[Samba] netsamlogon_cache.tdb & winbind.
A. James Lewis
james at fsck.co.uk
Thu Feb 1 12:06:29 UTC 2018
Can I clarify one point of the behaviour with you in this case...
This is a domain run by a network of Windows machines run by a different team... and the users in question only log in to Linux via Winbind.
Would I be correct in saying that AD may not calculate their new AD group membership when they log in via Winbind, rather than logging in to a Windows machine joined to the domain?
January 31, 2018 4:48 PM, "Christof Schmitt via samba" <samba at lists.samba.org> wrote:
> On Wed, Jan 31, 2018 at 10:43:18AM +0000, A. James Lewis via samba wrote:
>> I wonder if someone can give me an idea what the file
>> "netsamlogon_cache.tdb" contains... as I have noticed that I can be
>> added to a group, and access will not appear on the Unix side for a
>> good deal of time... but if I stop Winbind, remove the file
>> "netsamlogon_cache.tdb", and re-start everything, it will then work.
> Yes, that would be expected. The Samba 4.6 release notes have a short
> description of this behavior:
> |winbind contains code that tries to emulate the group membership calculation
> |that domain controllers do when a user logs in. This group membership calculation
> |is a very complex process, in particular for domain trust relationship
> |situations. Also, in many scenarios it is impossible for winbind to
> |correctly do this calculation due to access restrictions in the
> |domains: winbind using its machine account simply does not have the
> |rights to ask for an arbitrary user's group memberships.
> |When a user logs in to a Samba server, the domain controller correctly
> |calculates the user's group memberships authoritatively and makes the
> |information available to the Samba server. This is the only reliable
> |way Samba can get informed about the groups a user is member of.
> |Because of its flakiness, the fallback group membership code is unwished,
> |and our code paths try hard to only use the group memberships
> |calculated by the domain controller.
> |However, a lot of admins rely on the fallback behavior in order to support
> |access for nfs access, ssh public key authentication and passwordless sudo.
> |That's the reason for changing this back between 4.6.0rc4 and 4.6.0
> |(See BUG 12612).
> |The winbind change to simplify the calculation of supplementary groups to make
> |it more reliable and predictable has been deferred to 4.7 or later.
> |This means that 'id <username>' without the user having logged in
> |previously works similar to 4.5.
>> Can anyone tell me what the purpose of this file is, and if there's any way
>> to control the time data is cached for.
> The netsamlogon_cache.tdb file is the place where the user information
> (including group memberships) is cached that is available from the logon.
> Samba 4.7 introduced a set of "net cache samlogon" commands to query this file
> and delete select entries.
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."
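Added example, not part of this thread or of Samba's own code: a small POSIX shell script that replaces the "stop Winbind, delete netsamlogon_cache.tdb, restart" routine from the original question with a targeted flush of a single user's cached logon record, using the "net cache samlogon" subcommands mentioned in the reply. It assumes Samba 4.7 or later, a running winbind, root privileges, that `wbinfo -n` prints a line of the form `<SID> SID_USER (1)`, and that the subcommand names are `show` and `delete` as documented in net(8) for those releases; verify them against `net help cache` on your own version.

```shell
#!/bin/sh
# Added example (assumed Samba >= 4.7, winbind running, run as root):
# flush one user's entry from netsamlogon_cache.tdb instead of deleting
# the whole file, so a group change shows up on the Linux side at the
# next logon without restarting winbind for every other cached user.
set -eu

# Pull the SID out of a "wbinfo -n" result line, e.g.
# "S-1-5-21-1-2-3-1104 SID_USER (1)". Only user SIDs are accepted, so a
# group or domain SID returned for a mistyped name yields an empty string.
# This is pure text processing and can be exercised without a domain.
sid_from_wbinfo_line() {
    printf '%s\n' "$1" | awk '$1 ~ /^S-1-5-21-/ && $2 == "SID_USER" { print $1 }'
}

# Resolve DOMAIN\user (or a plain username if "winbind use default domain"
# is set) to its SID through winbind.
user_sid() {
    sid_from_wbinfo_line "$(wbinfo -n "$1")"
}

# Show the cached logon record (if present) for auditing, then delete it.
# The entry is repopulated authoritatively by the DC at the user's next logon.
flush_user_samlogon() {
    sid=$(user_sid "$1")
    if [ -z "$sid" ]; then
        echo "cannot resolve '$1' to a user SID" >&2
        return 1
    fi
    net cache samlogon show "$sid" || echo "no cached entry for $sid"
    net cache samlogon delete "$sid"
}

# Usage: ./flush_samlogon.sh 'DOMAIN\user'
# Afterwards, "id" should reflect the current memberships once the user
# has logged in again (winbind's own fallback lookup applies before that).
if [ $# -eq 1 ]; then
    flush_user_samlogon "$1"
    id "$1"
fi
```

The check worth keeping in mind: because winbind's fallback group calculation is documented above as unreliable, compare `id <user>` before and after a real logon (SSH or a share access), not merely after the cache flush, when verifying that a group change has propagated.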