[Samba] 10 minutes between primary group change and effect on Fedora 27

L.P.H. van Belle belle at bazuin.nl
Tue Mar 27 15:05:48 UTC 2018


In addition. 

I removed my test group. 
Then ran id username. 

Resulted in some leftovers: 
uid=10002(username) gid=10000(domain users) groups=10000(domain users),10005(remote-webmail),10004(servers-ssh),10008(servers-www),10010 

You see the 10010 that was my test group. 
But more tomorrow, office is closing now... And tomorrow is the new yesterday in two days.  :-) 

Greetz, 

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle via samba
> Sent: Tuesday 27 March 2018 17:03
> To: samba at lists.samba.org
> Subject: Re: [Samba] 10 minutes between primary group change and effect on Fedora 27
> 
> Hai, 
> 
> Checked and confirmed also on Debian stretch with samba 4.7.6.
> 
> Even restarting winbind does not help. 
> A net cache flush did not work either. 
> 
> A reboot, as test, did help here. 
> 
> I suggest increasing the debug level and reporting a bug?
> 
> 
> Greetz, 
> 
> Louis
> 
>  
> 
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Jeff Sadowski via samba
> > Sent: Tuesday 27 March 2018 16:46
> > To: samba
> > Subject: [Samba] 10 minutes between primary group change and effect on Fedora 27
> > 
> > My smb.conf looks like so.
> > 
> > [global]
> >    security = ads
> >    realm = MIND.UNM.EDU
> >    workgroup = MIND
> >    idmap config * : backend = tdb
> >    idmap config * : range = 2000-7999
> >    idmap config MIND:backend = ad
> >    idmap config MIND:schema_mode = rfc2307
> >    idmap config MIND:range = 8000-9999999
> >    idmap config MIND:unix_nss_info = yes
> >    winbind use default domain = yes
> >    restrict anonymous = 2
> > 
> > I have a user jefftest.
> > 
> > I found that to set the primary group that user needs to be 
> > in that group.
> > 
> > If I set the group of jefftest to a new group (both in the UNIX
> > attributes tab and in the Member Of tab) using Active Directory Users
> > and Computers.
> > Then I test the user using ldapsearch against each domain controller
> > and they all have the new values according to ldapsearch in gidNumber.
> > 
> > Then I log in with jefftest on my joined Fedora 27 machine using
> > winbind 4.7.6 as jefftest and run id.
> > It still shows the old group.
> > So I log out as jefftest and in as root and run
> > 
> > net cache flush
> > 
> > and try to log in again as jefftest and it still shows the old gid
> > number when running id.
> > After about 10 minutes it seems to work but that is a bit of time.
> > 
> > Is there a way to speed this up?
> > 
> > I think my ldapsearch using the URI of each domain controller shows
> > that each domain controller has the new value. Is that an incorrect
> > assumption?
> > 
> > I'm using the following ldapsearch arguments
> > 
> > (to check dc1)
> > ldapsearch -H ldap://dc1.mind.unm.edu.:389 -U jsadowski -Q -LLL \
> > -b dc=mind,dc=unm,dc=edu -o ldif-wrap=no "(sAMAccountName=jefftest)" gidNumber
> > 
> > (to check dc2)
> > ldapsearch -H ldap://dc2.mind.unm.edu.:389 -U jsadowski -Q -LLL \
> > -b dc=mind,dc=unm,dc=edu -o ldif-wrap=no "(sAMAccountName=jefftest)" gidNumber
> > 
> > "net cache flush" doesn't seem to be working.
> > 
> 
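
The comparison described in these messages can be scripted. The following is an added example, not part of the original thread: it compares the `gidNumber` returned by AD with the primary GID that `id` reports, and flags supplementary GIDs that `id` prints without a group name (like the 10010 above). The function names and the LDIF sample are constructed for illustration; the `id` line is the one quoted in the message.

```shell
#!/usr/bin/env bash
# Added example: detect stale group data served by NSS/winbind.

# Primary GID from one line of `id` output ("uid=... gid=N(name) groups=...").
primary_gid() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]gid=\([0-9][0-9]*\).*/\1/p'
}

# Supplementary GIDs printed without "(name)": NSS could not map them back
# to a group, which is what a deleted-but-still-cached membership looks like.
unresolved_gids() {
    printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' \
        | sed -n 's/^\([0-9][0-9]*\)[[:space:]]*$/\1/p'
}

# gidNumber attribute from `ldapsearch -LLL ... gidNumber` LDIF output.
ldap_gid() {
    printf '%s\n' "$1" \
        | sed -n 's/^gidNumber:[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p'
}

# check_user <id output> <ldif>: report differences, return 1 if any found.
check_user() {
    cu_rc=0
    cu_seen=$(primary_gid "$1")
    cu_want=$(ldap_gid "$2")
    if [ "$cu_seen" != "$cu_want" ]; then
        echo "STALE primary gid: NSS=$cu_seen AD=$cu_want"
        cu_rc=1
    fi
    for cu_g in $(unresolved_gids "$1"); do
        echo "UNRESOLVED supplementary gid: $cu_g"
        cu_rc=1
    done
    return "$cu_rc"
}

# `id` line as quoted in the message above.
ID_SAMPLE='uid=10002(username) gid=10000(domain users) groups=10000(domain users),10005(remote-webmail),10004(servers-ssh),10008(servers-www),10010 '
# Constructed LDIF (placeholder DN), shaped like `ldapsearch -LLL` output.
LDIF_SAMPLE='dn: CN=username,CN=Users,DC=example,DC=com
gidNumber: 10000'

check_user "$ID_SAMPLE" "$LDIF_SAMPLE" || true
# Live use: check_user "$(id jefftest)" "$(ldapsearch ... gidNumber)"
```

Run against each domain controller's LDIF in turn, this shows whether the delay sits on the client (NSS/winbind) or in replication between the DCs.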



