[Samba] AD Group update lag / cache, firewall related?

A. James Lewis james at fsck.co.uk
Fri Aug 25 13:54:21 UTC 2017


It's not offline.... and groups do usually filter through... sometimes immediately, sometimes never... but usually with a significant delay... 

I originally put this down to the ancient version of Samba or Winbind that was shipped with the OS, but it seems I was wrong... 

Winbind can see the group, and even the group membership... and the group is passed on to the OS, but not the group membership.

eg:-

wbinfo -g user | grep group  <-- successful

getent group group  <-- successful

however

groups user | grep group <-- fails

I was wondering if there's a limit on the number of groups, since the new machine using "groups", shows that the user has 128 groups, while a machine that's been around for a while shows 156 groups... and another machine that's local to the AD controller shows 174 groups.

James


August 25, 2017 1:47 PM, "Rowland Penny via samba" <samba at lists.samba.org> wrote:

> On Fri, 25 Aug 2017 12:10:58 +0000
> "A. James Lewis via samba" <samba at lists.samba.org> wrote:
> 
>> Hey again all,
>> 
>> After the rather excellent assistance from a few of you on the list
>> over the last week... I wonder if you will be able to answer the
>> cause of another rather long standing issue I've had for a long while.
>> 
>> We have a couple of Linux hosts using winbind for authentication, and
>> AD groups for access to various privileges... but for some reason or
>> another... possible firewalls blocking some of the communication...
>> when users groups are updated, they are not reflected on the Linux
>> box, sometimes for days, or even weeks.
>> 
>> We've never been able to explain it, and I've never asked for advice
>> before since I always put it down to an /ancient/ version of
>> samba/winbind.
>> 
>> I have however, now upgraded that version of Samba to 4.6.6, and
>> since the problem is still evident, I figure it's a perfect chance to
>> ask....
>> 
>> Also, I guess it would be useful to know how to correctly flush
>> whatever caches samba/winbind is holding.
> 
> You appear to have a serious problem, unless you have a 'winbind cache
> time' line in smb.conf, the winbind cache should be updated every 5
> minutes. This is unless you also have 'winbind offline logon' set to
> 'yes', which you should only need on a laptop or similar. If offline
> logon is set, then I 'think' it is still updated if it can be i.e.
> there is a network connection.
> 
> You can flush the winbind with the aptly named 'net cache flush'
> command, though I wouldn't run it on a Unix domain member if offline
> logon is set, without finding out why there isn't a network connection
> to a DC, you may find you cannot logon anymore ;-)
> 
> Rowland

--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."
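An added diagnostic helper, not from the thread and not Samba's own tooling, that does in one pass what the wbinfo / getent / groups comparison above does by hand: it takes the group list winbind reports for a user and the group list the host actually resolves, and prints what is missing from each side along with the counts, so a membership that was changed in AD but never applied on the box (a privilege granted or revoked only on paper) stands out. The group names and both lists are constructed sample data standing in for the output of `wbinfo --user-groups=USER` and `id -Gn USER`.

```sh
#!/bin/sh
# Added example (not from the Samba list thread). Compares the AD/winbind
# view of a user's groups with the OS view on the same host.
LC_ALL=C
export LC_ALL

# Constructed sample: what `wbinfo --user-groups=USER` (or `getent group`,
# one line per group) reported for the user. Hypothetical group names.
AD_GROUPS='domain users
linux-admins
vpn-access
backup-operators'

# Constructed sample: what `id -Gn USER` / `groups USER` returned on the
# host, i.e. the membership the OS will actually enforce.
OS_GROUPS='domain users
vpn-access
backup-operators'

# Print the groups that appear in list $1 but not in list $2.
# Both arguments are newline-separated strings; output is sorted.
groups_only_in_first() {
    _a=$(mktemp) && _b=$(mktemp) || return 1
    printf '%s\n' "$1" | sort -u > "$_a"
    printf '%s\n' "$2" | sort -u > "$_b"
    comm -23 "$_a" "$_b"        # lines unique to the first file
    rm -f "$_a" "$_b"
}

# Number of non-empty lines in a group list.
count_groups() {
    printf '%s\n' "$1" | grep -c .
}

# Human-readable lag report: groups AD grants that the host has not
# applied (access silently missing) and groups the host still grants
# that AD no longer lists (revocation not yet effective).
report_group_lag() {
    printf 'AD reports %s groups, host resolves %s groups\n' \
        "$(count_groups "$1")" "$(count_groups "$2")"
    _missing=$(groups_only_in_first "$1" "$2")
    _stale=$(groups_only_in_first "$2" "$1")
    [ -n "$_missing" ] && printf 'in AD but not on host:\n%s\n' "$_missing"
    [ -n "$_stale" ] && printf 'on host but not in AD:\n%s\n' "$_stale"
    [ -z "$_missing" ] && [ -z "$_stale" ] && echo 'host and AD agree'
    return 0
}

report_group_lag "$AD_GROUPS" "$OS_GROUPS"
```

On a live host, replace the two sample strings with `AD_GROUPS=$(wbinfo --user-groups="$user")` and `OS_GROUPS=$(id -Gn "$user" | tr ' ' '\n')` and run it before and after `net cache flush` to see whether the cache, rather than the directory, is what is out of date.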
