592055 – winbind offline logon cached credentials are not persistent

Bug 592055 - winbind offline logon cached credentials are not persistent

Summary: winbind offline logon cached credentials are not persistent

Status:	CLOSED DUPLICATE of bug 618201
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	samba
Sub Component:
Version:	13
Hardware:	All
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	---
Assignee:	Simo Sorce
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2010-05-13 18:39 UTC by Oded Arbel
Modified:	2010-08-18 13:52 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:
Doc Text:	(edit)
Clone Of:
Environment:	(edit)
Last Closed:	2010-08-18 13:52:09 UTC
Dependent Products:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Oded Arbel 2010-05-13 18:39:18 UTC

Description of problem:
The primary use of the "allow offline login" configuration option in authconfig (as described in bug #232955) is to let users log in using Windows domain credentials when they are disconnected from the domain. For example - a laptop user that carries her laptop outside the office.

When authconfig sets "winbind offline logon" in the smb.conf file, this works well - but only as long as the winbind service keeps running. If the winbind service crashes, or is restarted due to a power failure, then cached credentials are forgotten and the user will be locked out of her computer with no chance of getting back in until she is back at the office (which may be a long while, if she's on a business trip, for example).

Version-Release number of selected component (if applicable):
3.5.2-60

How reproducible:
always

Steps to Reproduce:
1. Configure winbind authentication and select "allow offline login" in authconfig.
2. Log in to the computer.
3. Disconnect from the network
4. restart the winbind service
5. try to log in again

Actual results:
The log in will be rejected

Expected results:
The log in should succeed

Additional info:
I'm not sure, but perhaps nscd or SSSD can be used to workaround the winbind issue, instead of implementing persistent credentials cache for winbind (which is probably a security issue that has already been solved elsewhere), but I was not able to setup SSSD properly in Fedora 13, and nscd by default caches credentials for 10 minutes, which is kind of useless for business trips...

Comment 1 Daniele 2010-07-19 15:00:11 UTC

I have the same problem.

I seems Samba generate a corrupted winbindd_cache.tdb.

Every time winbind is restarted it generates a new file logging this lines:

Jul 19 16:57:46 lnx winbindd[5248]: [2010/07/19 16:57:46.441866,  0] winbindd/winbindd_cache.c:4094(winbindd_cache_validate_and_initialize)
Jul 19 16:57:46 lnx winbindd[5248]:   winbindd cache tdb corrupt and no backup could be restored.
Jul 19 16:57:46 lnx winbindd[5248]: [2010/07/19 16:57:46.442111,  0] winbindd/winbindd_cache.c:3076(initialize_winbindd_cache)

Greets.

Comment 2 Guenther Deschner 2010-08-18 13:52:09 UTC


*** This bug has been marked as a duplicate of bug 618201 ***

Note You need to log in before you can comment on or make changes to this bug.