Hello,
We currently have a NAC server set up to authenticate against a Samba4 AD using
the ntlm_auth utility and would like to make it more tolerant to network
outages.
Currently, when the NAC loses connectivity to the Samba4 AD, every login attempt
fails. This situation used to be acceptable but has become more problematic now
that our network topology has changed.
I have added "winbind offline logon = true" in the smb.conf of the NAC
and of the Samba4 AD.
In order to test offline authentication, I added two iptables rules that drop
all traffic to the Samba4AD.
When I try to authenticate using winbind, it works as expected :
16:52:11-root at hq-networkserv@-
/var/log/samba: wbinfo -K COMPANY\\super-user%superpassword
plaintext kerberos password authentication for
[COMPANY\super-user%superpassword] succeeded (requesting cctype: FILE)
user_flgs: NETLOGON_CACHED_ACCOUNT
credentials were put in: FILE:/tmp/krb5cc_0
On the other hand, if I try with ntlm_auth using the following options, it fails
:
16:52:35-root at hq-networkserv@-
/var/log/samba: ntlm_auth --use-cached-creds --username=super-user
--password=superpassword --domain= COMPANY
NT_STATUS_NO_LOGON_SERVERS: No logon servers (0xc000005e)
The NAC server is joined to the Samba4 domain and everything works just fine as
long as connectivity is maintained. I understand that this proposed solution
would only allow authentication of previously authenticated clients but that
would already be a great improvement.
Is there any way I can get ntlm_auth to authenticate successfully during a
period where it is unable to connect to the AD as winbind is able to do ?
Thank you in advance for your help,
Antoine Benkemoun
