How can I set up my Linux box so that, if the Active Directory domain controller is down, I can still log in as root, without any timeouts or delays?
Following the example of most of the documentation out there, I've listed pam_winbind.so before pam_unix.so in my /etc/pam.d configurations. I believe that this is the cause of the problem. I remember seeing alternate /etc/pam.d setups that change the order and maybe add either pam_localuser or pam_succeed_if (to see if the uid is less than 500), but I can't find any specifics now (and I'm not enough of an expert in PAM to quickly and easily come up with a robust configuration on my own).
What is the recommended setup for PAM with Winbind to avoid timeouts and delays if Active Directory is unavailable?
Not only do you generally want pam_unix first, but when you fire up any session, PAM will enumerate the groups you belong to using initgroups(3), which will go through all group backends defined in /etc/nsswitch.conf.

There are a few reasons for this behaviour, mostly technical limitations around separation of concerns, but in short this allows you to specify in /etc/groups that an LDAP user belongs to wheel to allow it to sudo (random example).

This leads to stories about root login being broken or very slow on hosts with remote directory servers, even when the user is defined locally. Those stories are true, but most often due to incorrect configuration.

If you use winbind, you can define users for which groups will not be looked for through winbind. The appropriate option is winbind initgroups blacklist (global) in smb.conf. It was introduced in 2007 through http://git.samba.org/?p=samba.git;a=commitdiff;h=7399ab779d7100059475ed196e6e4435b2b33bbd

Note that the default value contains root, so you probably don't need to overwrite it.

For visitors: If you use nss_ldap, ldap.conf offers a similar nss_initgroups_ignoreusers. See nss_ldap(5).
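A small audit script for the two points the answer makes (module order in the PAM stack, and whether root is covered by winbind initgroups blacklist in smb.conf). This is an added example, not code from the question or the answer; the function names and the idea of parsing the files directly rather than via testparm are my own assumptions.

```shell
#!/bin/sh
# Added example: check a PAM file and an smb.conf for the two settings the
# answer discusses. Function names and parsing approach are assumptions.

# Exit 0 if, for any management type (auth, account, ...), pam_winbind.so is
# listed before pam_unix.so in the given PAM file; that is the ordering that
# makes a local root login wait on the domain controller. Exit 1 otherwise.
winbind_before_unix() {
    awk '
        /^[ \t]*#/ || NF < 3 { next }              # skip comments, blanks
        $0 ~ /pam_unix\.so/    { seen_unix[$1] = 1 }
        $0 ~ /pam_winbind\.so/ && !seen_unix[$1] { misordered = 1 }
        END { exit (misordered ? 0 : 1) }
    ' "$1"
}

# Exit 0 if "winbind initgroups blacklist" is set in the given smb.conf and
# lists root, 1 if it is set without root, 2 if it is not set at all (then
# the built-in default applies, which per the answer already contains root).
blacklist_status() {
    awk '
        /^[ \t]*[#;]/ { next }                     # skip comment lines
        tolower($0) ~ /^[ \t]*winbind[ \t]+initgroups[ \t]+blacklist[ \t]*=/ {
            found = 1
            sub(/^[^=]*=/, "")                     # keep only the value
            n = split($0, users, /[ \t,]+/)
            for (i = 1; i <= n; i++) if (users[i] == "root") has_root = 1
        }
        END { exit (found ? (has_root ? 0 : 1) : 2) }
    ' "$1"
}

# Usage on a real host (paths are the usual ones, adjust as needed):
#   winbind_before_unix /etc/pam.d/common-auth && echo "pam_winbind precedes pam_unix"
#   blacklist_status /etc/samba/smb.conf; echo "blacklist status: $?"
```

An explicit default to compare against is what testparm -s prints, since the script only sees what is written in the file.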