[Samba] 'dirty cache' on a DC?
L.P.H. van Belle
belle at bazuin.nl
Thu Feb 11 09:42:52 UTC 2021
Hai Andrew,
wbinfo -a reports back..
Invalid option
:-(
what are we missing here?
Version 4.13.2-Debian
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Andrew Bartlett
> via samba
> Sent: Wednesday 10 February 2021 18:38
> To: Marco Gaiarin; samba at lists.samba.org
> Subject: Re: [Samba] 'dirty cache' on a DC?
>
> On Wed, 2021-02-10 at 16:57 +0100, Marco Gaiarin via samba wrote:
> > I needed to clean up membership in a user, and I've used ADUC. To verify
> > it I've done on the DC with FSMO roles:
> >
> > root at vdcsv1:~# id adonella
> > uid=12105(LNFFVG\adonella) gid=10513(LNFFVG\domain users)
> > gruppi=10513(LNFFVG\domain
> > users),11037(LNFFVG\sv_piscina),11034(LNFFVG\sv_maestre),11085(LNFFVG
> > \sv_materna),3000009(BUILTIN\users)
> >
> > The old membership. But on another dc or in a dm:
> >
> > root at vdcsv2:~# id adonella
> > uid=12105(LNFFVG\adonella) gid=10513(LNFFVG\domain users)
> > gruppi=10513(LNFFVG\domain
> > users),11029(LNFFVG\sv_riabili_npm),3000009(BUILTIN\users)
> > root at vdmpp1:~# id adonella
> > uid=12105(adonella) gid=11029(sv_riabili_npm)
> > gruppi=11029(sv_riabili_npm),10513(domain
> > users),11032(sv_riabili),5001(BUILTIN\users)
> >
> > the data is correct. In LDAP, the data seems correct too, even for the
> > DC with FSMO roles:
> >
> > root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb
> > "(SamAccountName=adonella)" | egrep "(gidNumber|memberOf)"
> > gidNumber: 11029
> > memberOf:
> > CN=sv_riabili_npm,OU=Users,OU=SanVito,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=
> >
> >
> > What is happening?! Thanks.
> >
> >
> > PS: I've just tried to do a 'net cache flush' on the DC.
>
> It might be the so-called samlogon cache of the PAC/info3 from a
> Kerberos or NTLM authentication via winbind. I wouldn't normally
> expect those on a DC, but if you had used wbinfo -a you might have
> filled that in.
>
> On a domain member (and the winbindd on the DC is the same code) we use
> the information from a successful authentication for the group
> membership as it is the most reliable.
>
> If another wbinfo -a fixes it, then we know that was the issue.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett (he/him) https://samba.org/~abartlet/
> Samba Team Member (since 2001) https://samba.org
> Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
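An added example, not part of the original thread: a small Python check that compares the groups each host reports through `id` with the `memberOf` values in the directory, to spot a host still serving cached membership as described in the quoted reply. The sample strings are constructed from the output quoted above (unwrapped, with placeholder `DC=` components), and the `IMPLICIT` set and all function names are assumptions of this example.

```python
import re

# Constructed samples modelled on the thread's output (unwrapped onto one line).
ID_OUTPUT = {
    "vdcsv1": r"uid=12105(LNFFVG\adonella) gid=10513(LNFFVG\domain users) "
              r"gruppi=10513(LNFFVG\domain users),11037(LNFFVG\sv_piscina),"
              r"11034(LNFFVG\sv_maestre),11085(LNFFVG\sv_materna),3000009(BUILTIN\users)",
    "vdcsv2": r"uid=12105(LNFFVG\adonella) gid=10513(LNFFVG\domain users) "
              r"gruppi=10513(LNFFVG\domain users),11029(LNFFVG\sv_riabili_npm),"
              r"3000009(BUILTIN\users)",
}
# Constructed ldbsearch-style record; the DC= components are placeholders.
LDIF = """gidNumber: 11029
memberOf: CN=sv_riabili_npm,OU=Users,OU=SanVito,OU=FVG,DC=example,DC=test
"""
# Assumption: groups that never appear in memberOf (primary group, BUILTIN nesting).
IMPLICIT = {"domain users", "users"}

ENTRY = re.compile(r"\d+\(([^)]*)\)")
MEMBER_OF = re.compile(r"^memberOf:\s*CN=([^,]+)", re.MULTILINE | re.IGNORECASE)

def groups_from_id(id_output):
    """Short, lower-cased group names from `id` output, for any locale label."""
    # The group list follows the last '=' ("groups=", "gruppi=", ...).
    group_field = id_output.rpartition("=")[2]
    return {name.split("\\")[-1].lower() for name in ENTRY.findall(group_field)}

def groups_from_directory(ldif_text):
    """Group CNs from memberOf lines (assumes no escaped commas in the CN)."""
    return {cn.lower() for cn in MEMBER_OF.findall(ldif_text)}

def compare(id_output, ldif_text, implicit=IMPLICIT):
    """Groups the host still reports but the directory lacks, and the reverse."""
    reported = groups_from_id(id_output) - implicit
    expected = groups_from_directory(ldif_text) - implicit
    return {"stale": sorted(reported - expected),
            "missing": sorted(expected - reported)}

def stale_hosts(id_by_host, ldif_text):
    """Hosts whose view of the user's groups disagrees with the directory."""
    result = {}
    for host, out in id_by_host.items():
        diff = compare(out, ldif_text)
        if diff["stale"] or diff["missing"]:
            result[host] = diff
    return result

if __name__ == "__main__":
    for host, diff in stale_hosts(ID_OUTPUT, LDIF).items():
        print(host, diff)
```
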