[Samba] Winbind offline logon

Anders.Strandberg at tietoenator.com Anders.Strandberg at tietoenator.com
Mon Apr 16 08:17:32 GMT 2007


I have a question about Winbind's offline logon capabilities.

We are working on integration of laptops with winbind into our Linux Workstation Management System, but have some difficulties verifying the desired functionality. For that we are running the latest samba (currently 3.0.25rc1). Authentication is set up against Windows AD 2003 with R2 extensions (rfc2703bis).


        workgroup = MY
        realm = MY.DOMAIN.COM
        security = ADS
        auth methods = winbind
        password server = dc11.my.domain.com dc12.my.domain.com *
        name resolve order = host
        socket options = SO_REUSEADDR TCP_NODELAY
        os level = 0
        preferred master = No
        socket address =
        idmap domains = MY
        template homedir = /home/%u
        winbind cache time = 600
        winbind use default domain = Yes
        winbind refresh tickets = Yes
        winbind offline logon = Yes
        idmap config MY:readonly = yes
        idmap config MY:default = yes
        idmap config MY:range = 300 - 300000000
        idmap config MY:backend = ad
        include = /env/samba/lib/smb.include.shares

It seems to work OK when connected to the network, but when disconnected it gets out of order. When I pull the network plug and log out I cannot log in with ssh as my personal user. I get (after a while) a notification that login is done with cached credentials but the login fails. When I attempt to login again I am immediately returned to the login prompt. Looking at the log it seems that the user is authenticated but the account is not found. The behaviour is similar if I log out and attempt a gui login.

The SID for my user seems to be retrieved OK, but winbind cannot retrieve user info for the sid. Eventually winbindd core dumps.

Winbind seems to have some trouble locating the unreachable DCs.

My questions are:

What level of offline functionality is expected with winbind? What is working and what is not? Are there any additional requirements to be fulfilled in addition to getting it working while connected?

Can I expect this setup to work, i.e. (winbind + ad) pull the network cable and be able to login with cached credentials? I suppose that this is similar to doing a reboot and attempting an offline login; I haven't got this working either.

When I connect the network cable again it seems that winbind does not catch up immediately. On some occasions the functionality is restored after several minutes, on others I have to restart the service to be able to login again.

I think Novell has this working for SLED 10, but I have not been able to verify it on my laptop. I think they are running an older samba.


Anders Strandberg, TietoEnator Processing & Network AB
E-mail:   Anders.Strandberg at tietoenator.com		| Voice:  +46 920 452 037
Internet: http://www.tietoenator.com/			| Fax:    +46 920 452 906
Laboratoriegränd 11, Box 50006, S-973 21  Luleå, Sweden	| Mobile: +46 70 345 3285
