smbd operation with no link to domain controller

Uri Simchoni uri_simchoni at
Thu Nov 3 07:48:54 MDT 2011

I tested a NAS device in an environment in which the connection to the domain controller goes on and off. Theoretically, clients with cached Kerberos tickets should be able to work, because the Kerberos PAC includes all the information about the user, and the id-mapping is based on rids - no communication is required.
However in practice, I noticed that in some cases it doesn't work. I discovered that smbd verifies for each group SID in the PAC that it is, in fact, a group SID. This verification involves a possible query of the domain controller, which leads to failure. More often than not, the sid lookup succeeds using cached data, but sometimes the query is required.
Is there a technical reason to perform this extra-verification, rather than trusting the PAC?
Thanks,Uri Simchoni

More information about the samba-technical mailing list