[Samba] pam_unix failing after pam_winbind when Samba is running in Standalone Server mode

Rowland Penny rpenny at samba.org
Fri Aug 4 15:26:47 UTC 2023 


On 04/08/2023 16:00, Jöran Malek via samba wrote:
> Ah, didn't thought about that.
> 
> So, scenario is as follows:
> I want to create a homebrew NAS system, which I don't have to
> synchronize passwords with each and every additional sharing service I
> add (webdav, sftp, ftp, nfs, smb) but use existing infrastructure
> (PAM) to perform this.
> Up until 2014 there was pam_smbpass which allowed PAM to authenticate
> against the Samba passdb, performing this service: I can create a
> dummy unix user, add that to smbpasswd and login with these
> credentials to my local system.
> 
> Now that pam_smbpass is deprecated and removed - pam_winbind should be
> the drop-in replacement which, as far as I read from that bug ticket,
> should allow smbpasswd authentication of unix users, if the smb server
> is running in standalone mode.
> If I'm not mistaken, the patch mentioned in that ticket is around this place:
> https://gitlab.com/samba-team/samba/-/blob/samba-4.17.9/source3/winbindd/winbindd_util.c?ref_type=tags#L1576
> Which has a check for standalone role:
> https://gitlab.com/samba-team/samba/-/blob/samba-4.17.9/source3/winbindd/winbindd_util.c?ref_type=tags#L1527
> 
> So as shown in the syslog pam_winbind is able to find and authenticate
> the user, but the user passed on to pam_unix has the netbios name
> attached, which causes it to fail (and not find the username).
> As the conversation in that ticket progresses, I don't know whether
> the off-tracker converstation had any success.
> 
> I really don't want to run a directory service just for logging in three users.
> 
> Best,
> Jöran Malek
> 

You seem to be describing running Samba in a workgroup (bit rusty on 
this, it has been a long time). In a workgroup, (if I remember 
correctly) even if you use the same workgroup name, every Samba computer 
will have a different SID, that is where I think the problem lies.

You could try this, start with one machine and setup Samba as a 
standalone server, then add your Unix users and make them Samba users 
with 'smbpasswd -a USERNAME'. Do this on all workgroup computers, ensure 
that you use the same workgroup name. Now create a user.map file on each 
computer, lets say your user is 'fred' and you are using the workgroup 
'HOME', add lines like this:

!fred = HOME\fred

I have no idea if that will work, I think it will, but it is the only 
thing I can think of at the moment.

Rowland

More information about the samba mailing list