I'm having the hardest time trying to come up with the optimal configuration with NSS Winbind support. I want it to work right offline. That is, name lookups shouldn't take 30 minutes to time out or lock the system up. And if the name lookup is for a local name, I want Winbind to be 100% out of the picture.

I've tried this, without much luck:

    passwd: compat [SUCCESS=return] winbind
    groups: compat [SUCCESS=return] winbind

My naive understanding is that this would make name lookups that succeeded in `compat` completely avoid winbind. That was my understanding until I disconnected the machine and could not log in as root.

What am I missing?

On Thu, 2007-06-14 at 19:18 -0500, Jerome Haltom wrote:
> I'm having the hardest time trying to come up with the optimal
> configuration with NSS Winbind support. I want it to work right offline.
> That is, name lookups shouldn't take 30 minutes to time out or lock the
> system up. And if the name lookup is for a local name, I want Winbind to
> be 100% out of the picture.
>
> I've tried this, without much luck:
>
> passwd: compat [SUCCESS=return] winbind
> groups: compat [SUCCESS=return] winbind
>
> My naive understanding is that this would make name lookups that
> succeeded in `compat` completely avoid winbind. That was my understanding
> until I disconnected the machine and could not log in as root.
>
> What am I missing?
>

What do your PAM files look like?? What is your distribution? I know for a while that SUSE was putting winbind in as a required auth mechanism, which kind of sucks for anything offline or for local users. Try looking at it from that path. Perhaps a method of 'sufficient' would be good for all 4 methods (auth, acc, sess, pass).

Regards,
Frank

--- Jerome Haltom <wasabi@larvalstage.net> wrote:
> I'm having the hardest time trying to come up with the optimal
> configuration with NSS Winbind support. I want it to work right offline.
> That is, name lookups shouldn't take 30 minutes to time out or lock the
> system up. And if the name lookup is for a local name, I want Winbind to
> be 100% out of the picture.
>
> I've tried this, without much luck:
>
> passwd: compat [SUCCESS=return] winbind
> groups: compat [SUCCESS=return] winbind
>
> My naive understanding is that this would make name lookups that
> succeeded in `compat` completely avoid winbind. That was my understanding
> until I disconnected the machine and could not log in as root.
>

My nsswitch.conf looks like this (this is Solaris 8, btw):

    passwd: files winbind [NOTFOUND=return UNAVAIL=return TRYAGAIN=return]
    group: files winbind [NOTFOUND=return UNAVAIL=return TRYAGAIN=return]

Actually, only the TRYAGAIN=return was necessary to prevent the "hang till timeout" in my scenario, but I put in the rest just in case.

L8r,
Mike
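
The following is an added example, not part of any poster's message: a small model of how an nsswitch.conf line is walked for a single-name lookup, run against the lines quoted in this thread. It assumes glibc's documented defaults (SUCCESS=return, all other statuses continue) and that a bracketed action item applies to the source just before it; `parse_line`, `lookup` and the offline status maps are hypothetical names and constructed inputs.

```python
import re

# Assumed defaults (glibc): used when no [STATUS=action] item follows a source.
DEFAULTS = {"SUCCESS": "return", "NOTFOUND": "continue",
            "UNAVAIL": "continue", "TRYAGAIN": "continue"}

def parse_line(line):
    """Parse 'db: src [STATUS=action ...] src' into (db, [(src, actions)])."""
    db, _, rest = line.partition(":")
    chain = []
    for token in re.findall(r"\[[^\]]*\]|\S+", rest):
        if not token.startswith("["):
            chain.append((token, dict(DEFAULTS)))
            continue
        if not chain:
            raise ValueError("action item has no preceding source")
        for item in token[1:-1].split():
            negate = item.startswith("!")
            status, action = item.lstrip("!").split("=", 1)
            for s in DEFAULTS:
                # "!STATUS=x" sets x for every status except STATUS
                if (s != status.upper()) == negate:
                    chain[-1][1][s] = action.lower()
    return db.strip(), chain

def lookup(chain, status_of):
    """Walk the chain for one name; status_of maps source -> status.
    Returns (final_status, sources_consulted)."""
    status, consulted = "NOTFOUND", []
    for src, actions in chain:
        status = status_of[src]
        consulted.append(src)
        if actions[status] == "return":
            break
    return status, consulted

if __name__ == "__main__":
    # Constructed scenario: machine offline, so winbind answers TRYAGAIN.
    local = {"compat": "SUCCESS", "files": "SUCCESS", "winbind": "TRYAGAIN"}
    remote = {"compat": "NOTFOUND", "files": "NOTFOUND", "winbind": "TRYAGAIN"}
    for line in ("passwd: compat [SUCCESS=return] winbind",
                 "passwd: compat winbind",
                 "passwd: files winbind [NOTFOUND=return UNAVAIL=return TRYAGAIN=return]"):
        _, chain = parse_line(line)
        print(line, "| local:", lookup(chain, local), "| domain:", lookup(chain, remote))
```

The model covers single-name lookups only (getpwnam/getgrnam style); it does not model group-list enumeration at login or anything PAM does.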