Hello, I have the weird situation that wbinfo and getent give me different results:

fileserver:/etc# wbinfo --user-groups=DOMAIN+user1
10001
10081  <= old, deleted group
10003
10004
10034
10043
10074
10000
10038
10026
10006
10049
fileserver:/etc# getent group|grep 10081
fileserver:/etc#
fileserver:/etc# getent group|grep DOMAIN+user1
DOMAIN+Domain:x:10001:DOMAIN+user1
DOMAIN+group1:x:10003:DOMAIN+user1
DOMAIN+group2:x:10026:DOMAIN+user1
DOMAIN+group3:x:10034:DOMAIN+user1
DOMAIN+group4:x:10038:DOMAIN+user1
DOMAIN+group5:x:10006:DOMAIN+user1
DOMAIN+group6:x:10043:DOMAIN+user1
DOMAIN+group7:x:10049:DOMAIN+user1
DOMAIN+group8:x:10074:DOMAIN+user1
DOMAIN+group9:x:10084:DOMAIN+user1  <= new one
fileserver:/etc#

*) I restarted winbindd several times, no change
*) I changed the startup script to disable caching with -n, no change

smbd also exhibits the behaviour of wbinfo -g, thus not reflecting changes in the group structure performed on the ADS domain controller. If I set permissions for group DOMAIN+group9, DOMAIN+user1 has no chance to "inherit" these permissions. This is causing us lots of pain...

regards
Alex
How long have you been observing the cache problem? Minutes, hours, days? Please send me a level 10 debug log from winbindd for both examples listed in the original report. You can mail them to me directly if you like.
ok. The problem is the netsamlogon_cache.tdb. When a user logs on to the Samba box, the net_samlogon() reply is saved in the cache tdb indefinitely. The user group information is retrieved from this cache. So the behavior you are seeing is by design. The belief was that since this cache is overwritten every time a user logs on, not expiring the cache entry would be ok and helped winbindd to work around DCs with RestrictAnonymous == 1. However, the netsamlogon_cache is not updated with a kerberos logon. This is a bug, but would only affect servers that had an existing netsamlogon_cache and were later joined to an AD domain (security = ads). Does this match your setup somehow? An immediate workaround is to stop winbindd/smbd and remove the netsamlogon_cache.tdb file.
no feedback in over a month. Workaround is in place. Will come back later and fix the krb5/netsamlogon cache interaction.
Sorry for the long delay. Yes, this seems to be the situation around here. I guess that by design, the Debian package samba-3.0.0-final-1 does not include ADS membership by default. So, samba is initially configured without ADS. I then joined ADS manually. Talking about the workaround you mention: will stopping smbd/winbindd in a cronjob and removing netsamlogon_cache.tdb do any harm apart from being an evil hack? I noticed that after restarting samba/winbind, the file is created again. Is this expected behaviour?
The tdb is created automatically, but information is stored in it only when you have configured 'security = domain', so there should not be any need at present to worry about it once you have removed the outdated cache information left over from the old configuration.
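The following script is an added example illustrating the two things discussed in this report; it is not code from the bug report or from the Samba project. The first helper reproduces the check from the original post (GIDs that 'wbinfo --user-groups' still lists but that 'getent group' no longer resolves, which is the symptom of a stale netsamlogon_cache entry) on constructed sample data. The second helper implements the workaround from comment 3 (remove netsamlogon_cache.tdb while smbd/winbindd are stopped). The lock directory and the init script name are assumptions; the real lock directory of a given build is printed by 'smbd -b' as LOCKDIR.

```shell
#!/bin/sh
# Added example, not from the bug report or from Samba.

# stale_gids WBINFO_OUTPUT GETENT_OUTPUT
# $1: the output of 'wbinfo --user-groups=<user>' (one GID per line)
# $2: the output of 'getent group' (/etc/group format)
# Prints every GID in $1 that has no group entry in $2. A non-empty
# result means winbindd is answering from a cache that is out of
# step with the domain (the stale netsamlogon_cache.tdb symptom).
stale_gids() {
    printf '%s\n' "$1" | while read -r gid; do
        [ -n "$gid" ] || continue
        if ! printf '%s\n' "$2" | grep -q "^[^:]*:[^:]*:$gid:"; then
            printf '%s\n' "$gid"
        fi
    done
}

# purge_netsamlogon_cache LOCKDIR
# Removes LOCKDIR/netsamlogon_cache.tdb. Returns 0 if a file was
# removed, 1 if there was nothing to remove. The caller is expected to
# have stopped smbd and winbindd first; the file is recreated (empty)
# when the daemons start again, which is normal.
purge_netsamlogon_cache() {
    f="$1/netsamlogon_cache.tdb"
    if [ -f "$f" ]; then
        rm -f "$f"
        return 0
    fi
    return 1
}

# Constructed sample data mirroring the original post: 10081 is the
# group that was deleted on the DC but is still reported by wbinfo.
SAMPLE_WBINFO="10001
10081
10003"
SAMPLE_GETENT="DOMAIN+Domain:x:10001:DOMAIN+user1
DOMAIN+group1:x:10003:DOMAIN+user1
DOMAIN+group9:x:10084:DOMAIN+user1"

if [ "${1:-}" = "--purge" ]; then
    # Full workaround: stop, purge, start. The lock directory default and
    # the init script path are assumptions; adjust for your build/distro.
    LOCKDIR="${2:-/var/run/samba}"
    /etc/init.d/samba stop
    purge_netsamlogon_cache "$LOCKDIR" && echo "removed $LOCKDIR/netsamlogon_cache.tdb"
    /etc/init.d/samba start
else
    # Default action: run the stale-GID check on the sample data.
    stale_gids "$SAMPLE_WBINFO" "$SAMPLE_GETENT"
fi
```

Run without arguments it prints the stale GID from the sample data (10081); on a real server replace the two sample strings with the live outputs of 'wbinfo --user-groups=DOMAIN+user1' and 'getent group'. Run with '--purge [lockdir]' it performs the stop/remove/start sequence, which is what a cron job for the workaround from comment 5 would execute.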
database cleanup