[Samba] pam_winbind Appears to need a Network Connection to Succeed at Offline Authentication
John R. Graham
john at graham-family.org
Wed Dec 4 14:07:45 UTC 2024
On 12/1/24 09:42, Rowland Penny via samba wrote:
> On Sun, 1 Dec 2024 09:15:27 -0500
> "John R. Graham via samba" <samba at lists.samba.org> wrote:
>
>> I also like the idea of the ad back end and nss_winbind because it's
>> a better "single source of truth"--and I don't like the templated
>> /etc/passwd fields. Was that your goal with the work-around? To not
>> have those restrictions?
> I used to think that way, but once I realised that if I used the same
> 'idmap config' lines on all Unix domain members, I would always get
> the same Unix IDs, then I thought differently. The 'single source of
> truth' isn't rfc2307, it is the accounts RID and the 'rid' idmap
> backend calculates the Unix ID from the RID and the DOMAIN low range set
> in the smb.conf file:
>
> ID = RID + low_range
>
> So, if the low_range is set to '10000', the Domain Users group will
> always get the Unix ID '10513' and so on.
>
> 10513 = 513 + 10000
>
> Coming to the user's shell and home directory, these are always
> relative to the Unix domain member, they are not mounted from another
> computer (NOTE: the Windows home directory is not the same as a Unix
> home directory). From this, I hope you can see that it doesn't matter
> what home directory or shell you set in AD (by setting the
> 'unixHomeDirectory' & 'loginShell' attributes), you can get virtually
> the same results by setting 'template homedir' and 'template shell' in
> the smb.conf file, the only real difference is that setting them in the
> smb.conf file means that every user gets the same, but is this really a
> problem?
>
> Rowland
So I'm committed to the rid back end, at least in the near term, because
offline logins work without issue on domain members. But this does leave
my login on the DC producing different UID and GID values. Would it be
the "right thing" to just edit those so that they match the values that
are calculated on the domain members?
I'm still going to study the nss_winbind and winbindd source to see if I
can get caching to work for all login-required values with the ad back
end, though.
- John
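Rowland's "ID = RID + low_range" arithmetic, worked through as an added example that is not part of this thread and not Samba's own code. It parses constructed smb.conf "idmap config" lines (the SAMDOM name, the SIDs and the second member's 20000 low range are all made up; RID 513 for Domain Users is the one from the post), computes the Unix ID for a SID the way the rid backend does (RID minus base_rid, which defaults to 0, plus the low end of the range), and shows two things the one-line formula does not: a RID larger than the width of the range does not map at all, and two members whose idmap lines differ hand out different IDs for the same account.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed smb.conf fragments for two Unix domain members (example input,
# not taken from the original post). Member B deliberately uses a different
# low range for the domain to show why the lines must match on every member.
MEMBER_A_SMB_CONF = """
[global]
   workgroup = SAMDOM
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 10000-999999
   template shell = /bin/bash
   template homedir = /home/%U
"""

MEMBER_B_SMB_CONF = MEMBER_A_SMB_CONF.replace("10000-999999", "20000-999999")

# Constructed SIDs: RID 513 is Domain Users (as in the post), 1106 is a
# made-up user account, 995000 is a made-up RID wider than the range allows.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SID_DOMAIN_USERS = DOMAIN_SID + "-513"
SID_SOME_USER = DOMAIN_SID + "-1106"
SID_TOO_BIG = DOMAIN_SID + "-995000"

IDMAP_LINE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.*?)\s*$", re.I)


@dataclass(frozen=True)
class RidIdmap:
    """The 'rid' idmap backend for one domain: ID = RID - base_rid + low."""
    domain: str
    low: int
    high: int
    base_rid: int = 0  # assumption: default 0, as when 'base_rid' is unset

    def unix_id(self, rid: int) -> Optional[int]:
        """Unix ID for a RID, or None if it lands outside the range
        (winbind refuses to map such an account at all)."""
        xid = rid - self.base_rid + self.low
        if xid < self.low or xid > self.high:
            return None
        return xid


def parse_idmap_config(smb_conf: str) -> Dict[str, Dict[str, str]]:
    """Collect 'idmap config DOM : key = value' lines, keyed by domain."""
    cfg: Dict[str, Dict[str, str]] = {}
    for line in smb_conf.splitlines():
        m = IDMAP_LINE.match(line)
        if m:
            dom, key, val = m.groups()
            cfg.setdefault(dom.upper(), {})[key.lower()] = val
    return cfg


def rid_idmap_for(smb_conf: str, domain: str) -> RidIdmap:
    """Build the rid mapping for one domain from its idmap config lines."""
    cfg = parse_idmap_config(smb_conf).get(domain.upper())
    if not cfg or cfg.get("backend", "").lower() != "rid":
        raise ValueError(f"{domain}: no 'rid' idmap backend configured")
    low, high = (int(x) for x in cfg["range"].split("-", 1))
    return RidIdmap(domain.upper(), low, high, int(cfg.get("base_rid", "0")))


def rid_from_sid(sid: str) -> int:
    """The RID is the last sub-authority of an S-1-5-21-... account SID."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[0].upper() != "S":
        raise ValueError(f"not a SID: {sid}")
    return int(parts[-1])


def sid_to_unix_id(smb_conf: str, domain: str, sid: str) -> Optional[int]:
    """What a member with this smb.conf would hand out for this SID."""
    return rid_idmap_for(smb_conf, domain).unix_id(rid_from_sid(sid))


def members_agree(conf_a: str, conf_b: str, domain: str, sid: str) -> bool:
    """True only if both members map the SID, and to the same Unix ID."""
    a = sid_to_unix_id(conf_a, domain, sid)
    b = sid_to_unix_id(conf_b, domain, sid)
    return a is not None and a == b


if __name__ == "__main__":
    for sid in (SID_DOMAIN_USERS, SID_SOME_USER, SID_TOO_BIG):
        print(sid, "->", sid_to_unix_id(MEMBER_A_SMB_CONF, "SAMDOM", sid),
              "| same on member B:",
              members_agree(MEMBER_A_SMB_CONF, MEMBER_B_SMB_CONF, "SAMDOM", sid))
```

The mapping is pure arithmetic on the config, which is why it keeps working offline: nothing has to be looked up or cached, so two members with identical "idmap config" lines agree without ever talking to each other, and a member whose range differs by even one line silently disagrees with the rest.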