pam_winbind offline logon does not work in 12.04

Thank you for taking the time to report this bug and helping to make Ubuntu better. It seems that your bug report is not filed about a specific source package though, rather it is just filed against Ubuntu in general. It is important that bug reports be filed about source packages so that people interested in the package can find the bugs about it. You can find some hints about determining what package your bug might be about at https://wiki.ubuntu.com/Bugs/FindRightPackage. You might also ask for help in the #ubuntu-bugs irc channel on Freenode.

To change the source package that this bug is filed about visit https://bugs.launchpad.net/ubuntu/+bug/1165461/+editstatus and add the package name in the text box next to the word Package.

[This is an automated message. I apologize if it reached you inappropriately; please just reply to this message indicating so.]

Thank you for taking the time to report this bug and helping to make Ubuntu better.. I've assigned this report to the libpam-winbind package, hope this can bring the attention to the interested parties.

I'm not in charge of the bug, but if your problem is missing passwd information, then the behavior of PAM might be correct.
PAM is supposed to handle authentication only, NSS is the responsible part of getting user's info.
You might have a closer look to:
a) nscd, to cache users' info
b) SSSD (System Security Services Daemon), that is included in Ubuntu, to allow NSS information to be propagated and locally cached.
My eur 0.01

nscd and SSSD are not installed / configured.
From my understanding winbind should handle the NSS caching.
/etc/nsswitch.conf:
passwd: compat winbind

On other Linux distribution it works, so in my eyes something seems to be wrong with Ubuntu and winbind.

Thanks for the report - this looks reasonably like bug if someone else can confirm this behaviour.

To progress this bug we need a developer with some interest in winbind with AD working well in samba.

We try to integrate Ubuntu 12.04.02 in our AD with build in winbind and configured the /etc/samba/smb.conf and /etc/security/pam_winbind.conf as decribted below.

An offline login with active directory credentials also only works with a manual entry to /etc/passwd is created for the user.

Winbind seems not to be able to access its cached nss information.

A colleague compiled the "winbind_krb5_locator.so" via
             dpkg-buildpackage -us -uc -nc
from the winbind3 sources package (using "deb-src http://archive.ubuntu.com/ubuntu precise main universe restricted multiverse
" in the sources.list and "apt-get sources winbind3") and we copied the "winbind_krb5_locator.so" to /usr/lib/x86_64-linux-gnu/krb5/plugins/krb5 and join a new installed system to active directory wothout /etc/krb5.conf

Hi everyone,

the bug only occurs if you use the idmap ad backend. With backend tdb everything works fine.

I tracked this down to the file /var/run/samba/gencache.tdb. The file lies in a tmpfs and is cleared on every reboot. Winbind uses it to store the sid2uid and sid2gid mapping information in it.

An easy fix is to tell samba to store the file in an other directory. This can be done with "lock directory = /var/cache/samba/" in smb.conf.

Status changed to 'Confirmed' because the bug affects multiple users.

I'm using idmap backend ad and offline logins failed after rebooting Ubuntu 12.04. I can confirm the change to set "lock directory = /var/cache/samba/" in smb.conf fixed the issue for me.

Thanks Jakob

Changing the lock directory don't works for me with ubuntu 14.04.2 :(

Hi,

same bug here with Ubuntu 14.04 interated to a domain NT4 style.
Offline logon works if I close the session and disconnet LAN wire, but not work if I reboot, this is auth.log :

Sep 21 08:46:42 PC-UPS846 lightdm: pam_unix(lightdm:auth): check pass; user unknown
Sep 21 08:46:42 PC-UPS846 lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
Sep 21 08:46:42 PC-UPS846 lightdm: pam_winbind(lightdm:auth): getting password (0x00000208)
Sep 21 08:46:42 PC-UPS846 lightdm: pam_winbind(lightdm:auth): pam_get_item returned a password
Sep 21 08:46:45 PC-UPS846 lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
Sep 21 08:46:45 PC-UPS846 lightdm: PAM adding faulty module: pam_kwallet.so

"user unknow", it seems winbind can't handle the NSS caching. ( I see an error with pam_kwallet.so but not seems to be relevant)

The file gencache.tdb is already in /var/cache/samba/ .

cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat winbind
group: compat winbind
shadow: compat

hosts: files myhostname mdns4_minimal [NOTFOUND=return] dns mdns4 wins
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis