[Samba] 10 minutes between primary group change and effect on Fedora 27

Jeff Sadowski jeff.sadowski at gmail.com
Tue Mar 27 15:06:05 UTC 2018


On Tue, Mar 27, 2018 at 9:02 AM, L.P.H. van Belle via samba
<samba at lists.samba.org> wrote:
> Hi,
>
> Checked and confirmed also on Debian stretch with samba 4.7.6.
>
> Even restarting winbind does not help.
> A net cache flush did not work either.
>
> A reboot, as test, did help here.
>
> I suggest increasing the debug level and reporting a bug?
Where can I set the debug levels?
Would that be in the smb.conf file?
>
>
> Greetz,
>
> Louis
>
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Jeff
>> Sadowski via samba
>> Sent: Tuesday 27 March 2018 16:46
>> To: samba
>> Subject: [Samba] 10 minutes between primary group change
>> and effect on Fedora 27
>>
>> My smb.conf looks like so.
>>
>> [global]
>>    security = ads
>>    realm = MIND.UNM.EDU
>>    workgroup = MIND
>>    idmap config * : backend = tdb
>>    idmap config * : range = 2000-7999
>>    idmap config MIND:backend = ad
>>    idmap config MIND:schema_mode = rfc2307
>>    idmap config MIND:range = 8000-9999999
>>    idmap config MIND:unix_nss_info = yes
>>    winbind use default domain = yes
>>    restrict anonymous = 2
>>
>> I have a user jefftest.
>>
>> I found that, to set the primary group, the user needs to be
>> in that group.
>>
>> If I set the group of jefftest to a new group (both in the UNIX
>> attributes tab and in the Member Of tab) using Active Directory Users
>> and Computers, and then test the user using ldapsearch against each
>> domain controller, they all have the new values according to
>> ldapsearch in gidNumber.
>>
>> Then I log in with jefftest on my joined Fedora 27 machine using
>> winbind 4.7.6 as jefftest and run id.
>> It still shows the old group.
>> So I log out as jefftest and in as root and run
>>
>> net cache flush
>>
>> and try to log in again as jefftest and it still shows the old gid
>> number when running id.
>> After about 10 minutes it seems to work but that is a bit of time.
>>
>> Is there a way to speed this up?
>>
>> I think my ldapsearch using the URI of each domain controller shows
>> that each domain controller has the new value. Is that an incorrect
>> assumption?
>>
>> I'm using the following ldapsearch arguments
>>
>> (to check dc1)
>> ldapsearch -H ldap://dc1.mind.unm.edu.:389 -U jsadowski -Q -LLL \
>> -b dc=mind,dc=unm,dc=edu -o ldif-wrap=no \
>> "(sAMAccountName=jefftest)" gidNumber
>>
>> (to check dc2)
>> ldapsearch -H ldap://dc2.mind.unm.edu.:389 -U jsadowski -Q -LLL \
>> -b dc=mind,dc=unm,dc=edu -o ldif-wrap=no \
>> "(sAMAccountName=jefftest)" gidNumber
>>
>> "net cache flush" doesn't seem to be working.
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>>


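The check described in the message above (comparing the gidNumber each domain controller returns with the primary GID the joined host resolves), written as a script. This is an added example, not part of the original thread; the function names, the `BASE_DN` variable and the sample data are assumptions, and the live query assumes a valid Kerberos ticket for the SASL bind.

```shell
#!/bin/sh
# Added example: flag a host whose resolved primary GID lags behind AD.
BASE_DN=${BASE_DN:-dc=example,dc=com}   # assumption: set to your domain's base DN

# Constructed sample inputs (not captured from a real domain).
SAMPLE_LDIF='dn: CN=jefftest,CN=Users,DC=example,DC=com
gidNumber: 8001'
SAMPLE_PASSWD='jefftest:*:8010:8000::/home/jefftest:/bin/bash'

# gidNumber from "ldapsearch -LLL" output on stdin.
ldif_gid() { awk -F': ' 'tolower($1) == "gidnumber" { print $2; exit }'; }

# Primary GID (field 4) from a passwd-format line on stdin.
passwd_gid() { awk -F: 'NR == 1 { print $4 }'; }

# check_gid LOCAL_GID DC=GID...: one status line per DC, returns 1 on mismatch.
check_gid() {
    local_gid=$1; shift
    rc=0
    for pair in "$@"; do
        dc=${pair%%=*}; gid=${pair#*=}
        if [ -n "$gid" ] && [ "$gid" = "$local_gid" ]; then
            echo "OK    $dc gidNumber=$gid"
        else
            echo "STALE $dc gidNumber=${gid:-none} local=${local_gid:-none}"
            rc=1
        fi
    done
    return "$rc"
}

# live_check USER DC...: query each DC and the local NSS view (winbind).
live_check() {
    user=$1; shift
    host_gid=$(getent passwd "$user" | passwd_gid)
    pairs=
    for dc in "$@"; do
        gid=$(ldapsearch -H "ldap://$dc" -Q -LLL -o ldif-wrap=no \
            -b "$BASE_DN" "(sAMAccountName=$user)" gidNumber | ldif_gid)
        pairs="$pairs $dc=$gid"
    done
    # $pairs is left unquoted on purpose so it splits into one argument per DC.
    check_gid "$host_gid" $pairs
}

# Runs only when given arguments: USER DC [DC...]
if [ "$#" -ge 2 ]; then live_check "$@"; fi
```

Run in a loop after a group change, the non-zero exit status marks the window during which the host still authorizes the user under the old primary group.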