Regarding netsamlogon_cache_get.
Hemanth Thummala
hemanth.thummala at nutanix.com
Thu Aug 25 03:25:39 UTC 2016
Hi All,
I see that the following code has been ifdef’ed from day one in netsamlogon_cache_get().
#if 0	/* The netsamlogon cache needs to hang around.  Something about
	   this feels wrong, but it is the only way we can get all of the
	   groups.  The old universal groups cache didn't expire either.
	   --jerry */
	{
		time_t now = time(NULL);
		uint32_t time_diff;

		/* is the entry expired? */
		time_diff = now - t;

		if ( (time_diff < 0 ) || (time_diff > lp_winbind_cache_time()) ) {
			DEBUG(10,("netsamlogon_cache_get: cache entry expired \n"));
			tdb_delete( netsamlogon_tdb, key );
			TALLOC_FREE( user );
		}
	}
#endif
Comments suggest that it is intentional and currently we are overwriting this cache on every successful login irrespective of expiry status.
We are actually using “wbinfo” group membership queries. If there are any group membership changes without the user getting logged in, we always get the stale information until the user logs in again.
In our use case, we can’t expect the users to be getting logged in after any membership changes. I have enabled this code and tested. It works fine and solves our purpose.
This looks like a safe change. But I would like to know if there are any known issues if we enable this part. Please let me know.
Thanks,
Hemanth.
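
Added example, not part of the original post and not Samba code: a minimal C model of the behaviour discussed above, showing a cached logon entry served stale when the expiry check is compiled out and dropped when it is enforced. The struct, the function names and the timestamps are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical entry; not the record layout of Samba's netsamlogon tdb. */
struct cached_logon {
    bool     valid;       /* false once the entry has been dropped */
    time_t   stored_at;   /* time of the logon that wrote the entry */
    unsigned num_groups;  /* group count captured at that logon */
};

/* Signed age check. In the quoted code the difference is stored in a
 * uint32_t, so its "time_diff < 0" test can never be true. */
static bool entry_expired(time_t now, time_t stored_at, int max_age)
{
    double age = difftime(now, stored_at);
    return age < 0 || age > (double)max_age;
}

/* Returns the entry, or NULL when expiry is enforced and the entry is too
 * old or timestamped in the future; the caller must then refresh it from
 * the authoritative source. */
static const struct cached_logon *cache_get(struct cached_logon *e, time_t now,
                                            int max_age, bool enforce_expiry)
{
    if (!e->valid)
        return NULL;
    if (enforce_expiry && entry_expired(now, e->stored_at, max_age)) {
        e->valid = false;  /* stands in for tdb_delete() + TALLOC_FREE() */
        return NULL;
    }
    return e;
}

int main(void)
{
    /* Constructed scenario: logon at t=1000, lookup 600 s later, 300 s limit. */
    struct cached_logon e = { true, (time_t)1000, 3 };
    time_t now = (time_t)1600;

    printf("expiry off: %s\n",
           cache_get(&e, now, 300, false) ? "stale entry served" : "miss");
    printf("expiry on:  %s\n",
           cache_get(&e, now, 300, true) ? "entry served" : "miss, re-query");
    return 0;
}
```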