[Samba] Group membership not updating on one DC only
Rowland Penny
rpenny at samba.org
Wed Feb 24 09:53:42 UTC 2021
On 24/02/2021 09:36, Matthias Kühne | Ellerhold AG via samba wrote:
> Hello,
>
> I just asked the user to ssh into DC1. And lo and behold after that he
> has the correct groups.
>
> I let him connect to a fileserver via SMB and it updated the groups
> correctly too. Yay

Yes, you can only rely on a user's groups being correct after the user
has logged in.
>
>
> So it seems like the cache (on a Domain Member and on a DC) only gets
> updated if the user connects to it. net cache flush doesn't seem to do
> anything here.

'net cache flush' empties the winbind cache, so this wouldn't fix the
problem you were having.

> Winbind Offline Logon is enabled. Is this the / a problem?

No, offline logon relies on the winbind cache being somewhere that
survives a reboot (which on Debian it doesn't), so you need the user's
data in the cache to begin with and this means the user has logged in at
least once.
>
> Is there any command I could run to update the groups without asking the
> user to login to the machine?
>

You could run 'wbinfo -a username', but this will mean that you must
know the user's password.

Why do you need to know what groups a user is a member of?

If it is a case of 'is fred a member of groupA' then you could see if
'fred' has a 'memberOf' attribute containing the DN for 'groupA'.

Rowland
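
The 'memberOf' check suggested at the end of the reply, as an added example that is not part of the original message: it reads LDIF as returned by an LDAP search for the user's 'memberOf' attribute, unfolding wrapped lines and decoding base64-encoded DNs before comparing. The sample record, DNs and function names are constructed; 'memberOf' holds only direct memberships, so the primary group and nested groups do not appear in it.

```python
import base64
import re

def attr_values(ldif_text, attr):
    """Values of `attr` in LDIF text: unfolds wrapped lines, decodes 'attr:: <base64>'."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of a folded line
        else:
            lines.append(raw)
    values = []
    for line in lines:
        name, sep, rest = line.partition(":")
        if not sep or name.lower() != attr.lower():
            continue
        if rest.startswith(":"):          # base64 form, used for non-ASCII DNs
            values.append(base64.b64decode(rest[1:].strip()).decode("utf-8"))
        else:
            values.append(rest.strip())
    return values

def normalize_dn(dn):
    """Simplified comparison key: case-insensitive, spaces around RDNs ignored."""
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):  # split only on unescaped commas
        key, _, value = rdn.partition("=")
        parts.append(f"{key.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)

def is_direct_member(ldif_text, group_dn):
    """True if group_dn is listed in the record's memberOf values."""
    wanted = normalize_dn(group_dn)
    return any(normalize_dn(v) == wanted for v in attr_values(ldif_text, "memberOf"))

# Constructed sample record (not output from a real domain).
UMLAUT_DN = "CN=Vertrieb Süd,OU=Groups,DC=example,DC=com"
SAMPLE_LDIF = (
    "# record 1\n"
    "dn: CN=fred,CN=Users,DC=example,DC=com\n"
    "memberOf: CN=groupA,CN=Users,DC=example,DC=com\n"
    "memberOf: CN=Long Folded Group,OU=Groups,DC=exam\n"
    " ple,DC=com\n"
    f"memberOf:: {base64.b64encode(UMLAUT_DN.encode('utf-8')).decode('ascii')}\n"
)

if __name__ == "__main__":
    for dn in ("cn=GroupA, cn=users, dc=example, dc=com",
               "CN=Domain Users,CN=Users,DC=example,DC=com"):
        print(dn, "->", is_direct_member(SAMPLE_LDIF, dn))
```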