[Samba] Re: XP fails to cache Domain Credentials --SOLVED
info at sublunar.com
Thu Dec 9 06:11:26 GMT 2004
On Saturday 04 December 2004 11:04, Matthew Easton wrote:
> My win2000 laptop caches the domain credentials so I can log into the
> computer when disconnected from the network. However, Windows XP SP2
> laptops cannot. I get a "domain unavailable error" even though the local
> security profile on the laptop is set to allow domain credential caching.
People seem to think this is a windows issue, but I call it a samba issue or a
windows/samba interoperability issue because authenticating to a microsoft
windows server will never behave this way. I note the "solution" here to
spare some one else this particular head ache.
This issue is apparent in Windows XP up to and including Service Pack 2. It
may also be present in other versions of windows. My assertion that it does
not occur in windows 2000 above, is probably a red herring. The problem
looks like domain cacheing has failed. In fact, it is a feature of the
mechanism which maps unix users to windows user names.
The scenario: You log into your laptop with local admin privileges and join
the domain. Your unix root user is mapped to "administrator" in your domain
using the "username map = /some/file" directive. You succeed in joining the
domain, so you reboot and log back in as the domain administrative user. So
far so good. But...
If you disconnect from the network or use a dodgy wireless connection, and log
in with the windows domain administrator user ----or any windows username
that is mapped to a unix name---- the login fails to use the cached
credentials because it doesn't actually have credentials for the windows user
name. In the case of the windows administrator account --- the windows
workstation has cached credentials for MYDOMAIN\root and you just tried to
login as MYDOMAIN\administrator. You can demonstrate this by performing a
disconnected login with username root and MYDOMAIN\administrator's password.
After you reconnect to the network, the domain is available and windows will
successfully refer the login request of unknown user MYDOMAIN\administrator
back to MYDOMAIN and samba will map "administrator" to unix user "root".
Moral of the story: avoid mapping windows user names to unix user names if
you want to use cached credentials...
More information about the samba