# samba48 winbind offline logon problems



## zirias@ (Apr 26, 2019)

In my home network, I'm using samba48 as an ADDC. I'm using the same package on the domain controller and on the clients, built with `poudriere` and the following relevant lines in make.conf:

```
DEFAULT_VERSIONS+= ssl=libressl samba=4.8 php=7.2 pgsql=10 linux=c7

OPTIONS_UNSET+= GSSAPI_BASE ALSA PULSE PULSEAUDIO
OPTIONS_SET+=   GSSAPI_MIT SNDIO PORTAUDIO
net_samba48_UNSET+=     GSSAPI_BUILTIN DEBUG
net_samba48_SET+=       CUPS BIND913
```

FreeBSD clients use `winbind` for NSS ("group" and "passwd" as second entry after "files") and PAM (in /etc/pam.d/system as a "sufficient" module before pam_unix.so for auth, account and password, and as an additional "required" module for session).

It all works fine, except for the offline authentication on my laptop, where I have `winbind offline logon = yes` in my /usr/local/etc/smb4.conf and `cached_login = yes` in /etc/security/pam_winbind.conf.

In fact, offline authentication seems to work quite well when testing as described here: https://wiki.samba.org/index.php/PAM_Offline_Authentication

I guess I have a problem with resolving UIDs/GIDs instead; this only works sporadically when my laptop can't contact the DC. When I don't have any network connectivity at all, it _does_ work. But when I have connectivity to a "foreign" network, where I can't reach my DC, trying to resolve UIDs/GIDs (e.g. by `ls -l`, `getent passwd <user>`, or by attempting a real login) hangs for a long time and then sometimes succeeds, sometimes not. I even got "partial" results like a correct name for the group in `ls -l` output, but only the UID number instead of the user name.

Any idea where I could look to solve this issue?


----------

