Hi Samba-team

I am using winbind 4.14 from Louis' repo on Debian Buster on a machine that has joined a Samba4 AD domain

/etc/nsswitch.conf

    passwd:         files systemd winbind
    group:          files systemd winbind
    shadow:         files
    gshadow:        files

/etc/smb.conf

    [global]
        interfaces = lo
        bind interfaces only = yes
        netbios name = HOST1
        security = ADS
        realm = EXAMPLE.COM
        workgroup = EXAMPLE
        idmap config example:backend = ad
        idmap config example:schema_mode = rfc2307
        idmap config example:unix_primary_group = yes
        idmap config example:unix_nss_info = yes
        idmap config example:range = 1001-100000  # low uid is on purpose
        idmap config *:backend = tdb
        idmap config *:range = 1000000-1999999
        winbind nss info = rfc2307
        winbind cache time = 300
        winbind enum groups = no
        winbind enum users = no
        winbind expand groups = 10
        winbind normalize names = no
        winbind offline logon = yes
        lock directory = /var/cache/samba
        winbind refresh tickets = yes
        winbind scan trusted domains = no
        winbind use default domain = yes
        kerberos method = secrets and keytab
        kerberos encryption types = strong
        rpc server dynamic port range = 50000-55000
        ntlm auth = mschapv2-and-ntlmv2-only
        disable netbios = yes
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes
        smb ports = 445
        template homedir = /home/%U
        template shell = /bin/bash
        tls enabled = yes
        tls keyfile = /var/lib/samba/private/tls/host1.example.com.key
        tls certfile = /etc/ssl/certs/host1.example.com.crt
        tls cafile = /etc/ssl/certs/ca.pem
        smbd profiling level = on
        server min protocol = SMB3
        client min protocol = SMB3
        client max protocol = SMB3
        restrict anonymous = 2
        map acl inherit = yes
        store dos attributes = yes
        tls priority = -VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
        # smb encrypt = desired

The command 'id testuser' properly returns the user and group information with the network connected.
However when I pull the network plug and wait a little and then issue the same command it hangs.

It looks like the winbind is not going to cached nss info but still tries to go to the Samba4 AD controller.

What am I missing in the configuration?

- Kees

On Mon, 2021-07-26 at 21:13 +0200, Kees van Vloten via samba wrote:
> Hi Samba-team
>
> I am using winbind 4.14 from Louis' repo on Debian Buster on a machine
> that has joined a Samba4 AD domain
>
> The command 'id testuser' properly returns the user and group
> information with the network connected.
> However when I pull the network plug and wait a little and then issue
> the same command it hangs.

Has 'testuser' logged into the computer ?

> It looks like the winbind is not going to cached nss info but still tries
> to go to the Samba4 AD controller.

Do you have a line in /etc/pam.d/common-auth like this:

    auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass

> What am I missing in the configuration?

Nothing that I can see, you have a few lines in smb.conf that you don't really need and I do not understand why 'winbind expand groups' is set to '10'

Rowland
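
The two settings this thread touches on for cached logons, 'winbind offline logon' in smb.conf and the cached_login option on the pam_winbind.so line, can be checked mechanically. The script below is an added example, not code from either poster or from the Samba project; the function names and the sample files it writes are constructed for illustration.

```shell
#!/bin/sh
# Added example. File paths are arguments; the sample files are constructed.

# Print the lower-cased value of a [global] parameter. smb.conf ignores case
# and whitespace in section and parameter names, so compare them normalised.
smbconf_global() {  # usage: smbconf_global FILE "parameter name"
    awk -v want="$2" '
        function name(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        /^[ \t]*[#;]/ { next }                      # comment line
        /^[ \t]*\[/   { sect = name($0); next }     # section header
        sect == "[global]" && (i = index($0, "=")) {
            if (name(substr($0, 1, i - 1)) == name(want))
                val = tolower(trim(substr($0, i + 1)))
        }
        END { print val }' "$1"
}

# Succeed if an active auth line for pam_winbind.so carries cached_login.
pam_has_cached_login() {  # usage: pam_has_cached_login PAM_FILE
    awk '
        /^[ \t]*#/ { next }
        $1 ~ /^-?auth$/ && /pam_winbind\.so/ {
            for (i = 1; i <= NF; i++) if ($i == "cached_login") found = 1
        }
        END { exit !found }' "$1"
}

check_offline_logon() {  # usage: check_offline_logon SMB_CONF PAM_FILE
    rc=0
    case "$(smbconf_global "$1" "winbind offline logon")" in
        yes|true|on|1) echo "ok: winbind offline logon is enabled in $1" ;;
        *) echo "missing: 'winbind offline logon = yes' in [global] of $1"; rc=1 ;;
    esac
    if pam_has_cached_login "$2"; then
        echo "ok: pam_winbind.so auth line has cached_login in $2"
    else
        echo "missing: cached_login on the pam_winbind.so auth line in $2"; rc=1
    fi
    return $rc
}

# Constructed sample input, not the poster's real files.
tmp=$(mktemp -d)
printf '[global]\n\tsecurity = ADS\n\tWinbind Offline Logon = Yes\n' > "$tmp/smb.conf"
printf 'auth [success=1 default=ignore] pam_winbind.so krb5_auth cached_login try_first_pass\n' > "$tmp/good-auth"
printf 'auth [success=1 default=ignore] pam_winbind.so krb5_auth try_first_pass\n' > "$tmp/bad-auth"
check_offline_logon "$tmp/smb.conf" "$tmp/good-auth"
check_offline_logon "$tmp/smb.conf" "$tmp/bad-auth" || echo "bad-auth lacks cached_login"
```

On a real host the arguments would be /etc/samba/smb.conf (or wherever smb.conf lives) and /etc/pam.d/common-auth. The check reads only the PAM line, so a cached_login setting in /etc/security/pam_winbind.conf is not seen.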