[Samba] pam_winbind Appears to need a Network Connection to Succeed at Offline Authentication
Rowland Penny
rpenny at samba.org
Wed Dec 4 14:52:04 UTC 2024
On Wed, 4 Dec 2024 09:07:45 -0500
"John R. Graham via samba" <samba at lists.samba.org> wrote:
>
> So I'm committed to the rid back end, at least in the near term,
> because offline logins work without issue on domain members. But this
> does leave my login on the DC producing different UID and GID values.
> Would it be the "right thing" to just edit those so that they match
> the values that are calculated on the domain members?
There is no need and I would advise against even attempting it.
Samba knows who the user is, here is a quick test to show this:
On a DC create a share (yes, I know this isn't really recommended, but
this is just a quick test).
Then ensure the share is owned by a user, in this case, me.
adminuser at rpidc1:~ $ sudo ls -lad /srv/test
drwxrwx--- 2 SAMDOM\rowland root 4096 Dec 4 14:23 /srv/test
This DC does not have 'idmap_ldb:use rfc2307 = yes' set (not that it
matters, I do not have any rfc2307 attributes in AD).
adminuser at rpidc1:~ $ sudo ls -land /srv/test
drwxrwx--- 2 3000020 0 4096 Dec 4 14:23 /srv/test
So, as far as the DC is concerned, my Unix ID is '3000020'
I then created a file in the share as 'rowland':
SAMDOM\rowland at rpidc1:~ $ nano /srv/test/test.txt
SAMDOM\rowland at rpidc1:~ $ ls -la /srv/test/test.txt
-rw-r--r-- 1 SAMDOM\rowland users 16 Dec 4 14:28 /srv/test/test.txt
and with the numeric ID:
SAMDOM\rowland at rpidc1:~ $ ls -lan /srv/test/test.txt
-rw-r--r-- 1 3000020 100 16 Dec 4 14:28 /srv/test/test.txt
I then went to a Unix domain member and used smbclient to download
'test.txt'
rowland at devstation:~/useridtest$ smbclient //rpidc1/share
Password for [rowland at SAMDOM.EXAMPLE.COM]:
Try "help" to get a list of possible commands.
smb: \> get test.txt
getting file \test.txt of size 16 as test.txt (2.0 KiloBytes/sec) (average 2.0 KiloBytes/sec)
smb: \> q
Checking the ownership of the file, shows this:
rowland at devstation:~/useridtest$ ls -la
total 20
drwxrwx---+ 2 rowland domain users 4096 Dec 4 14:33 .
drwxr-xr-x+ 42 rowland domain users 4096 Dec 4 14:30 ..
-rw-r-----+ 1 rowland domain users 16 Dec 4 14:33 test.txt
It quite correctly belongs to me, but what about the numeric ID?
rowland at devstation:~/useridtest$ ls -lan
total 20
drwxrwx---+ 2 11104 10513 4096 Dec 4 14:33 .
drwxr-xr-x+ 42 11104 10513 4096 Dec 4 14:30 ..
-rw-r-----+ 1 11104 10513 16 Dec 4 14:33 test.txt
'3000020' has become '11104' and '100' has become '10513'. Magic, isn't
it ;-)
>
> I'm still going to study the nss_winbind and winbindd source to see
> if I can get caching to work for all login-required values with the
> ad back end, though.
I wouldn't attempt to stop you; it sounds like a possible bug, but
without reading and understanding the code this will never be known.
Good luck with your attempt.
Rowland
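The numbers in the listings above follow from how the two idmap backends work: the DC hands out xidNumber values from idmap.ldb in allocation order, while a member using the 'rid' backend computes ID = RID - base_rid + low_range from the SID, so the same account gets a different UID/GID on each box but the SID behind it is identical. The Python below is an added illustration of that arithmetic, not code from the post or from Samba; it assumes the member's range is 10000-999999 (giving 11104 for RID 1104 and 10513 for the well-known Domain Users RID 513), that the DC's idmap.ldb allocates from 3000000, and uses a constructed domain SID.

```python
"""
Added example (not from the Samba list post or the Samba project).

Models the two mappings seen in the thread:
  - DC: idmap.ldb allocates a sequential xidNumber per SID on first use
        (assumed start 3000000; the value depends on allocation order)
  - member: idmap_rid computes the ID arithmetically from the RID
The identity that travels over SMB is the SID, so comparing SIDs, not
numeric IDs, is what tells you two files belong to the same account.
"""

# Constructed sample domain SID; rowland is assumed to be RID 1104
# (inferred from 11104 - 10000), Domain Users is the well-known RID 513.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"


def split_sid(sid):
    """Return (domain_sid, rid) for an account or group SID string."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid}")
    return "-".join(parts[:-1]), int(parts[-1])


def rid_backend_id(sid, low, high, base_rid=0):
    """
    idmap_rid mapping as documented in idmap_rid(8):
        ID = RID - base_rid + low
    Returns None when the result falls outside [low, high]; winbind
    likewise refuses to map SIDs that land outside the configured range.
    """
    _, rid = split_sid(sid)
    unix_id = rid - base_rid + low
    if unix_id < low or unix_id > high:
        return None
    return unix_id


class DcIdmapLdb:
    """Toy model of the DC's idmap.ldb: first-come, sequential allocation."""

    def __init__(self, start=3000000):  # assumed default start
        self.next_id = start
        self.table = {}

    def lookup(self, sid):
        if sid not in self.table:
            self.table[sid] = self.next_id
            self.next_id += 1
        return self.table[sid]


def member_ids(user_sid, group_sid, low=10000, high=999999):
    """UID/GID a 'rid'-backend member would show for the given SIDs."""
    return rid_backend_id(user_sid, low, high), rid_backend_id(group_sid, low, high)


def same_identity(sid_a, sid_b):
    """The correct comparison across machines: by SID, never by number."""
    return sid_a == sid_b


def demo():
    user_sid = f"{DOMAIN_SID}-1104"
    group_sid = f"{DOMAIN_SID}-513"
    dc = DcIdmapLdb()
    dc_uid = dc.lookup(user_sid)
    member_uid, member_gid = member_ids(user_sid, group_sid)
    return {
        "dc_uid": dc_uid,
        "member_uid": member_uid,
        "member_gid": member_gid,
        "ids_match": dc_uid == member_uid,          # False: numbers differ
        "same_user": same_identity(user_sid, user_sid),  # True: SID is the same
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running it shows the member computing 11104/10513 while the DC's allocated UID is unrelated, which is why editing one side's numbers to match the other buys nothing: the SID is what Samba keys on.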