[Samba] winbind samlogon issue
Ralph Boehme
slow at samba.org
Thu Feb 18 15:45:02 UTC 2021
On 2/18/21 at 4:39 PM, Jason Keltz wrote:
> On 2/18/2021 10:13 AM, Ralph Boehme wrote:
>
>> On 2/18/21 at 3:44 PM, Jason Keltz wrote:
>>> On 2/18/2021 1:06 AM, Ralph Boehme wrote:
>>>
>>>> On 2/18/21 at 2:03 AM, Jason Keltz via samba wrote:
>>>>> If I regularly clear the samlogon cache, I believe I get the
>>>>> updated groups, so it's like the equivalent of expiring it. I'd
>>>>> rather if I didn't have to do it, but at least there is a way. It
>>>>> would be preferable, of course, if the samlogon cache expired on
>>>>> its own using the winbind cache time. With SSSD, I think setting
>>>>> "entry_cache_timeout" would do the same thing as me manually
>>>>> clearing the samlogon cache in winbind. Lots of fun.
>>>> in case this wasn't clear: a login *always* updates the cache.
>>>
>>> Hi Ralph,
>>>
>>> Thanks for your message and clarification. Apparently, I
>>> misunderstood. That's not the way it's working for me all the time.
>>
>> fwiw, the cache is updated with an *SMB* login! Not on ssh login or
>> similar.
>>
>> Another variable in the mix could be nscd, which might be caching group
>> membership info. So while debugging, make sure to stop nscd.
>>
>> If groups are not updated upon SMB login, something unexpected is
>> going on.
>
> Ok re: smb. That won't help in this situation. These are all unix
> workstations.
>
> nscd isn't installed... (I meant to say that in my original message).
>
> I'm not really sure how to debug this issue. My solution will be to
> clear the samlogon cache regularly. I just tried that on my "broken"
> system, and now "groups", and "groups jas" are all normal with the most
> recent changes I made. I update a group in DC, log out, and back in
> about a minute and a half later, and the group information is completely
> perfect with the newly added group. I repeat with another group, and
> again, it's perfect. For unix logins and users using groups other than
> just "domain users", samlogon cache is a bit of a headache, but I have a
> workaround I guess.
hm, without doing a lot more debugging I have no idea what is causing
this behaviour, sorry.
-slow
--
Ralph Boehme, Samba Team https://samba.org/
Samba Developer, SerNet GmbH https://sernet.de/en/samba/
GPG-Fingerprint FAE2C6088A24252051C559E4AA1E9B7126399E46