winbind offline logon cache expiry

David Mansfield samba at dm.cobite.com
Thu Aug 1 11:58:34 MDT 2013


Hi All,

We're trying to set up some remote (work-at-home) machines with samba4 
winbind (running on Fedora) using winbind offline login = yes. Once the 
user is logged in, they connect the VPN and that allows communication to 
the DC (also samba4).

This works fine for a while, but if the user doesn't log in for 3-4 
days (which can be simulated by shutting down winbind, setting the system 
clock and restarting winbind), the offline login fails. Here's what 
happens when logging into a virtual console in Linux (logging into GDM 
is more complicated):

  Aug 10 00:22:57 Ladybug login: pam_unix(login:auth): check pass; user unknown
  Aug 10 00:22:57 Ladybug login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty3 ruser= rhost=
  Aug 10 00:23:00 Ladybug login: FAILED LOGIN 1 FROM tty3 FOR (unknown), User not known to the underlying authentication module


So it seems that the ability to resolve the login name is failing.

According to the man page, winbind offline logon doesn't honor the 
winbind cache time, but it doesn't say if there is something that does 
control it.

If I could make this last, say, 2 weeks instead of <4 days I think that 
would do the trick.  Can it be done?

Thanks,
David Mansfield
Cobite, INC.


