samba48 winbind offline logon problems

zirias@

Developer
In my home network, I'm using samba48 as an ADDC. I'm using the same package on the domain controller and on the clients, built with poudriere and the following relevant lines in make.conf:
Code:
DEFAULT_VERSIONS+= ssl=libressl samba=4.8 php=7.2 pgsql=10 linux=c7

OPTIONS_UNSET+= GSSAPI_BASE ALSA PULSE PULSEAUDIO
OPTIONS_SET+=   GSSAPI_MIT SNDIO PORTAUDIO
net_samba48_UNSET+=     GSSAPI_BUILTIN DEBUG
net_samba48_SET+=       CUPS BIND913

FreeBSD clients use winbind for NSS ("group" and "passwd" as second entry after "files") and PAM (in /etc/pam.d/system as a "sufficient" module before pam_unix.so for auth, account and password, and as an additional "required" module for session).

It all works fine, except for the offline authentication on my laptop, where I have winbind offline logon = yes in my /usr/local/etc/smb4.conf and cached_login = yes in /etc/security/pam_winbind.conf.

In fact, offline authentication seems to work quite well when testing as described here: https://wiki.samba.org/index.php/PAM_Offline_Authentication

I guess I have a problem with resolving UIDs/GIDs instead; this only works sporadically when my laptop can't contact the DC. When I don't have any network connectivity at all, it does work. But when I have connectivity to a "foreign" network, where I can't reach my DC, trying to resolve UIDs/GIDs (e.g. by ls -l, getent passwd <user>, or by attempting a real login) hangs for a long time and then sometimes succeeds, sometimes not. I even got "partial" results like a correct name for the group in ls -l output, but only the UID number instead of the user name.

Any idea where I could look to solve this issue?
 