yes
>          lock directory = /var/cache/samba
>          winbind refresh tickets = yes
>          winbind scan trusted domains = no
>          winbind use default domain = yes
>          kerberos method = secrets and keytab
>          kerberos encryption types = strong
>          rpc server dynamic port range = 50000-55000
>          ntlm auth = mschapv2-and-ntlmv2-only
>          disable netbios = yes
>          template homedir = /home/%U
>          template shell = /bin/bash
>          tls enabled = yes
>          tls priority = -VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
>          tls cafile = /etc/ssl/certs/ca.pem
> 
> 
> # /etc/sssd/sssd.conf
> [sssd]
> config_file_version = 2
> domains = composers.lan
> reconnection_retries = 3
> 
> [pam]
> offline_credentials_expiration = 0
> 
> [domain/composers.lan]
> cache_credentials = true
> enumerate = true
> 
> id_provider = ldap
> access_provider = ldap
> auth_provider = krb5
> chpass_provider = krb5
> autofs_provider = none
> sudo_provider = none
> # Access for member of specifed group(s)
> access_provider = simple
> simple_allow_groups = acl-desktops_linux-user_access  # same as 'require_membership_of' in /etc/security/pam_winbind.conf above
> min_id = 1001
> dyndns_update = false
> auto_private_groups = false
> use_fully_qualified_names = false
> pwd_expiration_warning = 30
> 
> ldap_uri = ldaps://einaudi.composers.lan/
> # 'ldap_tls_cipher_suite' and/or 'ldap_tls_cacert' make it fail, cannot use for now
> # https://github.com/SSSD/sssd/issues/5444
> # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=979995
> # ldap_tls_cipher_suite = !ALL:VERS-TLS1.2:VERS-TLS1.3
> # ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
> ldap_search_base = DC=composers,DC=lan
> ldap_user_search_base = OU=User Accounts,OU=Client Users,OU=Users,DC=composers,DC=lan
> ldap_access_order = expire
> ldap_account_expire_policy = ad
> 
> ldap_force_upper_case_realm = true
> ldap_referrals = false
> ldap_id_mapping = false
> ldap_schema = ad
> ldap_group_nesting_level = 10
> 
> krb5_realm = COMPOSERS.LAN
> krb5_server = 192.168.10.3
> krb5_kpasswd = 192.168.10.3
> krb5_store_password_if_offline = true
> krb5_lifetime = 10h
> 
> fallback_homedir = /home/%u
> default_shell = /bin/bash
> skel_dir = /etc/skel
> 
> 
> # /etc/nsswitch.conf
> passwd:         files systemd sss
> group:          files systemd sss
> shadow:         files sss
> gshadow:        files
> 
> hosts:          files mdns4_minimal [NOTFOUND=return] dns mymachines
> networks:       files
> 
> protocols:      db files
> services:       db files sss
> ethers:         db files
> rpc:            db files
> 
> For now this latter setup has fewer critical issues than the first, while
> both are imperfect and the latter has a more complex setup.
> At least for now winbind only is not possible in my setup, not even with
> the help of this list. Draw your own conclusion...
> 
> - Kees.
> 
> 
> 

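Louis's tip at the top of the thread concerns two things: the order of sources on the hosts: line of nsswitch.conf and the timeout/attempts options of resolv.conf(5). The script below is an added example, not code from either poster or from the Samba project. It parses both hosts: lines quoted in the thread and a constructed resolv.conf (the thread names the file but does not show one; the search domain and nameserver addresses are invented), reports whether dns is consulted before mdns4_minimal, and computes an upper bound on how long one unanswered lookup can block a process, using the defaults and caps that resolv.conf(5) documents for the glibc stub resolver.

```python
import re

# Constructed inputs: the two hosts: lines quoted in the thread, plus an
# invented /etc/resolv.conf (the thread refers to the file but does not show one).
NSSWITCH_ORIGINAL = "hosts:          files mdns4_minimal [NOTFOUND=return] dns mymachines\n"
NSSWITCH_SUGGESTED = "hosts:          files dns mdns4_minimal [NOTFOUND=return]  mymachines\n"
RESOLV_DEFAULT = "search composers.lan\nnameserver 192.168.10.3\nnameserver 192.168.10.4\n"
RESOLV_TUNED = RESOLV_DEFAULT + "options timeout:1 attempts:1\n"

# Defaults and silent caps documented in resolv.conf(5) for glibc.
DEFAULT_TIMEOUT, MAX_TIMEOUT = 5, 30
DEFAULT_ATTEMPTS, MAX_ATTEMPTS = 2, 5
MAX_NAMESERVERS = 3  # MAXNS: further nameserver lines are ignored


def hosts_sources(nsswitch_text):
    """Ordered tokens of the hosts: line, actions such as [NOTFOUND=return] included."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            return line[len("hosts:"):].split()
    return []


def dns_before_mdns(nsswitch_text):
    """True when the dns source is consulted before mdns4_minimal (Louis's suggested order)."""
    toks = hosts_sources(nsswitch_text)
    if "dns" not in toks or "mdns4_minimal" not in toks:
        return "dns" in toks
    return toks.index("dns") < toks.index("mdns4_minimal")


def parse_resolv(resolv_text):
    """Return (nameservers, timeout, attempts) with glibc defaults and caps applied."""
    nameservers, timeout, attempts = [], DEFAULT_TIMEOUT, DEFAULT_ATTEMPTS
    for line in resolv_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("nameserver "):
            nameservers.append(line.split()[1])
        elif line.startswith("options"):
            for opt in line.split()[1:]:
                m = re.fullmatch(r"(timeout|attempts):(\d+)", opt)
                if m and m.group(1) == "timeout":
                    timeout = min(int(m.group(2)), MAX_TIMEOUT)
                elif m:
                    attempts = min(int(m.group(2)), MAX_ATTEMPTS)
    return nameservers[:MAX_NAMESERVERS], timeout, attempts


def worst_case_lookup_seconds(resolv_text):
    """Upper bound on the wait for one query when no nameserver answers.

    Approximation: every attempt walks the nameserver list and waits the full
    timeout on each server. glibc scales the per-server timeout for the second
    and third server, so the real wait is close to, not exactly, this figure."""
    ns, timeout, attempts = parse_resolv(resolv_text)
    return attempts * len(ns) * timeout


def report(nsswitch_text, resolv_text):
    """Human-readable summary of the checks above."""
    return "\n".join([
        f"hosts order: {' '.join(hosts_sources(nsswitch_text))}",
        f"dns before mdns4_minimal: {dns_before_mdns(nsswitch_text)}",
        f"worst-case block for an unanswered lookup: {worst_case_lookup_seconds(resolv_text)}s",
    ])


if __name__ == "__main__":
    print(report(NSSWITCH_ORIGINAL, RESOLV_DEFAULT))
    print(report(NSSWITCH_SUGGESTED, RESOLV_TUNED))
```

With the defaults (two nameservers, timeout 5, attempts 2) a lookup against a dead resolver can block for about 20 seconds, which is the kind of hang a desktop sees the moment the network cable is pulled; `options timeout:1 attempts:1` brings that to about 2 seconds at the cost of giving up sooner on a slow but live server. One caveat on the reordering: mdns4_minimal only answers for names under .local (and link-local reverse lookups), and the [NOTFOUND=return] action after it ends the lookup for a .local name it cannot resolve, so a site whose AD realm ends in .local must put dns before it; for a realm like COMPOSERS.LAN either order reaches DNS, since mdns4_minimal returns UNAVAIL for other suffixes and the search continues.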

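Kees's second setup splits the work between two stacks: winbind owns the machine account and the idmap configuration, sssd serves nss and pam from the same AD. That only holds together while the two files agree on realm, id range, user-name format and home directories, and while the idmap ranges in smb.conf do not overlap (Samba requires disjoint ranges). The checker below is an added example, not code from either poster or from the Samba or SSSD projects. It parses trimmed copies of the two posted files (only the keys the checks use, with the values as posted and the indentation dropped), flags options set twice in sssd.conf (the posted file sets access_provider to ldap and then to simple), reports overlapping idmap ranges, and lists settings that disagree between the two stacks. The agreement rules are this example's own heuristics, not documented requirements of either project.

```python
import configparser
import re

# Constructed fragments of the two files from the thread, trimmed to the keys
# the checks below use (same values as posted, indentation dropped).
SMB_CONF = """
[global]
realm = COMPOSERS.LAN
workgroup = COMPOSERS
idmap config composers:backend = ad
idmap config composers:range = 1001-100000  # this is intended
idmap config *:backend = tdb
idmap config *:range = 1000000-1999999
winbind enum groups = no
winbind enum users = no
winbind use default domain = yes
template homedir = /home/%U
"""

SSSD_CONF = """
[sssd]
domains = composers.lan

[domain/composers.lan]
enumerate = true
id_provider = ldap
access_provider = ldap
access_provider = simple
simple_allow_groups = acl-desktops_linux-user_access  # same as require_membership_of
min_id = 1001
use_fully_qualified_names = false
krb5_realm = COMPOSERS.LAN
fallback_homedir = /home/%u
"""


def load_ini(text, strict=True):
    """Parse an smb.conf/sssd.conf style file. '=' is the only delimiter because
    smb.conf keys such as 'idmap config composers:range' contain ':'."""
    cp = configparser.ConfigParser(strict=strict, delimiters=("=",),
                                   inline_comment_prefixes=("#", ";"),
                                   interpolation=None)
    cp.read_string("\n".join(l.strip() for l in text.splitlines()))
    return cp


def find_duplicate_options(text):
    """(section, option) pairs set more than once; which value wins is parser-dependent."""
    seen, dups, section = {}, [], None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]")
            continue
        key = line.split("=", 1)[0].strip().lower()
        if key in seen.setdefault(section, set()):
            dups.append((section, key))
        seen[section].add(key)
    return dups


def idmap_ranges(smb):
    """{domain: (lo, hi)} for every 'idmap config <dom>:range' in [global]."""
    ranges = {}
    for key, val in smb.items("global"):
        m = re.fullmatch(r"idmap config (.+):range", key)
        if m:
            lo, hi = (int(x) for x in val.split("-"))
            ranges[m.group(1)] = (lo, hi)
    return ranges


def overlapping_ranges(ranges):
    """Pairs of idmap domains whose ranges intersect; Samba requires disjoint ranges."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]


def consistency_findings(smb, sssd):
    """Settings that must agree when winbind holds the join and sssd serves nss/pam."""
    g = smb["global"]
    dom_name = sssd["sssd"]["domains"].split(",")[0].strip()
    dom = sssd["domain/" + dom_name]
    findings = []
    if dom.get("krb5_realm", "").lower() != g["realm"].lower():
        findings.append(f"krb5_realm {dom.get('krb5_realm')!r} != smb.conf realm {g['realm']!r}")
    ad_lo = min(lo for name, (lo, _) in idmap_ranges(smb).items() if name != "*")
    if int(dom.get("min_id", "1")) != ad_lo:
        findings.append(f"sssd min_id {dom.get('min_id')} != start of AD idmap range {ad_lo}")
    bare_winbind = g.get("winbind use default domain", "no").lower() == "yes"
    bare_sssd = dom.get("use_fully_qualified_names", "false").lower() == "false"
    if bare_winbind != bare_sssd:
        findings.append("winbind and sssd disagree on whether user names carry the domain prefix")
    if dom.get("enumerate", "false").lower() == "true" and g.get("winbind enum users", "no").lower() == "no":
        findings.append("sssd enumerate=true but winbind enum users=no: sssd pulls the whole user list, winbind does not")
    # winbind's %U and sssd's %u both expand to the login name
    if g.get("template homedir", "").replace("%U", "%u") != dom.get("fallback_homedir", ""):
        findings.append("template homedir and fallback_homedir expand to different paths")
    return findings


if __name__ == "__main__":
    smb, sssd = load_ini(SMB_CONF), load_ini(SSSD_CONF, strict=False)
    for sec, opt in find_duplicate_options(SSSD_CONF):
        print(f"duplicate option in [{sec}]: {opt}")
    for a, b in overlapping_ranges(idmap_ranges(smb)):
        print(f"idmap ranges overlap: {a} and {b}")
    for f in consistency_findings(smb, sssd):
        print("mismatch:", f)
```

On the posted fragments it reports the duplicate access_provider and the enumerate mismatch and nothing else: the ranges 1001-100000 and 1000000-1999999 are disjoint, min_id matches the start of the AD range, both stacks hand out bare user names, and the two home-directory templates agree. configparser's strict mode raises on the duplicate key, which is why the sssd file is loaded with strict=False after the explicit duplicate scan; against real files use load_ini(open('/etc/samba/smb.conf').read()) and the same for /etc/sssd/sssd.conf.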

