[Samba] ntlm_auth and offline operations

Antoine Benkemoun antoine.benkemoun at nexthink.com
Fri Oct 10 09:08:37 MDT 2014


Hello,

We currently have a NAC server set up to authenticate against a Samba4 AD using the ntlm_auth utility and would like to make it more tolerant to network outages.

Currently, when the NAC loses connectivity to the Samba4 AD, every login attempt fails. This situation used to be acceptable but has become more problematic now that our network topology has changed.

I have added "winbind offline logon = true" in the smb.conf of the NAC and of the Samba4 AD.

In order to test offline authentication, I added two iptables rules that drop all traffic to the Samba4 AD.

When I try to authenticate using winbind, it works as expected:

16:52:11-root at hq-networkserv@-
/var/log/samba: wbinfo -K COMPANY\\super-user%superpassword
plaintext kerberos password authentication for [COMPANY\super-user%superpassword] succeeded (requesting cctype: FILE)
user_flgs: NETLOGON_CACHED_ACCOUNT
credentials were put in: FILE:/tmp/krb5cc_0

On the other hand, if I try with ntlm_auth using the following options, it fails:

16:52:35-root at hq-networkserv@-
/var/log/samba: ntlm_auth --use-cached-creds  --username=super-user --password=superpassword --domain= COMPANY
NT_STATUS_NO_LOGON_SERVERS: No logon servers (0xc000005e)

The NAC server is joined to the Samba4 domain and everything works just fine as long as connectivity is maintained. I understand that this proposed solution would only allow authentication of previously authenticated clients but that would already be a great improvement.

Is there any way I can get ntlm_auth to authenticate successfully during a period where it is unable to connect to the AD, as winbind is able to do?

Thank you in advance for your help,

Antoine Benkemoun
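The following is an added example, not part of the original post and not Samba's own code: a NAC-side wrapper around ntlm_auth that first attempts a live check and, only when ntlm_auth reports NT_STATUS_NO_LOGON_SERVERS (the message shown above), retries against winbind's offline cache with --use-cached-creds. It assumes ntlm_auth exits 0 on success and prints an NT_STATUS_* status line otherwise, and that the domain is passed as a single argument (--domain=COMPANY). The NTLM_AUTH variable, the function names and the ONLINE/CACHED/FAILED labels are this example's own conventions, not ntlm_auth's.

```shell
#!/bin/sh
# Added example: ntlm_auth wrapper with fallback to winbind's offline cache.
# Assumes ntlm_auth exits 0 on success and prints an NT_STATUS_* line on
# failure. NTLM_AUTH can point at a different binary (e.g. a stub for tests).
: "${NTLM_AUTH:=ntlm_auth}"

# Run one ntlm_auth check. $1=domain $2=user $3=password; further arguments
# (e.g. --use-cached-creds) are passed through. Returns ntlm_auth's status.
# Note: the domain is one argument (no space after '='). Passing the password
# in argv exposes it in the process list; on a shared host prefer one of
# ntlm_auth's --helper-protocol modes, which read credentials from stdin.
run_ntlm_auth() {
    domain=$1; user=$2; pass=$3; shift 3
    "$NTLM_AUTH" --domain="$domain" --username="$user" --password="$pass" "$@"
}

# Authenticate with fallback. Prints ONLINE, CACHED or FAILED on stdout and
# returns 0 when the user was authenticated, 1 otherwise. The ntlm_auth
# checks are run as 'if' conditions so a failing check never aborts a
# caller running under 'set -e'.
nac_authenticate() {
    domain=$1; user=$2; pass=$3
    if out=$(run_ntlm_auth "$domain" "$user" "$pass" 2>&1); then
        echo ONLINE
        return 0
    fi
    case $out in
        *NT_STATUS_NO_LOGON_SERVERS*)
            # DC unreachable: fall back to cached credentials. This needs
            # "winbind offline logon = yes" on the member and a previous
            # successful logon of the same user while the DC was reachable.
            if out=$(run_ntlm_auth "$domain" "$user" "$pass" --use-cached-creds 2>&1); then
                echo CACHED
                return 0
            fi
            ;;
    esac
    # Wrong password, unknown user, or no cached entry: deny.
    echo "ntlm_auth: $out" >&2
    echo FAILED
    return 1
}
```

Usage on the NAC would be `nac_authenticate COMPANY super-user "$password"` and acting on the exit status; the printed label lets the NAC log whether a session was admitted from a live DC answer or from the offline cache, which is worth alerting on, since cached admission does not see recent account disables or password changes made on the DC.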

