From 7b23f6a4acc521181ec2cb89ea26c4f445096cf6 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Fri, 27 Oct 2023 17:37:49 -0500
Subject: [PATCH] r/winbind: Disable offline login by default
The `winbind offline login` setting seems to cause issues when one of the domain controllers is offline. Rather than try the other DC, winbind seems to just "give up" and return NT_STATUS_NO_SUCH_USER for all authentication requests until the offline cache is flushed. There's not really any reason to use this setting on servers anyway, since they are always connected to the LAN, as opposed to laptops that may occasionally disconnect. Let's disable this option in the hopes that it makes logins more resilient to DC downtime. After all, there's not much point in having multiple DCs if they all have to be available in order to log in.
---
 roles/winbind/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/winbind/defaults/main.yml b/roles/winbind/defaults/main.yml
index 92985c2..e464c29 100644
--- a/roles/winbind/defaults/main.yml
+++ b/roles/winbind/defaults/main.yml
@@ -1,7 +1,7 @@
 winbind_idmap_range: 3000000-3009999
 winbind_nss_info: rfc2307
 winbind_use_default_domain: true
-winbind_offline_login: true
+winbind_offline_login: false
 winbind_kerberos_method: secrets and keytab
 winbind_refresh_tickets: false
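Review bot: The flipped default `winbind_offline_login: false` carries no comment, so the reasoning lives only in the commit message; a line above it such as `# Offline logon keeps credential hashes in the local winbind cache and was seen failing logins when a DC was down; keep false on always-connected servers` would stop a later edit from quietly re-enabling it. The templates and tasks are not visible in this hunk, but the change presumably only rewrites the `winbind offline logon` line in smb.conf, so hosts that ran with the old value may still hold cached credentials in `winbindd_cache.tdb` until that cache is flushed, and any pam_winbind `cached_login` setting the role manages would need to agree with the new default. Inventory or group_vars overrides that set the variable to `true` are not affected by a defaults change and are worth checking separately.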