[Samba] Expiry of entries in netsamlogon_cache.tdb

Volker Lendecke Volker.Lendecke at SerNet.DE
Thu Jun 12 09:24:12 MDT 2014

On Thu, Jun 12, 2014 at 03:14:32PM +0100, Orlando Richards wrote:
> Hmm - it *seems* to work okay for me to just issue an "id johndoe"
> command, and the correct user and group information is presented
> back at me - even if johndoe has never before been seen on my
> Linux/Samba server. This is querying the MS Active Directory.

Complex group memberships involving the whole bunch of AD
group types will probably give you problems eventually.

> What kind of failures would I see? As above - it *seems* to be
> working okay, but I may just be blind to the errors! I guess my fix
> of removing entries from the tdb (a more precise version of just
> deleting the tdb and restarting winbind - but the same presumably
> applies there) does rely on it being able to be repopulated
> afterwards (as prompted by my "id johndoe" example above).
> Similarly, the initial population from a clean install would be the
> same - unless a user actually authenticates directly against the
> server, should their group information be considered tainted? If so
> - in what ways?

Group membership information that winbind retrieves without
a user logging in should not be considered safe. There used
to be a quote by Keith Brown which I can't find right now,
saying that Windows group memberships are just ridiculously
complex these days and that you must rely on the login. The
case that will definitely fail is a user behind a one-way
trust. But even a user from your local domain can fail if AD
ACLs are locked down so that winbind's machine account is
not privileged to look up other users' membership
information. This can change with a single click in the AD
GPOs probably.

> I guess, other than pruning dead wood, there wouldn't be much
> advantage in doing that (from the point of view of my problem). If
> someone is added to or removed from a group, they'll want to see
> that take effect "soon". The difference between "a month later" and
> "never" is probably minimal.

There is no way that winbind can retrieve "johndoe"'s group
memberships without john doe logging in via Kerberos or
NTLM. There are just no APIs that Active Directory offers
reliably. In the past we tried S4U2self, but even that fails
in many scenarios. Sorry, there is not much Samba can do.
This is the Active Directory way of telling you "my way or
no way". If you have any insight from Microsoft that this
has changed in the last few years, we are more than happy to
listen, but so far we were dead in the water here. Believe
me, this is one of the biggest griefs we have, we really
tried many ways. But AD just does not allow you to do what
you request it to do.

With best regards,

Volker Lendecke

SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
