[Samba] nss_winbind / offline logon
James_Zuelow at ci.juneau.ak.us
Fri Oct 16 10:36:27 MDT 2009
City and Borough of Juneau MIS (907)586-0236
> -----Original Message-----
> From: samba-bounces at lists.samba.org
> [mailto:samba-bounces at lists.samba.org] On Behalf Of Petteri Heinonen
> Sent: Friday, 16 October, 2009 03:37
> To: samba at lists.samba.org
> Subject: [Samba] nss_winbind / offline logon
> Hello list users,
> I have been struggling to make my AD-integrated Debian Lenny
> box work fluently also when network connectivity is down.
> What I would like to achieve:
> 1) When no network available, local user should still work normally
> 2) If possible, AD located users should still be able to
> login if they have previously logged in successfully (cached login)
> Number 2 is more like optional, but number 1 would be very
> much needed. However, it seems that winbind somehow blocks
> login process for local accounts too if it is not able to get
> network connection to AD during system boot. These are the
> relevant lines in my nsswitch.conf:
> passwd: files winbind
> group: files winbind
> shadow: files
> Now, I would think that with this configuration, no
> matter what the status of the winbindd daemon is, local users
> like root should be able to login. But that is not the case
> here. The login hangs for about 5 minutes, and after that it
> succeeds. If I remove winbind from nsswitch.conf or configure
> init system so that winbindd is not started up during boot,
> then logins for local accounts go through normally.
> a) make nsswitch understand that I do not want it to query
> anything from winbind if user is found from local files
> b) make winbind even somehow responsive also upon the
> situation where it has to start up without network connection
> Any help or pointers would be greatly appreciated.
So for goal number 1, local user logins (hopefully without a 5-minute pause), I would check your PAM configuration.
The first thing to look at is to make sure that pam_winbind.so is set up as sufficient, and not required.
If it is sufficient and your PAM is set up like this:
auth sufficient pam_winbind.so
auth sufficient pam_unix.so use_first_pass
What happens if you swap places, so that pam_unix comes before pam_winbind?
I no longer have a system set up for AD account logins, so I can't test. This is from memory when I had a laptop (Debian Lenny even) that would do AD account logins, but it would always allow local account logins when the network was disconnected without a long pause. HTH!
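The following is an added example, not part of the thread above. It turns the reply's two suggestions (pam_winbind as "sufficient", pam_unix ahead of it) into a small shell check that a practitioner can point at a real Debian-style common-auth file, and runs it against two constructed stacks: the ordering quoted in the reply and the swapped ordering. The file contents, the temp-directory layout and the smb.conf fragment are constructed for the example; pam_winbind's cached_login option and the "winbind offline logon" smb.conf setting are the upstream names for the cached-logon feature that goal 2 in the original post asks about. One reason the nsswitch.conf ordering alone does not avoid the delay: glibc builds a user's supplementary-group list by asking every source listed for "group", so winbind is still consulted at login even when the user was found in files, which is why the PAM stack order and control flags are what matter.

```shell
#!/bin/sh
# Added example (not from the original mailing-list thread).
# Checks the "auth" stack of a PAM config file for the two properties the
# reply recommends, and demonstrates them on constructed sample files.

# pam_unix_first FILE
#   exit 0 if pam_unix.so appears on an earlier "auth" line than
#   pam_winbind.so (or pam_winbind.so is absent), exit 1 otherwise.
pam_unix_first() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        $1 == "auth" {
            n++
            if ($0 ~ /pam_unix\.so/    && !u) u = n    # first pam_unix line
            if ($0 ~ /pam_winbind\.so/ && !w) w = n    # first pam_winbind line
        }
        END { exit !(u && (!w || u < w)) }
    ' "$1"
}

# winbind_not_required FILE
#   exit 0 unless some "auth" line makes pam_winbind.so required/requisite,
#   which would let a missing AD connection block every login.
winbind_not_required() {
    ! grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_winbind\.so' "$1"
}

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# Constructed sample: the stack quoted in the reply (winbind consulted first).
cat > "$TMP/common-auth.before" <<'EOF'
auth    sufficient  pam_winbind.so
auth    sufficient  pam_unix.so use_first_pass
auth    required    pam_deny.so
EOF

# Constructed sample: the swapped stack the reply suggests trying, with
# cached_login added so AD users who logged in before can log in offline.
cat > "$TMP/common-auth.after" <<'EOF'
auth    sufficient  pam_unix.so nullok_secure
auth    sufficient  pam_winbind.so use_first_pass cached_login
auth    required    pam_deny.so
EOF

# Constructed smb.conf [global] fragment that cached_login depends on
# (assumed values; option names are the upstream winbind ones).
cat > "$TMP/smb.conf.fragment" <<'EOF'
[global]
    winbind offline logon = yes
    winbind cache time = 300
EOF

report() {
    if pam_unix_first "$1"; then
        echo "$1: pam_unix runs before pam_winbind"
    else
        echo "$1: pam_winbind runs before pam_unix (local logins wait on winbindd)"
    fi
    if winbind_not_required "$1"; then
        echo "$1: pam_winbind is not required"
    else
        echo "$1: pam_winbind is required; an unreachable AD blocks all logins"
    fi
}

report "$TMP/common-auth.before"
report "$TMP/common-auth.after"
```

Run it as a normal shell script, or source it and call pam_unix_first /etc/pam.d/common-auth directly; with "winbind offline logon = yes" in smb.conf and cached_login on the pam_winbind line, previously authenticated AD users are validated from winbind's cache when the domain controller is unreachable.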