I haven't tested but perhaps this pam entry in system-auth will help (insert before the winbind account entry):

account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet

Noal

-----Original Message-----
From: Andre Fernando Goldacker [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 04, 2007 11:06 AM
To: Andre Fernando Goldacker
Cc: Miles, Noal; samba@lists.samba.org
Subject: Re: [Samba] Issue with pam_winbind for MS AD authentication and module options

I made a mistake, group in nsswitch.conf looks like this:

group: files winbind

sorry about that!!

Andre

Andre Fernando Goldacker wrote:
> Hello!
>
> passwd, shadow and group look as follows in nsswitch.conf:
>
> passwd: files winbind
> shadow: files
> group: files group
>
> What really confuses me is that when my AD server is up and running,
> root or any local user logs in with no problem. And even when the AD
> server is down, after trying a zillion times, root and other local
> users log in, and then if I log them out and try again a few minutes
> later it won't go again, then again after a few minutes it works again
> and it keeps going like that.
>
> My guess is that when it's not going, pam_winbind and winbind are
> trying to connect to the AD server, resulting in a huge delay in the
> login process, affecting local users' logins as well. That's why I was
> wondering if there is a "timeout" option or something for pam_winbind
> to avoid that. Well, that's my guess; I could be wrong and maybe the
> problem is something else.
>
> Anyway, thanks so far for your help, if you or anyone has a light...
>
> Andre
>
> Miles, Noal wrote:
>
>> You have files before winbind in /etc/nsswitch.conf for passwd,
>> shadow, group?
>>
>> Noal
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andre Fernando Goldacker
>> Sent: Wednesday, April 04, 2007 8:40 AM
>> To: samba@lists.samba.org
>> Subject: [Samba] Issue with pam_winbind for MS AD authentication and module options
>>
>> Hello!
>>
>> I've configured samba with winbind and the pam_winbind module to
>> authenticate users that connect to my linux box against MS AD.
>>
>> Works like a charm. If a user exists both in AD and locally, login
>> should assume the local user. Again, it works pretty well (it seems, at
>> least with my current config).
>>
>> If my AD server goes down for any reason, local users should be able
>> to log in. For example, root has to log in always no matter if my AD
>> server exploded.
>>
>> That's where the problem is. When I shut down my AD server and I try
>> to log in with a local user (root as well), my guess is that
>> pam_winbind waits for a very very long time trying to find my AD
>> server to authenticate, so that even the local login times out. I don't
>> really know if that is the reason for this behaviour, but if it is,
>> I'm wondering if there is a hidden or maybe a new "timeout" option
>> for the pam_winbind module, as I didn't find anything related in the man
>> pages and the mailing list archive. Or maybe, if login finds the user
>> in the local database, bypass winbind authentication; I don't know if
>> that is possible.
>>
>> The reason why I came up with this idea is that when the AD server is
>> down and I try to log in with root, for example, over and over many
>> times, after a while it goes (looks like the pam config order is right),
>> but a few minutes later it won't again, which made me think that perhaps
>> winbind or pam_winbind are trying to establish a connection with AD
>> and somehow because of that the whole process slows down so much that
>> even local login times out.
>>
>> Samba is configured to get UIDs and GIDs from AD using SFU and the ad
>> idmap backend. Only users that are members of a specified AD group
>> are able to log in. The purpose of the machine is to be an application
>> server and share folders based on AD user and group permissions.
>>
>> My system is RHEL AS3 with update 7 and samba-3.0.24
>>
>> Below are my pam lines in the system-auth file:
>>
>> #%PAM-1.0
>> # This file is auto-generated.
>> # User changes will be destroyed the next time authconfig is run.
>> auth       required     /lib/security/$ISA/pam_env.so
>> auth       sufficient   /lib/security/$ISA/pam_unix.so likeauth nullok
>> auth       sufficient   /lib/security/$ISA/pam_winbind.so try_first_pass require_membership_of=DOMAIN+group
>> auth       required     /lib/security/$ISA/pam_deny.so
>>
>> account    required     /lib/security/$ISA/pam_unix.so nullok_secure
>> account    sufficient   /lib/security/$ISA/pam_winbind.so
>>
>> password   required     /lib/security/$ISA/pam_cracklib.so retry=3
>> password   sufficient   /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
>> password   required     /lib/security/$ISA/pam_deny.so
>>
>> session    required     /lib/security/$ISA/pam_limits.so
>> session    required     /lib/security/$ISA/pam_unix.so
>> session    required     /lib/security/$ISA/pam_mkhomedir.so umask=0022 skel=/etc/skel
>>
>> Considering that if a user exists both in the local user database and
>> AD, login has to assume the local user (seems to be working fine), could
>> someone give me a hint whether I'm on the right path, and maybe an idea
>> why, or what I could do, so that when my AD server goes down my local
>> users (including root) can log in normally?
>>
>> Any help will be greatly appreciated,
>>
>> Andre
>>

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
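The account-stack ordering discussed in this thread, as an added example that is not part of any of the posts and is not Linux-PAM or Samba code: a small Python model of how libpam walks a stack with the classic control flags (required, requisite, sufficient, optional), run against the account section exactly as posted and against the same section with the suggested pam_succeed_if line placed in front of pam_winbind. The per-module behaviours, the sample users (root, "andre", "DOMAIN+alice") and the 30-second AD_DOWN_DELAY are assumptions of the model chosen to make the evaluation order visible, not measured values.

```python
# Added example (not from the Samba thread, Linux-PAM or Samba): a model of
# how libpam walks an "account" stack with the classic control flags, used to
# show why a local user still reaches pam_winbind in the posted config and
# what a "sufficient" pam_succeed_if line in front of it changes. Module
# behaviours, sample users and AD_DOWN_DELAY are assumptions of the model.
from dataclasses import dataclass
from typing import Callable, List, Tuple

PAM_SUCCESS, PAM_FAILURE = "PAM_SUCCESS", "PAM_FAILURE"
AD_DOWN_DELAY = 30.0   # assumed: seconds pam_winbind blocks when no DC answers


@dataclass
class User:
    name: str
    uid: int
    local: bool          # has an entry in /etc/passwd


# A module returns (result, seconds it took), so delays stay visible.
Module = Callable[[User], Tuple[str, float]]


@dataclass
class Entry:
    control: str         # required | requisite | sufficient | optional
    module: str          # label, as it would appear in system-auth
    run: Module


def run_stack(stack: List[Entry], user: User) -> Tuple[str, float, List[str]]:
    """Evaluate a PAM stack top to bottom.

    required:   failure is remembered, but the stack keeps running
    requisite:  failure ends the stack immediately
    sufficient: success ends the stack with PAM_SUCCESS unless an earlier
                required module already failed; failure is ignored
    optional:   result ignored (it only matters if it is the only module)
    Returns (final result, total seconds, modules actually invoked).
    """
    required_failed = False
    elapsed = 0.0
    invoked: List[str] = []
    for e in stack:
        result, secs = e.run(user)
        elapsed += secs
        invoked.append(e.module)
        if e.control == "required" and result != PAM_SUCCESS:
            required_failed = True
        elif e.control == "requisite" and result != PAM_SUCCESS:
            return PAM_FAILURE, elapsed, invoked
        elif e.control == "sufficient" and result == PAM_SUCCESS and not required_failed:
            return PAM_SUCCESS, elapsed, invoked
    return (PAM_FAILURE if required_failed else PAM_SUCCESS), elapsed, invoked


def pam_unix_account(user: User) -> Tuple[str, float]:
    # Assumed: pam_unix's account check passes for every user it can resolve.
    return PAM_SUCCESS, 0.0


def make_pam_winbind(ad_up: bool) -> Module:
    def pam_winbind_account(user: User) -> Tuple[str, float]:
        if not ad_up:
            # Assumed: winbindd tries to reach a DC, blocks, then fails.
            return PAM_FAILURE, AD_DOWN_DELAY
        if user.local:
            return PAM_FAILURE, 0.0   # stands in for PAM_USER_UNKNOWN
        return PAM_SUCCESS, 0.0
    return pam_winbind_account


def make_pam_succeed_if(max_uid: int) -> Module:
    def pam_succeed_if(user: User) -> Tuple[str, float]:   # "uid < max_uid"
        return (PAM_SUCCESS if user.uid < max_uid else PAM_FAILURE), 0.0
    return pam_succeed_if


def posted_account_stack(ad_up: bool) -> List[Entry]:
    """The account section as posted in the thread."""
    return [Entry("required", "pam_unix.so", pam_unix_account),
            Entry("sufficient", "pam_winbind.so", make_pam_winbind(ad_up))]


def guarded_account_stack(ad_up: bool, max_uid: int = 100) -> List[Entry]:
    """Same section with the suggested pam_succeed_if line before winbind."""
    return [Entry("required", "pam_unix.so", pam_unix_account),
            Entry("sufficient", f"pam_succeed_if.so uid < {max_uid}",
                  make_pam_succeed_if(max_uid)),
            Entry("sufficient", "pam_winbind.so", make_pam_winbind(ad_up))]


# Constructed sample users for the model.
ROOT = User("root", 0, local=True)
LOCAL = User("andre", 500, local=True)
DOMAIN = User("DOMAIN+alice", 10000, local=False)

if __name__ == "__main__":
    for label, stack in (("posted", posted_account_stack),
                         ("guarded", guarded_account_stack)):
        for ad_up in (True, False):
            for u in (ROOT, LOCAL, DOMAIN):
                res, secs, mods = run_stack(stack(ad_up), u)
                print(f"{label:8} AD {'up  ' if ad_up else 'down'} {u.name:13} "
                      f"{res:11} after {secs:4.0f}s via {mods}")
```

Running it makes the point of the suggestion concrete: in the posted account section pam_unix.so is `required`, so its success does not end the stack, and pam_winbind.so is still invoked for root and every other local user; that call is where an unreachable DC costs the delay. A `sufficient` line that succeeds for local accounts in front of it ends the stack before winbind is consulted. With `uid < 100` that covers root and system accounts but not ordinary local users with higher UIDs (the model's `max_uid` argument shows the difference), so the threshold should match the local UID range; pam_localuser.so, which checks /etc/passwd directly, expresses the same guard without a UID threshold. The auth section as posted already has pam_unix.so as `sufficient`, so a correct local password short-circuits that stack before pam_winbind runs. Name-service lookups that go through winbind (the `group: files winbind` line in nsswitch.conf) happen outside the PAM stack and are not modelled here.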