[Samba] Linux/AD authentication stops working after ~5 minutes

Wed Jan 18 20:02:45 GMT 2006

I'm trying to do something fairly simple: login to a Linux box using a
Windows AD-based account. I've followed the various recipes available
online for configuring Linux (winbind, PAM, etc.) to this send, and I've
got it working ... almost.

I'm able to authenticate an AD-based user immediately after bringing up
the Linux box, but a short time later (roughly 5 minutes, but it varies)
I can no longer authenticate. Running 'wbinfo -u' fixes the problem
temporarily, although I'm not sure how or why. The 'winbind cache time'
param in smb.conf has no effect on the problem.

Any ideas as to what's going on? Is this more likely to be a
misconfiguration or an issue with my version of Samba? Thanks in advance
for any insight.

System configuration info follows:

AD server is Windows Server 2003 SP1. There is only one AD domain, named
"DOMAIN.LOCAL", and it is small (for testing purposes).

Linux box is Fedora Core 3. Kernel is 2.6.9-1.667. It is joined to the
AD server domain only.

Win2k3 is running as a guest OS in VMware and Fedora is the host OS. (I
doubt this config has anything to do with the problem.)

Samba packages:
samba-common-3.0.10-1.fc3
samba-swat-3.0.10-1.fc3
samba-3.0.10-1.fc3
samba-client-3.0.10-1.fc3

I'm running winbind, but not smbd or nmbd. The latter doesn't seem to be
necessary, nor is it sufficient to solve my problem.

smb.conf:
[global]
         workgroup = DOMAIN
         realm = DOMAIN.LOCAL
         server string = Samba Server
         security = ADS
         password server = vmdc1.domain.local
         log level = 1 ads:10 auth:10 sam:10 rpc:10 winbind:5
         log file = /var/log/samba/%m.log
         max log size = 50
         name resolve order = lmhosts bcast
         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
         printcap name = /etc/printcap
         dns proxy = No
         idmap uid = 16777216-33554431
         idmap gid = 16777216-33554431
         template shell = /bin/bash
         winbind cache time = 10
         winbind enum users = No
         winbind enum groups = No
         winbind use default domain = Yes
         cups options = raw

[homes]
         comment = Home Directories
         read only = No
         browseable = No

[printers]
         comment = All Printers
         path = /var/spool/samba
         printable = Yes
         browseable = No

PAM packages:
pam-0.77-65
pam_passwdqc-0.7.5-2
pam-devel-0.77-65
pam_smb-1.1.7-5
pam_krb5-2.1.2-1
pam_ccreds-1-3

/etc/pam.d/system-auth (used by /etc/pam.d/sshd, etc.):
#auth
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
#account
account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100
quiet
account     [default=bad success=ok user_unknown=ignore]
/lib/security/$ISA/pam_winbind.so
account     required      /lib/security/$ISA/pam_permit.so
#password
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok
use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_winbind.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so
#session
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so

Relevant nsswitch.conf lines:
passwd:     files winbind
shadow:     files winbind
group:      files winbind

EOM