fiscutean.b@contorgroup.ro
2006-Jul-30 05:13 UTC
[Samba] Samba ads not refreshing domain controller group modifications
Hello

I have a big problem with samba and windows 2003 ads. I have a DC in win 2003 and centos4.3 with samba ADS. Registration of samba in ads has gone well, kinit gives no error and also net ads join worked well. I can access shares based on the user in my DC. I am not using ACL, only the permission in the system and DC.

My problem can be described in the following way.

- getent group and getent passwd work well; when I add or delete a user from one group the modification is displayed with getent
- I chown user:group over a file in samba; the user from that group can access it
- BUT when I delete the user from the group in my DC, he/she can still access the share even after 24 hours until I restart samba and winbind
- after restart he/she is denied according to group to access the share

Someone says that it could be from my DC but I installed a new DC and a new CentOS 4.3 connected over a crossover cable without any policy and the same problem. Last year I had DC with 2000 server and it worked, any modification in 2-3 minutes was refreshed in samba.

Can anyone give me a tip?

Thanks in advance for any answer
fiscutean.b@contorgroup.ro
2006-Jul-30 05:13 UTC
[Samba] Samba ads not refreshing domain controller group modifications
Hello

I have a big problem with samba 3.0.10 (checked also with 3.0.22) and windows 2003 ads. I have a DC in win 2003 and centos4.3 with samba ADS. Registration of samba in ads has gone well, kinit gives no error and also net ads join worked well. I can access shares based on the user in my DC. I am not using ACL, only the permission in the system and DC.

My problem can be described in the following way.

- getent group and getent passwd work well; when I add or delete a user from one group the modification is displayed with getent
- I chown user:group over a file in samba; the user from that group can access it
- BUT when I delete the user from the group in my DC, he/she can still access the share even after 24 hours until I restart samba and winbind
- after restart he/she is denied according to group to access the share

Someone says that it could be from my DC but I installed a new DC and a new CentOS 4.3 connected over a crossover cable without any policy and the same problem. Last year I had DC with 2000 server and it worked, any modification in 2-3 minutes was refreshed in samba.

Can anyone give me a tip?

Thanks in advance for any answer
tita.boba@libero.it
2006-Jul-31 06:26 UTC
[Samba] Samba ads not refreshing domain controller group modifications
> Hello

Hi

> My problem can be described in the following way.
> - getent group and getent passwd work well; when I add or delete
> a user from one group the modification is displayed with getent
> - I chown user:group over a file in samba; the user from that group
> can access it
> - BUT when I delete the user from the group in my DC, he/she can
> still access the share even after 24 hours until I restart samba and winbind
> - after restart he/she is denied according to group to access the
> share
>
> Can anyone give me a tip?
>
> Thanks in advance for any answer

I think it's a winbind cache problem. Try to set winbind cache time = 10 in your global conf and restart. Winbind caches replies from the AD server for only 10 seconds. If your AD is a forest with multiple domains the situation is different: the GC caches replies from other domains and I don't know how to solve this. It is my problem.

Bye.
tita.boba@libero.it
2006-Jul-31 16:28 UTC
Re:[Samba] Samba ads not refreshing domain controller group modifications
It's my problem too. I tried many configurations with samba and GC, but nothing. It took about 12 hours to refresh group membership. A workaround is to create a local domain group in the forest GC, and nest groups from the domain children. But it's not what I want ...

> thanks for the answer
>
> you are right .. it is a domain controller in 2003 with a forest and 5
> domains in it ... i set up the winbind cache to 1 earlier (i thought that
> would be the problem) but the same result .. not refreshing domain
> controller group modifications
fiscutean.b@contorgroup.ro
2006-Aug-01 07:02 UTC
[Samba] Samba ads not refreshing domain controller group modifications
thanks for the answer

you are right .. it is a domain controller in 2003 with a forest and 5 domains in it ... i set up the winbind cache to 1 earlier (i thought that would be the problem) but the same result .. not refreshing domain controller group modifications

_____________________________________________
Bogdan Fiscutean - Network Administrator
Contor Zenner S.A.
Calea Bodrogului 2-4
2900 Arad, Romania
Office Phone: +40 257 208521
Company Fax: +40 257 208555
Mobile: +40 728105043
mailto:fiscutean.b@contorgroup.ro
http://www.contorgroup.ro
_____________________________________________