[Samba] AD Group update lag / cache, firewall related?

A. James Lewis james at fsck.co.uk
Fri Aug 25 17:03:11 UTC 2017


# wbinfo -n working-group | awk '{print $1}' | awk -F '-' '{print $8}'
69153

# wbinfo -n problem-group | awk '{print $1}' | awk -F '-' '{print $8}'
136399

The OS can use that group:-

# chgrp problem-group test.txt 
# ls -asl test.txt 
0 -rw-r--r-- 1 root problem-group 0 Aug 25 17:55 test.txt
#

It's not a case that the group is unavailable... it is that the user's group membership is incomplete:-

server02:/tmp # for i in `wbinfo -r joeuser`; do getent group $i; done | wc -l
119

server01:/tmp # for i in `wbinfo -r joeuser`; do getent group $i; done | wc -l
155

I must admit that I expected that upgrading from Samba 3.6 to 4.6 would resolve this, but it did not!... and since a similarly configured server which is on the same LAN as the AD controller does not have this issue... while these servers are firewalled from the AD controller... I'm led to believe that some of the needed chatter between the AD controller and the server is blocked... but I'm slightly at a loss to find out what.

James



August 25, 2017 5:26 PM, "Rowland Penny via samba" <samba at lists.samba.org> wrote:

> On Fri, 25 Aug 2017 16:00:28 +0000
> "A. James Lewis via samba" <samba at lists.samba.org> wrote:
> 
>> That seems to count out the kernel ... I guess the 128 number could
>> be a co-incidence...
>> 
>> Actually I made a mistake below...
>> 
>> I used "wbinfo -g user", where I should have used "wbinfo -r
>> user".....
>> 
>> In fact wbinfo fails to show the group membership I expect... where I
>> said before that it succeeded.
>> 
>> wbinfo shows that the group exists, but not that the user is a member
>> of it....
>> 
>> for i in `wbinfo -r fred`; do getent group $i | grep $i; done | grep
>> problem-group
>> 
>> Other groups are visible using that command.
> 
> What does:
> 
> wbinfo -n problem-group | awk '{print $1}' | awk -F '-' '{print $8}'
> 
> Produce ?
> 
> Rowland

--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."
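
Added example, not part of the original message: the line counts in the message (119 versus 155) show that the two servers disagree but not which groups are missing. This script takes saved `wbinfo -r <user>` output from each server and lists the gids that only the reference server returns, with SID, RID and name; the file arguments and function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Each input file is the saved output of
# `wbinfo -r <user>` from one server: one gid per line.

# Print gids present in $1 (reference server) but absent from $2 (problem server).
# The problem file is read first; an empty problem file yields every reference gid.
missing_gids() {
    awk 'FILENAME == ARGV[1] { seen[$1] = 1; next }
         NF && !($1 in seen) && !dup[$1]++ { print $1 }' "$2" "$1" | sort -n
}

# Last component of a SID is the RID (the thread extracts it with awk field 8).
rid_of_sid() {
    printf '%s\n' "$1" | awk -F- '{ print $NF }'
}

# Resolve one gid to "gid sid rid name" on the local server. A "?" means the
# lookup failed here, which is worth noting when run on the problem server.
describe_gid() {
    sid=$(wbinfo -G "$1" 2>/dev/null) || sid='?'
    rid='?'
    [ "$sid" != '?' ] && rid=$(rid_of_sid "$sid")
    name=$(getent group "$1" | cut -d: -f1)
    printf '%s %s %s %s\n' "$1" "$sid" "$rid" "${name:-?}"
}

# Summarise both lists, then describe every gid the problem server lacks.
report() {
    printf 'reference: %s gids, problem: %s gids\n' \
        "$(grep -c . "$1")" "$(grep -c . "$2")"
    missing_gids "$1" "$2" | while read -r gid; do
        describe_gid "$gid"
    done
}

# Usage: sh script.sh reference-gids.txt problem-gids.txt
if [ "$#" -eq 2 ]; then
    report "$1" "$2"
fi
```

The comparison assumes both servers map a given group to the same gid; if they do not, collect `wbinfo --user-sids <user>` on each server and compare SIDs instead.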


