[Samba] winbind offline nss "hangs"

Kees van Vloten keesvanvloten at gmail.com
Mon Jul 26 20:02:31 UTC 2021 

On 26-07-2021 21:37, Rowland Penny via samba wrote:
> On Mon, 2021-07-26 at 21:13 +0200, Kees van Vloten via samba wrote:
>> Hi Samba-team
>>
>>
>> I am using winbind 4.14 from Louis' repo on Debian Buster on a
>> machine
>> that has joined a Samba4 AD domain
>>
>> The command 'id testuser' properly returns the user and group
>> information with the network connected.
>> However when I pull the network plug and wait a little and then
>> issue
>> the same command it hangs.
> Has 'testuser' logged into the computer ?
>
>> I looks like the winbind is not going to cached nss info but still
>> tries
>> to go the Samba4 AD controller.
> Do you have a line in /etc/pam.d/common-auth like this:
>
> auth    [success=1 default=ignore]      pam_winbind.so krb5_auth
> krb5_ccache_type=FILE cached_login try_first_pass
>
>> What am I missing in the configuration?
> Nothing that I can see, you have a few lines in smb.conf that you don't
> really need and I do not understand why 'winbind expand groups' is set
> to '10'
>
> Rowland
>
>
>
'testuser' has successfully logged on and it shows up in 'net cache 
samlogon list'.

/etc/pam.d/common-auth (was setup like this by the deb package):
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth 
krb5_ccache_type=FILE cached_login try_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

The setting 'winbind expand groups' is set to use nested-groups (to 10 
levels deep).  I do have nested groups in the ldap structure on samba4 
(but far less than 10 levels). Do tell me if I misunderstood the meaning 
of the setting...

- Kees

More information about the samba mailing list