[Samba] nss_winbind / offline logon

Petteri Heinonen petteri.j.heinonen at kolumbus.fi
Sat Oct 17 03:23:01 MDT 2009

James Zuelow wrote:
> James Zuelow
> Network Specialist
> City and Borough of Juneau MIS (907)586-0236 
>> -----Original Message-----
>> From: samba-bounces at lists.samba.org 
>> [mailto:samba-bounces at lists.samba.org] On Behalf Of Petteri Heinonen
>> Sent: Friday, 16 October, 2009 03:37
>> To: samba at lists.samba.org
>> Subject: [Samba] nss_winbind / offline logon
>> Hello list users,
>> I have been struggling to make my AD-integrated Debian Lenny 
>> box work fluently also when network connectivity is down. 
>> What I would like to achieve:
>> 1) When no network is available, local users should still work normally
>> 2) If possible, AD-located users should still be able to 
>> log in if they have previously logged in successfully (cached login)
>> Number 2 is more like optional, but number 1 would be very 
>> much needed. However, it seems that winbind somehow blocks the 
>> login process for local accounts too if it is not able to get a 
>> network connection to AD during system boot. These are the 
>> relevant lines in my nsswitch.conf:
>> passwd:         files winbind
>> group:          files winbind
>> shadow:         files
>> Now, I would think that with this configuration, no 
>> matter what the status of the winbindd daemon is, local users 
>> like root should be able to log in. But that is not the case 
>> here. The login hangs for about 5 minutes, and after that it 
>> succeeds. If I remove winbind from nsswitch.conf or configure the 
>> init system so that winbindd is not started during boot, 
>> then logins for local accounts go through normally.
>> a) make nsswitch understand that I do not want it to query 
>> anything from winbind if the user is found in the local files
>> b) make winbind somehow responsive even in the 
>> situation where it has to start up without a network connection
>> Any help or pointers would be greatly appreciated.
> So for goal number 1, local user logins (hopefully without a 5-minute pause), I would check your PAM configuration.
> The first thing to look at is making sure that pam_winbind.so is set up as sufficient, and not required.
> If it is sufficient and your pam is set up like this:
> auth       sufficient   pam_winbind.so
> auth       sufficient   pam_unix.so use_first_pass
> What happens if you swap places, so that pam_unix comes before pam_winbind?
> I no longer have a system set up for AD account logins, so I can't test.  This is from memory when I had a laptop (Debian Lenny even) that would do AD account logins, but it would always allow local account logins when the network was disconnected without a long pause.  HTH!
> James
Hi James.

I have at least somehow ruled out PAM as the source of this problem. 
As I explained, removing/adding winbind in nsswitch.conf has a direct 
relation to the behaviour: if winbind is in nsswitch.conf, logins 
take forever. If winbind is not listed in nsswitch.conf, logins of local 
users are as fast as normal. But anyway, here are the relevant parts of my 
PAM config:

auth    sufficient      pam_unix.so nullok_secure
auth    sufficient      pam_krb5.so debug minimum_uid=10000 use_first_pass
auth    required        pam_deny.so

account         sufficient      pam_unix.so
account         sufficient      pam_krb5.so debug minimum_uid=10000
account         required        pam_deny.so

session optional        pam_unix.so
session optional        pam_krb5.so debug minimum_uid=10000
session required        pam_mkhomedir.so umask=0022 skel=/etc/skel

I have also tried with the PAM winbind module instead of krb5. That does not 
change the behaviour. Here is also my smb.conf in case someone notices 
something being wrong there. Although I really think that it should not 
matter what the winbind config is in this case; nss_winbind should 
return something in reasonable time whatever the winbind/samba config 
is. Offline logon and refresh tickets have been disabled there, as they 
are only related to the PAM winbind module, which is not in use currently.

workgroup = COMPANY
netbios name = SMBTR01
domain master = no
local master = no
preferred master = no
server string =
wins support = no
wins server = dc1-fi.company.com
dns proxy = no
security = ads
encrypt passwords = yes
password server = dc1-fi.company.com
use kerberos keytab = yes
client use spnego = yes

# logging
log level = 2
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0

# disable printing
load printers = no
printing = bsd
printcap name = /dev/null
show add printer wizard = no
disable spoolss = yes

# winbind
#winbind separator = \
winbind use default domain = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
idmap backend = ldap:ldaps://ldaptr01.company.com:636
idmap cache time = 300
idmap negative cache time = 300

winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
winbind cache time = 300
winbind normalize names = yes
#winbind offline logon = yes
#winbind refresh tickets = yes

ldap suffix = dc=company,dc=com
ldap admin dn = cn=admin,dc=company,dc=com
ldap connection timeout = 5
ldap idmap suffix = ou=idmap

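An added diagnostic, not from this thread or from Samba itself: it parses nsswitch.conf lines and a PAM auth stack like the ones quoted above and reports which NSS databases will consult winbind at all, and whether pam_winbind is flagged or ordered so that local logins depend on winbindd answering. The sample configs are constructed from the thread; the function names are my own.

```python
import re

# Constructed samples mirroring the configs quoted in this thread.
NSSWITCH_SAMPLE = "passwd: files winbind\ngroup: files winbind\nshadow: files\n"
PAM_SAMPLE = ("auth  sufficient  pam_winbind.so\n"
              "auth  sufficient  pam_unix.so use_first_pass\n"
              "auth  required    pam_deny.so\n")

def parse_nsswitch(text):
    """Map each NSS database to its ordered service list, dropping comments
    and [STATUS=action] specs such as [NOTFOUND=return]."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, rest = line.split(":", 1)
        dbs[db.strip()] = re.sub(r"\[[^\]]*\]", " ", rest).split()
    return dbs

def databases_consulting(dbs, service):
    """Databases whose lookups can reach `service` (e.g. winbind); each one
    is a place where an unresponsive winbindd can stall a local login."""
    return [db for db, svcs in dbs.items() if service in svcs]

def parse_pam(text):
    """Return (type, control, module, args) tuples from a PAM config fragment."""
    rows = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3:
            rows.append((fields[0], fields[1], fields[2], fields[3:]))
    return rows

def pam_findings(rows, module="pam_winbind.so", local="pam_unix.so"):
    """Flag an auth stack whose local logins depend on the winbind module:
    'required'/'requisite' means local users fail or wait when winbindd is
    down; listing it before pam_unix means every login hits winbind first."""
    auth = [r for r in rows if r[0] == "auth"]
    found = []
    for _, control, mod, _ in auth:
        if mod == module and control in ("required", "requisite"):
            found.append(f"{module} is {control}: local auth depends on winbind")
    mods = [r[2] for r in auth]
    if module in mods and local in mods and mods.index(module) < mods.index(local):
        found.append(f"{module} precedes {local}: local users query winbind first")
    return found

def report(nss_text, pam_text):
    """Combine both checks into a list of human-readable findings."""
    hits = databases_consulting(parse_nsswitch(nss_text), "winbind")
    lines = [f"winbind consulted by NSS databases: {', '.join(hits) or 'none'}"]
    return lines + pam_findings(parse_pam(pam_text))
```

Run `report()` against the real /etc/nsswitch.conf and /etc/pam.d/common-auth to see at a glance whether a local account can complete a login without winbindd responding.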