[Samba] pam_winbind Appears to need a Network Connection to Succeed at Offline Authentication

John R. Graham john at graham-family.org
Sun Dec 1 15:09:15 UTC 2024


On 12/1/24 09:42, Rowland Penny via samba wrote:
> On Sun, 1 Dec 2024 09:15:27 -0500
> "John R. Graham via samba" <samba at lists.samba.org> wrote:
>> I also like the idea of the ad back end and nss_winbind because it's
>> a better "single source of truth"--and I don't like the templated
>> /etc/passwd fields. Was that your goal with the work-around? To not
>> have those restrictions?
> I used to think that way, but once I realised that if I used the same
> 'idmap config' lines on all Unix domain members, I would always get
> the same Unix IDs, then I thought differently. The 'single source of
> truth' isn't rfc2307, it is the account's RID and the 'rid' idmap
> backend calculates the Unix ID from the RID and the DOMAIN low range set
> in the smb.conf file:
>
> ID = RID + low_range
>
> So, if the low_range is set to '10000', the Domain Users group will
> always get the Unix ID '10513' and so on.
>
> 10513 = 513 + 10000
>
> Coming to the user's shell and home directory, these are always
> relative to the Unix domain member, they are not mounted from another
> computer (NOTE: the Windows home directory is not the same as a Unix
> home directory). From this, I hope you can see that it doesn't matter
> what home directory or shell you set in AD (by setting the
> 'unixHomeDirectory' & 'loginShell' attributes), you can get virtually
> the same results by setting 'template homedir' and 'template shell' in
> the smb.conf file, the only real difference is that setting them in the
> smb.conf file means that every user gets the same, but is this really a
> problem?

In truth, it isn't for me right now. I've encountered users that want to 
use an alternate shell (but I don't have any right now) and I like the 
idea of stored UIDs and GIDs better than calculated ones. It 
seems...more pedantically correct to me. I may look into what would be 
required to get bug 15045 addressed.

- John
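
Added example (not part of the original messages and not Samba project code): a small checker for the point quoted above, that identical 'idmap config' lines on every domain member yield identical Unix IDs through ID = RID + low_range. The smb.conf fragments, the SAMDOM domain name, the SIDs and the range values are constructed for illustration; the sketch assumes the rid backend's default base_rid of 0 and treats a result above the configured range as unmapped.

```python
import re

# Constructed smb.conf fragments for two domain members (not from the thread).
MEMBER_A = """
[global]
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
    template shell = /bin/bash
    template homedir = /home/%U
"""
MEMBER_B = MEMBER_A.replace("10000-999999", "20000-999999")  # drifted member

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*(\S+)\s*=\s*(.+?)\s*$", re.I | re.M)

def idmap_settings(conf_text):
    """Return {DOMAIN: {option: value}} built from 'idmap config' lines."""
    out = {}
    for dom, opt, val in IDMAP_RE.findall(conf_text):
        out.setdefault(dom.upper(), {})[opt.lower()] = val
    return out

def rid_to_unix_id(sid, conf_text, domain):
    """ID = RID + low_range; None when the result falls outside the range."""
    cfg = idmap_settings(conf_text)[domain.upper()]
    if cfg.get("backend") != "rid":
        raise ValueError(f"{domain} does not use the rid backend")
    low, high = (int(x) for x in cfg["range"].split("-"))
    rid = int(sid.rsplit("-", 1)[1])  # RID is the last sub-authority of the SID
    unix_id = rid + low               # assumes default base_rid = 0
    return unix_id if unix_id <= high else None

def drift(conf_a, conf_b, domain):
    """Names of idmap options for `domain` that differ between two members."""
    a = idmap_settings(conf_a)[domain.upper()]
    b = idmap_settings(conf_b)[domain.upper()]
    return sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))

if __name__ == "__main__":
    sid = "S-1-5-21-1111111111-2222222222-3333333333-513"  # constructed SID
    print("member A:", rid_to_unix_id(sid, MEMBER_A, "SAMDOM"))
    print("member B:", rid_to_unix_id(sid, MEMBER_B, "SAMDOM"))
    print("differing options:", drift(MEMBER_A, MEMBER_B, "SAMDOM"))
```

A non-empty drift list means the same account maps to different Unix IDs on the two members, so file ownership and ACLs will not agree between them.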