[Samba] winbind offline logon

Rowland Penny rpenny at samba.org
Mon Jan 8 11:23:01 UTC 2024


On Sun, 7 Jan 2024 15:00:27 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Mandi! bd730c5053df9efb via samba
>   In chel di` si favelave...
> 
> >         idmap config smadom:schema_mode = rfc2307
> 
> Sorry but is a bug of RFC2307:
> 
> 	https://bugzilla.samba.org/show_bug.cgi?id=15405
> 

Sorry, but allowing for bug 14618, it works for myself.

https://bugzilla.samba.org/show_bug.cgi?id=14618

On a Unix domain member using the 'rid' backend, I get this:

adminuser at testdm12:~$ getent passwd rowland
rowland:*:11104:10513:Rowland Penny:/home/rowland:/bin/bash

The user 'rowland' can logon, but if the user logs out and the network
is disconnected, the user cannot logon until:

A) the network is reconnected.
B) 'lock directory = /var/cache/samba' is added to smb.conf and Samba
is restarted.
C) the user 'rowland' logs on at least once with the network connected.

At this point, if the user logs out and the network is disconnected,
the user can still logon.

This to myself proves that offline logon works with the 'rid' backend.

If I now change the 'rid' backend to the 'ad' backend:

Change:

  idmap config SAMDOM : backend  = rid
  idmap config SAMDOM : range = 10000-999999

To:

  idmap config SAMDOM : backend  = ad
  idmap config SAMDOM : range = 10000-999999
  idmap config SAMDOM : schema_mode = rfc2307

Give rowland the uidNumber 10000 and Domain Users the gidNumber 10000
and restart Samba on the Unix domain member:

adminuser at testdm12:~$ sudo systemctl restart winbind smbd
adminuser at testdm12:~$ sudo net cache flush
adminuser at testdm12:~$ getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

When I then tried to log on as 'rowland', I was denied, but changing
the ownership of /home/rowland cured this:

adminuser at testdm12:~$ sudo chown 10000:10000 -R /home/rowland 

I could then log on.

I logged out, disconnected the network and tried again; I logged in
straight away.

It looks like logging in using the 'ad' backend works as well.

Rowland
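Two things a domain-member admin wants to check after the procedure above: that smb.conf carries what offline logon needs, and, because changing the idmap backend gave the user new IDs (11104:10513 became 10000:10000 in the post), which files under the home directory must be re-owned. The script below is an added example, not code from the post or from the Samba project. It parses a constructed smb.conf fragment modelled on the 'ad' configuration quoted above (the `winbind offline logon` parameter is assumed to be set, the post does not show it), parses the two `getent passwd` lines from the post, and builds a `chown -h` plan from a constructed stand-in for an `os.lstat()` walk of /home/rowland. Unlike the post's `chown -R`, the plan only touches files that carried the old uid or gid, so root-owned files and other users' files keep their owners, and `-h` re-owns a symlink itself instead of following it out of the home directory.

```python
"""Added example (not from the Samba list post or the Samba project):
smb.conf checks for offline logon, plus a targeted chown plan for the
uid/gid change that comes with switching the idmap backend. All input is
constructed sample data; nothing is read from the live system."""
import shlex
from typing import Dict, Iterable, List, NamedTuple, Tuple


class PwEntry(NamedTuple):
    name: str
    uid: int
    gid: int
    home: str


def parse_getent(line: str) -> PwEntry:
    """Parse one 'getent passwd' line (name:pw:uid:gid:gecos:home:shell)."""
    parts = line.strip().split(":")
    if len(parts) != 7:
        raise ValueError(f"not a passwd line: {line!r}")
    return PwEntry(parts[0], int(parts[2]), int(parts[3]), parts[5])


def id_remap(old: PwEntry, new: PwEntry) -> Dict[str, Tuple[int, int]]:
    """Which of uid/gid changed between the two backends, as (old, new)."""
    if old.name != new.name:
        raise ValueError("passwd entries are for different users")
    remap: Dict[str, Tuple[int, int]] = {}
    if old.uid != new.uid:
        remap["uid"] = (old.uid, new.uid)
    if old.gid != new.gid:
        remap["gid"] = (old.gid, new.gid)
    return remap


def chown_plan(files: Iterable[Tuple[str, int, int]],
               remap: Dict[str, Tuple[int, int]]) -> List[str]:
    """'chown -h' commands for entries whose owner or group is an OLD id.
    files: (path, uid, gid) as os.lstat() would report them. '-h' changes
    the symlink itself, so a link cannot redirect the chown elsewhere."""
    old_uid, new_uid = remap.get("uid", (None, None))
    old_gid, new_gid = remap.get("gid", (None, None))
    cmds = []
    for path, uid, gid in files:
        want_uid = new_uid if uid == old_uid else uid
        want_gid = new_gid if gid == old_gid else gid
        if (want_uid, want_gid) != (uid, gid):
            cmds.append(f"chown -h {want_uid}:{want_gid} {shlex.quote(path)}")
    return cmds


def global_params(conf: str) -> Dict[str, str]:
    """[global] parameters keyed the way Samba compares names: case and
    whitespace ignored, so 'Lock Directory' and 'lock directory' collide."""
    params: Dict[str, str] = {}
    section = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params["".join(key.lower().split())] = value.strip()
    return params


def offline_logon_checks(conf: str, domain: str) -> List[str]:
    """Settings the post relied on for offline logon with the 'ad' backend."""
    p, d, problems = global_params(conf), domain.lower(), []
    if p.get("winbindofflinelogon", "no").lower() not in ("yes", "true", "1"):
        problems.append("winbind offline logon is not set to yes")
    if "lockdirectory" not in p:  # step B in the post
        problems.append("lock directory is not set explicitly")
    backend = p.get(f"idmapconfig{d}:backend")
    if backend is None:
        problems.append(f"no idmap backend configured for {domain}")
    elif backend.lower() == "ad" and f"idmapconfig{d}:schema_mode" not in p:
        problems.append(f"idmap backend 'ad' for {domain} has no schema_mode")
    if f"idmapconfig{d}:range" not in p:
        problems.append(f"no idmap range configured for {domain}")
    return problems


# Constructed smb.conf fragment modelled on the post's 'ad' configuration.
SMB_CONF = """\
[global]
   workgroup = SAMDOM
   security = ADS
   winbind offline logon = yes
   lock directory = /var/cache/samba
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : range = 10000-999999
   idmap config SAMDOM : schema_mode = rfc2307
"""
# getent output before ('rid') and after ('ad'), as quoted in the post.
OLD_LINE = "rowland:*:11104:10513:Rowland Penny:/home/rowland:/bin/bash"
NEW_LINE = "rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash"
# Constructed stand-in for an os.lstat() walk of /home/rowland.
HOME_FILES = [
    ("/home/rowland", 11104, 10513),
    ("/home/rowland/.bashrc", 11104, 10513),
    ("/home/rowland/.ssh/authorized_keys", 11104, 10513),
    ("/home/rowland/link-to-etc", 11104, 10513),   # symlink: '-h' matters
    ("/home/rowland/.root-owned", 0, 0),           # left alone
    ("/home/rowland/from bob.txt", 11105, 10513),  # only the group changes
]


def plan_for_post() -> List[str]:
    remap = id_remap(parse_getent(OLD_LINE), parse_getent(NEW_LINE))
    return chown_plan(HOME_FILES, remap)


if __name__ == "__main__":
    print("\n".join(offline_logon_checks(SMB_CONF, "SAMDOM") or ["smb.conf: ok"]))
    print("\n".join(plan_for_post()))
```

Run it as is to print the plan; feed the real listing by replacing `HOME_FILES` with `(p, st.st_uid, st.st_gid)` tuples from `os.lstat` over `os.walk` of the home directory, and review the commands before executing them as root. A file that still shows the old uid after the switch is effectively orphaned, and whoever is later mapped to that id would inherit it, which is why the targeted plan is preferable to a blanket recursive chown.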