[Samba] winbind samlogon issue

Jason Keltz jas at eecs.yorku.ca
Thu Feb 18 00:19:29 UTC 2021


I wanted to ask for more information on "net cache samlogon" and its 
relation to "winbind cache time".

I assumed that samlogon is the winbind login cache.  I assume that when 
you log in to the system, winbind gets the login information (including, 
for example, user's groups) from the DC, and caches it locally.  I 
expected that after "winbind cache time" (300s by default) that winbind 
would clear the entry from samlogon cache so that when the user logs in 
the next time, a new samlogon entry is created. I believe that after 
joining a host to the domain, it appears to work like that.  However, at 
some point later, things break.  This isn't on one machine, but multiple 
machines.  A user will log in, having been added to a group, and they 
won't appear in that group.  Wait hours, and they still won't appear in 
that group.  Do a "net cache samlogon list", get the user's SID, delete 
the SID from samlogon cache, have the user log out and back in, and it 
magically works - the user is now in the required groups.  However, when 
the user logs back in, do a "net cache samlogon list" and there won't be 
an entry for the user anymore.  Just wondering if I could get some 
clarity on whether I'm wrong in the way this should work, or if there's 
maybe a bug?  If that's the case, can I turn off the samlogon cache 
completely? I could write a small script that clears it at regular 
intervals, but I feel like winbind intends to do that itself and 
probably should.

Thanks for any help,


