On 2/18/2021 1:06 AM, Ralph Boehme wrote:
> Am 2/18/21 um 2:03 AM schrieb Jason Keltz via samba:
>> If I regularly clear the samlogon cache, I believe I get the updated
>> groups, so it's like the equivalent of expiring it.? I'd rather
if I
>> didn't have to do it, but at least there is a way.? It would be
>> preferable, of course, if the samlogon cache expired on its own using
>> the winbind cache time. ? With SSSD, I think setting
>> "entry_cache_timeout" would do the same thing as me manually
clearing
>> the samlogon cache in winbind.? Lots of fun.
> in case this wasn't clear: a login *always* updates the cache.
Hi Ralph,
Thanks for your message and clarification.? Apparently, I misunderstood.
That's not the way it's working for me all the time.
All my test workstations are joined to the domain with exactly the same
configuration. On my own workstation, let's compare the output of
"groups", "groups jas", and samlogon cache groups...
"groups" command shows groups which do not include groups I added
yesterday, and does include groups I removed even though I've logged in
and out many times.
"groups jas": I thought this output would be identical to
"groups" since
I'm logged in as "jas".? Funny enough - the output is much closer
to
what it should be, but missing groups I added early today (even though
I've logged in and out many times).
Using wbinfo -s to resolve all the SIDs in the samlogon cache on my
host, I see that the groups being returned in the cache is the same as
"groups jas" and not just "groups".
I login to another host in the domain where this issue is not present
(yet), and "groups" shows up perfectly.? I add a user to a new group
on
the DC, log out and back in on the client, and "groups" and
"groups jas"
(while the same) do not include the group I just added.? However, a few
minutes later they do work. At some point it will stop working here too.
All the clients are the same configuration.
> passwd:???? files winbind
> shadow:???? files
> group:????? files winbind
(samba 4.13.4)
I know that if I delete the samlogon cache on my host, this will start
working again.? If I log out and back in, groups will then display
properly. ?? I can leave it for the day in case you want me to try
something.
I've looked at an strace from my system, and the working system, and I
just don't understand how both systems are successfully talking to
winbind pipe, and yet returning different groups (in exactly the order
as represented by the "groups" command).? If they are both talking to
the DC, how can they get different output?
Puzzled..
Jason.