I am testing an Ubuntu 16.04.01 64-bit Samba server with Centrify Express for Windows AD integration.
Here are my package versions:
Centrify Express - 5.3.1
Adbindproxy - 5.3.0
Samba - 4.3.11-Ubuntu
I have Centrify configured to work with SSH, Sudo, and Samba. I have tested caching with SSH and Sudo by disconnecting the main network from my testing switch and they are working as expected. However, I cannot connect to the Samba server shares from my laptop using the UNC path to the server (\\xxx.xxx.xxx.xxx) after disconnecting the test switch from the main network. Windows Explorer will attempt to connect to the server for ~3 minutes and then return that the server is unavailable.
Is this working as designed? I was under the impression that I should be able to authenticate to the Samba shares using the cached credentials.
Below is my smb.config file:
#
# This file was generated by Centrify ADBindProxy Utility
#
[global]
security = ADS
realm = MY.FDQN
workgroup = MY
netbios name = bly1
auth methods = guest, sam, winbind, ntdomain
machine password timeout = 0
passdb backend = tdbsam:/var/lib/samba/private/passdb.tdb
#
# Samba versions 3.4.0 and newer have replaced "use kerberos keytab"
# with "kerberos method". The directive "kerberos method = secrets and keytab"
# enables Samba to honor service tickets that are still valid but were
# created before the Samba server's password was changed.
#
kerberos method = secrets and keytab
#
# Setting "client use spnego principal" to true instructs SMB client to
# trust the service principal name returned by the SMB server. Otherwise,
# client cannot be authenticated via Kerberos by the server in a different
# domain even though the two domains are mutually trusted.
#
# client use spnego principal = true
#
# Setting send spnego principal to yes .
# Otherwise, it will not send this principal between Samba and Windows 2008
#
# send spnego principal = Yes
# If your Samba server only serves to Windows systems, try server signing = mandatory.
server signing = mandatory
client ntlmv2 auth = yes
client use spnego = yes
template shell = /bin/bash
winbind use default domain = Yes
winbind enum users = No
winbind enum groups = No
winbind nested groups = Yes
idmap cache time = 0
# ignore syssetgroups error = No
idmap config * : backend = tdb
idmap config * : range = 1000 - 200000000
idmap config * : base_tdb = 0
enable core files = false
# Disable Logging to syslog, and only write log to Samba standard log files.
#syslog = 0
[homes]
comment = Home directories
read only = No
browseable = No
[data]
create mode = 770
valid users = @my_windows_user_group
directory mode = 770
force directory mode = 770
force create mode = 770
writeable = yes
write list = @my_windows_user_group
path = /home/data
Any help is appreciated.