We have our Linux servers set up to authenticate against Windows AD using
idmap config DOMAIN: backend = RID
When a domain user logs in to the system, all works fine. If it's their
first time logging in then their home directory is created, and by using
RID backend, all UIDs are consistent across all Linux servers.
If we stop winbind, processes running under the username no longer show
username, but show the UID. Same for file ownership, instead of ls -al
showing jsmith as owner, it would return 8756. They return to normal
once winbind is started again.
Also, with winbind stopped, it is impossible for a non-root or
non-system account to log in to the server.
We have no user IDs in /etc/passwd, save for system accounts and root
obviously, and if we try to add an existing domain user using useradd,
it says Account already exists.
So my question is, how can we set it up so that if winbind becomes
unavailable, or the domain controller is offline, someone can still
log in to the machine using their domain account?
I did enable winbind offline logon = yes in smb.conf as well as
cached_login = yes in /etc/security/pam_winbind.conf and restarted samba
and winbind but that didn't seem to help.
Thanks,
Taylor