[Samba] Windows 7 caching credentials breaks with hibernation
gaiseric.vandal at gmail.com
Wed Jun 29 20:56:42 MDT 2011
I made some progress on this: I have fixed the problem with hibernation
(but not with offline folders).
I actually had 3 domain controllers configured. I had shut down Samba on one
of the DCs (let's call it BDC2) weeks ago, but had not deleted the machine
I had come across a post on Google about offline authentication not working
after a Samba domain name change. I had a look at the registry settings
showing the last ntuserlogon and last samuserlogon (those aren't exact keys)
and saw that the last SAM user was BDC2\username, not DOMAIN\username. NTFS
files (local and network) would show file permission entries with
BDC2\username, not DOMAIN\username (this would include
c:\users\username\ntuser.dat). System properties would also show each
domain user profile as owned by BDC2\username.
Domain controllers all share the same machine SID (that of the domain SID), so
typically the wrong domain name being displayed didn't really matter.
The file permissions actually get set for the user or group SID, so as long
as the user (or group) SID is correct, file permissions are OK.
I guess it displays the wrong domain name because it tries to resolve the
domain SID back to a domain name (maybe via a NetBIOS lookup from WINS?)
and locates BDC2 (which alphabetically came before the domain name or
However, when you log on with cached credentials, and you log in as
"DOMAIN\username", the PC looks for that profile (and more specifically the
ntuser.dat file with the cached credentials). So if it can't find the
profile, you are out of luck. Why this affected a user who had hibernated
the machine but not other users I don't know. If I hibernated the
machine, I could not unlock the computer offline as DOMAIN\myusername, but I
could log in as BDC2\myusername.
I deleted the BDC2 machine account from the domain, which fixed the offline
login + hibernation issue. Offline logons are still broken, although I think
once the old BDC expires from the WINS and browser databases.
After I took BDC2 offline, some Windows 2003 servers complained about not
being able to authenticate users in the BDC2 domain, until I rebooted those
XP machines did not have any problems.
From: Gaiseric Vandal [mailto:gaiseric.vandal at gmail.com]
Sent: Tuesday, June 28, 2011 5:12 PM
Subject: Windows 7 caching credentials breaks with hibernation
I am running Samba 3.5.5 on Solaris 10. I have one machine as a PDC,
one as a BDC.
If I logon to the domain from a Windows 7 Pro (64-bit) laptop,
hibernate the machine, unplug the network cable and wake the machine, I
cannot unlock the screen. I will get the message "There are currently
no logon servers available to service the logon request." Other users
have reported this.
I am able to switch users and log in as another domain user (assuming
that user had logged in at least once to the domain).
If I reboot the laptop, I am still unable to log into the domain. This
suggests to me that the cached credentials are deleted when I log into
the network, cached again when I log out, but not cached on a hibernation.
I also have two Windows Active Directory domains which are separate from
the Samba domain. If I join the Windows 7 Pro to either domain, I do
not have a problem with hibernating and disconnecting. I know that the
client handles the caching, but I think with Samba it would be caching
NTLM passwords while with Active Directory it would be caching Kerberos
XP Pro laptops do not have a problem with hibernation and cached
credentials. I suspect that the cached credentials might get updated
but not actually deleted.
I also have a problem with using offline files in Windows 7 with a Samba
domain: if I enable offline files in the "sync center" I am unable to
log in offline. Not sure why, and offline files aren't actually that
important, but I suspect it is related.
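One way to check a Windows 7 client for the symptom described in the reply above (profiles and ntuser.dat resolving to BDC2\username instead of DOMAIN\username), as an added PowerShell example that is not part of the original post and not Samba project code: it walks the ProfileList registry key, translates each domain-account profile SID back to an account name, reads the NTFS owner of that profile's ntuser.dat, and flags entries whose domain prefix differs from the expected NetBIOS domain name. The `$ExpectedDomain` parameter and its default value `DOMAIN` are assumptions; substitute the real domain name. Reading other users' ntuser.dat ACLs needs an elevated prompt.

```powershell
# Added example: find profiles whose SID resolves to the wrong domain name.
# $ExpectedDomain is an assumption; pass the NetBIOS name of your Samba domain.
param(
    [string]$ExpectedDomain = 'DOMAIN'
)

# Windows records every loaded profile under ProfileList, keyed by account SID.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

Get-ChildItem $profileList | ForEach-Object {
    $sidString = $_.PSChildName

    # Only domain/local-SAM account SIDs (S-1-5-21-...) are of interest; skip
    # well-known service SIDs such as S-1-5-18 (SYSTEM) and S-1-5-19/20.
    if ($sidString -notmatch '^S-1-5-21-') { return }

    $imagePath = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
    $sid = New-Object System.Security.Principal.SecurityIdentifier($sidString)

    # Resolve the SID back to DOMAIN\user. This is the same SID-to-name lookup
    # the Windows UI performs, so a stale DC machine account that shares the
    # domain SID can make it come back as BDC2\user instead of DOMAIN\user.
    try {
        $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $account = '<unresolved>'
    }

    # The owner of ntuser.dat is what "System properties" shows as the profile
    # owner; it is stored as a SID, so it resolves through the same path.
    $ntuser = Join-Path $imagePath 'ntuser.dat'
    $owner = if (Test-Path $ntuser) { (Get-Acl -Path $ntuser).Owner } else { '<missing>' }

    $accountDomain = ($account -split '\\')[0]
    $ownerDomain   = ($owner   -split '\\')[0]

    $status = 'ok'
    if ($account -eq '<unresolved>') {
        $status = 'unresolved SID'
    } elseif ($accountDomain -ne $ExpectedDomain -or
              ($owner -ne '<missing>' -and $ownerDomain -ne $ExpectedDomain)) {
        # A mismatch here is the condition the post describes: the SID is right,
        # but the displayed domain name (and the cached-logon profile lookup)
        # points at the wrong machine account.
        $status = "MISMATCH (expected $ExpectedDomain)"
    }

    [pscustomobject]@{
        SID         = $sidString
        Account     = $account
        ProfilePath = $imagePath
        NtuserOwner = $owner
        Status      = $status
    }
} | Format-Table -AutoSize
```

Run it as `.\Check-ProfileDomain.ps1 -ExpectedDomain <yourdomain>` from an elevated PowerShell prompt. Rows marked MISMATCH are the profiles a cached "DOMAIN\username" logon will fail to find, even though the underlying SID and the NTFS permissions are correct.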