[Samba] winbind samlogon issue
jas at eecs.yorku.ca
Thu Feb 18 01:03:51 UTC 2021
On 2/17/2021 7:50 PM, Andrew Bartlett via samba wrote:
> On Wed, 2021-02-17 at 19:37 -0500, Jason Keltz wrote:
>> On 2/17/2021 7:32 PM, Andrew Bartlett via samba wrote:
>>> On Wed, 2021-02-17 at 19:19 -0500, Jason Keltz via samba wrote:
>>>> I wanted to ask for more information on "net cache samlogon" and
>>>> relation to "winbind cache time".
>>> None. This information is sticky until the next login, forever.
>>> We would like to eventually refresh this information via a ticket
>>> obtained with S4U2Self, but we can't right now.
>>> At one point we were thinking to totally remove the ability to find
>>> much about users who hadn't ever logged in, because the
>>> are unreliable, but this never proceeded.
>>> I hope this helps,
>> Hi Andrew,
>> So if I need to refresh the user's groups on each login, would I then
>> need to clear these samlogon entries on my own? Can I tell winbind
>> to store them in the first place?
> Not currently.
>> Why does it appear that without doing this, the user's groups get
>> sometimes and not other times?
> This is the argument for removing the other ways of obtaining group
> info. If there isn't a samlogon cache, then we make as best as we can,
> subject to the cache time. But it isn't as reliable (mostly in cross-
> realm interdomain trust situations) and as you found it means it isn't
>> And then what is the "winbind cache time" ?
> For other things that we were not able to work out from the samlogon
> I know this sucks,
If I regularly clear the samlogon cache, I believe I get the updated
groups, so it's like the equivalent of expiring it. I'd rather if I
didn't have to do it, but at least there is a way. It would be
preferable, of course, if the samlogon cache expired on its own using
the winbind cache time. With SSSD, I think setting
"entry_cache_timeout" would do the same thing as me manually clearing
the samlogon cache in winbind. Lots of fun.
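The periodic clearing described in the message above can be scripted so that stale group memberships do not outlive a removal in the directory; this is an added example, not code from the thread or from the Samba project. It assumes the `list` and `delete` subcommands of `net cache samlogon` documented in net(8); the function names and the `NET` override are hypothetical, and the script relies only on user SIDs appearing somewhere in each `list` line, not on an exact column layout.

```shell
#!/bin/sh
# Purge winbind's samlogon cache entries so the next lookup/login rebuilds
# group membership instead of reusing the "sticky" cached logon info.

# Samba net binary; overridable (assumption: found in PATH when unset).
NET=${NET:-net}

# Read `net cache samlogon list` output on stdin, print unique user SIDs.
# Domain user SIDs look like S-1-5-21-<a>-<b>-<c>-<rid>.
extract_sids() {
    grep -oE 'S-1-5-21(-[0-9]+){4}' | sort -u
}

# purge_samlogon [PATTERN]
# Delete cached entries whose list line matches PATTERN (extended regex,
# e.g. an account name). With no PATTERN every cached entry is deleted.
# Prints the number of entries removed.
purge_samlogon() {
    pattern=${1:-.}
    sids=$("$NET" cache samlogon list | grep -E -- "$pattern" | extract_sids) || true
    purged=0
    for sid in $sids; do
        if "$NET" cache samlogon delete "$sid" >/dev/null; then
            purged=$((purged + 1))
        else
            echo "failed to delete samlogon cache entry $sid" >&2
        fi
    done
    echo "$purged"
}

# Run only when invoked as: script --run [PATTERN]
if [ "${1:-}" = "--run" ]; then
    purge_samlogon "${2:-.}"
fi
```

Run it as root from cron or a session-open hook; between runs winbind keeps serving whatever was cached at the last login.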