[Samba] Issue with pam_winbind for MS AD authentication and moduleoptions

Andre Fernando Goldacker samba at teka.com.br
Wed Apr 4 16:05:44 GMT 2007

I made a mistake, group in nsswitch.conf looks like this:

group:    files winbind

sorry about that!!


Andre Fernando Goldacker wrote:
> Hello!
> passwd, shadow and group look as follows in nsswitch.conf:
> passwd:  files winbind
> shadow:  files
> group:     files group
> What really confuses me is that when my AD server is up and running,
> root or any local user logs in with no problem.
> And even when AD server is down, after trying a zillion times, root and
> other local users login, and then if I log them out and try again a few
> minutes later it won't go again, then again after a few minutes it works
> again and it keeps going like that.
> My guess is that when it's not going pam_winbind and winbind are trying
> to connect to the AD Server resulting in a huge delay in the login
> process affecting also local users login. That's why I was wondering if
> there is a "timeout" option or something for pam_winbind to avoid that.
> Well, that's my guess I could be wrong and maybe the problem is
> something else.
> Anyway thanks so far for your help, if you or anyone has a light...
> Andre
> Miles, Noal wrote:
>> You have files before winbind in /etc/nsswitch.conf for passwd, shadow,
>> group?
>> Noal
>> -----Original Message-----
>> From: samba-bounces+noal.miles=tdstelecom.com at lists.samba.org
>> [mailto:samba-bounces+noal.miles=tdstelecom.com at lists.samba.org] On
>> Behalf Of Andre Fernando Goldacker
>> Sent: Wednesday, April 04, 2007 8:40 AM
>> To: samba at lists.samba.org
>> Subject: [Samba] Issue with pam_winbind for MS AD authentication and
>> moduleoptions
>> Hello!
>> I've configured samba with winbind and pam_winbind module to
>> authenticate users that connect to my Linux box against MS AD.
>> Works like a charm. If a user exists both in AD and locally, login
>> should assume local users. Again, it works pretty well (It seems at
>> least with my current config).
>> If my AD server goes down for any reason, local users should be able to
>> login. For example, root has to login always no matter if my AD server
>> exploded.
>> That's where the problem is. When I shut down my AD server and I try to
>> login with a local user (root as well), my guess is that it seems that
>> pam_winbind waits for a very very long time trying to find my AD server
>> to authenticate that even the local login times out. I don't really know
>> if that is the reason for this behaviour, but if it is, I'm wondering if
>> there is a hidden or maybe a new "timeout" option for pam_winbind module
>> as I didn't find anything related in the man pages and the mailing
>> lists archive. Or maybe if login finds the user in the local database,
>> bypass winbind authentication, don't know if that is possible.
>> The reason why I came up with this idea is that when the AD server is
>> down and I try to login with root for eg. over and over many times,
>> after a while it goes (looks like pam config order is right), but a few
>> minutes later it won't again, which made me think that perhaps winbind
>> or pam_winbind are trying to establish a connection with AD and somehow
>> because of that the whole process slows down so much that even local
>> login times out.
>> Samba is configured to catch UID's, GID's from AD using SFU and ad idmap
>> backend. Only users that are members of a specified AD group are able to
>> login. The purpose of the machine is to be an application server and
>> share folders based on AD users and group permissions.
>> My system is RHEL AS3 with update 7 and samba-3.0.24
>> Below are my pam lines in the system-auth file:
>> #%PAM-1.0
>> # This file is auto-generated.
>> # User changes will be destroyed the next time authconfig is run.
>> auth        required      /lib/security/$ISA/pam_env.so
>> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
>> auth        sufficient    /lib/security/$ISA/pam_winbind.so try_first_pass require_membership_of=DOMAIN+group
>> auth        required      /lib/security/$ISA/pam_deny.so
>> account     required      /lib/security/$ISA/pam_unix.so nullok_secure
>> account     sufficient    /lib/security/$ISA/pam_winbind.so
>> password    required      /lib/security/$ISA/pam_cracklib.so retry=3
>> password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
>> password    required      /lib/security/$ISA/pam_deny.so
>> session     required      /lib/security/$ISA/pam_limits.so
>> session     required      /lib/security/$ISA/pam_unix.so
>> session     required      /lib/security/$ISA/pam_mkhomedir.so umask=0022 skel=/etc/skel
>> Considering that if a user exists both in the local user database and
>> AD, login has to assume local user (seems to be working fine), could
>> someone give me a hint if I'm in the right path, and maybe an idea why
>> or what I could do when my AD server goes down so that my local users
>> (including root) log in normally??
>> Any help will be greatly appreciated,
>> Andre
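
Added example (not part of the original messages and not Samba project code): a small checker that reads the nsswitch.conf and system-auth lines quoted in this thread and reports whether "files" precedes "winbind" and which PAM modules are actually invoked for a user for whom only pam_env and pam_unix succeed, i.e. a local account. The function names are hypothetical, the wrapped option lines are rejoined, and only the simple control keywords (required, requisite, sufficient, optional) are modelled.

```python
import re

# nsswitch.conf lines from the thread, with the corrected group line.
NSSWITCH = """passwd:  files winbind
shadow:  files
group:    files winbind
"""

# auth/account lines from the posted system-auth, wrapped options rejoined.
SYSTEM_AUTH = """auth     required    /lib/security/$ISA/pam_env.so
auth     sufficient  /lib/security/$ISA/pam_unix.so likeauth nullok
auth     sufficient  /lib/security/$ISA/pam_winbind.so try_first_pass require_membership_of=DOMAIN+group
auth     required    /lib/security/$ISA/pam_deny.so
account  required    /lib/security/$ISA/pam_unix.so nullok_secure
account  sufficient  /lib/security/$ISA/pam_winbind.so
"""

def files_before_winbind(text, db):
    """True if `db` never consults winbind, or lists files ahead of it."""
    for line in text.splitlines():
        name, _, rest = line.split("#", 1)[0].partition(":")
        if name.strip() == db:
            src = re.sub(r"\[.*?\]", " ", rest).split()  # drop [STATUS=action] items
            if "winbind" not in src:
                return True
            return "files" in src and src.index("files") < src.index("winbind")
    return True  # database not configured in this text

def modules_called(text, facility, succeeds=("pam_env", "pam_unix")):
    """Modules invoked, in order, when only the modules in `succeeds` return success."""
    called, required_failed = [], False
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 3 or parts[0] != facility:
            continue
        module = re.sub(r"^.*/|\.so$", "", parts[2])  # path -> bare module name
        called.append(module)
        ok = module in succeeds
        if parts[1] == "sufficient" and ok and not required_failed:
            break                      # stack returns success immediately
        if parts[1] == "requisite" and not ok:
            break                      # stack returns failure immediately
        if parts[1] == "required" and not ok:
            required_failed = True     # failure is remembered, walk continues
    return called

if __name__ == "__main__":
    for fac in ("auth", "account"):
        print(fac, modules_called(SYSTEM_AUTH, fac))
```

For the stack as posted, the auth walk for a local user ends at pam_unix, while the account walk continues past the successful "required" pam_unix line and also invokes pam_winbind.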
