Bug 15561 - winbind systemd service unit depends on nmb preventing cached logins when no network is available
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.19.4
Hardware: All Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2024-01-26 09:56 UTC by David Fillingham
Modified: 2024-01-26 09:56 UTC

Description David Fillingham 2024-01-26 09:56:58 UTC
The systemd service unit winbind.service has `nmb.service` listed in its `After` directive.
`nmb.service` has `network-online.target` in its `After` directive; this means it won't start until the network comes "up".

This causes a problem for utilising winbind cached logins (`winbind offline logon = yes` in smb.conf) on any device that doesn't have a network connection.

The scenario I faced was joining a laptop to my domain at home, logging in with an Active Directory user to get credentials cached, then shutting down my laptop and taking it to a friend's house.
On powering up the laptop, I was unable to log in to my account.
Switching to a different tty and logging in as root allowed me to see that winbind was not yet started, as it was waiting for nmb, which was itself waiting for the network to come up before starting.
This is a chicken-and-egg problem: winbind won't start until I log in and configure credentials for the friend's WiFi network, but I can't log in because winbind hasn't started.

There's also the scenario of simply not having a network connection.

Steps to reproduce:

1. Configure winbind to allow cached logins
2. Join machine to AD domain
3. Log in with an AD user to cache the user credential
4. Disconnect the network (remove the cable, or remove WiFi credentials)
5. Reboot machine
6. Observe login is not possible with cached AD credential
7. Switch to a different tty and log in with root/another local user
8. Observe that `nmb.service` is waiting for `network-online.target` to start, and `winbind.service` is waiting for `nmb.service`
9. Manually start `winbind.service`
10. Switch back to the original tty, log in with the AD credential, observe login is successful

My current workaround has been to disable the `winbind.service` file shipped with the package and instead place and enable this one, with the `nmb.service` reference removed, in `/etc/systemd/system/winbind.service`:

```
[Unit]
Description=Samba Winbind Daemon
Documentation=man:winbindd(8) man:samba(7) man:smb.conf(5)
After=network.target

[Service]
Type=notify
PIDFile=/run/winbindd.pid
EnvironmentFile=-/etc/conf.d/samba
ExecStart=/usr/bin/winbindd --foreground --no-process-group $WINBINDOPTIONS
ExecReload=/bin/kill -HUP $MAINPID
LimitCORE=infinity

[Install]
WantedBy=multi-user.target
```
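The ordering chain described in this report can be checked mechanically. The following is an added example, not part of the original report or of Samba's packaging: it walks `After=` edges across unit files to find whether a login-critical service is transitively ordered behind `network-online.target`. The unit excerpts are constructed to mirror the report, and the names `after_deps` and `ordering_chain` are hypothetical.

```python
# Constructed unit excerpts mirroring the ordering described in the report;
# they are not copies of the packaged Samba unit files.
UNITS = {
    "winbind.service": "[Unit]\nAfter=network.target nmb.service\n",
    "nmb.service": "[Unit]\nAfter=network.target network-online.target\n",
    "network.target": "",
    "network-online.target": "",
}
# Same set with the reporter's workaround: nmb.service dropped from After=.
FIXED = dict(UNITS, **{"winbind.service": "[Unit]\nAfter=network.target\n"})


def after_deps(text):
    """Return unit names listed on After= lines inside the [Unit] section."""
    deps, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, _, value = line.partition("=")
        if section == "Unit" and key.strip() == "After":
            deps.extend(value.split())  # After= may repeat; entries accumulate
    return deps


def ordering_chain(units, start, target):
    """Depth-first walk of After= edges; return the path to target, or None."""
    stack, seen = [[start]], set()
    while stack:
        path = stack.pop()
        unit = path[-1]
        if unit == target:
            return path
        if unit in seen:
            continue
        seen.add(unit)
        for dep in after_deps(units.get(unit, "")):
            stack.append(path + [dep])
    return None


if __name__ == "__main__":
    for label, units in (("shipped", UNITS), ("workaround", FIXED)):
        chain = ordering_chain(units, "winbind.service", "network-online.target")
        print(label, "->", " -> ".join(chain) if chain else "no network-online ordering")
```

On a live system, `systemctl show -p After winbind.service` prints the effective `After=` list that the same walk can be run against.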