[Samba] winbind samlogon issue

Jason Keltz jas at eecs.yorku.ca
Thu Feb 18 15:39:21 UTC 2021


On 2/18/2021 10:13 AM, Ralph Boehme wrote:

> On 2/18/21 at 3:44 PM, Jason Keltz wrote:
>> On 2/18/2021 1:06 AM, Ralph Boehme wrote:
>>
>>> On 2/18/21 at 2:03 AM, Jason Keltz via samba wrote:
>>>> If I regularly clear the samlogon cache, I believe I get the 
>>>> updated groups, so it's like the equivalent of expiring it.  I'd 
>>>> rather if I didn't have to do it, but at least there is a way.  It 
>>>> would be preferable, of course, if the samlogon cache expired on 
>>>> its own using the winbind cache time.   With SSSD, I think setting 
>>>> "entry_cache_timeout" would do the same thing as me manually 
>>>> clearing the samlogon cache in winbind.  Lots of fun.
>>> in case this wasn't clear: a login *always* updates the cache. 
>>
>> Hi Ralph,
>>
>> Thanks for your message and clarification.  Apparently, I 
>> misunderstood. That's not the way it's working for me all the time.
>
> fwiw, the cache is updated with an *SMB* login! Not on ssh login or 
> similar.
>
> Another variable in the mix could be nscd, which might be caching group 
> membership info. So while debugging, make sure to stop nscd.
>
> If groups are not updated upon SMB login, something unexpected is 
> going on. 

Ok re: smb.  That won't help in this situation.  These are all unix 
workstations.

nscd isn't installed... (I meant to say that in my original message).

I'm not really sure how to debug this issue.  My solution will be to 
clear the samlogon cache regularly.  I just tried that on my "broken" 
system, and now "groups", and "groups jas" are all normal with the most 
recent changes I made.  I update a group in DC, log out, and back in 
about a minute and a half later, and the group information is completely 
perfect with the newly added group.  I repeat with another group, and 
again, it's perfect. For unix logins and users using groups other than 
just "domain users", samlogon cache is a bit of a headache, but I have a 
workaround I guess.

Jason.



