[Samba] Re: XP fails to cache Domain Credentials --SOLVED

Matthew Easton info at sublunar.com
Thu Dec 9 06:11:26 GMT 2004


On Saturday 04 December 2004 11:04, Matthew Easton wrote:
> My win2000 laptop caches the domain credentials so I can log into the
> computer when disconnected from the network.  However, Windows XP SP2
> laptops cannot. I get a "domain unavailable error" even though the local
> security profile on the laptop is set to allow domain credential caching.

People seem to think this is a windows issue, but I call it a samba issue or a 
windows/samba interoperability issue because authenticating to a microsoft 
windows server will never behave this way. I note the "solution" here to 
spare someone else this particular headache.

This issue is apparent in Windows XP up to and including Service Pack 2.  It 
may also be present in other versions of windows. My assertion above that it does 
not occur in windows 2000 is probably a red herring.  The problem 
looks like domain caching has failed. In fact, it is a feature of the 
mechanism which maps unix users to windows user names.  

The scenario: You log into your laptop with local admin privileges and join 
the domain.  Your unix root user is mapped to "administrator" in your domain 
using the "username map = /some/file" directive.  You succeed in joining the 
domain, so you reboot and log back in as the domain administrative user.  So 
far so good.  But...

If you disconnect from the network or use a dodgy wireless connection, and log 
in with the windows domain administrator user ----or any windows username 
that is mapped to a unix name---- the login fails to use the cached 
credentials because it doesn't actually have credentials for the windows user 
name.  In the case of the windows administrator account --- the windows 
workstation has cached credentials for MYDOMAIN\root and you just tried to 
login as MYDOMAIN\administrator.  You can demonstrate this by performing a 
disconnected login with username root and MYDOMAIN\administrator's password.

After you reconnect to the network, the domain is available and windows will 
successfully refer the login request of unknown user MYDOMAIN\administrator 
back to MYDOMAIN and samba will map "administrator" to unix user "root".

Moral of the story:  avoid mapping windows user names to unix user names if 
you want to use cached credentials...

HTH

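Added example, not part of this post and not Samba's own code: a small Python script that parses a map file in the format the "username map = /some/file" directive reads (unix name on the left, windows names on the right, "#"/";" comments, a leading "!" stopping further mapping, "*" as wildcard) and then replays the scenario above with a simulated workstation cache. The sample map file, the passwords, the user "jdoe", the in-memory cache and its SHA-256 verifier (a stand-in, not the real cached-logon format) are all constructed for the demonstration; "@group" entries are not resolved because that needs NSS. It models the behaviour the post describes: the workstation caches the name the DC reports back, so a disconnected logon as MYDOMAIN\administrator finds nothing, while MYDOMAIN\root and an unmapped user succeed.

```python
"""Replay the 'username map' vs. cached-logon problem from the post."""

import hashlib
import shlex

# Constructed sample of the file named by 'username map = /some/file'
SAMPLE_MAP = """\
# map the Windows domain administrator onto Unix root; '!' stops further mapping
!root = administrator admin
# guest-style names map onto the unprivileged account
nobody = guest pcguest
"""


def parse_username_map(text):
    """Return a list of (unix_name, [windows_names], stop_after_match)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        stop = line.startswith("!")
        if stop:
            line = line[1:].lstrip()
        if "=" not in line:
            continue  # malformed line: ignored, as smbd does
        unix_name, _, rhs = line.partition("=")
        entries.append((unix_name.strip(), shlex.split(rhs), stop))
    return entries


def _matches(pattern, name):
    if pattern == "*":
        return True
    if pattern.startswith("@"):
        return False  # Unix group membership needs NSS; not simulated here
    return pattern.lower() == name.lower()


def map_windows_user(entries, windows_name):
    """Walk every line; a matching right-hand name replaces the current name
    with the left-hand one, and a '!' line stops processing after a match."""
    name = windows_name
    for unix_name, win_names, stop in entries:
        if any(_matches(p, name) for p in win_names):
            name = unix_name
            if stop:
                break
    return name


def logon_verifier(password):
    # Stand-in for the workstation's cached-logon verifier (not the real format)
    return hashlib.sha256(password.encode()).hexdigest()


def online_logon(entries, cache, domain, windows_name, password, dc_passwords):
    """Connected logon: the Samba DC maps the name and checks the mapped Unix
    user's password; the workstation caches under the name the DC reports."""
    unix_name = map_windows_user(entries, windows_name)
    if dc_passwords.get(unix_name) != password:
        return None
    cache[(domain.upper(), unix_name.lower())] = logon_verifier(password)
    return f"{domain}\\{unix_name}"


def offline_logon(cache, domain, windows_name, password):
    """Disconnected logon: no DC and no name mapping, so only a name that was
    cached verbatim can succeed."""
    key = (domain.upper(), windows_name.lower())
    return cache.get(key) == logon_verifier(password)


def demonstrate():
    entries = parse_username_map(SAMPLE_MAP)
    dc_passwords = {"root": "s3cret", "jdoe": "hunter2"}  # constructed
    cache = {}
    connected = online_logon(entries, cache, "MYDOMAIN", "administrator", "s3cret", dc_passwords)
    online_logon(entries, cache, "MYDOMAIN", "jdoe", "hunter2", dc_passwords)
    return {
        "connected_as": connected,
        "offline_administrator": offline_logon(cache, "MYDOMAIN", "administrator", "s3cret"),
        "offline_root": offline_logon(cache, "MYDOMAIN", "root", "s3cret"),
        "offline_jdoe": offline_logon(cache, "MYDOMAIN", "jdoe", "hunter2"),
    }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

The "connected_as" value shows why the cache ends up holding MYDOMAIN\root rather than MYDOMAIN\administrator; the "jdoe" entry shows the moral of the post, that a name with no map line works offline as expected.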