Martin
2005-Feb-16 20:02 UTC
[Samba] cached credentials local login -- notebook domain members
Hallo,

I wonder if cached credentials local logins are expected to work with samba.

I have users with notebooks that I want to be domain members.

If the notebook is in the wild I want the users to use their profiles (either local or roaming) stored on the notebooks.

But once disconnected from the network the users can't log in.

I found a thread:
http://lists.samba.org/archive/samba/2003-December/077300.html

in which some state that cached credentials logins are impossible in samba while others say that it's a client-side issue.

I have tested both win2k and winXP with both local and roaming profiles with the same results: once disconnected the users can't log in.
I'm using samba 3.0.10 with LDAP.

Am I doing something wrong or does samba really not support cached credentials local logins?

Regards,
--
Mgr. Martin Povolný, soLNet, s.r.o., +420777714458, <martin.povolny@solnet.cz>
Paul Gienger
2005-Feb-16 20:22 UTC
[Samba] cached credentials local login -- notebook domain members
> Am I doing something wrong or does samba really not support cached
> credentials local logins?

I can assure you that it works just fine. I go home every night and log in just fine off the company 'net. It also works just fine on default domain setups, so there must be some step you've added that isn't liked very well.

What is the exact error you are getting? For example, I get an error about not finding my roaming profile, but that's expected.

What method did you use to set up your server? Did you follow a howto or something that we could reference to find out what is causing you problems?

--
Paul Gienger
Applied Engineering Inc.
Systems Architect
Office: 701-281-1884
Fax: 701-281-1322
URL: www.ae-solutions.com
mailto: pgienger@ae-solutions.com
Robert Schetterer
2005-Feb-16 21:24 UTC
[Samba] cached credentials local login -- notebook domain members
Hi Martin,

the normal behavior of Windows is to cache the profile. If you have a server-side profile and it can't be reached at logon, the minimum a win client machine should do is give you access to log in and give you a temp profile, or use the last one cached. If there is no cached profile of the login user you can only get a temp one.

In a roaming profile network there are a lot of setups thinkable with profiles; the best way is to control it by policies. I make different policies for laptops and workstations, to make sure that laptops will get and cache the server-side profile if they are in the intranet, and have it cached for offline use (this can be done with a local profile too, I think).

In policies you can also control the timeouts after how long the cached profile should be used if the server-stored one is not reachable (this may be the case in low-speed networking, i.e. VPN).

My workstation policy is not to cache the user's profile, to make sure only the profile on the server gets used and no merge with cached profiles is done at login (my meaning is that this is more useful and quicker, and I don't have to mess with cached profiles on machines and with the file storage on those machines).

The working of profiles depends deeply on your policy, reg and samba settings, but in principle there is no difference between a samba domain and a win nt 4 domain.

In a few cases a profile can be corrupted if a roaming user logs in through many workstations with many different software installed, or just kills the machine during the resync of the profile during logout.

So I recommend reading the samba FAQs and various TechNet or Windows sites about profiles. Sometimes "magical" things happen with profiles, which are ugly to debug... but it's more a Windows theme than a samba problem.

I hope I described the thing right. Sometimes I went crazy about this stuff too, and it is more easily done than described to another, but I think there are others on the list who will give you further info about that.

Best Regards

Martin wrote:
| Hallo,
|
| I wonder if cached credentials local logins are expected to work with
| samba.
|
| I have users with notebooks that I want to be domain members.
|
| If the notebook is in the wild I want the users to use their profiles
| (either local or roaming) stored on the notebooks.
|
| But once disconnected from the network the users can't log in.
|
| I found a thread:
| http://lists.samba.org/archive/samba/2003-December/077300.html
|
| in which some state that cached credentials logins are impossible in
| samba while others say that it's a client-side issue.
|
| I have tested both win2k and winXP with both local and roaming profiles
| with the same results: once disconnected the users can't log in.
| I'm using samba 3.0.10 with LDAP.
|
| Am I doing something wrong or does samba really not support cached
| credentials local logins?
|
| Regards,
| --

Best Regards
Robert Schetterer
robert_at_schetterer.org
Munich / Bavaria / Germany
https://www.schetterer.org
gnupgp public key: https://www.schetterer.org/public.key
Matthew Easton
2005-Feb-17 07:46 UTC
[Samba] cached credentials local login -- notebook domain members
On Wednesday 16 February 2005 12:02, Martin wrote:
> I have tested both win2k and winXP with both local and roaming profiles
> with the same results: once disconnected the users can't log in.
> I'm using samba 3.0.10 with LDAP.

I'm presuming that you haven't applied a security policy that sets cached credentials to zero. (Sorry, I can't recall exactly where that entry is -- but if you haven't imposed a mandatory security profile, you are probably allowing the 10 cached credentials default.)

Do you, by any chance, have an smbusers file? (Mine is /etc/samba/smbusers, yours may be located elsewhere.) This file maps Windows users to unix users. If you use this file to map legacy Windows usernames to accounts on your samba server, cached credentials will fail.

Say my smbusers file looks like this.

    # Unix_name = SMB_name1 SMB_name2 ...
    root = administrator admin
    nobody = guest pcguest smbguest
    ralph = rkaplan

Windows user "jsmith" is not in smbusers; his Windows account name is the same as his unix account name. His cached credentials will work.

Windows user "ralph" has no problem logging in when he is connected to the network, but he gets a "domain unavailable" message when he tries to use cached credentials.

There is one way that ralph can still log in when he is offline -- if he uses the unix username, "rkaplan". He still uses his ralph password -- it's the same credentials and password.

It occurs to me that there is another way that cached credentials may break with samba. And this is entirely a theory; I don't have a machine I can test right now. The user is logging in with a mixed-case username, but the 'real' unix name is all lower case. Something to test anyway.
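
An added example, not part of Matthew's message or of Samba: a small audit script that lists the smbusers entries which, per the behaviour he reports, would leave a notebook user unable to log on offline under their Windows name. The function name `offline_login_risks`, the three `kind` labels and the `jsmith = JSmith` and `!sys` sample lines are assumptions made for illustration; the "case-only" class corresponds to his untested mixed-case theory.

```python
import shlex

# Constructed sample in the format of the smbusers file quoted in the post,
# extended with a case-only mapping and a quoted/group/wildcard line.
SAMPLE = """\
# Unix_name = SMB_name1 SMB_name2 ...
root = administrator admin
nobody = guest pcguest smbguest
ralph = rkaplan
jsmith = JSmith
!sys = "Backup Operator" @wheel *
"""

def offline_login_risks(text):
    """Return (smb_name, unix_name, kind) for every mapped Windows name.

    kind is 'renamed' when the Windows name differs from the Unix name,
    'case-only' when only letter case differs, and 'group-or-wildcard'
    for @group, +group, &group and * entries that need manual review.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        line = line.lstrip("!")              # '!' only stops later map lines
        unix, sep, rest = line.partition("=")
        if not sep:
            continue                         # not a mapping line
        unix = unix.strip()
        for smb in shlex.split(rest):        # honours "names with spaces"
            if smb == "*" or smb.startswith(("@", "+", "&")):
                kind = "group-or-wildcard"
            elif smb == unix:
                continue                     # identical name, nothing to report
            elif smb.lower() == unix.lower():
                kind = "case-only"
            else:
                kind = "renamed"
            findings.append((smb, unix, kind))
    return findings

if __name__ == "__main__":
    for smb, unix, kind in offline_login_risks(SAMPLE):
        print(f"{kind:18} Windows name {smb!r} -> Unix account {unix!r}")
```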