jra at samba.org
Thu Aug 25 18:05:37 UTC 2016
On Thu, Aug 25, 2016 at 07:32:30AM +0200, Volker Lendecke wrote:
> On Thu, Aug 25, 2016 at 03:25:39AM +0000, Hemanth Thummala wrote:
> > Comments suggest that it is intentional and currently we are
> > overwriting this cache on every successful login irrespective of
> > expiry status.
> > We are actually using "wbinfo" group membership queries. If there
> > are any group membership changes without the user getting logged in,
> > we always get the stale information unless the user logs in again.
> > In our use case, we can’t expect the users to be getting logged in
> > after any membership changes. I have enabled this code and tested.
> > It works fine and solves our purpose.
> > This looks like a safe change. But I would like to know if there are
> > any known issues if we enable this part. Please let me know.
> The only piece is -- we don't have good support in winbind to
> correctly calculate group memberships of a user without the sam logon.
> It's not only that we're lazy or so: We just can't. Group membership
> calculations are a nightmare and more importantly require permissions
> on the domain controllers that normal members don't have, so we can
> not query DCs for the required info. Also, this breaks down fully with
> trusts: Usually we can't even access the DC that hosts a user, only
> the DCs we are member of can. So, because we can get it right only in
> extremely limited circumstances for very specific and fragile use
> cases, we did not put much effort into that so far.
As Volker says, the only way to correctly get group memberships of a user
is with the SAM logon.
If this works in your use-case, then great! But I don't think
it will work in all cases.