[Samba] nss_winbind / offline logon
Petteri Heinonen
petteri.j.heinonen at kolumbus.fi
Fri Oct 16 05:37:07 MDT 2009
Hello list users,
I have been struggling to make my AD-integrated Debian Lenny box work fluently also when network connectivity is down. What I would like to achieve:
1) When no network is available, local users should still work normally
2) If possible, AD-located users should still be able to log in if they have previously logged in successfully (cached login)
Number 2 is more like optional, but number 1 would be very much needed. However, it seems that winbind somehow blocks the login process for local accounts too if it is not able to get a network connection to AD during system boot. These are the relevant lines in my nsswitch.conf:
passwd: files winbind
group: files winbind
shadow: files
Now, I would think that with this configuration, no matter what the status of the winbindd daemon is, local users like root should be able to log in. But that is not the case here. The login hangs for about 5 minutes, and after that it succeeds. If I remove winbind from nsswitch.conf or configure the init system so that winbindd is not started during boot, then logins for local accounts go through normally.
Currently I use pam_krb5 for authentication, but I have also tried pam_winbind. This does not affect the outcome; logins for local users are very slow when the machine is not on the network, no matter what the PAM configuration is. Nsswitch seems to be the culprit here; for some reason it wants to query winbind even though the user in question is local. And on the other hand, winbindd seems to be in an unresponsive state after startup if it does have a connection to AD.
Some logs in winbind.log which might be related to this:
[2009/10/16 14:32:16, 0] winbindd/winbindd_dual.c:async_request_timeout_handler(182)
async_request_timeout_handler: child pid 2418 is not responding. Closing connection to it.
[2009/10/16 14:32:16, 1] winbindd/winbindd_util.c:trustdom_recv(260)
Could not receive trustdoms
When the machine is online and winbindd is able to open connections to AD, everything works OK. So I believe that the winbind configuration should be OK also. The Samba/Winbind version used is 3.2.5.
Any clues on how to
a) make nsswitch understand that I do not want it to query anything from winbind if the user is found in local files
b) make winbind somehow responsive even in the situation where it has to start up without a network connection
Any help or pointers would be greatly appreciated.
Regards, Petteri Heinonen
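An added diagnostic script, not part of Petteri's post or of Samba itself: it lists which nsswitch.conf databases consult winbind and times the lookups a local login performs. The supplementary-group lookup (initgroups, exercised here via `id -G`) consults every module listed under `group:` even after `passwd:` was already satisfied by `files`, so it is the lookup to watch when only local logins hang. The sample nsswitch text is constructed to match the configuration quoted above; the function names are this example's own.

```shell
#!/bin/sh
# Constructed sample, matching the nsswitch.conf lines quoted in the post.
SAMPLE_NSSWITCH='passwd: files winbind
group: files winbind
shadow: files'

# Print (space separated) the databases in the given nsswitch text that list
# the named module. Comments and blank lines are skipped.
# Usage: dbs_using_module "$text" winbind   -> "passwd group"
dbs_using_module() {
    printf '%s\n' "$1" | awk -v mod="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        { db = $1; sub(/:$/, "", db)
          for (i = 2; i <= NF; i++) if ($i == mod) { print db; break } }
    ' | tr '\n' ' ' | sed 's/ $//'
}

# Whole seconds taken by one NSS lookup through getent (portable date(1)).
# Usage: lookup_seconds passwd root
lookup_seconds() {
    start=$(date +%s)
    getent "$1" "$2" >/dev/null 2>&1
    echo $(( $(date +%s) - start ))
}

# Show which databases still involve winbind, then time the lookups a login
# of a local user triggers. A passwd hit in files stops there (the default
# action after success is to return), but initgroups walks every module under
# group:, so a delay that appears only on the last line points at that line.
diagnose() {
    user=${1:-root}
    echo "databases consulting winbind: $(dbs_using_module "$(cat /etc/nsswitch.conf)" winbind)"
    for db in passwd group; do
        printf '%-28s %ss\n' "getent $db $user" "$(lookup_seconds "$db" "$user")"
    done
    start=$(date +%s)
    id -G "$user" >/dev/null 2>&1
    printf '%-28s %ss\n' "id -G $user (initgroups)" "$(( $(date +%s) - start ))"
}

# Run the timings only when invoked with "run" so the functions can be sourced.
if [ "${1:-}" = "run" ]; then
    diagnose "${2:-root}"
fi
```

Run it as `sh nss-diag.sh run root` on the box while it is disconnected; the line whose timing matches the login delay names the database to adjust.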