Bug 592055

Summary: winbind offline logon cached credentials are not persistent
Product: [Fedora] Fedora
Reporter: Oded Arbel <oded>
Component: samba
Assignee: Simo Sorce <ssorce>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 13
CC: daniele.paolucci, gdeschner, jlayton, ssorce
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-08-18 13:52:09 UTC

Description Oded Arbel 2010-05-13 18:39:18 UTC
Description of problem:
The primary use of the "allow offline login" configuration option in authconfig (as described in bug #232955) is to let users log in using Windows domain credentials when they are disconnected from the domain. For example, a laptop user who carries her laptop outside the office.

When authconfig sets "winbind offline logon" in the smb.conf file, this works well - but only as long as the winbind service keeps running. If the winbind service crashes, or is restarted due to a power failure, then cached credentials are forgotten and the user will be locked out of her computer with no chance of getting back in until she is back at the office (which may be a long while, if she's on a business trip, for example).

Version-Release number of selected component (if applicable):
3.5.2-60

How reproducible:
always

Steps to Reproduce:
1. Configure winbind authentication and select "allow offline login" in authconfig.
2. Log in to the computer.
3. Disconnect from the network.
4. Restart the winbind service.
5. Try to log in again.
  
Actual results:
The login will be rejected.

Expected results:
The login should succeed.

Additional info:
I'm not sure, but perhaps nscd or SSSD can be used to work around the winbind issue, instead of implementing a persistent credentials cache for winbind (which is probably a security issue that has already been solved elsewhere), but I was not able to set up SSSD properly in Fedora 13, and nscd by default caches credentials for 10 minutes, which is kind of useless for business trips...

Comment 1 Daniele 2010-07-19 15:00:11 UTC
I have the same problem.

It seems Samba generates a corrupted winbindd_cache.tdb.

Every time winbind is restarted it generates a new file, logging these lines:

Jul 19 16:57:46 lnx winbindd[5248]: [2010/07/19 16:57:46.441866,  0] winbindd/winbindd_cache.c:4094(winbindd_cache_validate_and_initialize)
Jul 19 16:57:46 lnx winbindd[5248]:   winbindd cache tdb corrupt and no backup could be restored.
Jul 19 16:57:46 lnx winbindd[5248]: [2010/07/19 16:57:46.442111,  0] winbindd/winbindd_cache.c:3076(initialize_winbindd_cache)

Greets.
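
Added example, not part of the original report or of Samba's code: a Python script that pairs each Samba debug header with its indented message line, as in the log excerpt in comment 1, and lists every winbindd process that started with a corrupt cache. The function names are hypothetical, and the last two sample lines (PID 6011) are constructed to stand for a second restart.

```python
import re

# Syslog prefix + Samba debug header: "[date time.usec,  level] file:line(function)"
HEADER = re.compile(
    r"winbindd\[(?P<pid>\d+)\]: \[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+)\] "
    r"(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)"
)
# Samba writes the message body on the following line, indented.
BODY = re.compile(r"winbindd\[(?P<pid>\d+)\]:\s{2,}(?P<msg>.+)")
CORRUPT = "winbindd cache tdb corrupt"

# The first three lines are the ones quoted in comment 1; the last two are
# constructed (PID and timestamps invented) to represent a second restart.
SAMPLE = """\
Jul 19 16:57:46 lnx winbindd[5248]: [2010/07/19 16:57:46.441866,  0] winbindd/winbindd_cache.c:4094(winbindd_cache_validate_and_initialize)
Jul 19 16:57:46 lnx winbindd[5248]:   winbindd cache tdb corrupt and no backup could be restored.
Jul 19 16:57:46 lnx winbindd[5248]: [2010/07/19 16:57:46.442111,  0] winbindd/winbindd_cache.c:3076(initialize_winbindd_cache)
Jul 19 17:20:03 lnx winbindd[6011]: [2010/07/19 17:20:03.118204,  0] winbindd/winbindd_cache.c:4094(winbindd_cache_validate_and_initialize)
Jul 19 17:20:03 lnx winbindd[6011]:   winbindd cache tdb corrupt and no backup could be restored.
"""

def find_cache_resets(text):
    """Return one dict per winbindd process that reported a corrupt cache."""
    pending = {}  # pid -> most recent header still waiting for its body line
    events = []
    for line in text.splitlines():
        h = HEADER.search(line)
        if h:
            pending[h["pid"]] = h.groupdict()
            continue
        b = BODY.search(line)
        if b and b["pid"] in pending:
            hdr = pending.pop(b["pid"])
            if CORRUPT in b["msg"]:
                events.append({"pid": int(hdr["pid"]), "time": hdr["ts"],
                               "function": hdr["func"]})
    return events

def cache_lost_on_every_start(events):
    """True when more than one distinct winbindd PID hit the corruption path."""
    return len({e["pid"] for e in events}) > 1

if __name__ == "__main__":
    for event in find_cache_resets(SAMPLE):
        print(event)
```

Repeated hits from different PIDs mean the cache file is being recreated at each start, which matches the symptom in the description: cached offline credentials do not survive a restart.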

Comment 2 Guenther Deschner 2010-08-18 13:52:09 UTC

*** This bug has been marked as a duplicate of bug 618201 ***