15561 – winbind systemd service unit depends on nmb preventing cached logins when no network is available

Bug 15561 - winbind systemd service unit depends on nmb preventing cached logins when no network is available

Summary: winbind systemd service unit depends on nmb preventing cached logins when no ...

Status:	NEW

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	Winbind (show other bugs)
Version:	4.19.4
Hardware:	All Linux

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Samba QA Contact
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2024-01-26 09:56 UTC by David Fillingham
Modified:	2024-01-26 09:56 UTC (History)
CC List:	0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description David Fillingham 2024-01-26 09:56:58 UTC

The systemd service unit winbind.service has `nmb.service` listed in it's `After` directive.
`nmb.service` has `network-online.target` in it's `After` directive, this means it won't start until the network comes "up".

This causes a problem for utilising winbind cached logins (`winbind offline logon = yes` in smb.conf) on any device that doesn't have a network connection.

Scenario I face was joining laptop to my domain at home, logging in with active directory user to get credentials cached, then shutting down my laptop and taking it to a friends house.
On powering up the laptop, I was unable to login to my account.
Switching to a different tty and logging in as root allowed me to see that winbind was not yet started, as it was waiting for nmb which was itself waiting for the network to come up before starting.
This is a chicken-and-egg problem: winbind won't start until I login and configure credentials for the friend's WiFi network, but I can't login because winbind hasn't started.

There's also the scenario of simply not having a network connection.

Steps to reproduce:

1. Configure winbind to allow cached logins
2. Join machine to AD domain
3. Login with AD user to cache the user credential
4. Disconnect the network (remove the cable, or remove WiFi credentials)
5. Reboot machine
6. Observe login is not possible with cached AD credential
7. Switch to different tty and login with root/another local user
8. Observe that `nmb.service` is waiting for `network-online.target` to start, and `winbind.service` is waiting for `nmb.service`
9. Manually start `winbind.service`
10. Switch back to original tty, login with AD credential, observe login is successful

My current workaround has been to disable the `winbind.service` file shipped with the package and instead place enable this one with `nmb.service` reference removed in `/etc/systemd/system/winbind.service`:

```
[Unit]
Description=Samba Winbind Daemon
Documentation=man:winbindd(8) man:samba(7) man:smb.conf(5)
After=network.target

[Service]
Type=notify
PIDFile=/run/winbindd.pid
EnvironmentFile=-/etc/conf.d/samba
ExecStart=/usr/bin/winbindd --foreground --no-process-group $WINBINDOPTIONS
ExecReload=/bin/kill -HUP $MAINPID
LimitCORE=infinity

[Install]
WantedBy=multi-user.target

```