[Samba] Expiry of entries in netsamlogon_cache.tdb

Orlando Richards orlando.richards at ed.ac.uk
Fri Jun 13 15:32:15 MDT 2014

On 12/06/14 15:24, Volker Lendecke wrote:
> On Thu, Jun 12, 2014 at 03:14:32PM +0100, Orlando Richards wrote:
>> Hmm - it *seems* to work okay for me to just issue an "id johndoe"
>> command, and the correct user and group information is presented
>> back at me - even if johndoe has never before been seen on my
>> Linux/Samba server. This is querying the MS Active Directory.
> Complex group memberships involving the whole bunch of AD
> group types will probably give you problems eventually.
>> What kind of failures would I see? As above - it *seems* to be
>> working okay, but I may just be blind to the errors! I guess my fix
>> of removing entries from the tdb (a more precise version of just
>> deleting the tdb and restarting winbind - but the same presumably
>> applies there) does rely on it being able to be repopulated
>> afterwards (as prompted by my "id johndoe" example above).
>> Similarly, the initial population from a clean install would be the
>> same - unless a user actually authenticates directly against the
>> server, should their group information be considered tainted? If so
>> - in what ways?
> Group membership information that winbind retrieves without
> a user logging in should not be considered safe. There used
> to be a quote by Keith Brown which I can't find right now,
> saying that Windows group memberships are just ridiculously
> complex these days and that you must rely on the login. The
> case that will definitely fail is a user behind a one-way
> trust. But even a user from your local domain can fail if AD
> ACLs are locked down so that winbind's machine account is
> not privileged to look up other users' membership
> information. This can change with a single click in the AD
> GPOs probably.

Ahh - I think I see. We've "got lucky" so far possibly because our group 
memberships/permissions/etc we've been looking at are "simple" enough to 
not immediately break, but we can have no confidence that this will 
always be the case. In my more bullish moods, I won't mind telling our 
users that they should stop using complicated / convoluted setups ;)

>> I guess, other than pruning dead wood, there wouldn't be much
>> advantage in doing that (from the point of view of my problem). If
>> someone is added to or removed from a group, they'll want to see
>> that take effect "soon". The difference between "a month later" and
>> "never" is probably minimal.
> There is no way that winbind can retrieve "johndoe"'s group
> memberships without johndoe logging in via Kerberos or
> NTLM. There are just no APIs that Active Directory offers
> reliably.

But it *does* happen now for me. Is it just that my computer account in 
the AD is lucky enough to have sufficient privileges/permissions to look 
them up in our AD tree? To describe my case - we join our machine to the 
AD domain, I type in "id johndoe", and it returns a list of attributes 
about johndoe, including a (correct) bunch of group memberships, and uid 
(though this is from our own idmap processes). This is without johndoe 
ever having connected to my Samba server.

> In the past we tried S4U2self, but even that fails
> in many scenarios. Sorry, there is not much Samba can do.
> This is the Active Directory way of telling you "my way or
> no way".

A familiar song in many environments I fear...

> If you have any insight from Microsoft that this
> has changed in the last few years, we are more than happy to
> listen,

No such luck I'm afraid! :)

> but so far we were dead in the water here. Believe
> me, this is one of the biggest griefs we have, we really
> tried many ways. But AD just does not allow you to do what
> you request it to do.

Perhaps I'm just fooling myself - but it *seems* to work (apart from the 
expiry issue that started me down this rabbit hole). If nothing else - 
you should celebrate that! And maybe market it as a feature ("Samba can 
make Active Directory behave in a seemingly sane way!!") ;)

Thanks again, Volker,