[Samba] winbind samlogon issue

Ralph Boehme slow at samba.org
Thu Feb 18 15:45:02 UTC 2021

On 2/18/21 at 4:39 PM, Jason Keltz wrote:
> On 2/18/2021 10:13 AM, Ralph Boehme wrote:
>> On 2/18/21 at 3:44 PM, Jason Keltz wrote:
>>> On 2/18/2021 1:06 AM, Ralph Boehme wrote:
>>>> On 2/18/21 at 2:03 AM, Jason Keltz via samba wrote:
>>>>> If I regularly clear the samlogon cache, I believe I get the 
>>>>> updated groups, so it's like the equivalent of expiring it.  I'd 
>>>>> rather if I didn't have to do it, but at least there is a way.  It 
>>>>> would be preferable, of course, if the samlogon cache expired on 
>>>>> its own using the winbind cache time.   With SSSD, I think setting 
>>>>> "entry_cache_timeout" would do the same thing as me manually 
>>>>> clearing the samlogon cache in winbind.  Lots of fun.
>>>> in case this wasn't clear: a login *always* updates the cache. 
>>> Hi Ralph,
>>> Thanks for your message and clarification.  Apparently, I 
>>> misunderstood. That's not the way it's working for me all the time.
>> fwiw, the cache is updated with an *SMB* login! Not on ssh login or 
>> similar.
>> Another variable in the mix could be nscd, which might be caching group 
>> membership info. So while debugging, make sure to stop nscd.
>> If groups are not updated upon SMB login, something unexpected is 
>> going on. 
> Ok re: smb.    That won't help in this situation.  These are all unix 
> workstations.
> nscd isn't installed... (I meant to say that in my original message).
> I'm not really sure how to debug this issue.  My solution will be to 
> clear the samlogon cache regularly.  I just tried that on my "broken" 
> system, and now "groups", and "groups jas" are all normal with the most 
> recent changes I made.  I update a group in DC, log out, and back in 
> about a minute and a half later, and the group information is completely 
> perfect with the newly added group.  I repeat with another group, and 
> again, it's perfect. For unix logins and users using groups other than 
> just "domain users", samlogon cache is a bit of a headache, but I have a 
> workaround I guess.

hm, without doing a lot more debugging I have no idea what is causing 
this behaviour, sorry.


Ralph Boehme, Samba Team                https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/
GPG-Fingerprint   FAE2C6088A24252051C559E4AA1E9B7126399E46
