[Samba] WINBIND on a VERY LARGE FOREST

tita.boba at libero.it tita.boba at libero.it
Fri Jul 28 16:09:40 GMT 2006


Hi all!
I'm trying to set up a Linux Samba server as a domain member of a SINGLE FOREST MULTI DOMAINS.
The forest is 2 servers acting as a global catalog.
Other domains are child domains with implicit trust with the forest. I set up a Linux server with Samba as a domain member to work with Squid, authenticating users and verifying users' group membership. I need to allow access to Squid only to some users in different groups.
So I set up Samba with winbind, ads and Kerberos support.
I configured /etc/krb5.conf correctly to permit Samba to join and query the GC with net ads join. I configured Samba and winbind correctly, all OK.
Now I need to use wbinfo_group.pl to verify users' groups.
But before that I tested the configuration with wbinfo -r DOMAIN\\user. If I search for a user on the GC domain, the domain Samba joined directly, I can see all groups belonging to a user correctly. If I add and remove users from AD, I need to wait 5 seconds (I set winbind cache = 5 second) to see the change with wbinfo -r.
Now the problem. If I search for groups in a child domain, winbind shows them to me correctly. If I add or remove a group, winbind does not show me the change for many hours!
I tried to restart Samba and winbind, but nothing.
I disjoined and rejoined, but nothing. Tracing the connections, I see that winbind contacts the global catalog and the domain the query is for, but I think there is a strange cache that does not permit me to see the changes with winbind. I tried many configurations: I tried to disable the GC on the Windows forest, I tried to join a single domain, I tried to do an explicit two-way trust, but nothing!!! Please, can someone help me identify the problem and resolve it? It's important to understand that I have no problem authenticating users wherever they are; the problem is only this strange cache that the GC gives to WINBIND. No universal group cache is enabled on the forest! Many thanks to all!


