samba48 winbind offline logon problems

zirias@

Developer
In my home network, I'm using samba48 as an ADDC. I'm using the same package on the domain controller and on the clients, built with poudriere and the following relevant lines in make.conf:
Code:
DEFAULT_VERSIONS+= ssl=libressl samba=4.8 php=7.2 pgsql=10 linux=c7

OPTIONS_UNSET+= GSSAPI_BASE ALSA PULSE PULSEAUDIO
OPTIONS_SET+=   GSSAPI_MIT SNDIO PORTAUDIO
net_samba48_UNSET+=     GSSAPI_BUILTIN DEBUG
net_samba48_SET+=       CUPS BIND913

FreeBSD clients use winbind for NSS ("group" and "passwd" as second entry after "files") and PAM (in /etc/pam.d/system as a "sufficient" module before pam_unix.so for auth, account and password, and as an additional "required" module for session).

It all works fine, except for the offline authentication on my laptop, where I have winbind offline logon = yes in my /usr/local/etc/smb4.conf and cached_login = yes in /etc/security/pam_winbind.conf.

In fact, offline authentication seems to work quite well when testing as described here: https://wiki.samba.org/index.php/PAM_Offline_Authentication

I guess I have a problem with resolving UIDs/GIDs instead, this only works sporadically when my laptop can't contact the DC. When I don't have any network connectivity at all, it does work. But when I have connectivity to a "foreign" network, where I can't reach my DC, trying to resolve UIDs/GIDs (e.g. by ls -l, getent passwd <user>, or by attempting a real login) hangs for a long time and then sometimes succeeds, sometimes not. I even got "partial" results like a correct name for the group in ls -l output, but only the UID number instead of the user name.

Any idea where I could look to solve this issue?
 
Sorry for necrobumping, but I ran into the exact same issue and search engines led me here.

I have FreeBSD 14.2 and samba416 (binary install) running. Login with cached credentials works as described above: working when truly offline, not working when in a network with no route to the DC.

zirias@ have you been able to fix the issue? Or does anybody else have a working setup and is willing to post config files?
 
Another solution would be to use security/sssd or security/sssd2 with {id,auth,access,chpass}_provider=ad and cache_credentials=true. When the SAMBA DC cannot be found on a network, I need to wait some seconds but am able to log in. My sssd.conf for sssd2 is as follows:

INI:
[sssd]
config_file_version = 2
services = nss, pam, ifp
domains = mydomain.example.net

[domain/mydomain.example.net]
cache_credentials = true

id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad

ad_server = dc.mydomain.example.net
ad_domain = mydomain.example.net
ad_enable_dns_sites = true
ad_maximum_account_password_age = 0
override_homedir = /home/%u
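The two setups in this thread (winbind with offline logon, and sssd with cache_credentials) both depend on a handful of settings spread over several files, and a missing one fails silently until the machine is off the home network. The following added check, written for this thread and not code from the posters, Samba or sssd, parses the relevant files and lists which offline-logon settings are absent. The file contents are constructed samples that mirror the thread (smb4.conf, pam_winbind.conf and nsswitch.conf for winbind; the sssd2 config from the last post), and the problem strings are this script's own wording. It verifies configuration only; it cannot reproduce the lookup hang on a foreign network, which is runtime behaviour.

```python
"""Offline-logon configuration check for winbind and sssd.

Added example for this thread, not code from the posters or from Samba/sssd.
All file contents below are constructed samples.
"""
import re


def parse_ini(text):
    """Parse 'key = value' sections as smb.conf, pam_winbind.conf and sssd.conf use them.
    Section names and keys are lowercased; whitespace inside keys is collapsed."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # both file families use # and ; comments
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def parse_nsswitch(text):
    """Parse nsswitch.conf into {database: [sources]}, dropping [action] tokens."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, sources = line.split(":", 1)
        dbs[db.strip()] = [s for s in sources.split() if not s.startswith("[")]
    return dbs


def truthy(value):
    """Samba accepts yes/true/1/on and sssd accepts true/1; treat both alike."""
    return value is not None and value.strip().lower() in ("yes", "true", "1", "on")


def check_winbind(smb_conf, pam_winbind_conf, nsswitch_conf):
    """Return the missing winbind offline-logon settings (empty list = all present)."""
    problems = []
    smb_global = parse_ini(smb_conf).get("global", {})
    if not truthy(smb_global.get("winbind offline logon")):
        problems.append("smb4.conf: winbind offline logon is not enabled")
    pam_global = parse_ini(pam_winbind_conf).get("global", {})
    if not truthy(pam_global.get("cached_login")):
        problems.append("pam_winbind.conf: cached_login is not enabled")
    nss = parse_nsswitch(nsswitch_conf)
    for db in ("passwd", "group"):  # the two databases the first post routes through winbind
        if "winbind" not in nss.get(db, []):
            problems.append(f"nsswitch.conf: {db} does not consult winbind")
    return problems


def check_sssd(sssd_conf):
    """Return what is missing from an sssd.conf laid out as in the last post (empty list = all present)."""
    problems = []
    conf = parse_ini(sssd_conf)
    domains = [d.strip() for d in conf.get("sssd", {}).get("domains", "").split(",") if d.strip()]
    if not domains:
        problems.append("sssd.conf: [sssd] lists no domains")
    for name in domains:
        section = conf.get(f"domain/{name.lower()}", {})
        if not section:
            problems.append(f"sssd.conf: no [domain/{name}] section")
            continue
        if not truthy(section.get("cache_credentials")):
            problems.append(f"sssd.conf: cache_credentials is not enabled for {name}")
        for key in ("id_provider", "auth_provider", "access_provider", "chpass_provider"):
            if section.get(key) != "ad":  # the thread uses the ad provider for all four
                problems.append(f"sssd.conf: {key} is {section.get(key)!r} for {name}, expected ad")
    return problems


# Constructed samples for the winbind setup from the first post.
SMB4_CONF = "[global]\n    security = ads\n    winbind offline logon = yes\n"
PAM_WINBIND_CONF = "[global]\ncached_login = yes\n"
NSSWITCH_CONF = "group: files winbind\npasswd: files winbind\nhosts: files dns\n"
# Constructed sample matching the sssd2 config from the last post.
SSSD_CONF = """[sssd]
config_file_version = 2
services = nss, pam, ifp
domains = mydomain.example.net

[domain/mydomain.example.net]
cache_credentials = true
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
"""

if __name__ == "__main__":
    for label, problems in (("winbind", check_winbind(SMB4_CONF, PAM_WINBIND_CONF, NSSWITCH_CONF)),
                            ("sssd", check_sssd(SSSD_CONF))):
        print(label, "offline logon settings:", "ok" if not problems else "; ".join(problems))
```

To run it against a real laptop, read the files from /usr/local/etc/smb4.conf, /etc/security/pam_winbind.conf and /etc/nsswitch.conf (or /usr/local/etc/sssd/sssd.conf) and pass their contents to the two check functions; an empty list means every setting the thread names is in place, so a remaining failure is runtime behaviour (DC reachability, cache state) rather than configuration.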
 