[Samba] Expiry of entries in netsamlogon_cache.tdb

Wed Jun 11 03:38:01 MDT 2014

I think we're suffering from bug 8641 at the moment:
   https://bugzilla.samba.org/show_bug.cgi?id=8641
where the netsamlogon_cache.tdb entries are not expiring.

We use AD groups for our (redhat) server auth, and also use server-side group 
auth for NFS (with the --manage-gids flag). So if a user is not in a group on 
the server, they're denied access to files as per group permissions. However, 
winbind is using netsamlogon_cache.tdb to cache group memberships for a SID - 
and this does not seem to get refreshed when users are accessing via NFS. I'm 
not clear on under what circumstances it *is* refreshed - but I guess that 
access via NFS is not one of them.

To work around the issue, I can edit the netsamlogon_cache.tdb manually with 
tdbtool, delete the entry for the user's SID, and it now refreshes. Obviously 
this is not optimal though!

On digging around, I found bug 3014 from back in samba 3.0 days, where 
netsamlogon_cache.tdb was completely removed:
  https://bugzilla.samba.org/show_bug.cgi?id=3014
but I guess it's come back in at some point.

The windbind cache time settings don't seem to affect the expiry of 
netsamlogon_cache.tdb entries - my settings are:

 	idmap cache time = 300
 	idmap negative cache time = 120
 	winbind cache time = 300

Is there a way of forcing an expiry on netsamlogon_cache.tdb cache entries, or 
flushing the database? More usefully - is there a setting somewhere which will 
set automatic expiry of entries as per the winbind/idmap cache timeouts?

-- 
             --
    Dr Orlando Richards
   Information Services
IT Infrastructure Division
        Unix Section
     Tel: 0131 650 4994
   skype: orlando.richards

The University of Edinburgh is a charitable body, registered in Scotland, with 
registration number SC005336.