I've been playing with joining RHEL4 (CentOS) machines to a Win2k3
Active Directory.
I've got everything pretty well squared away, except that the linux box
never seems to see changes to users' group memberships. For example, I
created a user, testuser, who was initially just a member of Domain Users.
I logged into the linux box with testuser successfully and both 'id' and
'wbinfo' displayed correct information. I then logged out and using AD
Users and Groups, I added testuser to a new global group, testgroup.
Logging back into the linux box as testuser, I checked both 'id' and
'wbinfo' and the new group membership is not reflected. I understand
that by default winbind caches such things for 5 minutes, and since I
have not changed this value, I waited for at least 5 minutes and tried
again with the same results. Just to be sure, I even let it sit over
night, but the new group membership still does not show up.
The reason this is important to me is that I've set up Domain Admins
in /etc/sudoers. If a user is added to the Domain Admins group, or
removed for that matter, and this isn't reflected, that'd be bad.
Is there any way to even force the cache to clear?
smb.conf:
[global]
    workgroup = LINUXAUTHTEST
    realm = LINUXAUTHTEST.AD
    server string = Samba Server
    security = ADS
    password server = linuxauthtestdc.linuxauthtest.ad
    log file = /var/log/samba/%m.log
    max log size = 50
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    load printers = No
    printcap name = /etc/printcap
    preferred master = No
    local master = No
    domain master = No
    dns proxy = No
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    template shell = /bin/bash
    winbind use default domain = Yes
    cups options = raw
krb5.conf:
[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
[libdefaults]
    default_realm = LINUXAUTHTEST.AD
    dns_lookup_realm = false
    dns_lookup_kdc = false
[realms]
    EXAMPLE.COM = {
        kdc = kerberos.example.com:88
        admin_server = kerberos.example.com:749
        default_domain = example.com
    }
    LINUXAUTHTEST.AD = {
        kdc = linuxauthtestdc.linuxauthtest.ad:88
        admin_server = linuxauthtestdc.linuxauthtest.ad:749
    }
[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
[kdc]
    profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }
uname -a
Linux LinuxTestVM 2.6.9-55.ELsmp #1 SMP Wed May 2 14:28:44 EDT 2007 i686
i686 i386 GNU/Linux
winbindd --version
Version 3.0.10-1.4E.12.2
Any insight would be appreciated.
Kris
___________________________________________
Kristoffer Knigga
Systems Administrator
Arrow Financial Services
kknigga@arrow-financial.com
847-324-7962
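As an added example that is not part of the original post (and not the Samba project's own code), the following script does what the question asks for: it flushes every layer that can hold a stale group list on the Linux side (winbindd's cache via `net cache flush`, nscd's group/passwd cache if nscd is running, and a winbindd restart), then checks whether a domain user currently belongs to a given group the same way sudo's `%group` rules do, via NSS. It assumes Samba 3.x tools (`net`, `wbinfo`), RHEL-style `/etc/init.d/winbind` and `/etc/init.d/nscd` scripts, and the sample names `testuser`/`testgroup` from the post; the gid numbers in the helper's comments are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original post or from Samba itself.
# Flush winbind's cached group data and verify, from the Linux side, whether
# a domain user is currently in a group before trusting a %group rule in
# /etc/sudoers.  Assumes Samba 3.x (net, wbinfo), RHEL-style init scripts
# for winbind and nscd, and groups resolvable through NSS (getent).

# Pure helper: is numeric gid $2 present in the whitespace-separated gid
# list $1 (the shape of `id -G USER` output)?  Comparing numeric gids
# avoids the ambiguity of `id -Gn` when group names contain spaces, which
# they do with "winbind use default domain = Yes" (e.g. "domain users").
gid_in_list() {
    _list=$1
    _want=$2
    for _g in $_list; do
        [ "$_g" = "$_want" ] && return 0
    done
    return 1
}

# Resolve a group name to its gid through NSS (the same path sudo uses),
# then ask whether the user's supplementary-group list contains it.
# Returns 0 = member, 1 = not a member, 2 = group not resolvable.
user_in_group() {
    _user=$1
    _group=$2
    _gid=$(getent group "$_group" | cut -d: -f3)
    if [ -z "$_gid" ]; then
        echo "group '$_group' not resolvable via NSS" >&2
        return 2
    fi
    gid_in_list "$(id -G "$_user")" "$_gid"
}

# Drop every layer that can hold a stale membership list.
flush_caches() {
    # winbindd's own cache (winbindd_cache.tdb).  "winbind cache time"
    # defaults to 300 seconds, but an explicit flush is immediate.
    net cache flush
    # nscd, if running, keeps its own passwd/group cache in front of winbind
    # and answers getent/id from it regardless of winbind's cache.
    if [ -x /etc/init.d/nscd ] && /etc/init.d/nscd status >/dev/null 2>&1; then
        nscd -i group
        nscd -i passwd
    fi
    # A restart forces winbindd to rebuild its group data from the DC.
    /etc/init.d/winbind restart
}

main() {
    _user=$1
    _group=$2
    flush_caches
    if user_in_group "$_user" "$_group"; then
        echo "$_user IS in $_group (after flush)"
    else
        echo "$_user is NOT in $_group (after flush)"
        exit 1
    fi
}

# Usage (assumed names from the post): sh check_group.sh testuser testgroup
[ $# -eq 0 ] || main "$@"
```

Two caveats worth keeping in mind when using this against a `Domain Admins` sudoers rule: a session that is already logged in keeps the supplementary groups it received at login, so a removal from the group only takes effect for new logins even after the flush, and a check that reports "IS in" from a cache rather than from the DC is the dangerous direction, which is why the script flushes before it reads.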