[Samba] Group memberships on Linux AD Member (syncing randomly)

Matthias Kühne | Ellerhold Aktiengesellschaft matthias.kuehne at ellerhold.de
Sun Jul 2 09:55:11 UTC 2023


Look at your replication sync period: how often do your DCs replicate 
from one another? If it's the default of 15 mins, then it can take up to 
15 mins to replicate to the other DCs in your net! Or you could just make 
the change on the DC that's used by the domain member Linux client.

Another thing: The info (like group membership) on domain members will 
ONLY get updated if the user logs in successfully. That's why we wait 
for a couple of mins (replication time + 5 min) and then the users should 
try to log in every 5 mins until it works. Not good but we found that it 
works. This means you have to fully disconnect before attempting to auth 
again (fully disconnect all shares and unmount them!).

Idk if the last part could be changed, that would be a huge time saver!

Hope this helps, Matthias.

On 30.06.23 at 15:40, Matthias Leopold via samba wrote:
> Hi,
> I'm running Samba Active Directory 4.16.9 with packages from Sernet.
> Domain members are Linux servers (Ubuntu 20.04, RHEL 8) with Sernet 
> Samba 4.16.x.
> I'm getting crazy with group memberships syncing from AD to Linux 
> members. It is completely random as when changes in AD group are 
> visible in Linux OS (or more precisely: winbind), it might take minutes, 
> hours or days as when these changes will take place. I have tuned
> winbind cache time
> idmap cache time
> idmap negative cache time
> I tried to clear winbind cache as described here: 
> https://serverfault.com/questions/476086/samba-winbind-user-resolution
> None of this helps, the only thing that works is "net cache samlogon 
> delete $USER", but I can't do this for every user on every server 
> after I change his group memberships. I'm using idmap_rid and problem 
> is visible directly with wbinfo (so no Linux name service cache 
> involved).
> Can someone explain what is happening or where I need to tune?
> thank you
> Matthias