[Samba] pam_winbind Appears to need a Network Connection to Succeed at Offline Authentication
Kees van Vloten
keesvanvloten at gmail.com
Sun Dec 1 14:53:25 UTC 2024
On 01-12-2024 at 15:15, John R. Graham via samba wrote:
> On 11/30/24 16:06, Kees van Vloten via samba wrote:
>> Although I would prefer to have Samba bug 15045 fixed and use
>> nss_winbind as well, this pragmatic approach with sssd works for now.
>> It has been running on my laptop for some time and it seems to work
>> fine.
>>
> I also like the idea of the ad back end and nss_winbind because it's a
> better "single source of truth"--and I don't like the templated
> /etc/passwd fields. Was that your goal with the work-around? To not
> have those restrictions?
>
>
A user in Posix-land is defined by its UID and GID. Ownership of files
is defined by those same IDs. If you use rfc2307, you manage these two
IDs manually per user in the LDAP attributes uidNumber and gidNumber.
The reason for this is usually to keep the IDs constant everywhere and/or
unchanged since the user was defined long ago, so its files, wherever
they are, are still owned by that user.

Autorid or Rid are fine when rfc2307 is not used (i.e. no legacy
users and files) and the configuration across all machines is identical.
Or if accessing files from other machines is over smb and ssh only (then
these will do the UID/GID translations); with nfs, tars, etc. you might
have issues with file ownership.

In my rfc2307 setup, the **single source of truth is the UID and GID
defined in the uidNumber and gidNumber** attributes in LDAP on the DCs.
I want those to be constant across all machines.

Rid and autorid do not deliver this and hence are not a good solution.
nss_winbind (offline support) is broken, hence it is a solution for
always-connected desktops (which I do use on these). Then nss-sssd
delivers rfc2307 nss and it has a working offline mode. Therefore on
laptops the setup uses winbind to take care of the offline Kerberos
functionality and nss-sssd for offline rfc2307 UID/GIDs. Problem solved :-)

Indeed not as simple as can be; that will come when bug 15045 is fixed.
- Kees
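The contrast Kees draws between the rid backend and rfc2307 can be made concrete with a small model. The following is an added example, not code from the thread or from Samba itself: it applies the documented idmap_rid formula (ID = RID - BASE_RID + LOW_RANGE_ID) on hosts with differing ranges and compares it with a constructed stand-in for the uidNumber/gidNumber attributes on the DCs; the SID, hostnames and ranges are made up.

```python
# Added example (not from the thread or from Samba): a toy model of the two
# idmap strategies discussed above, showing why "rid" only yields the same
# UID everywhere when every host uses identical ranges, while rfc2307 keeps
# the UID constant because it is stored once in the directory.
from typing import Dict, Optional, Tuple


def rid_from_sid(sid: str) -> int:
    """Return the trailing RID of a SID string such as S-1-5-21-...-1104."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid}")
    return int(parts[-1])


def idmap_rid_uid(sid: str, range_low: int, range_high: int,
                  base_rid: int = 0) -> Optional[int]:
    """Model of idmap_rid: ID = RID - BASE_RID + LOW_RANGE_ID (man idmap_rid).
    An ID that falls outside the configured range stays unmapped (None)."""
    uid = rid_from_sid(sid) - base_rid + range_low
    return uid if range_low <= uid <= range_high else None


# Constructed stand-in for the rfc2307 attributes kept on the DCs.
RFC2307_DIRECTORY = {
    "S-1-5-21-1111-2222-3333-1104": {"uid": "kees", "uidNumber": 10001,
                                      "gidNumber": 10000},
}


def idmap_rfc2307_uid(sid: str) -> Optional[int]:
    """Model of backend = ad with schema_mode = rfc2307: the UID is whatever
    uidNumber says, regardless of which host asks."""
    entry = RFC2307_DIRECTORY.get(sid)
    return entry["uidNumber"] if entry else None


def compare_hosts(sid: str, host_ranges: Dict[str, Tuple[int, int]]) -> Dict[str, Dict[str, Optional[int]]]:
    """UID each host would assign to `sid` under the two backends."""
    return {host: {"rid": idmap_rid_uid(sid, lo, hi),
                   "rfc2307": idmap_rfc2307_uid(sid)}
            for host, (lo, hi) in host_ranges.items()}


if __name__ == "__main__":
    sid = "S-1-5-21-1111-2222-3333-1104"  # constructed
    hosts = {"desktop": (10000, 999999), "laptop": (20000, 999999),
             "legacy-nfs-server": (3000, 3999)}  # constructed ranges
    for host, ids in compare_hosts(sid, hosts).items():
        print(host, ids)
```

With the constructed ranges, the rid backend gives three different answers for one user (and no mapping at all on the host whose range is too small), which is exactly the NFS/tar ownership mismatch the message warns about; the rfc2307 lookup returns 10001 on every host.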