|Summary:||winbind offline logon cached credentials are not persistent|
|Product:||[Fedora] Fedora||Reporter:||Oded Arbel <oded>|
|Component:||samba||Assignee:||Simo Sorce <ssorce>|
|Status:||CLOSED DUPLICATE||QA Contact:||Fedora Extras Quality Assurance <extras-qa>|
|Version:||13||CC:||daniele.paolucci, gdeschner, jlayton, ssorce|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2010-08-18 13:52:09 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
Description Oded Arbel 2010-05-13 18:39:18 UTC
Description of problem: The primary use of the "allow offline login" configuration option in authconfig (as described in bug #232955) is to let users log in using Windows domain credentials when they are disconnected from the domain. For example - a laptop user that carries her laptop outside the office. When authconfig sets "winbind offline logon" in the smb.conf file, this works well - but only as long as the winbind service keeps running. If the winbind service crashes, or is restarted due to a power failure, then cached credentials are forgotten and the user will be locked out of her computer with no chance of getting back in until she is back at the office (which may be a long while, if she's on a business trip, for example). Version-Release number of selected component (if applicable): 3.5.2-60 How reproducible: always Steps to Reproduce: 1. Configure winbind authentication and select "allow offline login" in authconfig. 2. Log in to the computer. 3. Disconnect from the network 4. restart the winbind service 5. try to log in again Actual results: The log in will be rejected Expected results: The log in should succeed Additional info: I'm not sure, but perhaps nscd or SSSD can be used to workaround the winbind issue, instead of implementing persistent credentials cache for winbind (which is probably a security issue that has already been solved elsewhere), but I was not able to setup SSSD properly in Fedora 13, and nscd by default caches credentials for 10 minutes, which is kind of useless for business trips...
Comment 1 Daniele 2010-07-19 15:00:11 UTC
I have the same problem. I seems Samba generate a corrupted winbindd_cache.tdb. Every time winbind is restarted it generates a new file logging this lines: Jul 19 16:57:46 lnx winbindd: [2010/07/19 16:57:46.441866, 0] winbindd/winbindd_cache.c:4094(winbindd_cache_validate_and_initialize) Jul 19 16:57:46 lnx winbindd: winbindd cache tdb corrupt and no backup could be restored. Jul 19 16:57:46 lnx winbindd: [2010/07/19 16:57:46.442111, 0] winbindd/winbindd_cache.c:3076(initialize_winbindd_cache) Greets.