[Samba] pam_winbind Appears to need a Network Connection to Succeed at Offline Authentication

Rowland Penny rpenny at samba.org
Sun Dec 1 14:42:52 UTC 2024


On Sun, 1 Dec 2024 09:15:27 -0500
"John R. Graham via samba" <samba at lists.samba.org> wrote:

> On 11/30/24 16:06, Kees van Vloten via samba wrote:
> > Although I would prefer to have Samba bug 15045 fixed and use 
> > nss_winbind as well, this pragmatic approach with sssd works for
> > now. It has been running on my laptop for some time and it seems to
> > work fine.
> >
> I also like the idea of the ad back end and nss_winbind because it's
> a better "single source of truth"--and I don't like the templated 
> /etc/passwd fields. Was that your goal with the work-around? To not
> have those restrictions?
> 
> 

I used to think that way, but once I realised that if I used the same
'idmap config' lines on all Unix domain members, I would always get
the same Unix IDs, then I thought differently. The 'single source of
truth' isn't rfc2307, it is the accounts RID and the 'rid' idmap
backend calculates the Unix ID from the RID and the DOMAIN low range set
in the smb.conf file:

ID = RID + low_range

So, if the low_range is set to '10000', the Domain Users group will
always get the Unix ID '10513' and so on.

10513 = 513 + 10000

Coming to the user's shell and home directory, these are always
relative to the Unix domain member, they are not mounted from another
computer (NOTE: the Windows home directory is not the same as a Unix
home directory). From this, I hope you can see that it doesn't matter
what home directory or shell you set in AD (by setting the
'unixHomeDirectory' & 'loginShell' attributes), you can get virtually
the same results by setting 'template homedir' and 'template shell' in
the smb.conf file, the only real difference is that setting them in the
smb.conf file means that every user gets the same, but is this really a
problem?

Rowland
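The RID-to-Unix-ID arithmetic above, carried through as an added example (not code from Samba or from this thread): it parses a constructed smb.conf fragment, applies the idmap_rid rule documented by Samba (ID = RID - base_rid + low_range, base_rid defaulting to 0), refuses results outside the configured range (which Samba leaves unmapped), and provides the reverse mapping so an ID seen on one member can be checked against another member's idmap lines. The domain name SAMDOM and the SIDs are assumptions for the example.

```python
import re

# Constructed smb.conf fragment for this example (not taken from the thread).
SMB_CONF = """
[global]
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 10000-999999
   template shell = /bin/bash
   template homedir = /home/%U
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf):
    """Return {DOMAIN: {option: value}} for every 'idmap config' line."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            cfg.setdefault(dom, {})[opt] = val
    return cfg


def _range(dom):
    low, high = (int(x) for x in dom["range"].split("-"))
    return low, high


def rid_to_unix_id(cfg, domain, rid):
    """idmap_rid rule: ID = RID - base_rid + low_range.
    None if the domain is not a 'rid' backend or the ID falls outside
    the configured range (Samba then leaves the account unmapped)."""
    dom = cfg.get(domain.upper())
    if not dom or dom.get("backend") != "rid":
        return None
    low, high = _range(dom)
    unix_id = rid - int(dom.get("base_rid", 0)) + low
    return unix_id if low <= unix_id <= high else None


def sid_rid(sid):
    """RID is the last sub-authority of a SID such as S-1-5-21-...-513."""
    return int(sid.rsplit("-", 1)[1])


def unix_id_to_rid(cfg, domain, unix_id):
    """Reverse mapping: which RID a local Unix ID stands for on this member."""
    dom = cfg[domain.upper()]
    low, high = _range(dom)
    if not low <= unix_id <= high:
        return None
    return unix_id - low + int(dom.get("base_rid", 0))
```

Two members agree on every ID only when their `idmap config DOMAIN` lines are identical; a RID whose result lands outside the range simply gets no Unix ID.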

