[Samba] Expiry of entries in netsamlogon_cache.tdb

Volker Lendecke Volker.Lendecke at SerNet.DE
Wed Jun 11 14:21:58 MDT 2014

On Wed, Jun 11, 2014 at 10:38:01AM +0100, orlando.richards at ed.ac.uk wrote:
> I think we're suffering from bug 8641 at the moment:
>   https://bugzilla.samba.org/show_bug.cgi?id=8641
> where the netsamlogon_cache.tdb entries are not expiring.
> We use AD groups for our (redhat) server auth, and also use
> server-side group auth for NFS (with the --manage-gids flag). So if
> a user is not in a group on the server, they're denied access to
> files as per group permissions. However, winbind is using
> netsamlogon_cache.tdb to cache group memberships for a SID - and
> this does not seem to get refreshed when users are accessing via
> NFS. I'm not clear on under what circumstances it *is* refreshed -
> but I guess that access via NFS is not one of them.

You're right, we never delete stuff from the
netsamlogon_cache.tdb. We only update it with fresh
information, once we get hold of it via a successful login
of an AD-authenticated user. wbinfo -a and a kerberized SMB
login will do it.

> To work around the issue, I can edit the netsamlogon_cache.tdb
> manually with tdbtool, delete the entry for the user's SID, and it
> now refreshes. Obviously this is not optimal though!

The problem here is -- this refresh is unreliable at best.
In most trusted domain scenarios it does not work at all.
That's the reason why we never expire the netsamlogon_cache:
There is no way for us to refresh that information in any
other way than via a successful login by an AD user. Yes, in
some scenarios it does work, but in just as many scenarios
it will fail in subtle ways.

The only way to make this reliable is to kerberize the NFS
service and make the NFS clients members of AD, retrieving
tickets including a PAC. There are patches around somewhere
that do this for Ganesha. I haven't looked at the kernel NFS
services at all yet.

> Is there a way of forcing an expiry on netsamlogon_cache.tdb cache
> entries, or flushing the database? More usefully - is there a
> setting somewhere which will set automatic expiry of entries as per
> the winbind/idmap cache timeouts?

Well, tdbtool is certainly the interim tool. We could
provide a special net tool with some syntactic sugar, but
that would not do much else. I'm a bit reluctant to expire
this automatically, and if so, then with a really long timeout
such as a month or so.

With best regards,

Volker Lendecke

SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
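The tdbtool workaround quoted above, combined with the refresh caveat from the reply, wrapped in a small admin script. This is an added example, not code from the thread or from Samba; the cache path, the NUL-terminated SID key format and tdbtool's `\00` escape are assumptions noted in the comments.

```bash
#!/bin/sh
# Added example, not from the thread or from Samba: the tdbtool workaround
# quoted above, with the checks an admin would want around it.
# Assumed: the cache sits in Samba's cache directory (check with
# `smbd -b | grep CACHEDIR`), entries are keyed by the user's SID string
# stored NUL-terminated (the "keys" listing shows that NUL as a trailing
# "."), and wbinfo/tdbtool are on PATH.
CACHE_DB="${CACHE_DB:-/var/lib/samba/netsamlogon_cache.tdb}"

# Extract the SID from a `wbinfo -n` line such as
# "S-1-5-21-111-222-333-1104 SID_USER (1)" and check it is a domain
# account SID. Prints the SID; returns 1 for anything else (lookup errors,
# builtin SIDs like S-1-5-32-544).
sid_from_wbinfo_line() {
    sid=${1%% *}                       # first whitespace-separated field
    printf '%s\n' "$sid" | grep -Eq '^S-1-5-21(-[0-9]+){4}$' || return 1
    printf '%s\n' "$sid"
}

# Report the cache key for this SID, if any. A key line looks like
# "key 46 bytes: S-1-5-21-...-1104." so anchor on ": " and a non-digit after.
cache_has_sid() {
    tdbtool "$CACHE_DB" keys | grep -E -- ": ${1}([^0-9]|$)"
}

# Remove the cached logon for one user. As Volker notes, the entry is only
# rebuilt by a successful AD login (wbinfo -a, kerberized SMB login), so the
# refresh has to be triggered explicitly afterwards.
purge_cached_logon() {
    user="$1"
    sid=$(sid_from_wbinfo_line "$(wbinfo -n "$user")") || {
        echo "could not resolve '$user' to a domain user SID" >&2
        return 1
    }
    if ! cache_has_sid "$sid" >/dev/null; then
        echo "no netsamlogon_cache entry for $sid; nothing to do"
        return 0
    fi
    cp -p "$CACHE_DB" "$CACHE_DB.$(date +%Y%m%d%H%M%S).bak"   # keep a copy
    # "\00" is tdbtool's escape for the NUL that terminates the stored key
    tdbtool "$CACHE_DB" delete "${sid}\\00"
    echo "removed $sid; trigger a fresh AD login (e.g. wbinfo -a) to repopulate"
}

if [ $# -eq 1 ]; then
    purge_cached_logon "$1"
fi
```

Compare the key printed by `tdbtool "$CACHE_DB" keys` with the SID before deleting; a listing without the trailing "." means the key is not NUL-terminated and the `\00` escape must be dropped.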