15437 – User may receive stale group membership data from samlogon cache during login

Bug 15437 - User may receive stale group membership data from samlogon cache during login

Summary: User may receive stale group membership data from samlogon cache during login

Status:	NEW

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	Winbind (show other bugs)
Version:	4.16.8
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Samba QA Contact
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2023-07-28 20:04 UTC by Micah Veilleux
Modified:	2023-07-28 20:04 UTC (History)
CC List:	0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Micah Veilleux 2023-07-28 20:04:53 UTC

When a user logs into a host via SSH and a password to authenticate, the samlogon cache is populated or updated for that user, to contain fresh group membership data.  When he later logs on with SSH and Kerberos to authenticate, an existing samlogon cache entry for him is used but not updated, so stale group membership data may be taken.  As the samlogon cache does not expire, group membership data could be very old depending on user login behavior.

Other login mechanisms might produce the same behavior.