[Samba] 10 minutes between primary group change and effect on Fedora 27

L.P.H. van Belle belle at bazuin.nl
Tue Mar 27 15:02:47 UTC 2018


Hai, 

Checked and confirmed also on Debian stretch with samba 4.7.6.

Even restarting winbind does not help. 
A net cache flush likewise did not work. 

A reboot, as a test, did help here. 

I suggest increasing the debug level and reporting a bug?


Greetz, 

Louis

 

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Jeff 
> Sadowski via samba
> Sent: Tuesday 27 March 2018 16:46
> To: samba
> Subject: [Samba] 10 minutes between primary group change 
> and effect on Fedora 27
> 
> My smb.conf looks like so.
> 
> [global]
>    security = ads
>    realm = MIND.UNM.EDU
>    workgroup = MIND
>    idmap config * : backend = tdb
>    idmap config * : range = 2000-7999
>    idmap config MIND:backend = ad
>    idmap config MIND:schema_mode = rfc2307
>    idmap config MIND:range = 8000-9999999
>    idmap config MIND:unix_nss_info = yes
>    winbind use default domain = yes
>    restrict anonymous = 2
> 
> I have a user jefftest.
> 
> I found that to set the primary group that user needs to be 
> in that group.
> 
> If I set the group of jefftest to a new group (both in the UNIX
> attributes tab and in the Member Of tab) using Active Directory Users
> and Computers,
> then test the user using ldapsearch against each domain controller,
> they all have the new values according to ldapsearch in gidNumber.
> 
> Then I log in with jefftest on my joined Fedora 27 machine using
> winbind 4.7.6 as jefftest and run id.
> It still shows the old group.
> So I log out as jefftest and in as root and run
> 
> net cache flush
> 
> and try to log in again as jefftest and it still shows the old gid
> number when running id.
> After about 10 minutes it seems to work but that is a bit of time.
> 
> Is there a way to speed this up?
> 
> I think my ldapsearch using the URI of each domain controller shows
> that each domain controller has the new value. Is that an incorrect
> assumption?
> 
> I'm using the following ldapsearch arguments
> 
> (to check dc1)
> ldapsearch -H ldap://dc1.mind.unm.edu.:389 -U jsadowski -Q -LLL \
> -b dc=mind,dc=unm,dc=edu -o ldif-wrap=no \
> "(sAMAccountName=jefftest)" gidNumber
> 
> (to check dc2)
> ldapsearch -H ldap://dc2.mind.unm.edu.:389 -U jsadowski -Q -LLL \
> -b dc=mind,dc=unm,dc=edu -o ldif-wrap=no \
> "(sAMAccountName=jefftest)" gidNumber
> 
> "net cache flush" doesn't seem to be working.
> 