On Samba 4.10 with "winbind offline logon = yes" it is only possible to log in using cached credentials until the device is restarted. During restart the cache seems to be cleared. Together with members of the samba mailing list I was able to track that down to gencache.tdb being stored within "lock directory" instead of "cache directory".

Corresponding conversation: https://lists.samba.org/archive/samba/2019-April/222490.html

I additionally was able to identify the commit where this was changed, which should give more details on the "why" this was changed: https://gitlab.com/samba-team/samba/commit/1386200be5c583c680c3894a11688a0e0a3d2285

On Samba 4.9 this problem does not seem to exist.
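A quick host-side check for the situation described above, added here as an example and not part of the bug report: it reads "lock directory" and "cache directory" from the running smb.conf, reports in which of the two gencache.tdb currently lives, and flags whether that directory is volatile (tmpfs, or a path cleared at boot such as /run), which is what would wipe the offline logon cache on restart. The function names and the --check flag are this example's own; testparm's --parameter-name option is the real one.

```shell
#!/bin/sh
# Classify a directory as "volatile" (lost on reboot) or "persistent".
# Paths under /run, /var/run, /dev/shm and /tmp are treated as volatile by
# prefix; anything else is checked with findmnt for a tmpfs/ramfs mount.
dir_persistence() {
    dir=$1
    case "$dir" in
        /run/*|/var/run/*|/dev/shm/*|/tmp/*) echo volatile; return 0 ;;
    esac
    if command -v findmnt >/dev/null 2>&1 && [ -d "$dir" ]; then
        fstype=$(findmnt -n -o FSTYPE -T "$dir" 2>/dev/null)
        case "$fstype" in
            tmpfs|ramfs) echo volatile; return 0 ;;
        esac
    fi
    echo persistent
}

# Print, for the given lock and cache directory, whether gencache.tdb is
# present there and whether that directory survives a reboot.
gencache_report() {
    lockdir=$1
    cachedir=$2
    for d in "$lockdir" "$cachedir"; do
        state=$(dir_persistence "$d")
        if [ -f "$d/gencache.tdb" ]; then
            printf '%s/gencache.tdb: present (%s)\n' "$d" "$state"
        else
            printf '%s/gencache.tdb: absent (%s)\n' "$d" "$state"
        fi
    done
}

# Read the effective directories from smb.conf via testparm and report.
main_check() {
    if ! command -v testparm >/dev/null 2>&1; then
        echo "testparm not found; call gencache_report LOCKDIR CACHEDIR" >&2
        return 1
    fi
    lockdir=$(testparm -s --parameter-name="lock directory" 2>/dev/null)
    cachedir=$(testparm -s --parameter-name="cache directory" 2>/dev/null)
    gencache_report "$lockdir" "$cachedir"
}

if [ "${1:-}" = "--check" ]; then
    main_check
fi
```

Run it as `sh gencache_check.sh --check` on the affected host; a line reading "present (volatile)" for the lock directory is the condition that makes cached logons disappear after a reboot.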
Hope you have tested this way as well.

Case-1: AD Online
# service winbind start
# wbinfo -K YOURDOM\\ad-user%password   // Start winbindd, authenticate successfully at least once while winbind is online
# ssh ad-user@localhost   <working>

Case-2: AD Offline
# smbcontrol winbind offline   // Switch winbindd to offline mode by hand (for testing) with the smbcontrol command.
# wbinfo -K YOURDOM\\ad-user%password
user_flgs: NETLOGON_CACHED_ACCOUNT   // Your system is now prepared to use pam_winbind while offline.
-> Plug out AD so that RHEL cannot ping AD
# ssh ad-user@localhost
ad-user@localhost's password:
Domain Controller unreachable, using cached credentials instead. Network resources may be unavailable   <<<<<<<< Means winbind offline logon is working
ad-user$

-> We should not get login prompt with 4.10.
- What error message do we see in secure and samba-logs?
Created attachment 15113: Case-1: AD Online
Created attachment 15114: Case-2: AD Offline
Yes, as soon as I disconnect my device (without restarting) from the AD network I see the message: "Domain Controller unreachable, using cached credentials instead. Network resources may be unavailable". See screenshots of my tests attached.

> -> We should not get login prompt with 4.10.
> - What error message do we see in secure and samba-logs?

At which case would you like to see the output of "secure" and "samba-logs"? - After I have restarted and can no longer log in using cached credentials?
(In reply to Martin Krämer from comment #4)

1. We are sure, after reboot winbind is up, i.e. not dead.
2. I hope you tried ssh DOM\\user@localhost to check winbind allows offline logon. If so, let's collect winbind logs for the failing case.
3. The kerberos credential cache will get removed after reboot.
4. On Fedora gencache.tdb is present in /var/lib/samba and it's not deleted or its content erased after reboot.
5. gencache_stabilize(), removed in 4.10, is used to open/traverse/operate. Also, the release notes of 4.10, https://www.samba.org/samba/history/samba-4.10.4.html, do not mention gencache.tdb changes; I need to check on 4.10.
The content of attachment 15114 has been deleted
The content of attachment 15113 has been deleted