[Samba] New group membership not taken into account on member servers

Michael Adam obnox at samba.org
Thu Oct 9 02:11:17 MDT 2014


On 2014-10-05 at 19:07 +0200, Sébastien Le Ray wrote:
> Where can I send you beer?
> Is this some "known issue"? I'll try to see on #samba-technical if
> some samba dev is interested in it. It seems that the
> netsamlogon_cache gets in some state where it is not updated
> anymore. But maybe I'm missing something on my side.
> Is sssd more reliable since it relies on LDAP only and not AD internals?
> Regards
> Le 05/10/2014 16:56, Hans-Kristian Bakke a écrit :
> >When I get issues like that (membership correctly displayed with
> >getent group, but not in groups <user>), I usually have to delete the
> >netsamlogon_cache.tdb (I could just delete the user in question to
> >force refresh to avoid restarting winbind, but that is more of a
> >hassle)
> >
> >service winbind stop
> >rm /var/cache/samba/netsamlogon_cache.tdb
> >service winbind start
> >
> >It doesn't really help to login again to refresh the users group
> >membership. It seems to be stuck, even for days, until I do this.

This is basically the hint that Volker gave a few mails above:

The login should refresh the cache entry in the netsamlogon-cache.tdb.

If it does not do so, this is a bug, and we need
to fix it.

In order to further analyze, we need to have:

- smb.conf
- nsswitch.conf
- description of the domain setup
  single domain? number of dcs? are there trusts?
- does the problem only occur with users from trusted domain
  or also from primary?
- is this readily reproducible, e.g. by changing
  group membership in the domain and then logging in
  again to the samba server.
- we need a level10 log of samba (all log files) of
  the login process that fails to update netsamlogon-cache.tdb.

I guess the best thing would be to add a bug report
for this to collect the relevant data.

Cheers - Michael

> >
> >Hans-Kristian
> >
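
The symptom described in this thread (a group lists the user in `getent group`, but the user's own group list lacks it) can be checked mechanically before and after a login, which is the reproduction step requested above. This is an added example, not part of the original thread or of Samba; the function name `stale_groups`, the `WB_*` variable names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the group database view (`getent group`) with a
# user's resolved group list (`id -G`) and print groups that name the user
# as a member but are missing from the resolved list.
# Comparison is by numeric GID, so group names containing spaces are safe.

# stale_groups USER GETENT_TEXT ID_GIDS
#   USER        account name exactly as it appears in the member field
#   GETENT_TEXT lines in `getent group` format: name:passwd:gid:m1,m2,...
#   ID_GIDS     space-separated GIDs as printed by `id -G USER`
stale_groups() {
    # Values are passed through the environment rather than `awk -v`,
    # because -v would interpret the backslash in DOMAIN\user names.
    printf '%s\n' "$2" | WB_USER="$1" WB_GIDS=" $3 " awk -F: '
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] == ENVIRON["WB_USER"]) {
                    if (index(ENVIRON["WB_GIDS"], " " $3 " ") == 0)
                        print $1
                    break
                }
        }'
}

# Constructed sample data (not taken from the thread).
SAMPLE_GETENT='EXAMPLE\domain users:x:10513:EXAMPLE\alice,EXAMPLE\bob
EXAMPLE\fileshare-rw:x:11204:EXAMPLE\alice
EXAMPLE\backup-ops:x:11310:EXAMPLE\bob'
SAMPLE_ID_GIDS='10513 10001'

# Live use: pass the account name as the first argument.
if [ "$#" -ge 1 ]; then
    stale_groups "$1" "$(getent group)" "$(id -G "$1")"
fi
```

Saving the output before the group change, after the change, and after a fresh login gives a compact record to attach to the bug report alongside the requested logs.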