[Samba] winbind : suspend nightmare

Jon Gerdes gerdesj at blueloop.net
Wed Oct 23 23:58:33 UTC 2019

On Tue, 2019-10-22 at 22:26 -0700, Jeremy Allison via samba wrote:
> On Mon, Oct 21, 2019 at 10:07:20AM +0200, Prunk Dump via samba wrote:
> > I don't know if winbind "officially" supports suspending. Currently I
> > have written a systemd hook that kills winbind before suspend and
> > restarts it after.
> It hasn't been tested in that mode as far as I know.
> Congratulations, you're the first ! :-).

(Sorry for the wall of words)

Not exactly the first. I have been using winbind for several years now
to integrate my workstations and laptops into a Windows world.  My goal
is to be able to hand a Linux laptop to an end user and off they trot
with everything in place and properly usable.

I'm rather close to my goal.  Evolution for Exchange, LibreOffice for,
errrr, office, Kerberos all over the shop for as much as possible (Evo
EWS can do Kerb).  autofs with mount.cifs and Kerb for "drive
mappings". CUPS can take Kerb auth and supports everything that prints
(ta Apple).  You can import your AD CA cert into the OpenSSL trust store
so LDAPS works properly, and your browsers can be persuaded to trust it
as well. If you enable NDES on your AD CA then you can grab SSL certs
for your Linux boxes with Certmonger, and then you can do Wi-Fi 802.1X,
trusted web servers, etc.

The last major hurdle is the laptop experience, i.e. suspend/resume.  To
be honest it isn't too bad and not too far from using Windows, but
Windows will always allow you to log in with cached creds, whereas a
winbind based box will give you a fairly random result.

I use nss_winbind and the rid idmap backend to get the same user on each
device.  It really does work very nicely for ethernet wired
workstations: everything wakes up in a short time, and by then the
user is available for auth via winbind.  On a laptop with, say, VPNs over
wifi to wake up, you have to wait a while, otherwise your userid will
come up as unknown, and it looks like there is some sort of caching
(I've binned nscd) for quite a while.  If you restart winbind then the
userid will become available much quicker, so that systemd hook sounds
like a great idea, which I will try out soon.

winbind has a concept of offline and online, but I don't know what that
is, nor how nss works with it.  I've tried using smbcontrol to tell
winbind it is offline or online, but that does not seem to work.
Restarting winbind normally gets my account working again. If I had to
guess, then offline and online mean "network available" (layer 2/3) and
not "AD available" (layer 3/4).
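The following is an added illustration of the kind of systemd sleep hook discussed in this thread; it is not the hook Prunk Dump wrote, nor anything from the Samba project. systemd-sleep(8) runs every executable in /usr/lib/systemd/system-sleep/ twice per cycle, with "pre" or "post" as the first argument and the sleep action (suspend, hibernate, hybrid-sleep, suspend-then-hibernate) as the second. The script below stops winbind before the box goes down and, after resume, starts it again and then polls `wbinfo --ping-dc` so that you can see in the journal when a DC actually became reachable. Assumptions: the service is named "winbind" (Debian/Ubuntu; Fedora calls it "winbindd", override via WINBIND_UNIT), and wbinfo, systemctl and logger are on PATH. The 60 second wait is an arbitrary default.

```shell
#!/bin/sh
# Added example: a systemd-sleep(8) hook for winbind on laptops.
# Install as /usr/lib/systemd/system-sleep/winbind-suspend, mode 0755.
# systemd calls it as:  <script> pre|post suspend|hibernate|hybrid-sleep|suspend-then-hibernate
# Assumptions (not from the original thread): the unit is "winbind.service"
# (Fedora: winbindd.service), wbinfo/systemctl/logger are on PATH.

WINBIND_UNIT="${WINBIND_UNIT:-winbind}"   # assumed unit name, overridable
DC_WAIT_SECS="${DC_WAIT_SECS:-60}"        # arbitrary default for the post-resume poll

# Decide what to do for the phase systemd hands us.  Prints one command per
# line so the decision can be inspected (and tested) without running anything.
# Returns 1 for a phase we do not recognise, so a typo in a unit file is loud.
plan_actions() {
    phase="$1"
    case "$phase" in
        pre)
            printf '%s\n' "systemctl stop ${WINBIND_UNIT}.service"
            ;;
        post)
            printf '%s\n' "systemctl start ${WINBIND_UNIT}.service"
            printf '%s\n' "wait_for_dc ${DC_WAIT_SECS}"
            ;;
        *)
            return 1
            ;;
    esac
}

# After resume, poll winbind until it reports a reachable DC or we give up.
# wbinfo --ping-dc asks winbindd to check its NETLOGON connection to a DC,
# which is the "AD available" state the thread distinguishes from "link up".
wait_for_dc() {
    limit="$1"
    elapsed=0
    while [ "$elapsed" -lt "$limit" ]; do
        if wbinfo --ping-dc >/dev/null 2>&1; then
            logger -t winbind-suspend "DC reachable ${elapsed}s after resume"
            return 0
        fi
        sleep 2
        elapsed=$((elapsed + 2))
    done
    logger -t winbind-suspend "no DC reachable ${limit}s after resume; winbind stays offline"
    return 1
}

# Execute the plan for this (phase, action) pair, logging each step to the journal.
run_hook() {
    phase="$1"
    action="$2"
    plan_actions "$phase" | while IFS= read -r cmd; do
        logger -t winbind-suspend "${phase}/${action}: ${cmd}"
        eval "$cmd"
    done
}

# Only act when invoked by systemd-sleep with its two arguments; running or
# sourcing the file with no arguments (e.g. for a dry check) does nothing.
if [ "$#" -eq 2 ]; then
    run_hook "$1" "$2"
fi
```

Two practical notes. First, stopping winbind on "pre" means nothing can resolve AD users while the hook is running, so keep it last in the "pre" ordering if other sleep hooks need name lookups. Second, whether the logged-in user can still unlock the screen while wait_for_dc is polling depends on the smb.conf setting `winbind offline logon`, which controls whether winbind will honour cached credentials when no DC is reachable; that setting, not the hook, decides the "random result" behaviour described above.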
