Can smbd serve files without contacting a DC

Uri Simchoni urisimchoni at
Tue May 5 12:06:02 MDT 2015

Reposting also to the list - Sorry, Scott.

On Tue, May 5, 2015 at 3:44 PM, Scott Lovenberg <scott.lovenberg at>

> On Tue, May 5, 2015 at 5:52 AM, Uri Simchoni <urisimchoni at>
> wrote:
> >
> > Hi,
> >
> > An appliance vendor I'm doing work for, which uses samba as its file
> > server, is sometimes encountering situations where the connection from
> the
> > appliance to the domain controller is flaky, and that creates issues with
> > smbd's ability to serve files. Long delays in initial connection from the
> <snip>
> > Thanks,
> > Uri.
> If I'm understanding the situation, I think you want to set your PAM
> winbind module to "cached_login = yes" and your smb.conf should have
> "winbind offline login = true".  Ref:

I thought PAM is about plaintext logins (as in someone accessing the UI of
the appliance), and has no relevance when it comes to SMB authentication.

> I'm not sure how cranky KRB will become if tickets expire when there
> are issues with the path between the appliance and the core AD
> servers.  Also, for what it's worth, the exact situation is pretty
> much what read-only domain controllers (RODC) were created for.
> Unfortunately, the wiki seems to indicate that Samba's RODC support
> isn't complete, but the wiki could also be out of date. Ref:

That's definitely the way to go in the future. I'm looking for a
non-revolutionary fix though. It would help if the DC could run alongside
the file server, although container technology probably solves this too.

> --
> Peace and Blessings,
> -Scott.

More information about the samba-technical mailing list