[Samba] making pam_winbind to work

Rowland Penny rpenny at samba.org
Mon Feb 14 13:56:49 UTC 2022


On Mon, 2022-02-14 at 16:41 +0300, Michael Tokarev wrote:
> 14.02.2022 16:32, Rowland Penny via samba wrote:
> > On Mon, 2022-02-14 at 16:22 +0300, Michael Tokarev via samba wrote:
> > > Hello!
> > > 
> > > Another day, another issue which I can't resolve so far.
> > > 
> > > We switched our user from local /etc/passwd to samba AD.
> > > And it was apparently a big mistake, since nothing works
> > > besides samba now.
> > 
> > Anything that uses nsswitch should work, provided that everything
> > is set up correctly.
> 
> Are you sure you really mean nsswitch, not pam?

They both work together.

> 
> Nsswitch is for mapping uid<=>users and the like, it is NOT for auth.

The conf file for nsswitch '/etc/nsswitch.conf' tells nsswitch where to
search for users etc.

> Auth can be done using /etc/shadow

Big shock here, AD does not use /etc/shadow.

>  - it does not work with nsswitch.

See above.

> And in order for any service to look for user's local shadow password
> entry, pw_passwd should contain value "x", but samba returns "*", so
> no service will try to open local /etc/shadow for any samba user, so
> no auth will work.

But as I said above, AD does not use 'shadow'.

> 
> pam_winbind is exactly for this auth stuff.  You can't log into the
> system based on nsswitch, passwords are stored elsewhere.

Not entirely true, yes the password is stored in AD, but you can log in
to a Unix domain member with the AD password.

> 
> Is the mlock() failure somehow relevant?  I'm looking at the source
> now, but so far I don't understand the process model.

Please do not read the source, there is no point.

> 

> Here's global smb.conf section:
> [global]
>  server string = %h samba server %v
>  netbios name = TSRV
>  netbios aliases = LINUX FS

Do not use 'netbios aliases', use a CNAME instead.

>   realm = TLS.MSK.RU
>  workgroup = TLS
>  server role = member server
>  security = ADS

>  idmap config TLS : backend = ad
>  idmap config TLS : range = 1000-3000
>   #idmap config TLS : schema_mode = rfc2307 # rfc2307 is the default

No it isn't, there is no default, see 'man idmap_ad'.
If you want to use rfc2307 attributes from AD, you will also need
'unix_nss_info = yes'.

>   idmap config TLS : unix_primary_group = yes
>  template homedir = /home/%U
>  template shell = /bin/bash
>  idmap config * : backend = tdb
>  idmap config * : range = 5000-7000
>  winbind use default domain = yes

>  acl allow execute always = true

>  hostname lookups = yes

You do not need that either.

>   log file = /var/log/samba/log.%m
>  max log size = 1000
>  log level = 2

>  # disable user shares
>  usershare max shares = 0

>  load printers = no
>  printing = bsd
>  disable spoolss = yes

>  map hidden = yes
>  create mask = 0775
>  directory mask = 0775

Rowland
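As an added example (not code from the thread or from Samba), a small Python lint for the two files this thread argues over. It parses an smb.conf [global] section, applies the points raised above (no 'netbios aliases', an explicit schema_mode, 'unix_nss_info = yes' when rfc2307 attributes are wanted), adds the rule from smb.conf(5) that idmap ranges must not overlap, and checks that nsswitch.conf lists winbind for passwd and group, since nsswitch resolves names and ids while PAM does the authentication. Both sample inputs are constructed; the rules are this editor's reading of the thread, not Samba's own validation.

```python
import re
from itertools import combinations

SAMPLE_SMB_CONF = """[global]
  netbios name = TSRV
  netbios aliases = LINUX FS
  idmap config TLS : backend = ad
  idmap config TLS : range = 1000-3000
  #idmap config TLS : schema_mode = rfc2307 # rfc2307 is the default
  idmap config * : backend = tdb
  idmap config * : range = 5000-7000
"""  # constructed sample, trimmed from the [global] section quoted in the thread
SAMPLE_NSSWITCH = "passwd: files\ngroup: files winbind\nshadow: files\n"  # constructed

def parse_smb_global(text):
    """Map [global] keys to values; keys are lowercased and 'DOM : opt' becomes 'dom:opt'."""
    params, in_global = {}, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            in_global = line.lower() == "[global]"
        elif in_global and "=" in line and line[0] not in "#;":  # comments only start a line
            key, value = line.split("=", 1)
            params[re.sub(r"\s*:\s*", ":", " ".join(key.lower().split()))] = value.strip()
    return params

def lint_smb(params):
    """Warnings from the thread's advice plus smb.conf(5)'s rule that idmap ranges never overlap."""
    warn, ranges = [], {}
    if "netbios aliases" in params:
        warn.append("netbios aliases: use a DNS CNAME instead")
    for key, value in params.items():
        if not key.startswith("idmap config "):
            continue
        dom, _, opt = key[len("idmap config "):].partition(":")
        if opt == "range":
            ranges[dom] = tuple(int(x) for x in value.split("-"))
        elif opt == "backend" and value.lower() == "ad":
            if f"idmap config {dom}:schema_mode" not in params:
                warn.append(f"{dom}: set schema_mode explicitly rather than relying on a default")
            if params.get(f"idmap config {dom}:unix_nss_info", "no").lower() != "yes":
                warn.append(f"{dom}: unix_nss_info = yes is needed to take homedir/shell from AD rfc2307 attributes")
    for (a, (alo, ahi)), (b, (blo, bhi)) in combinations(sorted(ranges.items()), 2):
        if alo <= bhi and blo <= ahi:
            warn.append(f"idmap ranges of '{a}' and '{b}' overlap")
    return warn

def lint_nsswitch(text):
    """nsswitch only resolves names and ids, PAM authenticates; passwd and group both need winbind."""
    return [p[0][:-1] for p in map(str.split, text.splitlines())
            if p and p[0] in ("passwd:", "group:") and "winbind" not in p[1:]]
```

Run against the sample it reports the missing CNAME, the missing schema_mode and unix_nss_info for the TLS domain, and that passwd: in nsswitch.conf lacks winbind.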
