[Samba] pam_winbind Appears to need a Network Connection to Succeed at Offline Authentication
Rowland Penny
rpenny at samba.org
Thu Dec 5 19:59:21 UTC 2024
On Thu, 5 Dec 2024 14:37:57 -0500
"John R. Graham via samba" <samba at lists.samba.org> wrote:
> On 12/1/24 09:42, Rowland Penny via samba wrote:
> > On Sun, 1 Dec 2024 09:15:27 -0500
> > "John R. Graham via samba" <samba at lists.samba.org> wrote:
> >> I also like the idea of the ad back end and nss_winbind because
> >> it's a better "single source of truth"--and I don't like the
> >> templated /etc/passwd fields. Was that your goal with the
> >> work-around? To not have those restrictions?
> > I used to think that way, but once I realised that if I used the
> > same 'idmap config' lines on all Unix domain members, I would
> > always get the same Unix IDs, then I thought differently. The
> > 'single source of truth' isn't rfc2307, it is the account's RID and
> > the 'rid' idmap backend calculates the Unix ID from the RID and the
> > DOMAIN low range set in the smb.conf file:
> >
> > ID = RID + low_range
> >
> > So, if the low_range is set to '10000', the Domain Users group will
> > always get the Unix ID '10513' and so on.
> >
> > 10513 = 513 + 10000
> >
> > Coming to the user's shell and home directory, these are always
> > relative to the Unix domain member, they are not mounted from
> > another computer (NOTE: the Windows home directory is not the same
> > as a Unix home directory). From this, I hope you can see that it
> > doesn't matter what home directory or shell you set in AD (by
> > setting the 'unixHomeDirectory' & 'loginShell' attributes), you can
> > get virtually the same results by setting 'template homedir' and
> > 'template shell' in the smb.conf file, the only real difference is
> > that setting them in the smb.conf file means that every user gets
> > the same, but is this really a problem?
> >
> > Rowland
>
> Where in LDAP is the RID stored so I can query it for various objects
> (groups and users)?
>
> - John
>
>
>
Just about everywhere :-)
The 'RID' is the last part of an object's SID, which is stored in the
account's objectSid attribute.
Easiest way to see one:
samba-tool user show $USERNAME --attributes=objectSid
Replace '$USERNAME' with one of your AD users.
Rowland
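As an added example (not part of Rowland's post, and not Samba's own code), the two points in this thread worked through in Python: the RID is the last sub-authority of the objectSid, and the 'rid' idmap backend derives the Unix ID as RID + low_range (with the default base_rid of 0). samba-tool prints the SID in its S-1-5-21-... string form, while a raw LDAP query returns the binary objectSid blob, so both forms are parsed. The domain SID, the binary blob and the assumed 'idmap config SAMDOM : range = 10000-999999' are constructed for the example; the out-of-range check reflects the backend refusing to map an ID that would fall outside the configured range.

```python
"""Added example, not from the Samba list post or the Samba code base:
extract the RID from an objectSid (string or binary form) and compute
the Unix ID the 'rid' idmap backend would assign for it.
"""
import struct

# Assumed smb.conf settings for this example (constructed, not from the post):
#   idmap config SAMDOM : backend = rid
#   idmap config SAMDOM : range = 10000-999999
LOW_RANGE = 10000
HIGH_RANGE = 999999

# Constructed sample: a domain SID with RID 513 (Domain Users).
SAMPLE_SID = "S-1-5-21-3623811015-3361044348-30300820-513"
# The same SID in the binary layout LDAP returns for objectSid:
# revision (1 byte), sub-authority count (1 byte), identifier authority
# (6 bytes, big-endian), then count x 32-bit little-endian sub-authorities.
SAMPLE_SID_BLOB = (bytes([1, 5]) + (5).to_bytes(6, "big")
                   + struct.pack("<5I", 21, 3623811015, 3361044348, 30300820, 513))


def parse_sid_string(sid: str) -> tuple[int, int, list[int]]:
    """Parse 'S-1-5-21-...-513' into (revision, authority, sub_authorities)."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return revision, authority, subs


def parse_sid_binary(blob: bytes) -> tuple[int, int, list[int]]:
    """Decode the binary objectSid layout described above."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID blob length does not match sub-authority count")
    subs = list(struct.unpack("<%dI" % count, blob[8:]))
    return revision, authority, subs


def sid_to_string(revision: int, authority: int, subs: list[int]) -> str:
    """Render the parsed components back into the S-... string form."""
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def rid_of(sid) -> int:
    """The RID is the last sub-authority of the SID, whichever form it is in."""
    _, _, subs = parse_sid_binary(sid) if isinstance(sid, bytes) else parse_sid_string(sid)
    if not subs:
        raise ValueError("SID has no sub-authorities, so no RID")
    return subs[-1]


def rid_backend_unix_id(sid, low: int = LOW_RANGE, high: int = HIGH_RANGE):
    """ID = RID + low_range, as the rid backend computes it with base_rid = 0.

    Returns None when the result would fall outside the configured range;
    winbind then treats the account as unmapped rather than clamping it.
    """
    unix_id = rid_of(sid) + low
    return unix_id if low <= unix_id <= high else None


if __name__ == "__main__":
    for sid in (SAMPLE_SID, SAMPLE_SID_BLOB):
        shown = sid if isinstance(sid, str) else sid_to_string(*parse_sid_binary(sid))
        print(shown, "-> RID", rid_of(sid), "-> Unix ID", rid_backend_unix_id(sid))
```

The same calculation applies to users and groups alike, since both carry an objectSid; the one thing to keep an eye on is that every domain member uses the identical 'range' line, because a different low end on one host shifts every computed ID on that host.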