James Zuelow Network Specialist City and Borough of Juneau MIS (907)586-0236
> -----Original Message-----
> From: samba-boun...@lists.samba.org
> [mailto:samba-boun...@lists.samba.org] On Behalf Of Petteri Heinonen
> Sent: Friday, 16 October, 2009 03:37
> To: samba@lists.samba.org
> Subject: [Samba] nss_winbind / offline logon
>
> Hello list users,
>
> I have been struggling to make my AD integrated Debian Lenny
> box to work fluently also when network connectivity is down.
> What I would like to achieve:
>
> 1) When no network available, local user should still work normally
> 2) If possible, AD located users should still be able to
> login if they have previously logged in successfully (cached login)
>
> Number 2 is more like optional, but number 1 would be very
> much needed. However, it seems that winbind somehow blocks
> login process for local accounts too if it is not able to get
> network connection to AD during system boot. These are the
> relevant lines in my nsswitch.conf:
>
> passwd: files winbind
> group: files winbind
> shadow: files
>
> Now, I would think that with this configuration, that no
> matter what is the status of winbindd daemon, local users
> like root should be able to login. But that is not the case
> here. The login hangs for about 5 minutes, and after that it
> succeeds. If I remove winbind from nsswitch.conf or configure
> init system so that winbindd is not started up during boot,
> then logins for local accounts go through normally.
>
> a) make nsswitch understand that I do not want it to query
> anything from winbind if user is found from local files
> b) make winbind even somehow responsive also upon the
> situation where it has to start up without network connection
>
> Any help or pointers would be greatly appreciated.
>

So for goal number 1, local user logins (hopefully without a 5 minute pause) I would check your PAM configuration. The first thing to look at is to make sure that pam_winbind.so is set up as sufficient, and not required.

If it is sufficient and your pam is set up like this:

    auth sufficient pam_winbind.so
    auth sufficient pam_unix.so use_first_pass

What happens if you swap places, so that pam_unix comes before pam_winbind?

I no longer have a system set up for AD account logins, so I can't test. This is from memory when I had a laptop (Debian Lenny even) that would do AD account logins, but it would always allow local account logins when the network was disconnected without a long pause.

HTH!

James
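
The two checks suggested in the reply above, as an added example that is not part of the original message: a small script that parses the `auth` lines of a PAM service file and reports whether pam_winbind.so is marked something other than `sufficient` and whether it is tried before pam_unix.so. The function names and the sample stacks are constructed for illustration.

```python
def parse_auth_stack(text):
    """Return (control, module, args) for every 'auth' line, in file order."""
    stack = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        # Service-file format: type control module [arguments...]
        if len(fields) < 3 or fields[0].lstrip("-") != "auth":
            continue
        rest = fields[1:]
        if rest[0].startswith("["):
            # Bracketed control such as [success=1 default=ignore]
            end = next((i for i, f in enumerate(rest) if f.endswith("]")), None)
            if end is None or end + 1 >= len(rest):
                continue
            control, rest = " ".join(rest[:end + 1]), rest[end + 1:]
        else:
            control, rest = rest[0], rest[1:]
        stack.append((control, rest[0].rsplit("/", 1)[-1], rest[1:]))
    return stack


def review_auth_stack(text):
    """Report the two points the reply raises about pam_winbind.so."""
    stack = parse_auth_stack(text)
    modules = [module for _, module, _ in stack]
    findings = []
    for control, module, _ in stack:
        if module == "pam_winbind.so" and control != "sufficient":
            findings.append("pam_winbind.so control is '%s', not 'sufficient'" % control)
    if "pam_winbind.so" in modules and "pam_unix.so" in modules:
        if modules.index("pam_winbind.so") < modules.index("pam_unix.so"):
            findings.append("pam_winbind.so is tried before pam_unix.so")
    return findings


# Constructed sample stacks (not taken from a real system).
STACK_FROM_REPLY = ("auth sufficient pam_winbind.so\n"
                    "auth sufficient pam_unix.so use_first_pass\n")
STACK_REQUIRED = ("auth required pam_winbind.so\n"
                  "auth sufficient pam_unix.so use_first_pass\n")
STACK_SWAPPED = ("auth sufficient pam_unix.so\n"
                 "auth sufficient pam_winbind.so use_first_pass\n")

if __name__ == "__main__":
    for name in ("STACK_FROM_REPLY", "STACK_REQUIRED", "STACK_SWAPPED"):
        print(name, review_auth_stack(globals()[name]) or "no findings")
```
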