Bug 15437 - User may receive stale group membership data from samlogon cache during login
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.16.8
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2023-07-28 20:04 UTC by Micah Veilleux
Modified: 2023-07-28 20:04 UTC
Description Micah Veilleux 2023-07-28 20:04:53 UTC
When a user logs into a host via SSH and a password to authenticate, the samlogon cache is populated or updated for that user, to contain fresh group membership data.  When he later logs on with SSH and Kerberos to authenticate, an existing samlogon cache entry for him is used but not updated, so stale group membership data may be taken.  As the samlogon cache does not expire, group membership data could be very old depending on user login behavior.

Other login mechanisms might produce the same behavior.