[Samba] Offline logon and NSS...

Rowland penny rpenny at samba.org
Fri Oct 18 09:40:26 UTC 2019

On 18/10/2019 10:19, Marco Gaiarin via samba wrote:
> Mandi! Rowland penny via samba
>    In chel di` si favelave...
>> No, if you have 'winbind offline logon = yes' set that is it as far as Samba
>> is concerned, you also have to set up PAM to use cached logins.
>> Winbind caches the users passwd etc, but renews it if the cache time has
>> been exceeded unless an AD DC cannot be contacted i.e. they are all offline.
> Speaking simply (and, of couse, supposing bug fixed):
It isn't fixed :-(
> a) NSS cache are permanent, and does not expire if there's NO DC
>   reachable.
That is the way it is supposed to work, if you go offline (all DCs go 
down or you wander away with a laptop), the cache is used until you next 
connect to the domain (at least one DC comes back online or you wander 
back with the laptop), at which point the cache is refreshed.
> b) PAM cache need 'winbind offline logon = yes',
>   and cache times, eg:
> 	idmap cache time
> 	winbind cache time
>   need to be tackled to suit the needs.
> Righ?
> My misundestanding born by the fact that, to have full ''roaming''
> client to work, it need account and group existance (NSS) and password
> cache (PAM), ant i've no clear how the different winbind options play in
> the game.

You should normally just need 'winbind offline logon = yes' in smb.conf 
and 'cached_login' in PAM auth (common-auth file on Debian), but it 
doesn't seem to work now.


More information about the samba mailing list