Bug 592055 – winbind offline logon cached credentials are not persistent

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 592055 - winbind offline logon cached credentials are not persistent

Summary:	winbind offline logon cached credentials are not persistent

Status:	CLOSED DUPLICATE of bug 618201

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	samba (Show other bugs)
Sub Component:
Version:	13
Hardware:	All Linux

Priority	low Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Simo Sorce
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2010-05-13 14:39 EDT by Oded Arbel
Modified:	2010-08-18 09:52 EDT (History)
CC List:	4 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2010-08-18 09:52:09 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Oded Arbel 2010-05-13 14:39:18 EDT

Description of problem:
The primary use of the "allow offline login" configuration option in authconfig (as described in bug #232955) is to let users log in using Windows domain credentials when they are disconnected from the domain. For example - a laptop user that carries her laptop outside the office.

When authconfig sets "winbind offline logon" in the smb.conf file, this works well - but only as long as the winbind service keeps running. If the winbind service crashes, or is restarted due to a power failure, then cached credentials are forgotten and the user will be locked out of her computer with no chance of getting back in until she is back at the office (which may be a long while, if she's on a business trip, for example).

Version-Release number of selected component (if applicable):
3.5.2-60

How reproducible:
always

Steps to Reproduce:
1. Configure winbind authentication and select "allow offline login" in authconfig.
2. Log in to the computer.
3. Disconnect from the network
4. restart the winbind service
5. try to log in again

Actual results:
The log in will be rejected

Expected results:
The log in should succeed

Additional info:
I'm not sure, but perhaps nscd or SSSD can be used to workaround the winbind issue, instead of implementing persistent credentials cache for winbind (which is probably a security issue that has already been solved elsewhere), but I was not able to setup SSSD properly in Fedora 13, and nscd by default caches credentials for 10 minutes, which is kind of useless for business trips...

Comment 1 Daniele 2010-07-19 11:00:11 EDT

I have the same problem.

I seems Samba generate a corrupted winbindd_cache.tdb.

Every time winbind is restarted it generates a new file logging this lines:

Jul 19 16:57:46 lnx winbindd[5248]: [2010/07/19 16:57:46.441866,  0] winbindd/winbindd_cache.c:4094(winbindd_cache_validate_and_initialize)
Jul 19 16:57:46 lnx winbindd[5248]:   winbindd cache tdb corrupt and no backup could be restored.
Jul 19 16:57:46 lnx winbindd[5248]: [2010/07/19 16:57:46.442111,  0] winbindd/winbindd_cache.c:3076(initialize_winbindd_cache)

Greets.

Comment 2 Guenther Deschner 2010-08-18 09:52:09 EDT


*** This bug has been marked as a duplicate of bug 618201 ***

Note You need to log in before you can comment on or make changes to this bug.