Hello list users,

I have been struggling to make my AD integrated Debian Lenny box work fluently also when network connectivity is down. What I would like to achieve:

1) When no network is available, local users should still work normally
2) If possible, AD located users should still be able to log in if they have previously logged in successfully (cached login)

Number 2 is more like optional, but number 1 would be very much needed. However, it seems that winbind somehow blocks the login process for local accounts too if it is not able to get a network connection to AD during system boot. These are the relevant lines in my nsswitch.conf:

passwd: files winbind
group: files winbind
shadow: files

Now, I would think that with this configuration, no matter what the status of the winbindd daemon is, local users like root should be able to log in. But that is not the case here. The login hangs for about 5 minutes, and after that it succeeds. If I remove winbind from nsswitch.conf or configure the init system so that winbindd is not started up during boot, then logins for local accounts go through normally.

Currently I use pam_krb5 for authentication, but I have also tried pam_winbind. This does not affect the outcome; logins for local users are very slow when the machine is not on the network, no matter what the PAM configuration is. Nsswitch seems to be the culprit here; for some reason it wants to query winbind even though the user in question is local. And on the other hand, winbindd seems to be in an unresponsive state after startup if it does have a connection to AD. Some logs in winbind.log which might be related to this:

[2009/10/16 14:32:16, 0] winbindd/winbindd_dual.c:async_request_timeout_handler(182)
  async_request_timeout_handler: child pid 2418 is not responding. Closing connection to it.
[2009/10/16 14:32:16, 1] winbindd/winbindd_util.c:trustdom_recv(260)
  Could not receive trustdoms

When the machine is online and winbindd is able to open connections to AD, everything works OK. So I believe that the winbind configuration should be OK also. Samba/Winbind version used is 3.2.5.

Any clues how to
a) make nsswitch understand that I do not want it to query anything from winbind if the user is found in local files
b) make winbind somehow responsive also in the situation where it has to start up without a network connection

Any help or pointers would be greatly appreciated.

Regards,
Petteri Heinonen
On Fri, 2009-10-16 at 14:37 +0300, Petteri Heinonen wrote:
> Hello list users,
>
> I have been struggling to make my AD integrated Debian Lenny box to work fluently also when network connectivity is down. What I would like to achieve:
>
> 1) When no network available, local user should still work normally
> 2) If possible, AD located users should still be able to login if they have previously logged in successfully (cached login)
>
> Number 2 is more like optional, but number 1 would be very much needed. However, it seems that winbind somehow blocks login process for local accounts too if it is not able to get network connection to AD during system boot. These are the relevant lines in my nsswitch.conf:
>
> passwd: files winbind
> group: files winbind
> shadow: files
>

I think this does what you want, allowing local accounts to still function...

passwd: compat [!NOTFOUND=return] winbind
group: compat winbind
shadow: compat
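As an added check (an example script written for this page, not code from the thread), the audit below reads an nsswitch.conf, flags passwd/group entries that list winbind with no [STATUS=action] specifier in front of it, and prints the [!NOTFOUND=return] form suggested above. The two sample files are constructed; the audit applies the same rule to the group line, which the suggestion above leaves without the action.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an nsswitch.conf for the
# layout the original poster has ("files winbind" with no action specifier)
# and print the form suggested in the reply, e.g. "compat [!NOTFOUND=return] winbind".

# Print one line per database (passwd/group/shadow) where winbind is consulted
# after the local source with no [STATUS=action] specifier in between.
audit_nsswitch() {
    file=$1
    for db in passwd group shadow; do
        # First entry for this database: key removed, trailing comment dropped,
        # runs of blanks squeezed to single spaces.
        line=$(sed -n "s/^[[:space:]]*$db:[[:space:]]*//p" "$file" \
               | sed 's/#.*//' | tr -s '[:blank:]' ' ' | head -n 1)
        case " $line " in
            *" winbind "*)
                before=${line%%winbind*}      # sources listed before winbind
                case "$before" in
                    *=*\]*) ;;                # an action such as [!NOTFOUND=return] is present
                    *) echo "$db: '$line' -> suggest '${before%% *} [!NOTFOUND=return] winbind'" ;;
                esac ;;
        esac
    done
}

# Number of flagged databases (0 when nothing is printed).
count_flagged() { audit_nsswitch "$1" | awk 'END { print NR }'; }

# Constructed sample: the poster's configuration.
WEAK=$(mktemp)
cat > "$WEAK" <<'EOF'
passwd:         files winbind
group:          files winbind
shadow:         files
hosts:          files dns
EOF

# Constructed sample: the reply's suggestion. Its group line still has no
# action, so the audit reports that one too.
FIXED=$(mktemp)
cat > "$FIXED" <<'EOF'
passwd: compat [!NOTFOUND=return] winbind
group:  compat winbind
shadow: compat
EOF
trap 'rm -f "$WEAK" "$FIXED"' EXIT

audit_nsswitch "$WEAK"
audit_nsswitch "$FIXED"
```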
James Zuelow
Network Specialist
City and Borough of Juneau MIS
(907)586-0236

> -----Original Message-----
> From: samba-bounces at lists.samba.org
> [mailto:samba-bounces at lists.samba.org] On Behalf Of Petteri Heinonen
> Sent: Friday, 16 October, 2009 03:37
> To: samba at lists.samba.org
> Subject: [Samba] nss_winbind / offline logon
>
> Hello list users,
>
> I have been struggling to make my AD integrated Debian Lenny box to work fluently also when network connectivity is down. What I would like to achieve:
>
> 1) When no network available, local user should still work normally
> 2) If possible, AD located users should still be able to login if they have previously logged in successfully (cached login)
>
> Number 2 is more like optional, but number 1 would be very much needed. However, it seems that winbind somehow blocks login process for local accounts too if it is not able to get network connection to AD during system boot. These are the relevant lines in my nsswitch.conf:
>
> passwd: files winbind
> group: files winbind
> shadow: files
>
> Now, I would think that with this configuration, that no matter what is the status of winbindd daemon, local users like root should be able to login. But that is not the case here. The login hangs for about 5 minutes, and after that it succeeds. If I remove winbind from nsswitch.conf or configure init system so that winbindd is not started up during boot, then logins for local accounts go through normally.
>
> a) make nsswitch understand that I do not want it to query anything from winbind if user is found from local files
> b) make winbind even somehow responsive also upon the situation where it has to start up without network connection
>
> Any help or pointers would be greatly appreciated.
>

So for goal number 1, local user logins (hopefully without a 5 minute pause), I would check your PAM configuration. The first thing to look at is to make sure that pam_winbind.so is set up as sufficient, and not required. If it is sufficient and your PAM is set up like this:

auth sufficient pam_winbind.so
auth sufficient pam_unix.so use_first_pass

what happens if you swap places, so that pam_unix comes before pam_winbind?

I no longer have a system set up for AD account logins, so I can't test. This is from memory from when I had a laptop (Debian Lenny even) that would do AD account logins, but it would always allow local account logins when the network was disconnected, without a long pause.

HTH!

James