[Samba] Group memberships on Linux AD Member (syncing randomly)
Matthias Leopold
matthias.leopold at meduniwien.ac.at
Thu Jul 6 12:54:44 UTC 2023
"Authentication process" doesn't seem to include pam_winbind in this
case, can that be? I could only log in with SSH to the domain member after I
cleared the SAM-logon cache and the SSH allowed group was visible with the "id"
command. This is very annoying.
Matthias
On 03.07.23 at 11:43, Matthias Leopold via samba wrote:
> Thanks for explaining, I wasn't aware of this. Maybe this should be
> mentioned more prominently in the docs (I hope I didn't overlook anything).
>
> Matthias
>
> On 30.06.23 at 16:23, Ralph Boehme via samba wrote:
>> Hi Matthias,
>>
>> On 6/30/23 15:40, Matthias Leopold via samba wrote:
>>> Can someone explain what is happening or where I need to tune?
>>
>> this is by design. :)
>>
>> The only reliable way (lacking S4U2SELF support) to get group
>> membership for an AD user, is using the group list the DC passes along
>> to us as part of the authentication process.
>>
>> We're trying extra hard to store this data *persistently* in the
>> SAM-logon cache and not in an easily user flushable cache.
>>
>> -slow
>>
>>
>
>
>
--
Matthias Leopold
IT Systems & Communications
Medizinische Universität Wien
Spitalgasse 23 / BT 88 / Ebene 00
A-1090 Wien
Tel: +43 1 40160-21241
Fax: +43 1 40160-921200