[Samba] Windows 7 caching credentials breaks with hibernation

Gaiseric Vandal gaiseric.vandal at gmail.com
Wed Jun 29 20:56:42 MDT 2011


I made some progress on this - I have fixed the problem with hibernation
(but not with offline folders).


I actually had 3 domain controllers configured.  I had shut down Samba on one
of the DCs (let's call it BDC2) weeks ago, but had not deleted the machine
account.

I had come across a post on Google about offline authentication not working
after a Samba domain name change.   I had a look at the registry settings
showing the last ntuserlogon and last samuserlogon (those aren't exact keys)
and saw that the last SAM user was BDC2\username, not DOMAIN\username.  NTFS
files (local and network) would show file permission entries with
BDC2\username, not DOMAIN\username (this would include
c:\users\username\ntuser.dat).  System properties would also show each
domain user profile as owned by BDC2\username.

Domain controllers all share the same machine SID (that of the domain SID), so
typically the wrong domain name being displayed didn't really matter.
The file permissions actually get set for the user or group SID - so as long
as the user (or group) SID is correct, file permissions are OK.

I guess it displays the wrong domain name because it tries to resolve the
domain SID back to a domain name (maybe via a NetBIOS lookup from WINS?)
and locates BDC2 (which alphabetically came before the domain name or
other DCs).

However, when you log on with cached credentials, and you log in as
"DOMAIN\username", the PC looks for that profile (and more specifically the
ntuser.dat file with the cached credentials).     So if it can't find the
profile, you are out of luck.    Why this affected a user who had hibernated
the machine but not other users I don't know.    If I hibernated the
machine, I could not unlock the computer offline as DOMAIN\myusername but I
could log in as BDC2\myusername.

I deleted the BDC2 machine account from the domain, which fixed the offline
login + hibernation issue.  Offline logons are still broken - although I think
once the old BDC expires from the WINS and browser databases.

After I took BDC2 offline, some Windows 2003 servers complained about not
being able to authenticate users in the BDC2 domain, until I rebooted those
servers.  

XP machines did not have any problems.





-----Original Message-----
From: Gaiseric Vandal [mailto:gaiseric.vandal at gmail.com] 
Sent: Tuesday, June 28, 2011 5:12 PM
To: Samba
Subject: Windows 7 caching credentials breaks with hibernation

I am running Samba 3.5.5 on Solaris 10.  I have one machine as a PDC, 
one as a BDC.

If I log on to the domain from a Windows 7 Pro (64-bit) laptop,
hibernate the machine, unplug the network cable and wake the machine, I
cannot unlock the screen.   I will get the message "There are currently
no logon servers available to service the logon request."  Other users
have reported this.

I am able to switch users and login as another domain user (assuming 
that that user had logged in at least once to the domain.)

If I reboot the laptop, I am still unable to log into the domain.   This 
suggests to me that the cached credentials are deleted when I log into 
the network, cached again when I log out, but not cached on a hibernation.


I also have two Windows Active Directory domains which are separate from
the Samba domain.  If I join the Windows 7 Pro to either domain, I do
not have a problem with hibernating and disconnecting.   I know that the
client handles the caching, but I think with Samba it would be caching
NTLM passwords while with Active Directory it would be caching Kerberos
passwords.


XP Pro laptops do not have a problem with hibernation and cached 
credentials.   I suspect that the cached credentials might get updated 
but not actually deleted.

I also have a problem with using offline files in Windows 7 with a Samba
domain - if I enable offline files in the "Sync Center" I am unable to
log in offline.   Not sure why, and offline files aren't actually that
important, but I suspect it is related.

Any advice?

Thanks




