[Samba] Group memberships on Linux AD Member (syncing randomly)

Matthias Leopold matthias.leopold at meduniwien.ac.at
Thu Jul 6 12:54:44 UTC 2023

"Authentication process" doesn't seem to include pam_winbind in this 
case, can that be? I could only login with SSH to domain member after I 
cleared SAM-logon cache and SSH allowed group was visible with "id" 
command. This is very annoying.


Am 03.07.23 um 11:43 schrieb Matthias Leopold via samba:
> Thanks for explaining, I wasn't aware of this. Maybe this should be 
> mentioned more prominently in the docs (I hope I didn't overlook anything).
> Matthias
> Am 30.06.23 um 16:23 schrieb Ralph Boehme via samba:
>> Hi Matthias,
>> On 6/30/23 15:40, Matthias Leopold via samba wrote:
>>> Can someone explain what is happening or where I need to tune?
>> this is by design. :)
>> The only reliable way (lacking S4U2SELF support) to get group 
>> membership for an AD user, is using the group list the DC passes along 
>> to us as part of the authentication process.
>> We're trying extra hard to store this data *persistently* in the 
>> SAM-logon cache and not in an easily user flushable cache.
>> -slow

Matthias Leopold
IT Systems & Communications
Medizinische Universität Wien
Spitalgasse 23 / BT 88 / Ebene 00
A-1090 Wien
Tel: +43 1 40160-21241
Fax: +43 1 40160-921200

More information about the samba mailing list