[PATCHES] authenticating users during short disconnects from AD

Uri Simchoni uri at samba.org
Wed Dec 28 10:41:08 UTC 2016

On 12/28/2016 12:27 PM, Volker Lendecke wrote:
> Hi, Uri!
> Thanks for those patches! Going over them closely now. I would like to
> skip the Patches 1-4 for the moment because I'm in the process of
> reworking the getpwnam code completely. I think I'll be able to
> present something very soon. One of the main things is that the new
> code completely skips the getgrsid call, this is just not needed.
> Without that, I need to revisit the offline operation requirements.
> Ok?
> Volker

Sure. I don't know if there are formal requirements as such, I was only
thinking "if the client has a ticket, then we should be able to
authenticate it and serve files, even if the AD connection is down
(having obtained some initial info while it was up)".

BTW, the other patch set I submitted a while back, of pre-resolving
user/group names in share access lists, is already implemented in Samba
via another mechanism - nested groups. So you can define a local group,
nest whatever domain users / groups in it, and specify that group in the
share access list - no online lookup during tree-connect.


> On Tue, Dec 27, 2016 at 09:26:30PM +0200, Uri Simchoni wrote:
>> Hi,
>> The following patch set allows Samba, running as an AD member file
>> server, to authenticate new users using Kerberos without contacting AD.
>> This helps operating in sites with frequent short disconnects from AD,
>> e.g. if someone moves between rooms, the connection needs to be
>> re-established, and the client has a cached ticket to the server.
>> With Windows servers, it is possible for a file server to authenticate
>> using Kerberos and serve files without an AD connection - because all
>> the required info is in the PAC.
>> With Samba, there's the added step of converting the NT access token to
>> a POSIX process token - to a list of POSIX IDs associated with the
>> session. This may or may not be possible without a connection to AD,
>> depending on the idmap backends involved.
>> The patch set enables offline operation using passdb and rid backends.
>> Other backends currently require knowing the sid type, at least in the
>> cases where they allocate a new mapping.
>> Patches 1-4 - an assortment of barriers towards offline operation that
>> were removed - each one is independent
>> Patches 5-19 - while translating sid->unix ID, skip the sid lookup if
>> the idmap backend allows this. This includes adding a mechanism that
>> allows the winbindd parent process to query idmap backends whether they
>> require sid lookup prior to sid->unix id mapping. The final 5 patches
>> can probably be squashed together - it just seems easier to follow this way.
>> Review appreciated,
>> Uri.
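
Why a rid-style backend can map a SID taken from the PAC without contacting AD, shown as an added example that is not part of the thread and is not Samba's code: the unix ID is computed from the SID alone, using the formula documented for idmap_rid (ID = RID - BASE_RID + LOW_RANGE_ID), so neither a lookup nor the sid type is needed. The domain SID, range and function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample configuration (assumed values, not from the thread). */
struct rid_domain {
    const char *dom_sid;  /* domain SID this range is bound to */
    uint32_t low, high;   /* idmap range reserved for the domain */
    uint32_t base_rid;    /* lowest RID that is mapped */
};
static const struct rid_domain SAMPLE = {
    "S-1-5-21-1111111111-2222222222-3333333333", 100000, 199999, 0
};

/* Map a SID to a unix ID with no directory lookup; 0 on success, -1 if unmappable. */
int rid_sid_to_unixid(const struct rid_domain *d, const char *sid, uint32_t *id)
{
    size_t n = strlen(d->dom_sid);
    char *end;

    /* Accept only "<domain sid>-<rid>": same domain, exactly one extra sub-authority. */
    if (strncmp(sid, d->dom_sid, n) != 0 || sid[n] != '-')
        return -1;
    if (sid[n + 1] < '0' || sid[n + 1] > '9')
        return -1;
    unsigned long long rid = strtoull(sid + n + 1, &end, 10);
    if (*end != '\0' || rid > UINT32_MAX || rid < d->base_rid)
        return -1;
    /* ID = RID - BASE_RID + LOW_RANGE_ID; refuse anything outside the range. */
    unsigned long long v = rid - d->base_rid + d->low;
    if (v > d->high)
        return -1;
    *id = (uint32_t)v;
    return 0;
}

/* Convenience wrapper over SAMPLE: the mapped ID, or 0 when the SID is rejected. */
uint32_t sample_map(const char *sid)
{
    uint32_t id;
    return rid_sid_to_unixid(&SAMPLE, sid, &id) == 0 ? id : 0;
}

int main(void)
{
    printf("%u\n", sample_map("S-1-5-21-1111111111-2222222222-3333333333-1104"));
    return 0;
}
```

User and group SIDs go through the same arithmetic, and SIDs from another domain or outside the configured range are refused rather than mapped.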
