[Samba] 10 minutes between primary group change and effect on Fedora 27
Jeff Sadowski
jeff.sadowski at gmail.com
Tue Mar 27 14:46:00 UTC 2018
My smb.conf looks like so.

[global]
    security = ads
    realm = MIND.UNM.EDU
    workgroup = MIND
    idmap config * : backend = tdb
    idmap config * : range = 2000-7999
    idmap config MIND:backend = ad
    idmap config MIND:schema_mode = rfc2307
    idmap config MIND:range = 8000-9999999
    idmap config MIND:unix_nss_info = yes
    winbind use default domain = yes
    restrict anonymous = 2

I have a user jefftest.
I found that to set the primary group that user needs to be in that group.
I set the group of jefftest to a new group (both in the UNIX
attributes tab and in the Member Of tab) using Active Directory Users
and Computers.
Then I test the user using ldapsearch against each domain controller
and they all have the new values according to ldapsearch in gidNumber.
Then I log in with jefftest on my joined Fedora 27 machine using
winbind 4.7.6 as jefftest and run id.
It still shows the old group.
So I log out as jefftest and in as root and run
net cache flush
and try to log in again as jefftest, and it still shows the old gid
number when running id.
After about 10 minutes it seems to work, but that is a bit of time.
Is there a way to speed this up?
I think my ldapsearch using the URI of each domain controller shows
that each domain controller has the new value. Is that an incorrect
assumption?
I'm using the following ldapsearch arguments:
(to check dc1)
ldapsearch -H ldap://dc1.mind.unm.edu.:389 -U jsadowski -Q -LLL \
-b dc=mind,dc=unm,dc=edu -o ldif-wrap=no "(sAMAccountName=jefftest)" gidNumber
(to check dc2)
ldapsearch -H ldap://dc2.mind.unm.edu.:389 -U jsadowski -Q -LLL \
-b dc=mind,dc=unm,dc=edu -o ldif-wrap=no "(sAMAccountName=jefftest)" gidNumber
"net cache flush" doesn't seem to be working.