[Samba] Winbind & AD group membership caching

Kristoffer Knigga Kknigga at arrow-financial.com
Thu Sep 27 19:43:42 GMT 2007 

I've been playing with joining RHEL4 (CentOS) machines to a Win2k3
Active Directory.

I've got everything pretty well squared away, except that the linux box
never seems to see changes to users' group memberships.  For example, I
created a user, testuser, who initially just a member of Domain Users.
I logged into the linux box with testuser successfully and both 'id' and
'wbinfo' displayed correct information.  I then logged out and using AD
Users and Groups, I added testuser to a new global group, testgroup.

Logging back into the linux box as testuser, I checked both 'id' and
'wbinfo' and the new group membership is not reflected.  I understand
that by default winbind caches such things for 5 minutes, and since I
have not changed this value, I waited for at least 5 minutes and tried
again with the same results.  Just to be sure, I even let it sit over
night, but the new group membership still does not show up.

The reason this is important to me is because I've set up Domain Admins
in /etc/sudoers.  If a user is added to the Domain Admins group, or
removed for that matter, and this isn't reflected, that'd be bad.

Is there any way to even force the cache to clear?

smb.conf:
[global]
	workgroup = LINUXAUTHTEST
	realm = LINUXAUTHTEST.AD
	server string = Samba Server
	security = ADS
	password server = linuxauthtestdc.linuxauthtest.ad
	log file = /var/log/samba/%m.log
	max log size = 50
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	load printers = No
	printcap name = /etc/printcap
	preferred master = No
	local master = No
	domain master = No
	dns proxy = No
	idmap uid = 16777216-33554431
	idmap gid = 16777216-33554431
	template shell = /bin/bash
	winbind use default domain = Yes
	cups options = raw

krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = LINUXAUTHTEST.AD
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com:88
  admin_server = kerberos.example.com:749
  default_domain = example.com
 }

 LINUXAUTHTEST.AD = {
  kdc = linuxauthtestdc.linuxauthtest.ad:88
  admin_server = linuxauthtestdc.linuxauthtest.ad:749
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

uname -a
Linux LinuxTestVM 2.6.9-55.ELsmp #1 SMP Wed May 2 14:28:44 EDT 2007 i686
i686 i386 GNU/Linux

winbindd --version
Version 3.0.10-1.4E.12.2

Any insight would be appreciated.

Kris




___________________________________________
Kristoffer Knigga
Systems Administrator
Arrow Financial Services
kknigga at arrow-financial.com
847-324-7962

More information about the samba mailing list