Samba
Winbind works, but mapping to UNIX IDs does not.
Alpine doesn't use NSS because of musl (musl has no nsswitch.conf/NSS module support, so libnss_winbind cannot be loaded); another way of mapping is needed. /etc/samba/user.map requires passwords between AD and UNIX to be in sync. Maybe switch to SSSD?
kinit administrator@ISLIEF.COM
klist

wbinfo -u
wbinfo -g
wbinfo -i ISLIEF/Administrator
administrator:*:3500:3513::/home/ISLIEF/administrator:/bin/false

wbinfo -s S-1-5-21-870187001-592863278-1011463606-1604
ISLIEF/jan 1

wbinfo -n ISLIEF/jan

wbinfo -a jan
Enter jan's password:
plaintext password authentication succeeded
Enter jan's password:
challenge/response password authentication succeeded

wbinfo -S S-1-5-21-870187001-592863278-1011463606-1604
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-870187001-592863278-1011463606-1604 to uid

wbinfo -r ISLIEF/administrator
3500
3513
3572
3518
3519
3520
3512
2001
2000

wbinfo -i ISLIEF/jan
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user ISLIEF/jan

smbclient -L //10.0.0.5 -U ISLIEF/jan
Password for [ISLIEF\jan]:
session setup failed: NT_STATUS_LOGON_FAILURE
https://www.suse.com/support/kb/doc/?id=000017458
NSCD
Samba 4 as an Active Directory member using winbind to look up users doesn't work on Alpine Linux because musl doesn't use nsswitch. However, with musl-nscd from pikhq, authentication works, but only if the /usr/sbin/nscd process is running; while an authentication is being tried, the authentication hangs until the nscd process is stopped.
https://github.com/pikhq/musl-nscd/blob/master/src/cache.c
I haven't figured out where and why this works, but it is around cache_getpwuid_r
COMPARISON() (res->p.pw_uid == id)
Included in the call is a header, with the actual query between
pthread_rwlock_rdlock(&CACHE.lock);
ret = NSS_STATUS_SUCCESS;
pthread_rwlock_unlock(&CACHE.lock);
https://github.com/pikhq/musl-nscd/blob/master/include/cache_query.h#L39
gdb /usr/sbin/nscd
info functions
set logging enabled on
set confirm off
set height off
rbreak ^s[^@]*$
gprof /usr/sbin/nscd
accept(3, NULL, NULL) = 4
futex(0x56536d729fb8, FUTEX_WAKE_PRIVATE, 2147483647) = 1
poll([{fd=3, events=POLLIN}], 1, -1) = 1 ([{fd=3, revents=POLLIN}])
accept(3, NULL, NULL) = 4
futex(0x56536d729fb8, FUTEX_WAKE_PRIVATE, 2147483647) = 1
poll([{fd=3, events=POLLIN}], 1, -1) = 1 ([{fd=3, revents=POLLIN}])
accept(3, NULL, NULL) = 6
futex(0x56536d7292e0, FUTEX_WAIT_PRIVATE, 2147483648, NULL) = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
--- SIGINT {si_signo=SIGINT, si_code=SI_KERNEL} ---
smb.conf
[global]
    allow insecure wide links = Yes
    bind interfaces only = Yes
    client min protocol = SMB2
    dedicated keytab file = /etc/krb5.keytab
    disable netbios = Yes
    disable spoolss = Yes
    dos charset = cp866
    interfaces = lo wg0 lan
    kerberos method = secrets and keytab
    log level = 3 passdb:5 auth:5
    ntlm auth = mschapv2-and-ntlmv2-only
    printcap name = /dev/null
    realm = ISLIEF.COM
    restrict anonymous = 2
    security = ADS
    server min protocol = SMB2
    server role = member server
    server string = Samba Server
    smb ports = 445
    template homedir = /home/%U
    template shell = /bin/ash
    unix charset = utf-8
    username map = /etc/samba/user.map
    winbind cache time = 3600
    winbind enum groups = Yes
    winbind enum users = Yes
    winbind offline logon = Yes
    winbind refresh tickets = Yes
    winbind separator = /
    winbind use default domain = Yes
    workgroup = ISLIEF
    idmap_ldb:use rfc2307 = Yes
    idmap config * : backend = tdb
    idmap config * : range = 2000-2999
    idmap config islief:range = 3000-9999999
    idmap config islief:backend = rid
    map acl inherit = Yes
    store dos attributes = Yes

[share]
    path = /share
    read only = No
    valid users = ISLIEF/me

[homes]
    comment = Home Directories
    read only = No
    valid users = %S
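The wbinfo -S failure above and the idmap config here can be cross-checked by hand: the rid backend computes ID = RID + low end of the range (man idmap_rid), so with idmap config islief:range = 3000-9999999 the Administrator entry on this page is consistent (RID 500 gives uid 3500, primary group RID 513 gives gid 3513), and jan's SID (RID 1604) should map to 4604 rather than fail with WBC_ERR_DOMAIN_NOT_FOUND. The 2000 and 2001 in the wbinfo -r output come from the "*" tdb range. The script below is an added example, not from this page or from Samba; it recomputes the idmap_rid mapping for a SID, rejects RIDs that would fall outside the range, and, when wbinfo is installed, compares the result with what winbind reports. The range value is taken from the smb.conf above and is an assumption for any other host.

```shell
#!/bin/sh
# Added example (not from the original page): reproduce the idmap_rid
# computation so a failed wbinfo -S can be separated from an out-of-range RID.
# Range assumed from the smb.conf on this page: idmap config islief:range.
RID_RANGE="3000-9999999"

# Print the RID (last dash-separated component) of a SID.
sid_rid() {
    printf '%s\n' "${1##*-}"
}

# Map a domain SID to a UNIX ID the way idmap_rid does: ID = RID + LOW.
# Prints the ID on success. Prints nothing and returns 1 when the SID is not
# a domain SID (S-1-5-21-a-b-c-rid) or the result lies outside LOW-HIGH,
# which is when winbind refuses the mapping.
rid_to_id() {
    sid="$1"; range="$2"
    case "$sid" in
        S-1-5-21-*-*-*-*) ;;
        *) return 1 ;;
    esac
    low="${range%-*}"; high="${range#*-}"
    rid=$(sid_rid "$sid")
    id=$((low + rid))
    if [ "$id" -lt "$low" ] || [ "$id" -gt "$high" ]; then
        return 1
    fi
    printf '%s\n' "$id"
}

# Compare the computed ID with winbind's answer for the same SID. The wbinfo
# call only runs when winbind is installed; otherwise only the computed
# value is shown.
check_against_winbind() {
    sid="$1"
    expected=$(rid_to_id "$sid" "$RID_RANGE") || {
        echo "$sid: not a domain SID or RID outside range $RID_RANGE"
        return 1
    }
    if command -v wbinfo >/dev/null 2>&1; then
        actual=$(wbinfo -S "$sid" 2>/dev/null) || {
            echo "$sid: winbind cannot map it, idmap_rid would give $expected"
            return 1
        }
        if [ "$actual" = "$expected" ]; then
            echo "$sid -> $actual (matches idmap_rid)"
        else
            echo "$sid -> $actual, idmap_rid would give $expected"
            return 1
        fi
    else
        echo "$sid -> $expected (computed only, wbinfo not installed)"
    fi
}

# Usage: the SIDs below are taken from the page (Administrator and jan).
check_against_winbind S-1-5-21-870187001-592863278-1011463606-500
check_against_winbind S-1-5-21-870187001-592863278-1011463606-1604
```

If the computed value is in range but wbinfo -S still fails, the problem is not the RID arithmetic but winbind's view of the domain (the DOMAIN_NOT_FOUND error names the domain lookup, not the range), which points back at the trust/NSS path rather than the idmap config.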