Hi,

I was wondering if there was a possibility for remote sites to avoid having a "local" domain controller (Samba 4 AD DC) and still provide share access while WAN link is down. Something like the Windows credential cache on workstation.

Regards
I'm pretty sure if the "local share device/server" was also a member of the domain it would work. This is something I would like to test. I know this works with a NAS, but the NAS is part of a workgroup with the same domain name.

But I would be interested to learn other people's experience with this too.

BR

On 11 May 2016 at 14:06, Sébastien Le Ray <sebastien-samba at orniz.org> wrote:
> Hi,
>
> I was wondering if there was a possibility for remote sites to avoid
> having a "local" domain controller (Samba 4 AD DC) and still provide share
> access while WAN link is down. Something like the Windows credential cache
> on workstation.
>
> Regards
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Last time I tested, no connection to domain controller meant winbind failing to authenticate users…

Regards

On 11/05/2016 at 19:08, D Grealish wrote:
> I'm pretty sure if the "local share device/server" was also member of
> the domain it would work. This is something I would like to test, I
> know this works with a NAS, but the NAS is part of a workgroup with
> the same domain name,
>
> But i would be interested to learn other people's experience with this
> too
>
> BR
>
> On 11 May 2016 at 14:06, Sébastien Le Ray <sebastien-samba at orniz.org> wrote:
>
>> Hi,
>>
>> I was wondering if there was a possibility for remote sites to
>> avoid having a "local" domain controller (Samba 4 AD DC) and still
>> provide share access while WAN link is down. Something like the
>> Windows credential cache on workstation.
>>
>> Regards
On Wed, 2016-05-11 at 14:06 +0200, Sébastien Le Ray wrote:
> Hi,
>
> I was wondering if there was a possibility for remote sites to avoid
> having a "local" domain controller (Samba 4 AD DC) and still provide
> share access while WAN link is down. Something like the Windows
> credential cache on workstation.

If the link is only down for moments, then a valid Kerberos ticket should be able to get to a share. But the share needs to be running on a very current version of Samba, and Kerberos must be in use. (Even then, this may not work, but I've seen efforts made to try and fix it).

Otherwise, I can only suggest an RODC, if you don't want a full AD DC. This mode in Samba is less well used and tested than the rest, but it is there, and may be what you need here.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
On 14/05/2016 at 12:03, Andrew Bartlett wrote:
> On Wed, 2016-05-11 at 14:06 +0200, Sébastien Le Ray wrote:
>> Hi,
>>
>> I was wondering if there was a possibility for remote sites to avoid
>> having a "local" domain controller (Samba 4 AD DC) and still provide
>> share access while WAN link is down. Something like the Windows
>> credential cache on workstation.
> If the link is only down for moments, than a valid kerberos ticket
> should be able to get to a share. But the share needs to be running on
> a very current version of Samba, and Kerberos must be in use. (Even
> then, this may not work, but I've seen efforts made to try and fix it).

« Very current » and « debian package » are quite incompatible :) (even 4.2 is slow as Hell with our XP and some 7 boxes, got no time to sort this out)

> Otherwise, I can only suggest an RODC, if you don't want a full AD DC.
> This mode in Samba is less well used and tested than the rest, but it
> is there, and may be what you need here.

Yes that's what I was thinking but wiki documentation on RODC is not very verbose…

Regards