[Samba] pam_winbind Appears to need a Network Connection to Succeed at Offline Authentication
Kees van Vloten
keesvanvloten at gmail.com
Sat Nov 30 21:06:56 UTC 2024
On 29-11-2024 at 18:04, Marco Gaiarin via samba wrote:
> Greetings! John R. Graham via samba
> wrote, on that day...
>
>> When I put winbindd in offline mode,
> RFC2307? A known bug:
>
> https://bugzilla.samba.org/show_bug.cgi?id=15405
>
I have figured out a workaround for this.
The bug in winbind is that it fails to look up users and groups when
offline in rfc2307 mode (= smb.conf: idmap config <domain>:backend = ad).
A working option is to use just pam_winbind but take the nss services of
sssd instead of nss_winbind:
* Install (on Debian): sssd-dbus, sssd-ldap, sssd-tools, libnss-sss
* Set /etc/nsswitch.conf passwd and group to "files systemd sss"
* In /etc/samba/smb.conf set the nss backend to "idmap config
<domain>:backend = nss" and add "sync machine password script
/usr/local/sbin/machinepw_update" (the latter requires Samba 4.21)
* Configure sssd:
[sssd]
config_file_version = 2
services = nss,ifp
domains = <dns-domain>
debug_level = 4
reconnection_retries = 3
[domain/<dns-domain>]
cache_credentials = true
enumerate = true
id_provider = ldap
access_provider = ldap
min_id = 1000
dns_discovery_domain = <dns-domain>
ldap_default_bind_dn = <ldap-machine-dn>
# machine password:
ldap_default_authtok = <machine-password>
ldap_search_base = <ldap-base-dn>
ldap_user_search_base = <ldap-users-base-dn>
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_referrals = false
ldap_id_mapping = false
ldap_schema = ad
ldap_group_nesting_level = 10
fallback_homedir = /home/%u
default_shell = /bin/bash
#skel_dir = /etc/skel
Download: wget -O /usr/local/sbin/accountmachinepw https://gitlab.com/samba-team/samba/raw/v4-21-stable/source4/scripting/bin/machineaccountpw
In "/usr/local/sbin/machinepw_update" put something like:
#!/bin/bash
# Read the current machine account password from the local Samba secrets
PW="$(/usr/local/sbin/accountmachinepw)"
# Escape sed metacharacters so a password containing '/', '&' or '\' does not break the substitution
ESC="$(printf '%s' "$PW" | sed -e 's/[\/&\\]/\\&/g')"
# Rewrite the stored bind password in sssd.conf in place, then restart sssd so it picks it up
sed -i -E "s/^ldap_default_authtok = .+$/ldap_default_authtok = ${ESC}/" /etc/sssd/sssd.conf
systemctl restart sssd
Do not forget to make both scripts executable "chmod 750
/usr/local/sbin/machinepw_update /usr/local/sbin/accountmachinepw"
Although I would prefer to have Samba bug 15045 fixed and use
nss_winbind as well, this pragmatic approach with sssd works for now. It
has been running on my laptop for some time and it seems to work fine.
- Kees.
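A variant of the machine-password hook, added here as an example and not code from the post above: it rewrites the ldap_default_authtok line via awk's ENVIRON so the password never becomes part of a sed pattern, keeps sssd.conf at mode 0600 (sssd refuses anything looser), and only restarts sssd when the stored value actually changed. The --sync flag, the return codes and the helper name are this example's own conventions; the file paths are the ones used in the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Rewrites the
# ldap_default_authtok line in an sssd.conf-style file without passing the
# password through a sed pattern, so values containing '/', '&' or '\' are
# stored verbatim. Assumes the key occurs once (as in the post's config).
# Return codes: 0 = file rewritten, 1 = value already current, 2 = key missing.
update_authtok() {
    conf="$1"
    newpw="$2"
    tmp="$(mktemp "${conf}.XXXXXX")" || return 3
    # The password reaches awk via the environment, which (unlike -v) does not
    # interpret backslash escapes; it is never part of a regex or replacement.
    AUTHTOK="$newpw" awk '
        /^ldap_default_authtok[ \t]*=/ {
            print "ldap_default_authtok = " ENVIRON["AUTHTOK"]; found = 1; next
        }
        { print }
        END { exit(found ? 0 : 2) }
    ' "$conf" > "$tmp"
    rc=$?
    if [ "$rc" -ne 0 ]; then rm -f "$tmp"; return "$rc"; fi
    # Unchanged password: leave the file alone and signal "no restart needed".
    if cmp -s "$conf" "$tmp"; then rm -f "$tmp"; return 1; fi
    # sssd refuses a config that is not mode 0600; replace the file atomically.
    chmod 0600 "$tmp" && mv -f "$tmp" "$conf"
}

# Hook body for "sync machine password script": restart sssd only when the
# stored password actually changed. Paths are those used in the post.
if [ "${1:-}" = "--sync" ]; then
    update_authtok /etc/sssd/sssd.conf "$(/usr/local/sbin/accountmachinepw)" \
        && systemctl restart sssd
fi
```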