[Samba] pam_winbind Appears to need a Network Connection to Succeed at Offline Authentication

Kees van Vloten keesvanvloten at gmail.com
Sun Dec 1 14:53:25 UTC 2024


Op 01-12-2024 om 15:15 schreef John R. Graham via samba:
> On 11/30/24 16:06, Kees van Vloten via samba wrote:
>> Although I would prefer to have Samba bug 15045 fixed and use 
>> nss_winbind as well, this pragmatic approach with sssd works for now. 
>> It has been running on my laptop for some time and it seems to work 
>> fine.
>>
> I also like the idea of the ad back end and nss_winbind because it's a 
> better "single source of truth"--and I don't like the templated 
> /etc/passwd fields. Was that your goal with the work-around? To not 
> have those restrictions?
>
>
A user in Posix-land is defined by its UID and GID. Ownership of files 
is defined by those same IDs. If you use rfc2307, you manage these two 
IDs manually per user in the LDAP attributes uidNumber and gidNumber. 
The reason for this is usually to keep the IDs constant everywhere and / 
or unchanged since the user was defined long ago, so its files, wherever 
they are, are still owned by that user.

Autorid or Rid are fine when rfc2307 is not used (i.e. no legacy 
users and files) and the configuration across all machines is identical. 
Or if accessing files from other machines is over smb and ssh only (then 
these will do the UID/GID translations); with nfs, tars, etc. you might 
have issues with file ownerships.


In my rfc2307 setup, the **single source of truth is the UID and GID 
defined in the uidNumber and gidNumber** attributes in LDAP on the DCs. 
I want those to be constant across all machines.

Rid and autorid do not deliver this and hence are not a good solution. 
nss_winbind (offline support) is broken, hence it is a solution for 
always-connected desktops (which I do use on these). Then nss-sssd 
delivers rfc2307 nss and it has a working offline mode. Therefore on 
laptops the setup uses winbind to take care of the offline Kerberos 
functionality and nss-sssd for offline rfc2307 UID/GIDs. Problem solved :-)

Indeed not as simple as can be, that will come when bug 15045 is fixed.


- Kees
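The post above makes the uidNumber/gidNumber attributes the single source of truth for Posix identity, which means they are also maintained by hand. The following is an added example (not code from the post, the list, or Samba) of the sanity check an administrator would want over an LDIF export of those attributes: two accounts sharing a uidNumber become one Posix user and can read and change each other's files; an ID outside the configured "idmap config DOM : range" is not mapped by idmap_ad at all; and a gidNumber with no matching group leaves files owned by a group nothing resolves. The entries and the range are constructed sample data.

```python
"""Consistency check for rfc2307 uidNumber/gidNumber attributes.

Added example, not from the mailing-list post or from Samba. The LDIF
entries and the idmap range below are constructed sample data.
"""
from collections import defaultdict

# Constructed sample entries, shaped like an LDIF export of the
# relevant attributes from a DC (not real accounts).
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=test
objectClass: user
sAMAccountName: alice
uidNumber: 10001
gidNumber: 20000

dn: CN=bob,CN=Users,DC=example,DC=test
objectClass: user
sAMAccountName: bob
uidNumber: 10001
gidNumber: 20000

dn: CN=carol,CN=Users,DC=example,DC=test
objectClass: user
sAMAccountName: carol
uidNumber: 999
gidNumber: 20999

dn: CN=staff,CN=Users,DC=example,DC=test
objectClass: group
sAMAccountName: staff
gidNumber: 20000
"""

# Assumed member range, as in "idmap config EXAMPLE : range = 10000-999999".
ID_RANGE = (10000, 999999)


def parse_ldif(text):
    """Parse a minimal LDIF dump (blank-line separated, "attr: value"
    lines, no base64 "::" values or line folding) into attribute dicts.
    A repeated attribute keeps the last value seen."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def check_rfc2307(entries, id_range=ID_RANGE):
    """Return a list of (severity, account, message) findings."""
    low, high = id_range
    findings = []
    users = [e for e in entries if e.get("objectClass") == "user"]
    groups = [e for e in entries if e.get("objectClass") == "group"]
    group_gids = {g.get("gidNumber") for g in groups}

    # Duplicate uidNumber: the accounts collapse into one Posix identity,
    # so each can read and modify the other's files. Highest severity.
    by_uid = defaultdict(list)
    for u in users:
        if "uidNumber" in u:
            by_uid[u["uidNumber"]].append(u["sAMAccountName"])
    for uid, names in sorted(by_uid.items()):
        if len(names) > 1:
            findings.append(("HIGH", ",".join(sorted(names)),
                             f"uidNumber {uid} shared by {len(names)} accounts"))

    for u in users:
        name = u.get("sAMAccountName", u.get("dn"))
        uid, gid = u.get("uidNumber"), u.get("gidNumber")
        # idmap_ad only maps IDs inside the configured range, so this
        # account would not resolve on members using this range.
        if uid is not None and not (low <= int(uid) <= high):
            findings.append(("MEDIUM", name,
                             f"uidNumber {uid} outside idmap range {low}-{high}"))
        # The primary group must exist as an rfc2307 group, otherwise the
        # user's files carry a gidNumber that no group name resolves to.
        if gid is not None and gid not in group_gids:
            findings.append(("MEDIUM", name,
                             f"gidNumber {gid} matches no group's gidNumber"))
    return findings


if __name__ == "__main__":
    for severity, account, message in check_rfc2307(parse_ldif(SAMPLE_LDIF)):
        print(f"{severity:6} {account:12} {message}")
```

Run it against a real export (for instance the output of ldbsearch or ldapsearch restricted to sAMAccountName, objectClass, uidNumber and gidNumber) with the range taken from the members' smb.conf; the duplicate-uidNumber finding is the one worth alerting on, since it is the one that grants one account another's files.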