[Samba] nss_winbind / offline logon

James Zuelow James_Zuelow at ci.juneau.ak.us
Fri Oct 16 10:36:27 MDT 2009

James Zuelow
Network Specialist
City and Borough of Juneau MIS (907)586-0236 

> -----Original Message-----
> From: samba-bounces at lists.samba.org 
> [mailto:samba-bounces at lists.samba.org] On Behalf Of Petteri Heinonen
> Sent: Friday, 16 October, 2009 03:37
> To: samba at lists.samba.org
> Subject: [Samba] nss_winbind / offline logon
> Hello list users,
> I have been struggling to make my AD integrated Debian Lenny 
> box to work fluently also when network connectivity is down. 
> What I would like to achieve:
> 1) When no network available, local user should still work normally
> 2) If possible, AD located users should still be able to 
> login if they have previously logged in successfully (cached login)
> Number 2 is more like optional, but number 1 would be very 
> much needed. However, it seems that winbind somehow blocks 
> login process for local accounts too if it is not able to get 
> network connection to AD during system boot. These are the 
> relevant lines in my nsswitch.conf:
> passwd:         files winbind
> group:          files winbind
> shadow:         files
> Now, I would think that with this configuration,  that no 
> matter what is the status of winbindd daemon, local users 
> like root should be able to login. But that is not the case 
> here. The login hangs for about 5 minutes, and after that it 
> succeeds. If I remove winbind from nsswitch.conf or configure 
> init system so that winbindd is not started up during boot, 
> then logins for local accounts go through normally.
> a) make nsswitch understand that I do not want it to query 
> anything from winbind if user is found from local files
> b) make winbind even somehow responsive also upon the 
> situation where it has to start up without network connection
> Any help or pointers would be greatly appreciated.

So for goal number 1, local user logins (hopefully without a 5 minute pause) I would check your PAM configuration.

The first thing to look at is make sure that pam_winbind.so is set up as sufficient, and not required.

If it is sufficient and your pam is set up like this:

auth       sufficient   pam_winbind.so
auth       sufficient   pam_unix.so use_first_pass

What happens if you swap places, so that pam_unix comes before pam_winbind?

I no longer have a system set up for AD account logins, so I can't test.  This is from memory when I had a laptop (Debian Lenny even) that would do AD account logins, but it would always allow local account logins when the network was disconnected without a long pause.  HTH!


More information about the samba mailing list