[Samba] AD Group update lag / cache, firewall related?

[Rowland Penny]

On Fri, 25 Aug 2017 12:10:58 +0000
"A. James Lewis via samba" <samba at lists.samba.org> wrote:

> Hey again all,
> 
> After the rather excellent assistance from a few of you on the list
> over the last week... I wonder if you will be able to answer the
> cause of another rather long standing issue I've had for a long while.
> 
> We have a couple of Linux hosts using winbind for authentication, and
> AD groups for access to various privileges... but for some reason or
> another... possible firewalls blocking some of the communication...
> when users groups are updated, they are not reflected on the Linux
> box, sometimes for days, or even weeks.
> 
> We've never been able to explain it, and I've never asked for advice
> before since I always put it down to an /ancient/ version of
> samba/winbind.
> 
> I have however, now upgraded that version of Samba to 4.6.6, and
> since the problem is still evident, I figure it's a perfect chance to
> ask.... 
> 
> Also, I guess it would be useful to know how to correctly flush
> whatever caches samba/winbind is holding.
> 

You appear to have a serious problem, unless you have a 'winbind cache
time' line in smb.conf, the winbind cache should be updated every 5
minutes. This is unless you also have 'winbind offline logon' set to
'yes', which you should only need on a laptop or similar. If offline
logon is set, then I 'think' it is still updated if it can be i.e.
there is a network connection.

You can flush the winbind with the aptly named 'net cache flush'
command, though I wouldn't run it on a Unix domain member if offline
logon is set, without finding out why there isn't a network connection
to a DC, you may find you cannot logon anymore ;-)

Rowland