Hello! Rowland penny via samba
On that day it was said...

> No, if you have 'winbind offline logon = yes' set that is it as far as Samba
> is concerned, you also have to set up PAM to use cached logins.
> Winbind caches the users passwd etc, but renews it if the cache time has
> been exceeded unless an AD DC cannot be contacted i.e. they are all offline.

Speaking simply (and, of course, supposing the bug is fixed):

a) NSS cache is permanent, and does not expire if there's NO DC reachable.

b) PAM cache needs 'winbind offline logon = yes', and cache times, eg:
     idmap cache time
     winbind cache time
   need to be tackled to suit the needs.

Right?

My misunderstanding is born of the fact that, to have a full ''roaming'' client work, it needs account and group existence (NSS) and password cache (PAM), and I have no clear idea how the different winbind options play in the game.

Thanks.

-- 
dott. Marco Gaiarin                                   GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
On 18/10/2019 10:19, Marco Gaiarin via samba wrote:
> Hello! Rowland penny via samba
> On that day it was said...
>
>> No, if you have 'winbind offline logon = yes' set that is it as far as Samba
>> is concerned, you also have to set up PAM to use cached logins.
>> Winbind caches the users passwd etc, but renews it if the cache time has
>> been exceeded unless an AD DC cannot be contacted i.e. they are all offline.
> Speaking simply (and, of course, supposing the bug is fixed):

It isn't fixed :-(

>
> a) NSS cache is permanent, and does not expire if there's NO DC
> reachable.

That is the way it is supposed to work, if you go offline (all DCs go down or you wander away with a laptop), the cache is used until you next connect to the domain (at least one DC comes back online or you wander back with the laptop), at which point the cache is refreshed.

>
> b) PAM cache needs 'winbind offline logon = yes',

Yes

> and cache times, eg:
> idmap cache time
> winbind cache time

No

>
> need to be tackled to suit the needs.
>
> Right?
>
>
> My misunderstanding is born of the fact that, to have a full ''roaming''
> client work, it needs account and group existence (NSS) and password
> cache (PAM), and I have no clear idea how the different winbind options play in
> the game.

You should normally just need 'winbind offline logon = yes' in smb.conf and 'cached_login' in PAM auth (common-auth file on Debian), but it doesn't seem to work now.

Rowland
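As an added example (not from the thread and not Samba's own code), a small Python check that audits the two settings Rowland names: 'winbind offline logon' in the [global] section of smb.conf and 'cached_login' on the pam_winbind.so auth line of common-auth. The file contents below are constructed samples and the function names are my own.

```python
import re

# Constructed sample smb.conf and PAM common-auth contents (not taken from the thread).
SMB_CONF_OK = """
[global]
   workgroup = EXAMPLE
   security = ADS
   winbind offline logon = yes
   winbind cache time = 300
[homes]
   browseable = no
"""

COMMON_AUTH_OK = """
# constructed Debian-style common-auth
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so krb5_auth cached_login try_first_pass
auth requisite pam_deny.so
"""

def smb_global_params(text):
    """Return {name: value} for the parameters set in the [global] section of an smb.conf."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].split(';', 1)[0].strip()   # drop smb.conf comments
        if not line:
            continue
        section = re.match(r'\[(.+)\]$', line)
        if section:
            in_global = section.group(1).strip().lower() == 'global'
            continue
        if in_global and '=' in line:
            name, value = line.split('=', 1)
            # smb.conf parameter names are case-insensitive; normalise internal whitespace
            params[re.sub(r'\s+', ' ', name.strip().lower())] = value.strip()
    return params

def pam_winbind_has_cached_login(text):
    """True if a non-comment 'auth' line loads pam_winbind.so with the cached_login option."""
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith('#') or fields[0] != 'auth':
            continue
        if 'pam_winbind.so' in fields and 'cached_login' in fields:
            return True
    return False

def offline_logon_problems(smb_conf, common_auth):
    """List what is missing for offline logons; an empty list means both sides are set."""
    problems = []
    value = smb_global_params(smb_conf).get('winbind offline logon', 'no').lower()
    if value not in ('yes', 'true', '1', 'on'):
        problems.append("smb.conf: 'winbind offline logon = yes' missing from [global]")
    if not pam_winbind_has_cached_login(common_auth):
        problems.append("PAM: no 'auth' line with pam_winbind.so and cached_login")
    return problems
```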
Hello! Rowland penny via samba
On that day it was said...

> > a) NSS cache is permanent, and does not expire if there's NO DC
> > reachable.
> That is the way it is supposed to work, if you go offline (all DCs go down
> or you wander away with a laptop), the cache is used until you next connect
> to the domain (at least one DC comes back online or you wander back with the
> laptop), at which point the cache is refreshed.

Wonderful.

> > b) PAM cache needs 'winbind offline logon = yes',
> Yes
> > and cache times, eg:
> > idmap cache time
> > winbind cache time
> No

Ok, but still I don't fully understand. The manpage says:

    winbind cache time (G)
        This parameter specifies the number of seconds the winbindd(8) daemon will cache
        user and group information before querying a Windows NT server again.
        This does not apply to authentication requests, these are always evaluated in
        real time unless the winbind offline logon option has been enabled.
        Default: winbind cache time = 300

and:

    idmap cache time (G)
        This parameter specifies the number of seconds that Winbind's idmap interface
        will cache positive SID/uid/gid query results. By default, Samba will cache
        these results for one week.
        Default: idmap cache time = 604800

and these, at least to me, apply more to the 'NSS' part than to the 'PAM' part...

Thanks.

-- 
dott. Marco Gaiarin