[Samba] winbind samlogon issue

Andrew Bartlett abartlet at samba.org
Thu Feb 18 00:50:01 UTC 2021

On Wed, 2021-02-17 at 19:37 -0500, Jason Keltz wrote:
> On 2/17/2021 7:32 PM, Andrew Bartlett via samba wrote:
> > On Wed, 2021-02-17 at 19:19 -0500, Jason Keltz via samba wrote:
> > > I wanted to ask for more information on "net cache samlogon" and
> > > its
> > > 
> > > relation to "winbind cache time".
> > None.  This information is sticky until the next login, forever.
> > 
> > We would like to eventually refresh this information via a ticket
> > obtained with S4U2Self, but we can't right now.
> > 
> > At one point we were thinking to totally remove the ability to find
> > out
> > much about users who hadn't ever logged in, because the
> > alternatives
> > are unreliable, but this never proceeded.
> > 
> > I hope this helps,
> > 
> Hi Andrew,
> So if I need to refresh the users groups on each login, would I then 
> need to clear these samlogon entries on my own?   Can I tell winbind
> not 
> to store them in the first place?

Not currently.

> Why does it appear that without doing this, the users groups get
> updated 
> sometimes and not other times?

This is the argument for removing the other ways of obtaining group
info.  If there isn't a samlogon cache, then we make as best as we can,
subject to the cache time.  But it isn't as reliable (mostly in cross-
realm interdomain trust situations) and as you found it means it isn't

> And then what is the "winbind cache time" ?

For other things that we were not able to work out from the samlogon

I know this sucks,

Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source

More information about the samba mailing list