[Samba] winbind samlogon issue

Jason Keltz jas at eecs.yorku.ca
Thu Feb 18 14:44:19 UTC 2021 

On 2/18/2021 1:06 AM, Ralph Boehme wrote:

> Am 2/18/21 um 2:03 AM schrieb Jason Keltz via samba:
>> If I regularly clear the samlogon cache, I believe I get the updated 
>> groups, so it's like the equivalent of expiring it.  I'd rather if I 
>> didn't have to do it, but at least there is a way.  It would be 
>> preferable, of course, if the samlogon cache expired on its own using 
>> the winbind cache time.   With SSSD, I think setting 
>> "entry_cache_timeout" would do the same thing as me manually clearing 
>> the samlogon cache in winbind.  Lots of fun.
> in case this wasn't clear: a login *always* updates the cache. 

Hi Ralph,

Thanks for your message and clarification.  Apparently, I misunderstood. 
That's not the way it's working for me all the time.

All my test workstations are joined to the domain with exactly the same 
configuration. On my own workstation, let's compare the output of 
"groups", "groups jas", and samlogon cache groups...

"groups" command shows groups which do not include groups I added 
yesterday, and does include groups I removed even though I've logged in 
and out many times.

"groups jas": I thought this output would be identical to "groups" since 
I'm logged in as "jas".  Funny enough - the output is much closer to 
what it should be, but missing groups I added early today (even though 
I've logged in and out many times).

Using wbinfo -s to resolve all the SIDs in the samlogon cache on my 
host, I see that the groups being returned in the cache is the same as 
"groups jas" and not just "groups".

I login to another host in the domain where this issue is not present 
(yet), and "groups" shows up perfectly.  I add a user to a new group on 
the DC, log out and back in on the client, and "groups" and "groups jas" 
(while the same) do not include the group I just added.  However, a few 
minutes later they do work. At some point it will stop working here too.

All the clients are the same configuration.

> passwd:     files winbind
> shadow:     files
> group:      files winbind
(samba 4.13.4)

I know that if I delete the samlogon cache on my host, this will start 
working again.  If I log out and back in, groups will then display 
properly.    I can leave it for the day in case you want me to try 
something.

I've looked at an strace from my system, and the working system, and I 
just don't understand how both systems are successfully talking to 
winbind pipe, and yet returning different groups (in exactly the order 
as represented by the "groups" command).  If they are both talking to 
the DC, how can they get different output?

Puzzled..

Jason.

More information about the samba mailing list