Gaiseric Vandal
2011-Jun-28 21:11 UTC
[Samba] Windows 7 caching credentials breaks with hibernation
I am running Samba 3.5.5 on Solaris 10. I have one machine as a PDC, one as a BDC. If I log on to the domain from a Windows 7 Pro (64-bit) laptop, hibernate the machine, unplug the network cable and wake the machine, I cannot unlock the screen. I will get the message "There are currently no logon servers available to service the logon request." Other users have reported this. I am able to switch users and log in as another domain user (assuming that that user had logged in at least once to the domain).

If I reboot the laptop, I am still unable to log into the domain. This suggests to me that the cached credentials are deleted when I log into the network, cached again when I log out, but not cached on a hibernation.

I also have two Windows Active Directory domains which are separate from the Samba domain. If I join the Windows 7 Pro machine to either domain, I do not have a problem with hibernating and disconnecting. I know that the client handles the caching, but I think with Samba it would be caching NTLM passwords while with Active Directory it would be caching Kerberos passwords.

XP Pro laptops do not have a problem with hibernation and cached credentials. I suspect that the cached credentials might get updated but not actually deleted.

I also have a problem with using offline files in Windows 7 with a Samba domain: if I enable offline files in the "sync center" I am unable to log in offline. Not sure why, and offline files aren't actually that important, but I suspect it is related.

Any advice?

Thanks
Gaiseric Vandal
2011-Jun-30 02:56 UTC
[Samba] Windows 7 caching credentials breaks with hibernation
I made some progress on this: I have fixed the problem with hibernation (but not with offline folders).

I actually had 3 domain controllers configured. I had shut down Samba on one of the DCs (let's call it BDC2) weeks ago, but had not deleted the machine account. I had come across a post on Google about offline authentication not working after a Samba domain name change. I had a look at the registry settings showing the last ntuserlogon and last samuserlogon (those aren't exact keys) and saw that the last SAM user was BDC2\username, not DOMAIN\username.

NTFS files (local and network) would show file permission entries with BDC2\username, not DOMAIN\username (this would include c:\users\username\ntuser.dat). System properties would also show each domain user profile as owned by BDC2\username.

Domain Controllers all share the same machine SID (that of the domain SID), so typically the wrong domain name being displayed didn't really matter. The file permissions actually get set for the user or group SID, so as long as the user (or group) SID is correct, file permissions are OK. I guess it displays the wrong domain name because it tries to resolve the domain SID back to a domain name (maybe via a NetBIOS lookup from WINS?) and locates the BDC2 (which alphabetically came before the domain name or other DCs).

However, when you log on with cached credentials, and you log in as "DOMAIN\username", the PC looks for that profile (and more specifically the ntuser.dat file with the cached credentials). So if it can't find the profile, you are out of luck. Why this affected a user who had hibernated the machine but not other users I don't know.

If I hibernated the machine, I could not unlock the computer offline as DOMAIN\myusername but I could log in as BDC2\myusername. I deleted the BDC2 machine account from the domain, which fixed the offline login + hibernation issue.

Offline logons are still broken- although I think once the old BDC expires from the WINS and browser databases. After I took BDC2 offline, some Windows 2003 servers complained about not being able to authenticate users in the BDC2 domain, until I rebooted those servers. XP machines did not have any problems.
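
A way to check a client for the symptom described in this follow-up (profile SIDs resolving to a stale DC name such as BDC2 instead of the domain name). This is an added example, not part of the original posts; `DOMAIN` is a placeholder for the domain's NetBIOS name, and the script only reads the standard `ProfileList` registry key and asks Windows to translate each SID. It is written to run on PowerShell 2.0 as shipped with Windows 7, while the machine can still reach a domain controller.

```powershell
# Added example: show which account name each local profile SID resolves to.
$ExpectedDomain = 'DOMAIN'   # assumption: replace with your domain's NetBIOS name
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

Get-ChildItem $profileList | ForEach-Object {
    $sidString = $_.PSChildName
    # Built-in service profiles (S-1-5-18/19/20) are not of interest here.
    if ($sidString -notlike 'S-1-5-21-*') { return }

    $profilePath = (Get-ItemProperty $_.PSPath).ProfileImagePath

    # Ask Windows to resolve the SID the same way the ACL editor does.
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidString)
        $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $account = $null   # SID could not be mapped to a name
    }

    if (-not $account) {
        $status = 'unresolved'
    } else {
        $resolvedDomain = ($account -split '\\')[0]
        if ($resolvedDomain -eq $ExpectedDomain) {
            $status = 'expected domain'
        } elseif ($resolvedDomain -eq $env:COMPUTERNAME) {
            $status = 'local account'
        } else {
            # e.g. a leftover DC machine account answering for the domain SID
            $status = 'unexpected name - check for stale DC account'
        }
    }

    New-Object PSObject -Property @{
        Sid         = $sidString
        ResolvesTo  = $account
        ProfilePath = $profilePath
        Status      = $status
    }
} | Select-Object Status, ResolvesTo, ProfilePath, Sid | Format-Table -AutoSize
```

A row flagged as an unexpected name for a profile that belongs to a domain user corresponds to the BDC2\username display described above.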