[Samba] winbind offline nss "hangs"

Kees van Vloten keesvanvloten at gmail.com
Mon Jul 26 19:13:39 UTC 2021

Hi Samba-team

I am using winbind 4.14 from Louis' repo on Debian Buster on a machine 
that has joined a Samba4 AD domain.

passwd:         files systemd winbind
group:          files systemd winbind
shadow:         files
gshadow:        files

         interfaces = lo
         bind interfaces only = yes
         netbios name = HOST1
         security = ADS
         realm = EXAMPLE.COM
         workgroup = EXAMPLE
         idmap config example:backend = ad
         idmap config example:schema_mode = rfc2307
         idmap config example:unix_primary_group = yes
         idmap config example:unix_nss_info = yes
         idmap config example:range = 1001-100000  # low uid is on purpose
         idmap config *:backend = tdb
         idmap config *:range = 1000000-1999999
         winbind nss info = rfc2307
         winbind cache time = 300
         winbind enum groups = no
         winbind enum users = no
         winbind expand groups = 10
         winbind normalize names = no
         winbind offline logon = yes
         lock directory = /var/cache/samba
         winbind refresh tickets = yes
         winbind scan trusted domains = no
         winbind use default domain = yes
         kerberos method = secrets and keytab
         kerberos encryption types = strong
         rpc server dynamic port range = 50000-55000
         ntlm auth = mschapv2-and-ntlmv2-only
         disable netbios = yes
         load printers = no
         printing = bsd
         printcap name = /dev/null
         disable spoolss = yes
         smb ports = 445
         template homedir = /home/%U
         template shell = /bin/bash
         tls enabled = yes
         tls keyfile = /var/lib/samba/private/tls/host1.example.com.key
         tls certfile = /etc/ssl/certs/host1.example.com.crt
         tls cafile = /etc/ssl/certs/ca.pem
         smbd profiling level = on
         server min protocol = SMB3
         client min protocol = SMB3
         client max protocol = SMB3
         restrict anonymous = 2
         map acl inherit = yes
         store dos attributes = yes
         tls priority = -VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
         # smb encrypt = desired

The command 'id testuser' properly returns the user and group 
information with the network connected.
However, when I pull the network plug, wait a little and then issue 
the same command, it hangs.
It looks like winbind is not going to the cached NSS info but still tries 
to go to the Samba4 AD controller.

What am I missing in the configuration?

- Kees
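As an added diagnostic for the symptom in this message, not from the original post or from the Samba project: a small POSIX sh script that runs the `id` lookup under a deadline so a hang can be measured instead of waited out, reports winbind's own online/offline view with `wbinfo --online-status`, and reproduces the offline case with `smbcontrol winbindd offline` rather than pulling the cable. It assumes GNU coreutils `timeout` and Samba's `wbinfo`/`smbcontrol` are installed, that the smbcontrol steps run as root, and it uses `testuser` and a 10 second budget as placeholders.

```shell
#!/bin/sh
# Added diagnostic for "id testuser hangs when the network is down".
# Not part of the original post. Assumes GNU coreutils `timeout` and, where
# used, Samba's `wbinfo` and `smbcontrol`. Run as root for the smbcontrol steps.

# probe_lookup SECONDS USER
# Runs `id USER` under a deadline and classifies the outcome:
#   resolved  answered (from winbind's cache or from the DC)
#   unknown   answered "no such user" quickly; a failure, but not a hang
#   hung      no answer within SECONDS; the behaviour described in the post
probe_lookup() {
    secs=$1
    user=$2
    if ! command -v timeout >/dev/null 2>&1; then
        # Without coreutils timeout the lookup runs unbounded (no hang detection).
        if id "$user" >/dev/null 2>&1; then echo resolved; else echo unknown; fi
        return 0
    fi
    if timeout "$secs" id "$user" >/dev/null 2>&1; then
        rc=0
    else
        rc=$?
    fi
    case $rc in
        0)   echo resolved ;;
        124) echo hung ;;       # GNU timeout exits 124 when the deadline expires
        *)   echo unknown ;;
    esac
}

# winbind_view
# Prints winbind's own idea of whether the domain is online or offline
# (wbinfo --online-status), or "no-wbinfo" when the winbind tools are absent.
winbind_view() {
    if command -v wbinfo >/dev/null 2>&1; then
        wbinfo --online-status 2>&1 || echo "winbindd not reachable"
    else
        echo no-wbinfo
    fi
}

# reproduce_offline SECONDS USER
# Forces winbindd into offline mode with smbcontrol (no cable pulling),
# shows winbind's state, probes the lookup, then brings winbindd back online.
# Requires root. Prints the probe result last.
reproduce_offline() {
    smbcontrol winbindd offline || return 1
    winbind_view
    result=$(probe_lookup "$1" "$2")
    smbcontrol winbindd online || echo "warning: could not switch winbindd back online" >&2
    echo "$result"
}

# Usage (placeholders: 10 second budget, account "testuser"):
#   probe_lookup 10 testuser
#   winbind_view
#   reproduce_offline 10 testuser
```

Compare the `probe_lookup` result with the network connected, after `smbcontrol winbindd offline`, and after physically disconnecting: if the forced-offline run resolves from cache but the unplugged run reports `hung`, the difference is in how winbindd detects the loss of the DC, not in the cache itself; if both hang, the cached NSS path is not being used at all.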
