Regarding retrieving user group membership using wbinfo.

Volker Lendecke Volker.Lendecke at SerNet.DE
Thu Jun 5 08:14:33 MDT 2014

On Thu, Jun 05, 2014 at 06:43:59AM -0700, Richard Sharpe wrote:
> On Thu, Jun 5, 2014 at 3:41 AM, Hemanth Thummala
> <hemanth.thummala at> wrote:
> > Hi,
> >
> > We are experiencing a strange problem with one of our customer setups
> > relating to user group memberships. Customer has multi-site AD setup in
> > which our boxes are deployed in multiple sites.
> > In one particular site, we are seeing a difference in group membership
> > details for a user (wbinfo -r <user>). We are able to retrieve only a few
> > groups, fewer than expected, whereas in other sites we get the correct results.
> A vital piece of info is that this is Samba 3.6.12+ you are talking
> about. The same problem might not exist in the latest sources.
> > Initially we thought it's an AD replication problem, but even after
> > forcing (by blocking the traffic to the site-local DC) our boxes to contact the PDC
> > it did not help.
> >
> > Then I have removed the cache entries for this user from both
> > winbindd_cache.tdb and netsamlogon_cache.tdb. Then it started showing the
> > correct entries. But after 5 to 6 hours this problem reappears. After
> > cleaning up cache entries in both tdb files, problem will go away.
> >
> > From the code walk-through and debug level logs this is what I understood.
> > 1. Winbindd receives request GETGROUPS from the client.
> > 2. Initially it will look up winbindd_cache.tdb and see if there is a
> > "UG/sid" entry for the user. It will return the information in the cache if the
> > entry is not expired (I think the expiry time is 5 mins).
> > 3. If the entry in winbindd_cache.tdb is expired, then lookup_usergroups()
> > request will be made.
> > 4. Before contacting the DC to fetch the groups, it will search for the user
> > SID in netsamlogon_cache.tdb. If the entry is found, that information will
> > be returned.
> > 5. If the entry is not found in netsamlogon_cache.tdb, then a DCE-RPC request
> > will be made using cached Kerberos credentials.
> >
> > I came to know that there is no expiry time for the cached entries in
> > netsamlogon_cache.tdb. I have seen the expiry time calculation is commented
> > out in netsamlogon_cache_get().
> >
> > But I am not really sure why the cache entry in netsamlogon_cache.tdb is
> > updated with wrong data, due to which the problem is reappearing.

If all goes well then the netsamlogon_cache is only written
after a successful login. This can happen when a client
authenticates via netlogon or presents a valid kerberos
ticket with a PAC. In the bad case, can you find out where
the bad information comes from? Is it really the netsamlogon
cache that is faulty?

With best regards,

Volker Lendecke

SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen, mailto:kontakt at
