Gionatan Danti
2017-Jun-01 05:55 UTC
[Samba] Cache auth credentials on Samba domain member
On 18-09-2015 01:50 Jeremy Allison wrote:
>
> Currently a Samba member server must contact the DC
> for authentication even if a krb5-PAC is presented.
>
> This is a bug, and one I'm working on fixing (it
> is a regression from earlier behavior).

Hi all,
sorry for resurrecting this very old thread, but I would like to know if the situation improved over time.

In short, can a remote samba+winbind server cache authentication when connectivity with the main domain controller goes down?

In past replies the list told me that, due to a bug, this was not working on winbind 3.6.x.
As a note, being an enterprise distribution (CentOS 6), I have no out-of-the-box access to samba/winbind 4.x release.

Thanks.

--
Danti Gionatan
Supporto Tecnico
Assyoma S.r.l. - www.assyoma.it
email: g.danti at assyoma.it - info at assyoma.it
GPG public key ID: FF5F32A8
Data Control Systems - Mike Elkevizth
2017-Jun-01 12:45 UTC
[Samba] Cache auth credentials on Samba domain member
I've had issues with cached credentials with the Ubuntu packages that are currently at version 4.3.11. They are a little old, but I haven't seen any change logs for the newer versions specifically regarding this issue. Maybe I've missed it, but it's the main reason I continue using sssd.

Mike E.

On Thu, Jun 1, 2017, 2:08 AM Gionatan Danti via samba <samba at lists.samba.org> wrote:
> On 18-09-2015 01:50 Jeremy Allison wrote:
> >
> > Currently a Samba member server must contact the DC
> > for authentication even if a krb5-PAC is presented.
> >
> > This is a bug, and one I'm working on fixing (it
> > is a regression from earlier behavior).
>
> Hi all,
> sorry for resurrecting this very old thread, but I would like to know if
> the situation improved over time.
>
> In short, can a remote samba+winbind server cache authentication when
> connectivity with the main domain controller goes down?
>
> In past replies the list told me that, due to a bug, this was not
> working on winbind 3.6.x.
> As a note, being an enterprise distribution (CentOS 6), I have no
> out-of-the-box access to samba/winbind 4.x release.
>
> Thanks.
>
> --
> Danti Gionatan
> Supporto Tecnico
> Assyoma S.r.l. - www.assyoma.it
> email: g.danti at assyoma.it - info at assyoma.it
> GPG public key ID: FF5F32A8
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
Gionatan Danti
2017-Jun-01 13:11 UTC
[Samba] Cache auth credentials on Samba domain member
On 01-06-2017 14:45 Data Control Systems - Mike Elkevizth wrote:
> I've had issues with cached credentials with the Ubuntu packages that
> are currently at version 4.3.11. They are a little old, but I haven't
> seen any change logs for the newer versions specifically regarding
> this issue. Maybe I've missed it, but it's the main reason I continue
> using sssd.
>
> Mike E.
>
> On Thu, Jun 1, 2017, 2:08 AM Gionatan Danti via samba
> <samba at lists.samba.org> wrote:
>

I tried with sssd also, but with the same result: if connection to the main (remote) AD server is down, samba does not authenticate users.

To recap my setup:

DOMAIN CONTROLLER (Win2003) <-> VPN TUNNEL <-> REMOTE SAMBA SERVER <-> REMOTE CLIENTS

If the VPN tunnel goes down, the remote samba server stops authenticating users.

It does not seem a winbind or sssd problem, after all: severing the VPN connection, user authentication *outside samba shares* works correctly (I confirmed it by logging in via SSH using domain credential).

However, *no* user authentication is possible on samba shares when the VPN tunnel is down.

Do you have any suggestions?
Regards.

--
Danti Gionatan
Supporto Tecnico
Assyoma S.r.l. - www.assyoma.it
email: g.danti at assyoma.it - info at assyoma.it
GPG public key ID: FF5F32A8