[Samba] Winbind caching group membership issue

Miles, Noal noal.miles at tdstelecom.com
Mon Jan 15 20:43:40 GMT 2007


Hi All,

I am using samba-common-3.0.10-1.4E.9 on a RHEL4_U4 x86 machine.  The
ADS server is WS03 sp1 running in Windows Server 2003 interim mode.  In
general things are working well.  However, when winbind caching is
enabled (default), group membership does not appear to update, i.e.
"wbinfo -r bob" and "groups bob" don't reflect changes in ADS group
membership.  "getent group groupname" does show the correct info on the
second query.  Always takes 2 queries regardless of elapsed time.  With
winbind caching off, each command returns correctly the first time
(though slowly).

Using tcpdump with winbind caching enabled, I can "see" the ADS domain
controller being queried when winbind cache time expires when each
command is executed.  However, the "wbinfo" and "groups" results are not
updated no matter the amount of elapsed time.  It should be noted that
if I stop winbind and delete *.tdb then restart, updated info is
returned by "wbinfo" and "groups" but again, next changes will not be
reflected.

Why do I care?  I am trying to use pam_listfile.so to control what ADS
accounts can log on to the box (by group membership).  Pam_listfile is
not "seeing" updated group membership when winbind caching is enabled.
Somewhat ironically, pam_winbind.so "sees" things correctly, I suppose
because it never consults the cache.

What am I missing?  Thanks for the help,
Noal

Some potentially relevant settings from smb.conf include:
   idmap backend = idmap_rid:APP=17000000-40000000
   winbind enum users = yes
   winbind enum groups = yes
   idmap uid = 17000000-40000000
   idmap gid = 17000000-40000000
   winbind use default domain = yes
   winbind cache time = 30

