[Samba] netsamlogon_cache.tdb & winbind.

Christof Schmitt cs at samba.org
Wed Jan 31 16:47:31 UTC 2018

On Wed, Jan 31, 2018 at 10:43:18AM +0000, A. James Lewis via samba wrote:

> I wonder if someone can give me an idea what the file
> "netsamlogon_cache.tdb" contains... as I have noticed that I can be
> added to a group, and access will not appear on the Unix side for a
> good deal of time... but if I stop Winbind, remove the file
> "netsamlogon_cache.tdb", and re-start everything, it will then work.

Yes, that would be expected. The Samba 4.6 release notes have a short
description of this behavior:


|winbind contains code that tries to emulate the group membership calculation
|that domain controllers do when a user logs in. This group membership calculation
|is a very complex process, in particular for domain trust relationship
|situations. Also, in many scenarios it is impossible for winbind to
|correctly do this calculation due to access restrictions in the
|domains: winbind using its machine account simply does not have the
|rights to ask for an arbitrary user's group memberships.
|When a user logs in to a Samba server, the domain controller correctly
|calculates the user's group memberships authoritatively and makes the
|information available to the Samba server. This is the only reliable
|way Samba can get informed about the groups a user is a member of.
|Because of its flakiness, the fallback group membership code is unwanted,
|and our code paths try hard to only use the group memberships
|calculated by the domain controller.
|However, a lot of admins rely on the fallback behavior in order to support
|access for NFS access, ssh public key authentication and passwordless sudo.
|That's the reason for changing this back between 4.6.0rc4 and 4.6.0
|(See BUG 12612).
|The winbind change to simplify the calculation of supplementary groups to make
|it more reliable and predictable has been deferred to 4.7 or later.
|This means that 'id <username>' without the user having logged in
|previously works similar to 4.5.

> Can anyone tell me what the purpose of this file is, and if there's any way
> to control the time data is cached for.

The netsamlogon_cache.tdb file is the place where the user information
(including group memberships) that is available from the logon is cached.

Samba 4.7 introduced a set of "net cache samlogon" commands to query this file
and delete selected entries.
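As an added example (not code from this thread or from the Samba project), the following script puts the two approaches discussed above side by side: on Samba 4.7 and later it resolves the user to a SID with wbinfo, shows that user's entry with "net cache samlogon show" and drops only that entry with "net cache samlogon delete"; on older releases it falls back to the stop-winbind, remove-the-file, restart sequence from the question, which discards every user's cached logon, not just one. Assumptions: the cache directory is the CACHEDIR that "smbd -b" prints (defaulting to /var/cache/samba), winbind runs as a systemd unit named "winbind", and the function names parse_wbinfo_sid, samlogon_cache_path and samlogon_cache_refresh, as well as the sample wbinfo output line, are chosen here for illustration.

```shell
#!/bin/sh
# Added example, not part of the original thread or of Samba itself.
# Clears a single user's netsamlogon_cache.tdb entry (Samba 4.7+) or, failing
# that, the whole cache the way the question describes.
set -eu

# Extract the SID from a "wbinfo -n NAME" output line, which looks like
# (constructed sample) "S-1-5-21-3623811015-3361044348-30300820-1106 SID_USER (1)".
# Anything that is not a domain SID (S-1-5-21-...) is rejected so that an error
# message from a failed lookup is never handed to "net cache samlogon delete".
parse_wbinfo_sid() {
    sid=${1%% *}
    case "$sid" in
        S-1-5-21-*-*-*-*) printf '%s\n' "$sid" ;;
        *) return 1 ;;
    esac
}

# Location of the tdb. Assumption: "smbd -b" is installed and reports CACHEDIR;
# the fallback path is a common packaging default, adjust for your build.
samlogon_cache_path() {
    dir=$(smbd -b 2>/dev/null | awk '/CACHEDIR/ {print $2}')
    printf '%s/netsamlogon_cache.tdb\n' "${dir:-/var/cache/samba}"
}

samlogon_cache_refresh() {
    user=$1
    sid=$(parse_wbinfo_sid "$(wbinfo -n "$user")") ||
        { echo "cannot resolve $user to a domain SID" >&2; return 1; }

    if net cache samlogon list >/dev/null 2>&1; then
        # Samba 4.7+: look at what winbind currently holds for this user, then
        # remove just this entry; other users' cached logons stay untouched.
        net cache samlogon show "$sid"
        net cache samlogon delete "$sid"
    else
        # Older releases: the procedure from the question. winbind must be
        # stopped while the file is removed, and every user's entry is lost.
        systemctl stop winbind      # assumption: systemd unit named "winbind"
        rm -f "$(samlogon_cache_path)"
        systemctl start winbind
    fi

    # Until the user logs in again there is no DC-calculated entry to serve,
    # so this "id" goes through winbind's own membership calculation.
    id "$user"
}

# Usage: ./samlogon_cache_refresh.sh USERNAME
if [ -n "${1:-}" ]; then
    samlogon_cache_refresh "$1"
fi
```

Note that "net cache flush" is not the right tool here: it empties winbind's general gencache.tdb, not netsamlogon_cache.tdb, so a stale group list survives it. Deleting the entry removes the authoritative data from the last logon; the next "id" answer comes from the fallback calculation the release notes describe, and the authoritative list only returns once the user authenticates against the Samba server again.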


