[Samba] Winbind caching group membership issue

Miles, Noal noal.miles at tdstelecom.com
Tue Jan 16 16:47:30 GMT 2007

After additional newsgroup trolling it appears that the 

"require_membership_of=[SID or NAME]"

option to pam_winbind.so is the appropriate method for controlling ADS
login by group.  Unfortunately Red Hat's rpm man page for pam_winbind
stated "pam_winbind does not support any additional options" which is
obviously not correct.  This was probably correct for the initial 3.x

So....on a RHEL4_U4 box I did the following:
Created /etc/pam.d/auth-winbind with:
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass require_membership_of=NameOfGroup1
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass require_membership_of=NameOfGroup2

Edited /etc/pam.d/system-auth to include:
auth        sufficient    /lib/security/$ISA/pam_stack.so

After a user attempts to logon (pass or fail) their group info is
updated so "groups username" and "wbinfo -r username" show the correct
info....These 2 commands appear to only be updated after a logon
attempt.  Getent will display correct info after winbind cache time

So...logins are fast and accurate, problem solved.  It is clear
pam_listfile.so is not appropriate to use in the manner I had been
Hope this helps.

-----Original Message-----
From: samba-bounces+noal.miles=tdstelecom.com at lists.samba.org
[mailto:samba-bounces+noal.miles=tdstelecom.com at lists.samba.org] On
Behalf Of Miles, Noal
Sent: Friday, December 01, 2006 2:28 PM
To: samba at lists.samba.org
Subject: [Samba] Winbind caching group membership issue

Hi All,

I am using samba-common-3.0.10-1.4E.9 on a RHEL4_U4 x86 machine.  The
ADS server is WS03 sp1 running in Windows Server 2003 interim mode.  In
general things are working well.  However, when winbind caching is
enabled (default), group membership does not appear to update, i.e.
"wbinfo -r bob" and "groups bob" don't reflect changes in ADS group
membership.  "getent group groupname" does show the correct info on the
second query.  Always takes 2 queries regardless of elapsed time.  With
winbind caching off, each command returns correctly the first time
(though slowly).

Using tcpdump with winbind caching enabled, I can "see" the ADS domain
controller being queried when winbind cache time expires when each
command is executed.  However, the "wbinfo" and "groups" results are not
updated no matter the amount of elapsed time.  It should be noted that
if I stop winbind and delete *.tdb then restart, updated info is
returned by "wbinfo" and "groups" but again, next changes will not be

Why do I care?  I am trying to use pam_listfile.so to control what ADS
accounts can log on to the box (by group membership).  Pam_listfile is
not "seeing" updated group membership when winbind caching is enabled.
Somewhat ironically pam_winbind.so "sees" things correctly I suppose
because it never consults the cache.

What am I missing?  Thanks for the help,

Some potentially relevant settings from smb.conf include:
   idmap backend = idmap_rid:APP=17000000-40000000
   winbind enum users = yes
   winbind enum groups = yes
   idmap uid = 17000000-40000000
   idmap gid = 17000000-40000000
   winbind use default domain = yes
   winbind cache time = 30
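A small audit of the two PAM files discussed in this thread, added here as an example (not code from the thread or from Samba): it parses pam.d lines, joining backslash continuations, and flags pam_listfile group gating (which reads the winbind-cached group list) as well as pam_winbind lines that lack require_membership_of. The sample file contents are constructed from the poster's configuration; the pam_stack service argument and the pam_listfile options are assumptions.

```python
# Constructed sample of the poster's auth-winbind file; the first entry is
# written with a backslash continuation, which Linux-PAM accepts.
AUTH_WINBIND = """\
auth        sufficient    /lib/security/$ISA/pam_winbind.so \\
            use_first_pass require_membership_of=NameOfGroup1
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass require_membership_of=NameOfGroup2
"""

# Constructed sample of a system-auth that still gates on pam_listfile
# (the approach the poster abandoned); the pam_listfile options and the
# pam_stack service name are assumptions for illustration.
SYSTEM_AUTH = """\
# group gating through pam_listfile reads the cached group list
auth        required      /lib/security/$ISA/pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.groups
auth        sufficient    /lib/security/$ISA/pam_stack.so service=auth-winbind
"""


def parse_pam(text):
    """Return (type, control, module, options) tuples for a pam.d file.
    Comments are dropped and lines ending in a backslash are joined."""
    entries = []
    logical = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            logical += line[:-1] + " "
            continue
        logical += line
        fields = logical.split()
        logical = ""
        if len(fields) >= 3:
            module = fields[2].rsplit("/", 1)[-1]  # strip the $ISA path
            entries.append((fields[0], fields[1], module, fields[3:]))
    return entries


def audit(text):
    """Flag cache-dependent group gating and pam_winbind lines with no group restriction."""
    findings = []
    for _ptype, _control, module, opts in parse_pam(text):
        if module == "pam_listfile.so" and "item=group" in opts:
            findings.append("pam_listfile gates on group membership; winbind cache may be stale")
        if module == "pam_winbind.so" and not any(o.startswith("require_membership_of=") for o in opts):
            findings.append("pam_winbind.so line without require_membership_of")
    return findings
```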