On 08/01/2021 10:41, raphael grosjean via samba wrote:> Hello,
>
> When loggin on, on a domain member, when the DC is not reachable, the
loggon succeed but with a delay of 2 minutes.
>
> How can we short the delay before going in offline mode for winbind ?
>
> Thanks,
>
> Rapha?l
>
> #
> # pam_winbind configuration file
> #
> # /etc/security/pam_winbind.conf
> #
> # For more details see man pam_winbind.conf(5)
>
> [global]
>
> cached_login = yes
>
> -----
>
> [global]
>
> workgroup = CHAPINS-TEST
> security = ADS
> realm = CHAPINS-TEST.ORG
>
> winbind refresh tickets = Yes
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> winbind use default domain = yes
>
> winbind offline logon = yes
>
> winbind enum users = yes
> winbind enum groups = yes
>
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> # Default ID mapping configuration for local BUILTIN accounts
> # and groups on a domain member. The default (*) domain:
> # - must not overlap with any domain ID mapping configuration!
> # - must use a read-write-enabled back end, such as tdb.
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> # - You must set a DOMAIN backend configuration
> # idmap config for the CHAPINS-TEST domain
> idmap config CHAPINS-TEST : backend = rid
> idmap config CHAPINS-TEST : range = 10000-999999
>
> # Template settings for login shell and home directory
> template shell = /bin/bash
> template homedir = /home/%U
>
> username map = /etc/samba/user.map
>
>
>
>
Have you read this:
https://wiki.samba.org/index.php/PAM_Offline_Authentication
You will also need the pam kerberos lib installed (libpam-krb5 on Debian)
Rowland