[Samba] Cache auth credentials on Samba domain member

Jeremy Allison jra at samba.org
Thu Sep 17 23:50:24 UTC 2015

On Sun, Sep 13, 2015 at 12:29:28AM +0200, Gionatan Danti wrote:
> Il 09-09-2015 10:21 Gionatan Danti ha scritto:
> >>
> >>Actually, this should work out of the box - including authentication -
> >>if the remote DC is unavailable, given the info in a valid krb5 ticket
> >>+ PAC from the client.
> >>
> >>Unfortunately due to some bugs (which are slowly being worked on)
> >>this doesn't work the way it should.
> >>
> >
> >Oh, I see.
> >Do it means that it *sometime* works, or I should not expect even
> >partial success?
> >
> >To simulate VPN loss / DC unavailability, I put a iptables rules (on
> >the remote side) dropping all traffic to the DC. It is a valid
> >scenario or I should test differently?
> >
> >Thank you all.
> Hi all,
> anyone with some more informations/suggestions? It is currently
> impossible to configure Samba for credential caching, or it is
> "simply" unreliable?

Currently a Samba member server must contact the DC
for authentication even if a krb5-PAC is presented.

This is a bug, and one I'm working on fixing (it
is a regression from earlier behavior).

More information about the samba mailing list