[Samba] User's groups issue

Gerald (Jerry) Carter jerry at samba.org
Tue Aug 26 18:41:31 GMT 2008

Ephi Dror wrote:
> Hello again,
> I looked at the code and found out that really the 
> only way to have accurate group membership info is
> if one of the following functions is called:
> In winbindd_pam.c:
> 1. winbindd_dual_pam_auth()
> 2. winbindd_dual_pam_auth_crap()
> I would recommend to think about ways to call 
> netsamlogon_clear_cached_user() in other places to allow
> non-authentication pam functions such as "id" to work well.

The samlogon reply or PAC information is the only completely
accurate view of the user group membership.  Querying AD
is not always guaranteed to work.  So the samlogon cache
takes precedence.  As to an expiration time on the cache
entry, we have never agreed on how to do this without
potentially deleting information during a valid user session
since applications are not required to call pam_close_session().

Also, the concept of an SMB session becomes more difficult to
track in this case.

cheers, jerry