[Samba] Expiry of entries in netsamlogon_cache.tdb
orlando.richards at ed.ac.uk
Wed Jun 11 03:38:01 MDT 2014
I think we're suffering from bug 8641 at the moment:
https://bugzilla.samba.org/show_bug.cgi?id=8641
where the netsamlogon_cache.tdb entries are not expiring.
We use AD groups for our (redhat) server auth, and also use server-side group
auth for NFS (with the --manage-gids flag). So if a user is not in a group on
the server, they're denied access to files as per group permissions. However,
winbind is using netsamlogon_cache.tdb to cache group memberships for a SID -
and this does not seem to get refreshed when users are accessing via NFS. I'm
not clear on under what circumstances it *is* refreshed - but I guess that
access via NFS is not one of them.
To work around the issue, I can edit the netsamlogon_cache.tdb manually with
tdbtool, delete the entry for the user's SID, and it now refreshes. Obviously
this is not optimal though!
On digging around, I found bug 3014 from back in samba 3.0 days, where
netsamlogon_cache.tdb was completely removed:
https://bugzilla.samba.org/show_bug.cgi?id=3014
but I guess it's come back in at some point.
The winbind cache time settings don't seem to affect the expiry of
netsamlogon_cache.tdb entries - my settings are:
idmap cache time = 300
idmap negative cache time = 120
winbind cache time = 300
Is there a way of forcing an expiry on netsamlogon_cache.tdb cache entries, or
flushing the database? More usefully - is there a setting somewhere which will
set automatic expiry of entries as per the winbind/idmap cache timeouts?
--
Dr Orlando Richards
Information Services
IT Infrastructure Division
Unix Section
Tel: 0131 650 4994
skype: orlando.richards
The University of Edinburgh is a charitable body, registered in Scotland, with
registration number SC005336.
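The manual workaround in the post (deleting the user's SID record from netsamlogon_cache.tdb so winbind has to refresh it) scripted as an added example. This is not Samba's code and not the poster's; it assumes the cache lives at /var/lib/samba/netsamlogon_cache.tdb (Samba's "lock directory", which varies by build), that each record is keyed by the user's SID string as stored by tdb_store_bystring() (so with a trailing NUL byte), and that Samba's python `tdb` binding is installed for the actual delete. The sample keys are constructed. The helpers match the SID exactly rather than by prefix, so flushing one user never removes another user's record, and the delete runs inside a tdb transaction.

```python
"""Flush one user's record from winbind's netsamlogon_cache.tdb.

Added illustration of the tdbtool workaround from the mailing-list post;
not Samba's code. Assumptions (not stated in the post):
  * cache path /var/lib/samba/netsamlogon_cache.tdb (Samba's lock directory),
  * records are keyed by the SID string, NUL-terminated (tdb_store_bystring),
  * Samba's python 'tdb' binding is available for the write path.
"""
import os
import re

CACHE_PATH = "/var/lib/samba/netsamlogon_cache.tdb"  # assumed location

# Windows SID syntax: S-1-<identifier authority>-<sub-authority>[-<sub-authority>...]
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# Constructed sample of what the cache's keys might look like (not real data).
SAMPLE_KEYS = [
    b"S-1-5-21-1234567890-1234567890-1234567890-1105\x00",
    b"S-1-5-21-1234567890-1234567890-1234567890-1106\x00",
    b"OTHER\x00",
]


def normalize_key(raw):
    """Decode a raw tdb key, dropping the trailing NUL that
    tdb_store_bystring() appends, so it compares equal to a SID string."""
    return raw.rstrip(b"\x00").decode("ascii", errors="replace")


def is_sid(text):
    """True if `text` is syntactically a SID (authority plus >= 1 sub-authority)."""
    return bool(SID_RE.match(text))


def select_keys(keys, sid):
    """Return the raw keys whose decoded form equals `sid` (case-insensitive,
    exact match only: a SID must never match another SID that merely starts
    with the same domain prefix)."""
    wanted = sid.strip().upper()
    return [k for k in keys if normalize_key(k).upper() == wanted]


def summarize_cache(keys):
    """Split raw keys into SID records and anything else, for inspecting
    what the cache holds before touching it."""
    sids, other = [], []
    for k in keys:
        text = normalize_key(k)
        (sids if is_sid(text) else other).append(text)
    return {"sids": sorted(sids), "other": sorted(other)}


def flush_sid(sid, path=CACHE_PATH):
    """Delete the cache record(s) for `sid` inside a tdb transaction and
    return how many were removed. Needs write access to the file; winbind
    repopulates the entry at the user's next authenticated logon."""
    import tdb  # Samba's pytdb, imported lazily so the pure helpers run anywhere
    db = tdb.open(path, 0, tdb.DEFAULT, os.O_RDWR)
    try:
        victims = select_keys(list(db), sid)  # collect first, then delete
        db.transaction_start()
        for key in victims:
            db.delete(key)
        db.transaction_commit()
    finally:
        db.close()
    return len(victims)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2 or not is_sid(sys.argv[1]):
        sys.exit("usage: flush_netsamlogon.py S-1-5-21-<domain>-<RID>")
    print("removed", flush_sid(sys.argv[1]), "record(s)")
```

Run it as root with the user's SID (from `wbinfo -n DOMAIN\\user`) after confirming the path with `smbd -b | grep LOCKDIR`; `summarize_cache(SAMPLE_KEYS)` shows what the exact-match filter sees before anything is deleted.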