Sorry for the delayed response on this post and thank you very much for providing the information.
As far as Centrify goes, you should be able to authenticate to the server with cached credentials (this has been verified by your testing).
Now let's discuss the Samba use case. It's very important to understand that since retiring Centrify-enhanced Samba, the integration that we provide is for the Identity Mapper (adbindproxy) which provides stock Samba UNIX identity resolution for AD users and groups.
This means that Samba can make any NSS call (e.g. getuserbyname, getuserbyuid, etc) and adbindproxy will respond with the appropriate information depending on the Centrify mode of operation (workstation/express = auto zone mode or standard/enterprise = zone mode). Auto zone mode generates the UNIX identity at the agent level, vs. Zone mode stores the information in AD using different schemes based on the design (Centrify Standard, MS SFU, RFC 2307, etc).
In case of Active Directory connectivity failure, samba can rely on adbindproxy to return UNIX identity from the cache.
I hope that explains the extent of the caching capabilities that we provide. Caching of network shares depends on the type of failure and session.
- If there's no AD connectivity and you want to estabish a new session to a share, you can't get a service ticket. That is just how Kerberos works.
- If there's no AD connectivity and you already had a service ticket, you should be able to access the share in case of a failure during the duration of the service ticket defined on the Kerberos policy in AD.
I hope this helps clarify.
R.P