[Samba] New group membership not taken into account on member servers

Hans-Kristian Bakke hkbakke at gmail.com
Sun Oct 5 11:30:41 MDT 2014

I am testing the AD-configured SSSD as a replacement for winbind with
the SSSD-version currently in Debian Jessie now, mainly because of
this issue which gets annoying when you have many groups to implement
finely grained resource access control mechanisms. Currently I have no
issues for my usage which is acting as domain members in a Windows
Server 2012 R2 based domain with kerberized SSO for SSH, sudo based on
domain groups and using domain groups for Samba4 and SSH access
control. Unless I notice some showstopper issues in my ongoing testing
I will switch from winbind to SSSD when I upgrade our systems to
jessie at work. The migration needs to be planned a bit though, as I
want to use the UID and GID native to SSSD instead of the RID-based
ones I needed for winbind, so some scripting will be needed.

For Debian Jessie I have some minimal documentation for setup here, if
you want to test it out:

On 5 October 2014 19:07, Sébastien Le Ray <sebastien-samba at orniz.org> wrote:
> Where can I send you beer?
> Is this some "known issue"? I'll try to see on #samba-technical if some
> samba dev is interested in it. It seems that the netsamlogon_cache gets in
> some state where it is not updated anymore. But maybe I'm missing something
> on my side.
> Is sssd more reliable since it relies on LDAP only and not AD internals?
> Regards
> On 05/10/2014 16:56, Hans-Kristian Bakke wrote:
>> When I get issues like that (membership correctly displayed with
>> getent group, but not in groups <user>), I usually have to delete the
>> netsamlogon_cache.tdb (I could just delete the user in question to
>> force refresh to avoid restarting winbind, but that is more of a
>> hassle)
>> service winbind stop
>> rm /var/cache/samba/netsamlogon_cache.tdb
>> service winbind start
>> It doesn't really help to log in again to refresh the user's group
>> membership. It seems to be stuck, even for days, until I do this.
>> Hans-Kristian

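An added example, not from anyone in this thread: a small POSIX shell script that spots the symptom described above (a group lists the user in `getent group`, but `id -G` for that user does not include that group's GID) and, only when a mismatch is found, applies the same refresh the quoted message describes. The group listing and GIDs in the sample are constructed; on a real member server the user name must appear exactly as winbind prints it in the member field (with the domain prefix if your `winbind separator` setup adds one), and the refresh step needs root.

```shell
#!/bin/sh
# Added example. Compares winbind's view of group membership from two
# angles: the member field of `getent group` versus the GIDs `id -G` reports.

# missing_groups USER GETENT_OUTPUT ID_G_OUTPUT
# Prints "name:gid" for every group in the getent listing whose member field
# names USER but whose GID is absent from the space-separated id -G output.
# Only this direction is checked: a primary group shows up in id -G without
# being listed as a member in getent, which is normal and not a stale cache.
missing_groups() {
    user="$1"; getent_out="$2"; id_gids="$3"
    printf '%s\n' "$getent_out" | awk -F: -v u="$user" -v ids=" $id_gids " '
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] == u && index(ids, " " $3 " ") == 0) print $1 ":" $3
        }'
}

# check_and_refresh USER GROUP...
# On a live member server: query the named groups through getent, compare with
# id -G for USER, and on a mismatch do the refresh from the thread (stop
# winbind, remove netsamlogon_cache.tdb, start winbind). Path is Debian's.
check_and_refresh() {
    user="$1"; shift
    stale=$(missing_groups "$user" "$(getent group "$@")" "$(id -G "$user")")
    if [ -z "$stale" ]; then
        echo "membership for $user is consistent"
        return 0
    fi
    echo "stale membership for $user, groups missing from id -G:"
    echo "$stale"
    service winbind stop
    rm -f /var/cache/samba/netsamlogon_cache.tdb
    service winbind start
}

# Constructed sample data (no real server): three groups as getent group
# prints them, and an id -G result that lacks the GID of backup-operators.
SAMPLE_GETENT='domain users:x:10513:
fileshare-admins:x:10701:hkb,alice
backup-operators:x:10702:hkb'
SAMPLE_ID_G='10513 10701'

# Stand-alone demonstration on the sample: prints backup-operators:10702
missing_groups hkb "$SAMPLE_GETENT" "$SAMPLE_ID_G"
```

Run `check_and_refresh <user> <group>...` as root on the member server to apply the live check; `missing_groups` alone is safe to run anywhere.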