
Say I have a Windows laptop which has been connected to a domain. The domain has a Samba server as a PDC.

Now say that I move the laptop outside of the network (the network is completely inaccessible). Will I be able to logon into accounts I have accessed before on the laptop (through GINA)?

Update: Looking at the smb.conf documentation I noticed the setting winbind offline logon: "This parameter is designed to control whether Winbind should allow to login with the pam_winbind module using Cached Credentials. If enabled, winbindd will store user credentials from successful logins encrypted in a local cache." To me it looks like this solves the issue, but can anyone else confirm it and/or point out if any additional values need to be set?

  • Well it's a random guess, maybe you check the configuration of Samba authentication if by any chance it doesn't have offline authentication enabled. Maybe you can either reconfigure it or enable it somewhere in the menu. Without support it won't work for sure. – Andrew Smith Jun 30 '12 at 17:11

1 Answer


If you have a Windows laptop which is a domain member, using winbind offline logon would not influence its ability to perform cached-credential logons, as Winbind is caching the credentials for your Samba installation, not for its clients.

Cached Credentials is a domain client feature available in Windows 2000 and newer. It works with Active Directory DCs as well as NT4-style DCs (Samba). From Microsoft KB 913485:

By default, the operating system caches the verifier for each unique user's ten most recent valid logons. This value can be set to any value between 0 and 50. For more information, click the following article number to view the article in the Microsoft Knowledge Base: 172931 Cached domain logon information

Your clients would need to have HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount (REG_SZ) unset or set to a value greater than zero to benefit from this feature.

Keep in mind though that caching credentials (actually Windows is not caching credentials but salted one-way hashes of the credentials) on machines where you do not have any means to guarantee physical security might represent a security risk - the hashes are offline crackable by brute force or dictionary attacks.

the-wabbit
  • Thanks for the answer! Is it true that the MD4 hash of the credentials is stored? If so, would you happen to know why Microsoft still uses this specific hash function instead of, say, the SHA-2 family? – Aimé Barteaux Jun 30 '12 at 20:24
  • @AiméBarteaux Until Windows XP / Server 2003 it has been an MD4 hash of an MD4 hash of the username/password/salt combination. I believe the data has moved to the Windows Vault / Credential Manager adding another encryption layer starting with Windows 7, although I cannot find an authoritative reference for it aside from http://technet.microsoft.com/en-us/library/hh994565(v=ws.10) which is lacking detail. – the-wabbit Jul 01 '12 at 08:41
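The answer above says a client will only allow offline domain logons when CachedLogonsCount is unset or greater than zero. The following PowerShell audit, added here as an example and not part of the original answer, reads that value and reports what it means for the host; the function name, the output fields and the optional hive path parameter are my own choices (the parameter lets the same check run against a loaded offline SYSTEM hive during forensics).

```powershell
# Added example (not from the original post): audit whether a domain-joined
# Windows client will allow cached (offline) domain logons, based on the
# CachedLogonsCount value discussed in the answer. Run as an account that can
# read HKLM. Function and field names are assumptions for this example.

function Get-CachedLogonPolicy {
    [CmdletBinding()]
    param(
        # Key from the answer (KB 913485 / KB 172931). Parameterised so it can be
        # pointed at a loaded offline hive, e.g. 'HKLM:\OfflineSYSTEM\...\Winlogon'.
        [string]$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )

    # CachedLogonsCount is a REG_SZ holding a number; if it is absent, Windows
    # falls back to its documented default of 10 cached logons.
    $item = Get-ItemProperty -Path $WinlogonKey -Name 'CachedLogonsCount' -ErrorAction SilentlyContinue
    $raw  = if ($null -ne $item) { $item.CachedLogonsCount } else { $null }

    $count = $null
    if ($null -eq $raw) {
        $count  = 10
        $source = 'default (value not present)'
    } elseif ("$raw" -match '^\d+$') {
        $count  = [int]$raw
        $source = "registry ($WinlogonKey)"
    } else {
        $source = "unparseable value '$raw' (treat as misconfiguration)"
    }

    $offline = if ($null -ne $count) { $count -gt 0 } else { $null }

    # Each cached entry is an offline-crackable verifier (see the answer), so a
    # non-zero count on a laptop is a physical-theft exposure worth tracking.
    $note = if ($offline -eq $true) {
        "up to $count domain logon verifiers may persist on this host"
    } elseif ($offline -eq $false) {
        'no domain logon verifiers are cached; offline domain logon will fail'
    } else {
        'could not determine cached logon policy'
    }

    [pscustomobject]@{
        CachedLogonsCount    = $count
        Source               = $source
        OfflineLogonPossible = $offline
        OutsideDocumentedRange = ($null -ne $count -and $count -gt 50)
        Note                 = $note
    }
}

Get-CachedLogonPolicy | Format-List
```

The same value is what the "Interactive logon: Number of previous logons to cache" security policy writes, so a domain GPO can override whatever a local administrator sets here.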