[Samba] winbind samlogon issue
Jason Keltz
jas at eecs.yorku.ca
Thu Feb 18 00:19:29 UTC 2021
Hi..
I wanted to ask for more information on "net cache samlogon" and its
relation to "winbind cache time".
I assumed that samlogon is the winbind login cache. I assume that when
you log in to the system, winbind gets the login information (including,
for example, user's groups) from the DC, and caches it locally. I
expected that after "winbind cache time" (300s by default) that winbind
would clear the entry from samlogon cache so that when the user logs in
the next time, a new samlogon entry is created. I believe that after
joining a host to the domain, it appears to work like that. However, at
some point later, things break. This isn't on one machine, but multiple
machines. A user will log in, having been added to a group, and they
won't appear in that group. Wait hours, and they still won't appear in
that group. Do a "net cache samlogon list", get the user's SID, delete
the SID from samlogon cache, have the user log out and back in, and it
magically works - the user is now in the required groups. However, when
the user logs back in, do a "net cache samlogon list" and there won't be
an entry for the user anymore. Just wondering if I could get some
clarity on whether I'm wrong in the way this should work, or if there's
maybe a bug? If that's the case, can I turn off the samlogon cache
completely? I could write a small script that clears it at regular
intervals, but I feel like winbind intends to do that itself and
probably should.
Thanks for any help,
Jason.
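
Added example, not part of the original message and not Samba project code: the manual workaround described above (list the samlogon cache, find the user's SID, delete that entry) as a small shell script for the domain member. It assumes each entry line of "net cache samlogon list" shows the SID followed by the account name; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Purge one user's entry from the winbind samlogon cache (run as root).
# Assumption: `net cache samlogon list` prints one entry per line with the
# SID (S-1-5-21-...) immediately followed by the account name (DOMAIN\user).

# Read list output on stdin; print the SID of each entry whose account name
# equals $1. A DOMAIN\ prefix is ignored and the match is case-insensitive.
samlogon_sids_for() {
    WANT="$1" awk '
        BEGIN { want = tolower(ENVIRON["WANT"]); sub(/^.*\\/, "", want) }
        {
            for (i = 1; i < NF; i++)
                if ($i ~ /^S-1-[0-9]+(-[0-9]+)+$/) {
                    name = tolower($(i + 1))
                    sub(/^.*\\/, "", name)      # strip DOMAIN\ prefix
                    if (name == want) print $i
                }
        }'
}

# Delete the cached entry for user $1; returns 1 if nothing was cached.
purge_samlogon() {
    sids=$(net cache samlogon list | samlogon_sids_for "$1")
    [ -n "$sids" ] || { echo "no samlogon cache entry for $1" >&2; return 1; }
    for sid in $sids; do
        net cache samlogon delete "$sid" && echo "deleted $sid"
    done
}

# Constructed sample listing (not captured from a real host), used to
# exercise the parser without touching a live cache.
SAMPLE='SID                                            Name            When cached
---------------------------------------------------------------------------
S-1-5-21-1111111111-2222222222-3333333333-1105 EXAMPLE\alice   Thu Feb 18 00:10:02 2021
S-1-5-21-1111111111-2222222222-3333333333-1106 EXAMPLE\bob     Thu Feb 18 00:12:40 2021'

sample_sid_for() { printf '%s\n' "$SAMPLE" | samlogon_sids_for "$1"; }

# Usage: script.sh --purge <user>
if [ "${1:-}" = "--purge" ] && [ -n "${2:-}" ]; then
    purge_samlogon "$2"
fi
```

As in the manual procedure, the user has to log out and back in after the entry is deleted.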