[Samba] PAM Offline Authentication in Ubuntu 22.04

Marco Gaiarin gaio at lilliput.linux.it
Thu Jun 29 12:55:37 UTC 2023

Hello! Rowland Penny via samba
  On that day it was said...

>> Rowland, can I really use rid on a client and rfc2307 on the domain? I'm
>> thinking about this, and probably yes... at least for a portable system
>> where plausibly I don't need NFS...

> Clients do not care what is in AD (provided there is something there), 
> it relies on the idmap backend to tell it how to get the Unix IDs. The 
> 'ad' idmap backend 'pulls' the rfc2307 attributes from AD and the 'rid' 
> idmap backend uses the RID to calculate the Unix ID. This means that you 
> can use different backends on different machines and it will work.
> If you stop and think about it, Windows doesn't use any idmap backend, 
> but if you copy a file from a Samba machine to a Windows machine, it 
> retains its ownership.

I've switched to RID and indeed it works; it still does not survive a reboot,
even if I've put:

	lock directory = /var/cache/samba

I need to dig deeper into this, but I've tackled too many things on this box
these days; surely some of the faults will be mine.

But, indeed, surely 'offline logon' does not work for rfc2307.

This also explains other ''bugs'' I hit in my domain: I have some DMs that are
email servers, and sometimes, if for some reason I put my DCs under stress, the
email servers start to complain of 'user unknown', which is clearly a bit of a
bad thing. ;-)
Generally, my DMs do a very excessive amount of LDAP queries on the DCs, even
with cached logons enabled, so probably using RID will lower the number of
queries.
So, probably some 'bugs' are also due to 'scarce optimization' for rfc2307.

I'll ask Andrew (or someone from the Samba team) here: are these bugs? Or can
we start considering rfc2307 on the road to sunset?

  Thank goodness
  that Nero isn't around now...				(E. Bennato)
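As an added illustration, not code from this post or from Samba itself, of why the 'rid' backend needs nothing stored in AD and of the NFS caveat raised above: the 'rid' mapping is pure arithmetic on the configured range (ID = RID - base_rid + low range, base_rid defaulting to 0), so two clients only agree on a Unix ID when their `idmap config DOMAIN : range` settings match. The domain SID, RIDs and ranges below are constructed sample values.

```python
import re

# Constructed sample domain SID (not from the mailing-list post).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

SID_RE = re.compile(r"(S-1-5-21-\d+-\d+-\d+)-(\d+)")


def rid_to_unix_id(sid, domain_sid, low, high, base_rid=0):
    """Map a SID to a Unix ID the way the 'rid' idmap backend does.

    Returns None when the SID does not belong to the configured domain
    (another backend or the '*' default range must answer for it) or when
    the computed ID would fall outside [low, high].
    """
    m = SID_RE.fullmatch(sid)
    if not m or m.group(1) != domain_sid:
        return None
    rid = int(m.group(2))
    unix_id = rid - base_rid + low
    if unix_id < low or unix_id > high:
        return None  # RID outside the configured range: no mapping
    return unix_id


def ids_across_machines(sid, machine_ranges):
    """Compute the Unix ID one SID receives on each machine.

    machine_ranges maps a machine name to its (low, high) 'rid' range.
    """
    return {
        name: rid_to_unix_id(sid, DOMAIN_SID, low, high)
        for name, (low, high) in machine_ranges.items()
    }


def consistent_across_machines(sid, machine_ranges):
    """True only if every machine maps the SID to the same Unix ID.

    This is the property NFS-style sharing between clients depends on.
    """
    ids = set(ids_across_machines(sid, machine_ranges).values())
    return len(ids) == 1 and None not in ids
```

With identical ranges every client derives the same ID from the RID alone; a client configured with a different range silently produces a different owner for the same account.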
