From 27b172f0832b55f334a06561a80fa2e1dfe7517d Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Tue, 13 Aug 2024 21:04:42 -0500
Subject: [PATCH] r/system-auth: skip session winbind for local users

If winbind is unable to communicate with any domain controller, the `pam_winbind.so` module will time out. In _auth_ and _account_ context, this was not an issue, at least for local users, because other modules terminated the stack before `pam_winbind.so` was called. In _session_ context, though, nothing terminated the stack at all, so `pam_winbind.so` was called unconditionally. This prevented even _root_ from logging in on the console. This made troubleshooting difficult, especially for the VM hosts, when the domain controllers were down.
---
 roles/system-auth/templates/password-auth.j2 | 1 +
 1 file changed, 1 insertion(+)

diff --git a/roles/system-auth/templates/password-auth.j2 b/roles/system-auth/templates/password-auth.j2
index 3032e1a..3d831a2 100644
--- a/roles/system-auth/templates/password-auth.j2
+++ b/roles/system-auth/templates/password-auth.j2
@@ -36,5 +36,6 @@ session optional pam_oddjob_mkhomedir.so umask=0077
 session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session required pam_unix.so
 {% if pam_winbind %}
+session sufficient pam_localuser.so
 session optional pam_winbind.so krb5_auth krb5_ccache_type=KEYRING
 {% endif %}
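Review bot: `session sufficient pam_localuser.so` ends the entire session stack for any account found in /etc/passwd, not just the `pam_winbind.so` line it is meant to bypass, so any session module that follows the `{% endif %}` (the hunk ends there, so I cannot see whether one exists) would be silently skipped for local users. The template already uses the narrower idiom one line up for crond; `session [success=1 default=ignore] pam_localuser.so` skips exactly the next module and then continues the stack, which matches the intent described in the commit message, and since `pam_winbind.so` is `optional` the jump does not alter the session result for domain accounts. A short comment above the new line, e.g. `# Local accounts never need winbind; skip it so a DC outage cannot block console/root login`, would record why the short-circuit is there for the next maintainer.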