Regarding netsamlogon_cache_get.

Volker Lendecke vl at samba.org
Thu Aug 25 05:32:30 UTC 2016


On Thu, Aug 25, 2016 at 03:25:39AM +0000, Hemanth Thummala wrote:
> Comments suggest that it is intentional and currently we are
> overwriting this cache on every successful login irrespective of
> expiry status.
> 
> We are actually using "wbinfo" group membership queries. If there
> are any group membership changes without the user getting logged in,
> we always get the stale information unless the user logs in again.
> In our use case, we can’t expect the users to be getting logged in
> after any membership changes.  I have enabled this code and tested.
> It works fine and solves our purpose.
> 
> This looks like a safe change. But I would like to know if there are
> any known issues if we enable this part. Please let me know.

The only piece is -- we don't have good support in winbind to
correctly calculate group memberships of a user without the sam logon.
It's not only that we're lazy or so: We just can't. Group membership
calculations are a nightmare and more importantly require permissions
on the domain controllers that normal members don't have, so we can
not query DCs for the required info. Also, this breaks down fully with
trusts: Usually we can't even access the DC that hosts a user, only
the DCs we are member of can. So, because we can get it right only in
extremely limited circumstances for very specific and fragile use
cases, we did not put much effort into that so far.

Volker
