[Samba] 'dirty cache' on a DC?
Andrew Bartlett
abartlet at samba.org
Wed Feb 10 17:37:47 UTC 2021
On Wed, 2021-02-10 at 16:57 +0100, Marco Gaiarin via samba wrote:
> I needed to clean up membership in a user, and I've used ADUC. To verify
> it I've done on the DC with FSMO roles:
>
> root@vdcsv1:~# id adonella
> uid=12105(LNFFVG\adonella) gid=10513(LNFFVG\domain users) gruppi=10513(LNFFVG\domain users),11037(LNFFVG\sv_piscina),11034(LNFFVG\sv_maestre),11085(LNFFVG\sv_materna),3000009(BUILTIN\users)
>
> The old membership. But on another dc or in a dm:
>
> root@vdcsv2:~# id adonella
> uid=12105(LNFFVG\adonella) gid=10513(LNFFVG\domain users) gruppi=10513(LNFFVG\domain users),11029(LNFFVG\sv_riabili_npm),3000009(BUILTIN\users)
> root@vdmpp1:~# id adonella
> uid=12105(adonella) gid=11029(sv_riabili_npm) gruppi=11029(sv_riabili_npm),10513(domain users),11032(sv_riabili),5001(BUILTIN\users)
>
> the data is correct. In LDAP, the data seems correct too, even for the
> DC with FSMO roles:
>
> root@vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb "(SamAccountName=adonella)" | egrep "(gidNumber|memberOf)"
> gidNumber: 11029
> memberOf: CN=sv_riabili_npm,OU=Users,OU=SanVito,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=
>
>
> What is happening?! Thanks.
>
>
> PS: I've just tried to do a 'net cache flush' on the DC.

It might be the so-called samlogon cache of the PAC/info3 from a
Kerberos or NTLM authentication via winbind. I wouldn't normally
expect those on a DC, but if you had used wbinfo -a you might have
filled that in.

On a domain member (and the winbindd on the DC is the same code) we use
the information from a successful authentication for the group
membership as it is the most reliable.

If another wbinfo -a fixes it, then we know that was the issue.

Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
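
Added example, not part of the thread and not Samba code: a small check that compares the groups `id` reports on each DC with the `memberOf` values in the directory, which is the comparison the thread does by eye. The function names are hypothetical, the choice of vdcsv2 as the reference host is an assumption, and the LDIF sample is constructed (the DN on the page is truncated, so its suffix is a placeholder).

```python
import re

# `id` lines from the thread, rejoined after mail wrapping.
# The label before the group list is locale-dependent ("gruppi=" here).
ID_LINES = {
    "vdcsv1": r"uid=12105(LNFFVG\adonella) gid=10513(LNFFVG\domain users) "
              r"gruppi=10513(LNFFVG\domain users),11037(LNFFVG\sv_piscina),"
              r"11034(LNFFVG\sv_maestre),11085(LNFFVG\sv_materna),3000009(BUILTIN\users)",
    "vdcsv2": r"uid=12105(LNFFVG\adonella) gid=10513(LNFFVG\domain users) "
              r"gruppi=10513(LNFFVG\domain users),11029(LNFFVG\sv_riabili_npm),"
              r"3000009(BUILTIN\users)",
}

# Constructed LDIF with a folded line; the DN suffix is a placeholder.
LDIF = "gidNumber: 11029\nmemberOf: CN=sv_riabili_npm,OU=Users,\n DC=example,DC=test\n"


def id_groups(line):
    """Return {short lowercase group name: gid} from one line of `id` output."""
    tail = line.rsplit("=", 1)[1]  # the group list follows the last '='
    return {name.split("\\")[-1].lower(): int(gid)
            for gid, name in re.findall(r"(\d+)\(([^)]*)\)", tail)}


def member_of(ldif):
    """Return the CN of every memberOf value, unfolding LDIF continuation lines."""
    unfolded = re.sub(r"\n ", "", ldif)
    return {cn.lower() for cn in re.findall(r"^memberOf: CN=([^,]+),", unfolded, re.M)}


def compare(id_lines, ldif, reference):
    """Per host: directory groups missing from `id`, and groups the reference host lacks."""
    wanted = member_of(ldif)
    ref = set(id_groups(id_lines[reference]))
    report = {}
    for host, line in id_lines.items():
        have = set(id_groups(line))
        report[host] = {"missing": sorted(wanted - have), "extra": sorted(have - ref)}
    return report


if __name__ == "__main__":
    for host, diff in compare(ID_LINES, LDIF, reference="vdcsv2").items():
        print(host, diff)
```

A host with non-empty lists is answering with membership that differs from the directory, which is the symptom the reply attributes to cached authentication data.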