[Samba] Offline logon and NSS...
rpenny at samba.org
Fri Oct 18 09:40:26 UTC 2019
On 18/10/2019 10:19, Marco Gaiarin via samba wrote:
> Hello! Rowland penny via samba
> On that day it was said...
>> No, if you have 'winbind offline logon = yes' set that is it as far as Samba
>> is concerned, you also have to set up PAM to use cached logins.
>> Winbind caches the users passwd etc, but renews it if the cache time has
>> been exceeded unless an AD DC cannot be contacted i.e. they are all offline.
> Speaking simply (and, of course, supposing bug fixed):
It isn't fixed :-(
> a) NSS cache is permanent, and does not expire if there's NO DC
That is the way it is supposed to work, if you go offline (all DCs go
down or you wander away with a laptop), the cache is used until you next
connect to the domain (at least one DC comes back online or you wander
back with the laptop), at which point the cache is refreshed.
> b) PAM cache needs 'winbind offline logon = yes',
> and cache times, e.g.:
> idmap cache time
> winbind cache time
> need to be tackled to suit the needs.
> My misunderstanding was born from the fact that, to have a full ''roaming''
> client work, it needs account and group existence (NSS) and password
> cache (PAM), and I'm not clear on how the different winbind options play in
> the game.
You should normally just need 'winbind offline logon = yes' in smb.conf
and 'cached_login' in PAM auth (common-auth file on Debian), but it
doesn't seem to work now.
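
The two settings named above can be audited together. This is an added example, not part of the original message and not Samba's own tooling; the function names are hypothetical, the file paths are passed as arguments, and the sample file contents are constructed. It confirms configuration only, not that a cached logon actually succeeds.

```shell
#!/bin/sh
# Added example: audit the two settings named in this thread.

# 0 if 'winbind offline logon' is yes/true/1. smb.conf ignores case and
# whitespace in parameter names; '#' and ';' start comment lines.
# Simplification: sections are ignored and the last occurrence wins.
smb_offline_logon_enabled() {
    sed -e 's/^[[:space:]]*//' -e '/^[#;]/d' "$1" |
    awk -F= '
        { key = tolower($1); gsub(/[ \t]/, "", key) }
        key == "winbindofflinelogon" {
            val = tolower($2); gsub(/[ \t]/, "", val)
            found = (val == "yes" || val == "true" || val == "1")
        }
        END { exit (found ? 0 : 1) }'
}

# 0 if an uncommented auth line for pam_winbind.so carries cached_login.
pam_cached_login_enabled() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "auth" && /pam_winbind\.so/ {
            for (i = 2; i <= NF; i++) if ($i == "cached_login") ok = 1
        }
        END { exit (ok ? 0 : 1) }' "$1"
}

# $1 = smb.conf path, $2 = PAM auth file (common-auth on Debian).
audit_offline_logon() {
    rc=0
    smb_offline_logon_enabled "$1" ||
        { echo "smb.conf: 'winbind offline logon = yes' not set"; rc=1; }
    pam_cached_login_enabled "$2" ||
        { echo "PAM: pam_winbind auth line lacks cached_login"; rc=1; }
    return $rc
}

# Constructed sample files, not taken from a real host.
demo=$(mktemp -d)
printf '[global]\n   Winbind Offline Logon = Yes\n' > "$demo/smb.conf"
printf 'auth [success=1 default=ignore] pam_winbind.so krb5_auth try_first_pass\n' \
    > "$demo/common-auth"
if audit_offline_logon "$demo/smb.conf" "$demo/common-auth"; then
    echo "both settings present"
fi
```

On the constructed samples the smb.conf half passes and the PAM half is reported as missing cached_login.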