[Samba] Persistent Winbind gid cache

Rowland Penny rpenny at samba.org
Mon Oct 8 13:56:27 UTC 2018


On Mon, 8 Oct 2018 15:26:28 +0200
Prunk Dump via samba <samba at lists.samba.org> wrote:

> Hello Samba team !
> 
> I'm a network administrator in a French high school where I store my
> user/group IDs using rfc2307. My client stations use Winbind to query
> rfc2307 attributes.
> 
> Each new year, as all my students move to another class, almost all
> my users' gids are updated in AD.
> 
> This gid is very important in my network because pam_mount mounts only
> the share corresponding to the user's gid.
> 
> I don't know why, but sometimes the old gid (from the previous year)
> is attributed by pam_mount to the user, so the wrong share is
> mounted. So I suspect some persistent Winbind cache.
> 
> From the documentation:
> -> idmap cache time defaults to one week
> -> winbind cache time defaults to 5 minutes
> 
> But after nearly two months I still experience some bad group
> attribution.
> 
> All my servers and clients are Debian Stretch with Samba-4.5.12.

> Is there some case (e.g. slow server response) where Winbind uses a
> cached uid/gid even if the cache time is over?
> 

As always, posting the smb.conf would be a big help. 

You seem to be talking about a user's gidNumber, but, until Samba 4.6.0,
every user's effective primary group was Domain Users.

The only cache used has a time default and the DC is contacted after
this time, unless 'winbind offline logon = yes' is set and a DC cannot
be contacted.

So, more info please.

Rowland




