On Wed, 2021-02-17 at 19:37 -0500, Jason Keltz wrote:
> On 2/17/2021 7:32 PM, Andrew Bartlett via samba wrote:
> > On Wed, 2021-02-17 at 19:19 -0500, Jason Keltz via samba wrote:
> > > I wanted to ask for more information on "net cache samlogon" and
> > > its relation to "winbind cache time".
> >
> > None. This information is sticky until the next login, forever.
> >
> > We would like to eventually refresh this information via a ticket
> > obtained with S4U2Self, but we can't right now.
> >
> > At one point we were thinking to totally remove the ability to find
> > out much about users who hadn't ever logged in, because the
> > alternatives are unreliable, but this never proceeded.
> >
> > I hope this helps,
> >
> Hi Andrew,
>
> So if I need to refresh the users groups on each login, would I then
> need to clear these samlogon entries on my own? Can I tell winbind
> not to store them in the first place?

Not currently.

> Why does it appear that without doing this, the users groups get
> updated sometimes and not other times?

This is the argument for removing the other ways of obtaining group
info. If there isn't a samlogon cache, then we make as best as we can,
subject to the cache time. But it isn't as reliable (mostly in
cross-realm interdomain trust situations) and as you found it means it
isn't consistent.

> And then what is the "winbind cache time"?

For other things that we were not able to work out from the samlogon
cache.

I know this sucks,

Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions