[Samba] Winbind vs sssd both have issues

Kees van Vloten keesvanvloten at gmail.com
Fri Sep 24 11:17:03 UTC 2021


On 24-09-2021 10:06, L.P.H. van Belle wrote:
>   
> Hai Kees,
>
> Small tip..
>
>> # /etc/nsswitch.conf
>> passwd:         files systemd sss
>> group:          files systemd sss
>> shadow:         files sss
>> gshadow:        files
>>
>> hosts:          files mdns4_minimal [NOTFOUND=return] dns mymachines
> Change hosts line..
>> hosts:          files dns mdns4_minimal [NOTFOUND=return]  mymachines
> Helps with delays in resolving and reduces avahi (mDNS) lookups.
> ;-)
>
> Plus, to reduce these "delays", /etc/resolv.conf ..
>
> man resolv.conf, look at the options timeout and attempts.
>
>  From what I'm seeing, I run the same as you, but only samba+winbind.
>
> Greetz,
>
> Louis
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Kees
>> van Vloten via samba
>> Sent: Thursday 23 September 2021 21:32
>> To: samba at lists.samba.org
>> Subject: [Samba] Winbind vs sssd both have issues
>>
>> Hi list members,
>>
>> My 2 cents in the sssd discussion.
>>
>> I use Debian Bullseye with Louis' repo (samba 4.14). I have
>> setup a DC
>> and every user has an assigned uidNumber and gidNumber as I have some
>> users that existed since even before Samba4 and I do not want to get
>> into troubles with file ownerships.
>>
>> Now I have recently re-setup the  (Linux) desktops and laptops. My
>> conclusion is that the only way to get everything working. Everything
>> means: machine domain-membership, nss against samba, pam
>> against samba
>> and offline support, nfs-krb5 home-dirs with offline support.
>>
>> I would have preferred to use winbind only, but winbind (nss)
>> hangs when
> See my comment.
>
>
>> I pull the network plug and winbind-pam has an issue with account
>> expiry. Q&A on this list did not help to get around both issues. In
>> other words a winbind only setup works (for me) pretty well
>> on desktops
>> (the expiry issue does not occur frequently).
>> The config files for this:
>>
>> # /etc/samba/smb.conf
>> [global]
>>           interfaces = lo
>>           bind interfaces only = yes
>>           netbios name = BACH
>>           security = ADS
>>           realm = COMPOSERS.LAN
>>           workgroup = COMPOSERS
>>           idmap config composers:backend = ad
>>           idmap config composers:schema_mode = rfc2307
>>           idmap config composers:unix_primary_group = yes
>>           idmap config composers:unix_nss_info = yes
>>           idmap config composers:range = 1001-100000  # this is intended
>>           idmap config *:backend = tdb
>>           idmap config *:range = 1000000-1999999
>>           winbind nss info = rfc2307
>>           winbind cache time = 300
>>           winbind enum groups = no
>>           winbind enum users = no
>>           winbind expand groups = 10
>>           winbind normalize names = no
>>           winbind offline logon = yes
>>           lock directory = /var/cache/samba
>>           winbind refresh tickets = yes
>>           winbind scan trusted domains = no
>>           winbind use default domain = yes
>>           kerberos method = secrets and keytab
>>           kerberos encryption types = strong
>>           rpc server dynamic port range = 50000-55000
>>           ntlm auth = mschapv2-and-ntlmv2-only
>>           disable netbios = yes
>>           template homedir = /home/%U
>>           template shell = /bin/bash
>>           tls enabled = yes
>>           tls priority = NONE:+SECURE256:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
>>           tls cafile = /etc/ssl/certs/ca.pem
>>
>>
>> # /etc/nsswitch.conf
>> passwd:         files systemd winbind
>> group:          files systemd winbind
>> shadow:         files
>> gshadow:        files
>>
>> hosts:          files mdns4_minimal [NOTFOUND=return] dns mymachines
>> networks:       files
>>
>> # /etc/security/pam_winbind.conf
>> [global]
>> warn_pwd_expire = 30
>>
>> # request a cached login if possible
>> # (needs "winbind offline logon = yes" in smb.conf)
>> cached_login = yes
>>
>> # winbind will keep your Ticket Granting Ticket (TGT) up-to-date by refreshing it whenever necessary
>> # (needs "winbind refresh tickets = yes" in smb.conf)
>> krb5_auth = yes
>>
>> # succeed only if the user is a member of the given SID or NAME
>> require_membership_of = S-1-5-21-4190054395-3630394414-2036191173-1118
>>
>>
>> Now to overcome the issues I mentioned, I started testing with a
>> combination of sssd and winbind because sssd has its own
>> issues. I found
>> sssd not refreshing the machine tgt automatically and on
>> Bullseye with
>> sssd-ad it uses cldap which is not supported by samba (there are bugs
>> for this on sssd (#5720) and debian (#991274) bugtrackers).
>> The only working configuration (for me) is winbind for the machine
>> domain-membership and sssd-ldap+krb5 for nss and pam.
>> This setup has working offline support and proper password expiry
>> behavior because that works with sssd and it has proper
>> machine-account
>> management as that is where winbind works:
>>
>> # /etc/samba/smb.conf (same as above, but different client)
>> [global]
>>           log level = 5
>>           interfaces = lo
>>           bind interfaces only = yes
>>           netbios name = HAYDN
>>           security = ADS
>>           realm = COMPOSERS.LAN
>>           workgroup = COMPOSERS
>>           idmap config composers:backend = ad
>>           idmap config composers:schema_mode = rfc2307
>>           idmap config composers:unix_primary_group = yes
>>           idmap config composers:unix_nss_info = yes
>>           idmap config composers:range = 1001-100000
>>           idmap config *:backend = tdb
>>           idmap config *:range = 1000000-1999999
>>           winbind nss info = rfc2307
>>           winbind cache time = 300
>>           winbind enum groups = no
>>           winbind enum users = no
>>           winbind expand groups = 10
>>           winbind normalize names = no
>>           winbind offline logon = yes
>>           lock directory = /var/cache/samba
>>           winbind refresh tickets = yes
>>           winbind scan trusted domains = no
>>           winbind use default domain = yes
>>           kerberos method = secrets and keytab
>>           kerberos encryption types = strong
>>           rpc server dynamic port range = 50000-55000
>>           ntlm auth = mschapv2-and-ntlmv2-only
>>           disable netbios = yes
>>           template homedir = /home/%U
>>           template shell = /bin/bash
>>           tls enabled = yes
>>           tls priority = -VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
>>           tls cafile = /etc/ssl/certs/ca.pem
>>
>>
>> # /etc/sssd/sssd.conf
>> [sssd]
>> config_file_version = 2
>> domains = composers.lan
>> reconnection_retries = 3
>>
>> [pam]
>> offline_credentials_expiration = 0
>>
>> [domain/composers.lan]
>> cache_credentials = true
>> enumerate = true
>>
>> id_provider = ldap
>> access_provider = ldap
>> auth_provider = krb5
>> chpass_provider = krb5
>> autofs_provider = none
>> sudo_provider = none
>> # Access for members of specified group(s)
>> access_provider = simple
>> simple_allow_groups = acl-desktops_linux-user_access  # same as 'require_membership_of' in /etc/security/pam_winbind.conf above
>> min_id = 1001
>> dyndns_update = false
>> auto_private_groups = false
>> use_fully_qualified_names = false
>> pwd_expiration_warning = 30
>>
>> ldap_uri = ldaps://einaudi.composers.lan/
>> # 'ldap_tls_cipher_suite' and/or 'ldap_tls_cacert' make it fail, cannot use for now
>> # https://github.com/SSSD/sssd/issues/5444
>> # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=979995
>> # ldap_tls_cipher_suite = !ALL:VERS-TLS1.2:VERS-TLS1.3
>> # ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
>> ldap_search_base = DC=composers,DC=lan
>> ldap_user_search_base = OU=User Accounts,OU=Client Users,OU=Users,DC=composers,DC=lan
>> ldap_access_order = expire
>> ldap_account_expire_policy = ad
>>
>> ldap_force_upper_case_realm = true
>> ldap_referrals = false
>> ldap_id_mapping = false
>> ldap_schema = ad
>> ldap_group_nesting_level = 10
>>
>> krb5_realm = COMPOSERS.LAN
>> krb5_server = 192.168.10.3
>> krb5_kpasswd = 192.168.10.3
>> krb5_store_password_if_offline = true
>> krb5_lifetime = 10h
>>
>> fallback_homedir = /home/%u
>> default_shell = /bin/bash
>> skel_dir = /etc/skel
>>
>>
>> # /etc/nsswitch.conf
>> passwd:         files systemd sss
>> group:          files systemd sss
>> shadow:         files sss
>> gshadow:        files
>>
>> hosts:          files mdns4_minimal [NOTFOUND=return] dns mymachines
>> networks:       files
>>
>> protocols:      db files
>> services:       db files sss
>> ethers:         db files
>> rpc:            db files
>>
>> For now this latter setup has fewer critical issues than the
>> first, while
>> both are imperfect and the latter has a more complex setup.
>> At least for now winbind only is not possible in my setup,
>> not even with
>> the help of this list. Draw your own conclusion...
>>
>> - Kees.
>>
>>
>>
>>
Hi Louis,

Thanks, that is a nice optimization, I will update my systems.

Unfortunately it does not do anything for the issue with offline 
winbind-nss: getent passwd <samba-user> returns after a very very long 
time (minute or so?) and with no result.
Whereas I would expect the settings 'winbind offline logon = yes' in 
smb.conf and 'cached_login = yes' in pam_winbind.conf enable me to 
resolve users and groups while being offline and to allow my 
<samba-user> to login (at least on the console).

This is the main reason (and on the 2nd place the expiry issue) to have 
sssd as well (but as you see above there I also run into issues with 
cldap, the cipher-suite, machine-account management and domain sid 
retrieval), i.e. not the silver-bullet either.

- Kees.
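An added consistency check (example code written for this page, not from the thread, Samba or sssd) for the three winbind client files posted above: it verifies the dependencies noted in the posted pam_winbind.conf (cached_login needs 'winbind offline logon', krb5_auth needs 'winbind refresh tickets'), that passwd/group actually list a domain source, and Louis' tip that dns should precede mdns4_minimal on the hosts line. The sample configs are constructed, modelled on the posted ones.

```python
"""Cross-check smb.conf, pam_winbind.conf and nsswitch.conf for a winbind client."""
from configparser import ConfigParser

# Constructed samples modelled on the thread's files (not the author's own files).
SMB_CONF = """[global]
security = ADS
idmap config composers:backend = ad
winbind offline logon = yes
winbind refresh tickets = yes
"""
PAM_WINBIND_CONF = """[global]
cached_login = yes
krb5_auth = yes
"""
NSSWITCH_CONF = """passwd:   files systemd winbind
group:    files systemd winbind
hosts:    files mdns4_minimal [NOTFOUND=return] dns mymachines
"""

def parse_ini(text):
    # '=' only as delimiter: smb.conf keys such as 'idmap config x:backend' contain ':'
    cp = ConfigParser(delimiters=("=",), inline_comment_prefixes=("#", ";"),
                      interpolation=None, strict=False)
    cp.read_string(text)
    return {k: v.strip().lower() for k, v in cp["global"].items()}

def parse_nsswitch(text):
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            name, sources = line.split(":", 1)
            # keep plain source names, drop [STATUS=action] tokens
            dbs[name.strip()] = [s for s in sources.split() if not s.startswith("[")]
    return dbs

def check_configs(smb_text, pam_text, nss_text):
    """Return a list of findings; an empty list means the three files agree."""
    smb, pam, nss = parse_ini(smb_text), parse_ini(pam_text), parse_nsswitch(nss_text)
    findings = []
    # pam_winbind options that only work with the matching smb.conf setting
    if pam.get("cached_login") == "yes" and smb.get("winbind offline logon") != "yes":
        findings.append("offline-logon: cached_login=yes needs 'winbind offline logon = yes'")
    if pam.get("krb5_auth") == "yes" and smb.get("winbind refresh tickets") != "yes":
        findings.append("refresh-tickets: krb5_auth=yes needs 'winbind refresh tickets = yes'")
    for db in ("passwd", "group"):
        if not {"winbind", "sss"} & set(nss.get(db, [])):
            findings.append(f"{db}-source: neither winbind nor sss listed, domain accounts will not resolve")
    hosts = nss.get("hosts", [])
    if "dns" in hosts and "mdns4_minimal" in hosts and hosts.index("mdns4_minimal") < hosts.index("dns"):
        findings.append("hosts-order: mdns4_minimal before dns, put dns first to avoid mDNS lookups and delays")
    return findings

if __name__ == "__main__":
    for finding in check_configs(SMB_CONF, PAM_WINBIND_CONF, NSSWITCH_CONF):
        print(finding)
```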



