I updated this bug on samba.org. https://bugzilla.samba.org/show_bug.cgi?id=10455
Did nobody notice the overlapping idmappings in the suplied config. idmap config DOMINIOCSA : range = 10000-25000 idmap config DOMINIOCSA : backend = rid idmap config * : range = 10000-25000 idmap config * : backend = tdb I suggest first fix the errors in smb.conf first. I can confirm that offline logons work fine on debian jessie. samba 4.4.5 ( a rebuild from Debian stretch ) If one if affected by it. ( on debian ) try running : pam-auth-update and select. [*] Winbind NT/Active Directory authentication content of that file is : cat /usr/share/pam-configs/winbind Name: Winbind NT/Active Directory authentication Default: yes Priority: 192 Auth-Type: Primary Auth: [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass Auth-Initial: [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login Account-Type: Primary Account: [success=end new_authtok_reqd=done default=ignore] pam_winbind.so Password-Type: Primary Password: [success=end default=ignore] pam_winbind.so use_authtok try_first_pass Password-Initial: [success=end default=ignore] pam_winbind.so Session-Type: Additional Session: optional pam_winbind.so from the wiki: https://wiki.samba.org/index.php/PAM_Offline_Authentication my smb.conf has : "winbind offline logon = yes" i did NOT set /etc/security/pam_winbind.conf # Test result. # wbinfo -K NTDOM\\username -p Enter NTDOM\username's password: plaintext kerberos password authentication for [NTDOM\username] succeeded (requesting cctype: FILE) credentials were put in: FILE:/tmp/krb5cc_0 Ping to winbindd succeeded # smbcontrol winbind offline # wbinfo -K NTDOM\\username -p Enter NTDOM\username's password: plaintext kerberos password authentication for [NTDOM\username] succeeded (requesting cctype: FILE) user_flgs: NETLOGON_CACHED_ACCOUNT credentials were put in: FILE:/tmp/krb5cc_0 Ping to winbindd succeeded Greetz, Louis