[Samba] 'dirty cache' on a DC?

L.P.H. van Belle belle at bazuin.nl
Thu Feb 11 09:42:52 UTC 2021


Hai Andrew, 


wbinfo -a reports back.. 
Invalid option

:-( 
what are we missing here? 

Version 4.13.2-Debian


Greetz, 

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Andrew Bartlett
> via samba
> Sent: Wednesday 10 February 2021 18:38
> To: Marco Gaiarin; samba at lists.samba.org
> Subject: Re: [Samba] 'dirty cache' on a DC?
> 
> On Wed, 2021-02-10 at 16:57 +0100, Marco Gaiarin via samba wrote:
> > I needed to clean up membership in a user, and I've used ADUC. To
> > verify it I've done on the DC with FSMO roles:
> >
> > 	root at vdcsv1:~# id adonella
> > 	uid=12105(LNFFVG\adonella) gid=10513(LNFFVG\domain users)
> > gruppi=10513(LNFFVG\domain
> > users),11037(LNFFVG\sv_piscina),11034(LNFFVG\sv_maestre),11085(LNFFVG
> > \sv_materna),3000009(BUILTIN\users)
> >
> > The old membership. But on another dc or in a dm:
> >
> > 	root at vdcsv2:~# id adonella
> > 	uid=12105(LNFFVG\adonella) gid=10513(LNFFVG\domain users)
> > gruppi=10513(LNFFVG\domain
> > users),11029(LNFFVG\sv_riabili_npm),3000009(BUILTIN\users)
> > 	root at vdmpp1:~# id adonella
> > 	uid=12105(adonella) gid=11029(sv_riabili_npm)
> > gruppi=11029(sv_riabili_npm),10513(domain
> > users),11032(sv_riabili),5001(BUILTIN\users)
> >
> > the data is correct. In LDAP, the data seems correct too, even for
> > the
> > DC with FSMO roles:
> >
> > 	root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb
> > "(SamAccountName=adonella)" | egrep "(gidNumber|memberOf)"
> > 	gidNumber: 11029
> > 	memberOf:
> > CN=sv_riabili_npm,OU=Users,OU=SanVito,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=
> >
> >
> > What is happening?! Thanks.
> >
> >
> > PS: I've just tried to do a 'net cache flush' on the DC.
> 
> It might be the so-called samlogon cache of the PAC/info3 from a
> Kerberos or NTLM authentication via winbind.  I wouldn't normally
> expect those on a DC, but if you had used wbinfo -a you might have
> filled that in.
> 
> On a domain member (and the winbindd on the DC is the same code) we use
> the information from a successful authentication for the group
> membership as it is the most reliable.
> 
> If another wbinfo -a fixes it, then we know that was the issue.
> 
> Andrew Bartlett
> 
> --
> Andrew Bartlett (he/him)       https://samba.org/~abartlet/
> Samba Team Member (since 2001) https://samba.org
> Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
> 
> 
> 

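Added example, not part of the original thread and not Samba code: a Python comparison of the `id` outputs quoted above, showing which groups one host still reports that another no longer lists. Treating vdcsv2 as the reference view is an assumption, and the function names are hypothetical.

```python
import re

# One "NUMBER(NAME)" entry as printed by id(1); NAME may contain spaces.
_ENTRY = re.compile(r"(\d+)\(([^)]*)\)")

def group_names(id_output):
    """Return the normalized group names from one line of `id USER` output."""
    # The list label is localized ("groups=", "gruppi=" in the thread), so
    # take everything after the last '=' instead of matching the label.
    group_list = id_output.strip().rsplit("=", 1)[1]
    names = set()
    for _gid, name in _ENTRY.findall(group_list):
        # A DC prints "DOMAIN\group", the member prints "group", and numeric
        # IDs can differ per host, so compare by lowercased short name.
        names.add(name.rsplit("\\", 1)[-1].lower())
    return names

def membership_drift(reference, other):
    """Return (extra, missing) for `other` relative to `reference`.

    extra:   groups `other` still reports that the reference does not list
    missing: groups the reference lists that `other` does not report
    """
    ref, oth = group_names(reference), group_names(other)
    return sorted(oth - ref), sorted(ref - oth)

# Outputs taken from the thread, with the mail line wrapping undone.
VDCSV1 = (r"uid=12105(LNFFVG\adonella) gid=10513(LNFFVG\domain users) "
          r"gruppi=10513(LNFFVG\domain users),11037(LNFFVG\sv_piscina),"
          r"11034(LNFFVG\sv_maestre),11085(LNFFVG\sv_materna),3000009(BUILTIN\users)")
VDCSV2 = (r"uid=12105(LNFFVG\adonella) gid=10513(LNFFVG\domain users) "
          r"gruppi=10513(LNFFVG\domain users),11029(LNFFVG\sv_riabili_npm),"
          r"3000009(BUILTIN\users)")
VDMPP1 = (r"uid=12105(adonella) gid=11029(sv_riabili_npm) "
          r"gruppi=11029(sv_riabili_npm),10513(domain users),"
          r"11032(sv_riabili),5001(BUILTIN\users)")

if __name__ == "__main__":
    for host, out in (("vdcsv1", VDCSV1), ("vdmpp1", VDMPP1)):
        extra, missing = membership_drift(VDCSV2, out)
        print(f"{host}: extra={extra} missing={missing}")
```

A non-empty "extra" list on a host after a membership cleanup means that host would still resolve the user into groups the change was meant to remove.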



