[Samba] Cache auth credentials on Samba domain member

Jeremy Allison jra at samba.org
Tue Sep 8 22:56:32 UTC 2015

On Tue, Sep 08, 2015 at 03:32:07PM +0200, Gionatan Danti wrote:
> Hi all,
> I have the following setup:
> The remote samba server is a CentOS 6.6 x86_64 server, with Samba
> version 3.6.23. It acts as a domain member, configured with security
> = ads; it uses winbind to enumerate Windows users and to grant share
> access.
> Such a setup works quite well, but I wonder how to cope with VPN
> connection losses. At the moment, if the VPN connection goes down,
> the Samba server is (obviously) unable to authenticate users against
> the domain controller, and the remote office's users cannot work.
> My question is: is it possible to cache the credentials or the
> authentication status such that a connectivity loss does not impair
> the remote client? I tried configuring "winbind cache time" and
> "winbind offline logon", but without success.

Actually, this should work out of the box - including authentication -
if the remote DC is unavailable, given the info in a valid krb5 ticket
+ PAC from the client.

Unfortunately due to some bugs (which are slowly being worked on)
this doesn't work the way it should.
