[Samba] Winbind group cache

Ian Coetzee samba at iancoetzee.za.net
Thu Jul 16 07:43:16 UTC 2020


On Thu, 16 Jul 2020 at 09:34, Rowland penny via samba <samba at lists.samba.org>
wrote:

> On 16/07/2020 08:06, Ian Coetzee via samba wrote:
> > On Wed, 15 Jul 2020 at 15:29, Rowland penny via samba <samba at lists.samba.org>
> > wrote:
> >
> >> On 15/07/2020 13:59, Ian Coetzee via samba wrote:
> >>> Hi All,
> >>>
> >>> I have hit a snag with winbind's group caching on AD on one of our client's
> >>> infrastructure.
> >>>
> >>> We have a client that is using AD groups to control ssh access to servers.
> >>> The client is running a lot of different bugfix and build versions in the
> >>> 3.6 branch all running on RHEL using rpm's.
> >>>
> >>> I have seen this issue cropping up in the ML from time to time and most of
> >>> the solutions are to rm /var/lib/samba/netsamlogon_cache.tdb.
> >>>
> >>> Is there perhaps another way to tell winbind to invalidate the cache (or
> >>> ignore it altogether)?
> >>>
> >>> I would prefer to not rm this file from a nightly cron (which is the
> >>> current solution in place)
> >>>
> >>> I have petitioned the client to update the samba version to samba 4, but it
> >>> does not look like they want to bite.
> >>>
> >>> Kind regards
> >>> Ian Coetzee
> >>>
> >> Just tell them that RHEL/CentOS 6 goes EOL in November ;-)
> >>
> >> They really should upgrade, there have been numerous CVE's that have not
> >> been backported to 3.6.x because it is EOL.
> >>
> >> There have also been numerous bugfixes that haven't been backported.
> >>
> >> Rowland
> >>
> > Hi Rowland,
> >
> > Thank you for the reply, I will see about getting them to upgrade, but so
> > far there has been no luck - they can't afford to be offline, so they don't
> > want updates -
> >
> > Will an update to samba 4.x fix the caching issue?
> >
> > Kind regards
> > Ian Coetzee
>
> Very probably, but if it doesn't, at least you stand a chance of getting
> it fixed, you have no chance at the moment.
>

This is very true


>
> As for the cost, well, what is it going to cost if the network collapses?
>

We have tried this argument as well, clients eh....


>
> Rowland
>

Thank you. I will see what I can get done.

Kind regards
Ian Coetzee

