[Samba] pam_winbind Appears to need a Network Connection to Succeed at Offline Authentication

Rowland Penny rpenny at samba.org
Wed Dec 4 14:52:04 UTC 2024


On Wed, 4 Dec 2024 09:07:45 -0500
"John R. Graham via samba" <samba at lists.samba.org> wrote:
> 
> So I'm committed to the rid back end, at least in the near term,
> because offline logins work without issue on domain members. But this
> does leave my login on the DC producing different UID and GID values.
> Would it be the "right thing" to just edit those so that they match
> the values that are calculated on the domain members?

There is no need and I would advise against even attempting it.

Samba knows who the user is, here is a quick test to show this:

On a DC create a share (yes, I know this isn't really recommended, but
this is just a quick test).

Then ensure the share is owned by a user, in this case, me.

adminuser at rpidc1:~ $ sudo ls -lad /srv/test
drwxrwx--- 2 SAMDOM\rowland root 4096 Dec  4 14:23 /srv/test

This DC does not have 'idmap_ldb:use rfc2307  = yes' set (not that it
matters, I do not have any rfc2307 attributes in AD).

adminuser at rpidc1:~ $ sudo ls -land /srv/test
drwxrwx--- 2 3000020 0 4096 Dec  4 14:23 /srv/test

So, as far as the DC is concerned, my Unix ID is '3000020'

I then created a file in the share as 'rowland':

SAMDOM\rowland at rpidc1:~ $ nano /srv/test/test.txt

SAMDOM\rowland at rpidc1:~ $ ls -la /srv/test/test.txt 
-rw-r--r-- 1 SAMDOM\rowland users 16 Dec  4 14:28 /srv/test/test.txt

and with the numeric ID:

SAMDOM\rowland at rpidc1:~ $ ls -lan /srv/test/test.txt 
-rw-r--r-- 1 3000020 100 16 Dec  4 14:28 /srv/test/test.txt

I then went to a Unix domain member and used smbclient to download
'test.txt'

rowland at devstation:~/useridtest$ smbclient //rpidc1/share
Password for [rowland at SAMDOM.EXAMPLE.COM]:
Try "help" to get a list of possible commands.
smb: \> get test.txt
getting file \test.txt of size 16 as test.txt (2.0 KiloBytes/sec) (average 2.0 KiloBytes/sec)
smb: \> q

Checking the ownership of the file shows this:

rowland at devstation:~/useridtest$ ls -la
total 20
drwxrwx---+  2 rowland domain users 4096 Dec  4 14:33 .
drwxr-xr-x+ 42 rowland domain users 4096 Dec  4 14:30 ..
-rw-r-----+  1 rowland domain users   16 Dec  4 14:33 test.txt

It quite correctly belongs to me, but what about the numeric ID?

rowland at devstation:~/useridtest$ ls -lan
total 20
drwxrwx---+  2 11104 10513 4096 Dec  4 14:33 .
drwxr-xr-x+ 42 11104 10513 4096 Dec  4 14:30 ..
-rw-r-----+  1 11104 10513   16 Dec  4 14:33 test.txt

'3000020' has become '11104' and '100' has become '10513', magic, isn't
it ;-)

> 
> I'm still going to study the nss_winbind and winbindd source to see
> if I can get caching to work for all login-required values with the
> ad back end, though.

I wouldn't attempt to stop you; it sounds like a possible bug, but
without reading and understanding the code, this will never be known.
Good luck with your attempt.

Rowland
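As an added illustration of the "magic" in the reply above (this is constructed example code, not part of the message or of Samba's own idmap code): the rid backend on a domain member derives Unix IDs from the SID by arithmetic alone, which is why it needs no round trip to the DC. It assumes a constructed domain SID, an `idmap config SAMDOM : range = 10000-999999` on the member, and that Rowland's account has RID 1104 (inferred from 11104, not stated in the thread); 513 is the well-known Domain Users RID.

```python
# Added example (not from the thread or from Samba): reproduce the idmap_rid
# arithmetic that turns a SID into the member's Unix ID, to show why the DC's
# locally allocated ID 3000020 appears as 11104 on a rid-backend domain member.
# Assumptions (not in the thread): domain SID below is constructed; the member
# has "idmap config SAMDOM : backend = rid" and "range = 10000-999999".
import re

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed sample
RANGE_LOW, RANGE_HIGH = 10000, 999999                      # assumed member range
BASE_RID = 0                                               # idmap_rid default


def rid_to_unix_id(sid, domain_sid=DOMAIN_SID, low=RANGE_LOW, high=RANGE_HIGH, base_rid=BASE_RID):
    """Map a SID to a Unix ID the way idmap_rid does: ID = RID - base_rid + low.
    SIDs from other domains or IDs falling outside the range are rejected, which is
    how winbind avoids handing out colliding or foreign IDs."""
    if not re.fullmatch(r"S-1-5-21(-\d+){4}", sid):
        raise ValueError(f"not a domain SID: {sid}")
    prefix, rid = sid.rsplit("-", 1)
    if prefix != domain_sid:
        raise ValueError("SID is from another domain; this backend will not map it")
    unix_id = int(rid) - base_rid + low
    if not low <= unix_id <= high:
        raise ValueError(f"computed ID {unix_id} is outside range {low}-{high}")
    return unix_id


def unix_id_to_rid(unix_id, low=RANGE_LOW, high=RANGE_HIGH, base_rid=BASE_RID):
    """Reverse mapping; also pure arithmetic, so no winbindd or network lookup is needed."""
    if not low <= unix_id <= high:
        raise ValueError(f"ID {unix_id} is not in the rid range {low}-{high}")
    return unix_id - low + base_rid


def thread_example():
    """The two IDs seen on the member in the thread (RID 1104 is inferred; 513 is Domain Users).
    The DC's 3000020 comes from its own idmap.ldb allocation and cannot be derived from the SID,
    which is why the numbers differ between DC and member without anything being wrong."""
    return {
        "rowland_uid": rid_to_unix_id(f"{DOMAIN_SID}-1104"),   # 11104
        "domain_users_gid": rid_to_unix_id(f"{DOMAIN_SID}-513"),  # 10513
    }
```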
