Have tested it but it didn't make any difference unfortunately. Perhaps my pam config is still wrong, don't know, but it looks like a small bug to me that maybe has not been noticed yet, and if so, perhaps a timeout option in pam_winbind could do the job, who knows!!

cheers,
Andre

Miles, Noal wrote:
> I haven't tested but perhaps this pam entry in system-auth will help
> (insert before winbind account entry)
>
> account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
>
> Noal
>
> -----Original Message-----
> From: Andre Fernando Goldacker [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, April 04, 2007 11:06 AM
> To: Andre Fernando Goldacker
> Cc: Miles, Noal; [email protected]
> Subject: Re: [Samba] Issue with pam_winbind for MS AD authentication and moduleoptions
>
> I made a mistake, group in nsswitch.conf looks like this:
>
> group: files winbind
>
> sorry about that!!
>
> Andre
>
> Andre Fernando Goldacker wrote:
>
>> Hello!
>>
>> passwd, shadow and group look as follows in nsswitch.conf:
>>
>> passwd: files winbind
>> shadow: files
>> group: files group
>>
>> What really confuses me is that when my AD server is up and running, root or any local user logs in with no problem. And even when the AD server is down, after trying a zillion times, root and other local users log in, and then if I log them out and try again a few minutes later it won't go again, then again after a few minutes it works again and it keeps going like that.
>>
>> My guess is that when it's not going, pam_winbind and winbind are trying to connect to the AD server, resulting in a huge delay in the login process affecting also local users' login. That's why I was wondering if there is a "timeout" option or something for pam_winbind to avoid that. Well, that's my guess, I could be wrong and maybe the problem is something else.
>>
>> Anyway thanks so far for your help, if you or anyone has a light...
>>
>> Andre
>>
>> Miles, Noal wrote:
>>
>>> You have files before winbind in /etc/nsswitch.conf for passwd, shadow, group?
>>>
>>> Noal
>>>
>>> -----Original Message-----
>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andre Fernando Goldacker
>>> Sent: Wednesday, April 04, 2007 8:40 AM
>>> To: [email protected]
>>> Subject: [Samba] Issue with pam_winbind for MS AD authentication and moduleoptions
>>>
>>> Hello!
>>>
>>> I've configured samba with winbind and the pam_winbind module to authenticate users that connect to my linux box against MS AD.
>>>
>>> Works like a charm. If a user exists both in AD and locally, login should assume local users. Again, it works pretty well (it seems at least with my current config).
>>>
>>> If my AD server goes down for any reason, local users should be able to login. For example, root has to login always no matter if my AD server exploded.
>>>
>>> That's where the problem is. When I shut down my AD server and I try to login with a local user (root as well), my guess is that it seems that pam_winbind waits for a very very long time trying to find my AD server to authenticate, so that even the local login times out. I don't really know if that is the reason for this behaviour, but if it is, I'm wondering if there is a hidden or maybe a new "timeout" option for the pam_winbind module as I didn't find anything related in the man pages and the mailing list archive. Or maybe if login finds the user in the local database, bypass winbind authentication, don't know if that is possible.
>>>
>>> The reason why I came up with this idea is that when the AD server is down and I try to login with root for eg. over and over many times, after a while it goes (looks like pam config order is right), but a few minutes later it won't again, which made me think that perhaps winbind or pam_winbind are trying to establish a connection with AD and somehow because of that the whole process slows down so much that even local login times out.
>>>
>>> Samba is configured to catch UIDs, GIDs from AD using SFU and the ad idmap backend. Only users that are members of a specified AD group are able to login. The purpose of the machine is to be an application server and share folders based on AD users and group permissions.
>>>
>>> My system is RHEL AS3 with update 7 and samba-3.0.24
>>>
>>> Below are my pam lines in the system-auth file:
>>>
>>> #%PAM-1.0
>>> # This file is auto-generated.
>>> # User changes will be destroyed the next time authconfig is run.
>>> auth required /lib/security/$ISA/pam_env.so
>>> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
>>> auth sufficient /lib/security/$ISA/pam_winbind.so try_first_pass require_membership_of=DOMAIN+group
>>> auth required /lib/security/$ISA/pam_deny.so
>>>
>>> account required /lib/security/$ISA/pam_unix.so nullok_secure
>>> account sufficient /lib/security/$ISA/pam_winbind.so
>>>
>>> password required /lib/security/$ISA/pam_cracklib.so retry=3
>>> password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
>>> password required /lib/security/$ISA/pam_deny.so
>>>
>>> session required /lib/security/$ISA/pam_limits.so
>>> session required /lib/security/$ISA/pam_unix.so
>>> session required /lib/security/$ISA/pam_mkhomedir.so umask=0022 skel=/etc/skel
>>>
>>> Considering that if a user exists both in the local user database and AD, login has to assume the local user (seems to be working fine), could someone give me a hint if I'm on the right path, and maybe an idea why, or what I could do when my AD server goes down so that my local users (including root) log in normally??
>>>
>>> Any help will be greatly appreciated,
>>>
>>> Andre

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
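An added illustration, not part of the thread and not Samba's or Linux-PAM's own code: a small Python model of how Linux-PAM walks the auth and account stacks quoted above. The stub modules, the constructed accounts (a local user "andre" with uid 500 and a domain user "DOMAIN+bob"), and treating an unreachable AD as an immediate failure rather than the long wait described in the thread are all assumptions of the model. What it shows is why local logins still depend on AD in this config: the auth phase stops at pam_unix (sufficient) for root, but in the account phase `required pam_unix.so` does not end the walk, so `sufficient pam_winbind.so` is invoked for every user, and with AD down that invocation is where the time goes. With Noal's pam_succeed_if line inserted, root is short-circuited before winbind is reached, while a local user with uid 500 is not, because the test is `uid < 100`.

```python
"""Toy model of how Linux-PAM walks a system-auth stack.  Constructed
example (not from the thread): it implements the simple control flags
required / requisite / sufficient / optional plus stub modules, enough
to show which users make pam_winbind run while AD is unreachable."""

SUCCESS, FAIL = "success", "fail"

# Constructed account databases.  'andre' is a local user above uid 100;
# the domain user's uid stands in for what SFU/idmap would hand out.
LOCAL_USERS = {"root": 0, "andre": 500}
DOMAIN_USERS = {"DOMAIN+bob": 10001}

def resolve_uid(user, ad_up):
    """nsswitch 'files winbind': local first, then AD only if reachable."""
    if user in LOCAL_USERS:
        return LOCAL_USERS[user]
    return DOMAIN_USERS.get(user) if ad_up else None

def pam_unix(phase, user, ad_up, args):
    if phase == "auth":          # only local users have a local password hash
        return SUCCESS if user in LOCAL_USERS else FAIL
    return SUCCESS if resolve_uid(user, ad_up) is not None else FAIL

def pam_winbind(phase, user, ad_up, args):
    if not ad_up:
        return FAIL      # the real module first blocks waiting on winbindd/AD
    return SUCCESS if user in DOMAIN_USERS else FAIL

def pam_succeed_if(phase, user, ad_up, args):
    """Only the 'uid < N' test suggested in the thread is modelled."""
    limit = int(args.split("<")[1].split()[0])
    uid = resolve_uid(user, ad_up)
    return SUCCESS if uid is not None and uid < limit else FAIL

MODULES = {
    "pam_env.so": lambda *a: SUCCESS,
    "pam_deny.so": lambda *a: FAIL,
    "pam_unix.so": pam_unix, "pam_winbind.so": pam_winbind,
    "pam_succeed_if.so": pam_succeed_if,
}

def parse_stack(text, phase):
    """(control, module, args) triples for one phase of a system-auth file."""
    stack = []
    for line in text.splitlines():
        parts = line.strip().split(None, 3)
        if len(parts) < 3 or parts[0] != phase:     # skips blanks and comments
            continue
        args = parts[3] if len(parts) > 3 else ""
        stack.append((parts[1], parts[2].rsplit("/", 1)[-1], args))
    return stack

def run_stack(stack, phase, user, ad_up):
    """Linux-PAM simple-control semantics.  A 'required' success does not
    end the walk, so the modules after it still run; only a 'sufficient'
    success (with no earlier required failure) or a requisite failure does.
    Returns (final result, list of modules that actually ran)."""
    called, impression = [], None       # None: nothing decided yet -> deny
    for control, module, args in stack:
        called.append(module)
        result = MODULES[module](phase, user, ad_up, args)
        if control in ("required", "requisite"):
            if result == FAIL:
                if control == "requisite":
                    return FAIL, called
                impression = FAIL
            elif impression is None:
                impression = SUCCESS
        elif control == "sufficient":
            if result == SUCCESS and impression != FAIL:
                return SUCCESS, called  # short-circuit; later entries skipped
        elif control == "optional" and result == SUCCESS and impression is None:
            impression = SUCCESS
    return (impression or FAIL), called

# The auth/account lines from the system-auth quoted in the thread.
ORIGINAL = """\
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_winbind.so try_first_pass require_membership_of=DOMAIN+group
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so nullok_secure
account sufficient /lib/security/$ISA/pam_winbind.so
"""
# Noal's suggestion: a pam_succeed_if line ahead of the winbind account entry.
PATCHED = ORIGINAL.replace(
    "account sufficient /lib/security/$ISA/pam_winbind.so",
    "account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet\n"
    "account sufficient /lib/security/$ISA/pam_winbind.so")

def winbind_consulted(text, phase, user, ad_up=False):
    """(was pam_winbind run?, final result) for one phase and one user."""
    result, called = run_stack(parse_stack(text, phase), phase, user, ad_up)
    return "pam_winbind.so" in called, result

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL), ("patched", PATCHED)):
        for user in ("root", "andre"):
            print(label, "account", user, winbind_consulted(text, "account", user))
```

Run it directly to print, for root and for the uid-500 local user, whether the account phase reaches pam_winbind under each stack; parse_stack accepts any system-auth style text, so the full file from the thread can be fed in as well. The model covers only the four simple control keywords and ignores the bracketed `[value=action]` syntax and `include`/`substack`, which do not appear in the quoted file.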
