Bug 709 - winbind uses outdated group membership info, doesn't reflect changes in ADS
winbind uses outdated group membership info, doesn't reflect changes in ADS
Status: RESOLVED LATER
Product: Samba 3.0
Classification: Unclassified
Component: winbind
3.0.0
All Linux
: P3 normal
: none
Assigned To: Gerald (Jerry) Carter
:
Depends on: 297
Blocks: 807
  Show dependency treegraph
 
Reported: 2003-11-03 07:19 UTC by Alexander List
Modified: 2005-11-14 09:29 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander List 2003-11-03 07:19:50 UTC
Hello,

I have the weird situation that wbinfo and getent give me different results:

fileserver:/etc# wbinfo --user-groups=DOMAIN+user1
10001
10081 <= old, deleted group
10003
10004
10034
10043
10074
10000
10038
10026
10006
10049

fileserver:/etc# getent group|grep 10081
fileserver:/etc#
fileserver:/etc# getent group|grep DOMAIN+user1
DOMAIN+Domain:x:10001:DOMAIN+user1
DOMAIN+group1:x:10003:DOMAIN+user1
DOMAIN+group2:x:10026:DOMAIN+user1
DOMAIN+group3:x:10034:DOMAIN+user1
DOMAIN+group4:x:10038:DOMAIN+user1
DOMAIN+group5:x:10006:DOMAIN+user1
DOMAIN+group6:x:10043:DOMAIN+user1
DOMAIN+group7:x:10049:DOMAIN+user1
DOMAIN+group8:x:10074:DOMAIN+user1
DOMAIN+group9:x:10084:DOMAIN+user1  <= new one
fileserver:/etc#

*) I restarted winbindd several times, no change
*) I changed the startup script to disable caching with -n, no change

smbd also exhibits the behaviour of wbinfo -g, thus not reflecting changes in
the group structure performed on the ADS domain controller. If I set permissions
for group DOMAIN+group9, DOMAIN+user1 has no chance to "inherit" these permissions.

This is causing us lots of pain...

regards

Alex
Comment 1 Gerald (Jerry) Carter 2003-11-03 09:26:18 UTC
How long are you observing the cache problem?  
minutes, hours, days?  Please send me a level 10 
debug log from winbindd for both examples listed 
in the original report.  You mail them to me directly if you like.


Comment 2 Gerald (Jerry) Carter 2003-11-29 19:52:17 UTC
ok.  The problem is the netsamlogon_cache.tdb.  When a user logs
to the Samba box, the net_samlogon() reply is saved in the cache tdb
indefinitely.  The user group information is retreived from this cache.
So the behavior you are seeing is by design.  The belief was that
since this cache is overwritten every time a user logs on, that not 
expiring the cache entry would be ok and helped winbindd to work 
around DC's with RestrictAnonymous == 1.

However, the netsamlogon_cache is not updated with a kerberos logon.
This is a bug, but would only affect servers that had an existing 
netsamlogon_cache and were later joined to a AD domain (security = ads).

Does this match your setup somehow ?  An immediate workaround is to
stop winbindd/smbd and remove the netsamlogon.tdb file.
Comment 3 Gerald (Jerry) Carter 2004-01-05 07:59:05 UTC
no feedback in over a month.  Workaround is in place.
Will come back later and fix the krb5/netsamlogon cache 
interaction.
Comment 4 Alexander List 2004-01-10 10:50:12 UTC
Sorry for the long delay.

Yes, this seems to be the situation around here. I guess that by design, the
Debian package samba-3.0.0-final-1 does not include ADS membership by default.
So, samba is initially configured without ADS. I then joined ADS manually.

Talking about the workaround you mention: Will stopping smbd/winbindd in a
cronjob and removing netsamlogon_cache.tdb do any harm apart from being an evil
hack?

I noticed that after restarting samba/winbind, the file is created again. Is
this expected behaviour?
Comment 5 Gerald (Jerry) Carter 2004-01-11 06:03:57 UTC
the tdb is created automatically but information is stored in it 
only when you have configured 'security = domain' so there should 
not be any need at the present to worry about it once you have 
removed the the outdated cache information left over from the 
old configuration.
Comment 6 Gerald (Jerry) Carter 2005-11-14 09:29:50 UTC
database cleanup