Regarding netsamlogon_cache_get.

Hemanth Thummala hemanth.thummala at nutanix.com
Thu Aug 25 18:42:31 UTC 2016


On 8/25/16, 11:05 AM, "Jeremy Allison" <jra at samba.org> wrote:

>On Thu, Aug 25, 2016 at 07:32:30AM +0200, Volker Lendecke wrote:
>> On Thu, Aug 25, 2016 at 03:25:39AM +0000, Hemanth Thummala wrote:
>> > Comments suggest that it is intentional and currently we are
>> > overwriting this cache on every successful login irrespective of
>> > expiry status.
>> > 
>> > We are actually using "wbinfo" group membership queries. If there
>> > are any group membership changes without the user getting logged in,
>> > we always get the stale information until the user logs in again.
>> > In our use case, we can’t expect the users to be getting logged in
>> > after any membership changes.  I have enabled this code and tested.
>> > It works fine and solves our purpose.
>> > 
>> > This looks like a safe change. But I would like to know if there are
>> > any known issues if we enable this part. Please let me know.
>> 
>> The only piece is -- we don't have good support in winbind to
>> correctly calculate group memberships of a user without the sam logon.
>> It's not only that we're lazy or so: We just can't. Group membership
>> calculations are a nightmare and more importantly require permissions
>> on the domain controllers that normal members don't have, so we can
>> not query DCs for the required info. Also, this breaks down fully with
>> trusts: Usually we can't even access the DC that hosts a user, only
>> the DCs we are member of can. So, because we can get it right only in
>> extremely limited circumstances for very specific and fragile use
>> cases, we did not put much effort into that so far.
>
>As Volker says, the only way to correctly get group memberships of a user
>is with the SAM logon.
>
>If this works in your use-case, then great ! But I don't think
>it will work in all cases.

Thanks Volker and Jeremy!
It currently works for us. But haven’t tested the trusted domain scenarios yet.
Will do more testing before considering this cache invalidation solution.

Thanks,
Hemanth.