The Samba-Bugzilla – Bug 709
winbind uses outdated group membership info, doesn't reflect changes in ADS
Last modified: 2005-11-14 09:29:50 UTC
I have the weird situation that wbinfo and getent give me different results:
fileserver:/etc# wbinfo --user-groups=DOMAIN+user1
10081 <= old, deleted group
fileserver:/etc# getent group|grep 10081
fileserver:/etc# getent group|grep DOMAIN+user1
DOMAIN+group9:x:10084:DOMAIN+user1 <= new one
*) I restarted winbindd several times, no change
*) I changed the startup script to disable caching with -n, no change
smbd also exhibits the behaviour of wbinfo -g, thus not reflecting changes in
the group structure performed on the ADS domain controller. If I set permissions
for group DOMAIN+group9, DOMAIN+user1 has no chance to "inherit" these permissions.
This is causing us lots of pain...
How long are you observing the cache problem?
minutes, hours, days? Please send me a level 10
debug log from winbindd for both examples listed
in the original report. You can mail them to me directly if you like.
ok. The problem is the netsamlogon_cache.tdb. When a user logs on
to the Samba box, the net_samlogon() reply is saved in the cache tdb
indefinitely. The user group information is retrieved from this cache.
So the behavior you are seeing is by design. The belief was that
since this cache is overwritten every time a user logs on, that not
expiring the cache entry would be ok and helped winbindd to work
around DCs with RestrictAnonymous == 1.
However, the netsamlogon_cache is not updated with a kerberos logon.
This is a bug, but would only affect servers that had an existing
netsamlogon_cache and were later joined to an AD domain (security = ads).
Does this match your setup somehow? An immediate workaround is to
stop winbindd/smbd and remove the netsamlogon.tdb file.
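The mismatch in the original report (wbinfo still returning a deleted GID while getent already shows the new group) can be checked mechanically. The script below is an added example, not code from the bug thread or from the Samba project: it feeds constructed sample output standing in for `wbinfo --user-groups=DOMAIN+user1` and `getent group` through two consistency checks, and adds a helper that moves the cache file aside instead of deleting it, so the stale entries stay available for inspection. The sample values, the function names and the `.stale.<timestamp>` suffix are assumptions; the cache path is a placeholder that depends on the Samba build.

```shell
#!/bin/sh
# Constructed sample data (not captured from a real server): the situation
# from the report, where winbind still hands out the deleted GID 10081 while
# NSS already lists the user in the new group 10084.
WBINFO_SAMPLE="10081"
GETENT_SAMPLE="DOMAIN+group9:x:10084:DOMAIN+user1
DOMAIN+group2:x:10082:DOMAIN+user2"

# stale_gids WBINFO_OUTPUT GETENT_OUTPUT
# Prints every GID that winbind reports for the user but that no group in the
# getent listing carries. Any output is the "old, deleted group" symptom.
stale_gids() {
  wb=$1
  ge=$2
  printf '%s\n' "$wb" | while IFS= read -r gid; do
    [ -n "$gid" ] || continue
    printf '%s\n' "$ge" | awk -F: '{ print $3 }' | grep -qx "$gid" || echo "$gid"
  done
}

# missing_gids USER WBINFO_OUTPUT GETENT_OUTPUT
# Prints the GID of every group whose member list names USER but which is
# absent from winbind's answer: the memberships the user cannot "inherit"
# while the cache is stale.
missing_gids() {
  user=$1
  wb=$2
  ge=$3
  printf '%s\n' "$ge" |
    awk -F: -v u="$user" '{ n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $3 }' |
    while IFS= read -r gid; do
      printf '%s\n' "$wb" | grep -qx "$gid" || echo "$gid"
    done
}

# quarantine_cache PATH
# Moves the cache file aside with a timestamp suffix rather than deleting it.
# Per the workaround above, run this only while winbindd and smbd are stopped.
quarantine_cache() {
  f=$1
  [ -f "$f" ] || { echo "no cache file at $f" >&2; return 1; }
  mv "$f" "$f.stale.$(date +%s)"
}

# Stand-alone run on the constructed sample.
echo "GIDs winbind reports that no longer exist:"
stale_gids "$WBINFO_SAMPLE" "$GETENT_SAMPLE"
echo "GIDs NSS lists for DOMAIN+user1 that winbind omits:"
missing_gids DOMAIN+user1 "$WBINFO_SAMPLE" "$GETENT_SAMPLE"
# On a real server, substitute live output, e.g.
#   stale_gids "$(wbinfo --user-groups=DOMAIN+user1)" "$(getent group)"
# and, with the daemons stopped, point quarantine_cache at the real file,
# e.g. /var/lib/samba/netsamlogon_cache.tdb (placeholder: the location
# depends on the build's lock/state directory).
```

Any non-empty result from either check is the cue to apply the workaround; an empty result after the daemons are restarted confirms that the re-created cache no longer carries the old entries.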
no feedback in over a month. Workaround is in place.
Will come back later and fix the krb5/netsamlogon cache
Sorry for the long delay.
Yes, this seems to be the situation around here. I guess that by design, the
Debian package samba-3.0.0-final-1 does not include ADS membership by default.
So, samba is initially configured without ADS. I then joined ADS manually.
Talking about the workaround you mention: Will stopping smbd/winbindd in a
cronjob and removing netsamlogon_cache.tdb do any harm apart from being an evil
I noticed that after restarting samba/winbind, the file is created again. Is
this expected behaviour?
the tdb is created automatically but information is stored in it
only when you have configured 'security = domain' so there should
not be any need at the present to worry about it once you have
removed the outdated cache information left over from the