[Samba] pam_winbind Appears to need a Network Connection to Succeed at Offline Authentication

Kees van Vloten keesvanvloten at gmail.com
Sat Nov 30 21:06:56 UTC 2024


On 29-11-2024 at 18:04, Marco Gaiarin via samba wrote:
> Hello! John R. Graham via samba
>    wrote on that day...
>
>> When I put winbindd in offline mode,
> RFC2307? A known bug:
>
> 	https://bugzilla.samba.org/show_bug.cgi?id=15405
>
I have figured out a workaround for this.

The bug in winbind is that it fails to look up users and groups when 
offline in rfc2307 mode (= smb.conf: idmap config <domain>:backend = ad).

A working option is to use just pam_winbind but take the nss services of 
sssd instead of nss_winbind:

  * Install (on Debian): sssd-dbus, sssd-ldap, sssd-tools, libnss-sss
  * Set /etc/nsswitch.conf passwd and group to "files systemd sss"
  * In /etc/samba/smb.conf set the nss backend to "idmap config
    <domain>:backend = nss" and add "sync machine password script
    /usr/local/sbin/machinepw_update" (the latter requires Samba 4.21)
  * Configure sssd:

[sssd]
config_file_version = 2
services = nss,ifp
domains = <dns-domain>
debug_level = 4
reconnection_retries = 3

[domain/<dns-domain>]
cache_credentials = true
enumerate = true

id_provider = ldap
access_provider = ldap

min_id = 1000
dns_discovery_domain = <dns-domain>

ldap_default_bind_dn = <ldap-machine-dn>
# machine password:
ldap_default_authtok = <machine-password>
ldap_search_base = <ldap-base-dn>
ldap_user_search_base = <ldap-users-base-dn>
ldap_access_order = expire
ldap_account_expire_policy = ad

ldap_force_upper_case_realm = true
ldap_referrals = false
ldap_id_mapping = false
ldap_schema = ad
ldap_group_nesting_level = 10

fallback_homedir = /home/%u
default_shell = /bin/bash
#skel_dir = /etc/skel

Download: wget -O /usr/local/sbin/accountmachinepw https://gitlab.com/samba-team/samba/raw/v4-21-stable/source4/scripting/bin/machineaccountpw

In "/usr/local/sbin/machinepw_update" put something like:

#!/bin/bash
# Called by Samba ("sync machine password script") after the machine account
# password changes: copy the new password into sssd.conf and restart sssd.
set -euo pipefail
PW="$(/usr/local/sbin/accountmachinepw)"
# The password is spliced into a sed expression, so it must not contain
# characters that are special there ("/", "&", "\").
sed -i -E "s/^ldap_default_authtok = .*$/ldap_default_authtok = ${PW}/" /etc/sssd/sssd.conf
systemctl restart sssd

Do not forget to make both scripts executable: "chmod 750 /usr/local/sbin/machinepw_update /usr/local/sbin/accountmachinepw"


Although I would prefer to have Samba bug 15045 fixed and use 
nss_winbind as well, this pragmatic approach with sssd works for now. It 
has been running on my laptop for some time and it seems to work fine.

- Kees.
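An added example, not code from the post or from Samba/sssd: a drop-in replacement for the sed step in machinepw_update that also copes with a machine password containing sed metacharacters, refuses to touch the file if the ldap_default_authtok key is missing, and keeps the 0600 mode sssd requires. The function names and the SSSD_PW variable are this example's own.

```shell
#!/bin/bash
# Added example, not from the post. Rewrite the ldap_default_authtok line in an
# sssd.conf-style file. The password reaches awk through the environment, so
# characters such as / & \ $ are written verbatim (no sed quoting problems).
# Usage: update_authtok /etc/sssd/sssd.conf "$(/usr/local/sbin/accountmachinepw)"
update_authtok() {
    conf="$1"
    tmp="$(mktemp "${conf}.XXXXXX")" || return 1
    if ! SSSD_PW="$2" awk '
        /^[ \t]*ldap_default_authtok[ \t]*=/ {
            if (!seen) { print "ldap_default_authtok = " ENVIRON["SSSD_PW"]; seen = 1 }
            next                      # drop duplicate keys
        }
        { print }
        END { if (!seen) exit 1 }     # key absent: leave the file untouched
    ' "$conf" > "$tmp"; then
        rm -f "$tmp"
        echo "update_authtok: no ldap_default_authtok line in $conf" >&2
        return 1
    fi
    chmod 0600 "$tmp"                 # sssd refuses a config readable by others
    mv -f "$tmp" "$conf"
}

# Print the current value of ldap_default_authtok (used to verify the update).
read_authtok() {
    sed -n 's/^[[:space:]]*ldap_default_authtok[[:space:]]*=[[:space:]]*//p' "$1"
}
```

Call update_authtok from machinepw_update in place of the sed line, then restart sssd as before.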

