[Samba] Winbind group cache

Rowland penny rpenny at samba.org
Thu Jul 16 07:34:52 UTC 2020


On 16/07/2020 08:06, Ian Coetzee via samba wrote:
> On Wed, 15 Jul 2020 at 15:29, Rowland penny via samba <samba at lists.samba.org>
> wrote:
>
>> On 15/07/2020 13:59, Ian Coetzee via samba wrote:
>>> Hi All,
>>>
>>> I have hit a snag with winbind's group caching on AD on one of our
>>> client's infrastructure.
>>>
>>> We have a client that is using AD groups to control ssh access to
>>> servers. The client is running a lot of different bugfix and build
>>> versions in the 3.6 branch, all running on RHEL using RPMs.
>>>
>>> I have seen this issue cropping up in the ML from time to time and most
>>> of the solutions are to rm /var/lib/samba/netsamlogon_cache.tdb.
>>>
>>> Is there perhaps another way to tell winbind to invalidate the cache (or
>>> ignore it altogether)?
>>>
>>> I would prefer to not rm this file from a nightly cron (which is the
>>> current solution in place)
>>>
>>> I have petitioned the client to update the samba version to samba 4, but
>>> it does not look like they want to bite.
>>>
>>> Kind regards
>>> Ian Coetzee
>>>
>> Just tell them that RHEL/CentOS 6 goes EOL in November ;-)
>>
>> They really should upgrade, there have been numerous CVEs that have not
>> been backported to 3.6.x because it is EOL.
>>
>> There have also been numerous bugfixes that haven't been backported.
>>
>> Rowland
>>
> Hi Rowland,
>
> Thank you for the reply, I will see about getting them to upgrade, but so
> far there has been no luck - they can't afford to be offline, so they don't
> want updates -
>
> Will an update to samba 4.x fix the caching issue?
>
> Kind regards
> Ian Coetzee

Very probably, but if it doesn't, at least you stand a chance of getting
it fixed; you have no chance at the moment.

As for the cost, well, what is it going to cost if the network collapses?

Rowland




