samba - Apr 2007 - Issue with pam_winbind for MS AD authentication and module options

Hello!

I've configured samba with winbind and pam_winbind module to
authenticate users that connect to my linux box against MS AD.

Works like a charm. If a user exists both in AD and locally, login
should assume local users. Again, it works pretty well (It seems at
least with my current config).

If my AD server goes down for any reason, local users should be able to
login. For example, root has to login always no matter if my AD server
exploded.

That's where is the problem. When I shutdown my AD server and I try to
login with a local user (root as well), my guess is that it seems that
pam_winbind waits for a very very long time trying to find my AD server
to authenticate that even the local login times out. I don't really know
if that is the reason for this behaviour, but if it is, I'm wondering if
there is a hidden or maybe a new "timeout" option for pam_winbind
module
as I didn't found anything related in the man pages and the mailing
lists archive. Or maybe if login finds the user in the local database,
bypass winbind authentication, don't know if that is possible.

The reason why I came up with this idea is that when the AD server is
down and I try to login with root for eg. over and over many times,
after a while it goes (looks like pam config order is right), but a few
minutes later it won't again, which made me thought that perhaps winbind
or pam_winbind are trying to estabilish a connection with AD and somehow
because of that the whole process slows down so much that even local
login times out.

Samba is configured to catch UID's, GID's from AD using SFU and ad idmap
backend. Only users that are members of a specified AD group are able to
login. The purpose of the machine is to be an application server and
share folders based on AD users and group permissions.

My system is RHEL AS3 with update 7 and samba-3.0.24

Below are my pam lines in the system-auth file:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_winbind.so
try_first_pass require_membership_of=DOMAIN+group
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so nullok_secure
account     sufficient    /lib/security/$ISA/pam_winbind.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok
use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     required      /lib/security/$ISA/pam_mkhomedir.so umask=0022
skel=/etc/skel

Considering that if a user exists both in the local user database and
AD, login has to assume local user (seems to be working fine), could
someone give me a hint if I'm in the right path, and maybe an idea why
or what I could do when my AD servers goes down to my local users
(including root) log in normally??

Any help will be greatly appreciated,

Andre

Hi,

maybe this isn't exactly what you're looking for, but it could help you:

"pam_ccreds"

cached credentials, this should give you full access to your server even 
if the ad-server is down. I haven't used this module yet. Just found it 
today while looking for a solution concerning a similar issue.

Good luck!

Sebastian Knieschewski