Anian Wurzenberger
2008-Aug-18 12:13 UTC
[Samba] samba + ads / user and group update-probem
Hello subscribers,
we have a problem with keeping our group memberships up to date. If we e.g.
remove a group membership from a user, we don't see any change when trying
"wbinfo -r j.doe" or "groups j.doe". Even after hours there
is no update. We also tried restarting smb, nmb, winbindd.
Does anyone have an idea?
Some additional info:
samba/winbind version: 3.2.0-17.fc9
Here is our smb.conf

[global]
# value is in seconds, no unit suffixes; the line as originally posted read
# "winbind cache time = 1m", which Samba parses as 1 second
winbind cache time = 60
workgroup = xy-gmbh
netbios name = smbtestfc9
realm = TRANSACT-GMBH.DE
idmap uid = 10000-15000
idmap gid = 10000-15000
winbind separator = /
winbind use default domain = Yes
security = ADS
encrypt passwords = yes
# Optional. Use only if Samba cannot determine the Kerberos server automatically.
#password server = 192.168.2.50
client use spnego = yes
log level = 3
winbind enum users = yes
winbind enum groups = yes

[test]
 comment = test
 path = /tmp
 browseable = yes
 read only = no
 guest ok = no
 valid users = XY-GMBH/a.someone, XY-GMBH/j.someoneelse, XY-GMBH/m.anotherguy
 create mask = 0770
 directory mask = 0770

and our krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = XY-GMBH.DE
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 XY-GMBH.DE = {
 kdc = 192.168.1.11:88
 default_domain = xy-gmbh.de
 }

[domain_realm]
 .transact-gmbh.de = XY-GMBH.DE
 transact-gmbh.de = XY-GMBH.DE

[appdefaults]
 pam = {
 debug = false
 ticket_lifetime = 36000
 renew_lifetime = 36000
 forwardable = true
 krb4_convert = false
 }

# wbinfo -p
Ping to winbindd succeeded
# net ads testjoin
Join is OK
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@XYZ-GMBH.DE

Valid starting     Expires            Service principal
08/14/08 15:37:03  08/15/08 01:37:05  krbtgt/XYZ-GMBH.DE@TRANSACT-GMBH.DE
        renew until 08/15/08 15:37:03


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
On Mon, Aug 18, 2008 at 02:13:10PM +0200, Anian Wurzenberger wrote:
> we have a problem with keeping our group memberships up to
> date. If we e.g. remove a group membership from a user, we
> don't see any change when trying "wbinfo -r j.doe" or
> "groups j.doe". Even after hours there is no update. We
> also tried restarting smb, nmb, winbindd.
>
> Does anyone have an idea?

Does it still fail if j.doe logs in? If that one fixes it, then you see
effects of the netsamlogon_cache.tdb.

Volker
Anian Wurzenberger
2008-Aug-18 13:42 UTC
[Samba] samba + ads / user and group update-probem
Thank you for your answer. Where should the user log in? Into a share? Into an AD-connected computer?

Anian

-----Original Message-----
From: Volker Lendecke [mailto:Volker.Lendecke@SerNet.DE]

Does it still fail if j.doe logs in? If that one fixes it, then you see
effects of the netsamlogon_cache.tdb.
On Mon, Aug 18, 2008 at 03:41:50PM +0200, Anian Wurzenberger wrote:
> Thank you for your answer. Where should the user log in?
> Into a share? Into an AD-connected computer?

For example into a share. Anything that makes Samba authenticate against the DC.

Volker
Anian Wurzenberger
2008-Aug-21 09:53 UTC
[Samba] samba + ads / user and group update-probem
Hi Volker,
now that we're running winbindd with -n that seems to help. I thought that wbinfo would access AD to authenticate when winbindd is running without caching, but apparently it doesn't. Thank you for your help.

Anian

-----Original Message-----
From: Volker Lendecke [mailto:Volker.Lendecke@SerNet.DE]
Sent: Monday, 18 August 2008 22:34
To: Anian Wurzenberger
Cc: samba@lists.samba.org
Subject: Re: [Samba] samba + ads / user and group update-probem

On Mon, Aug 18, 2008 at 03:41:50PM +0200, Anian Wurzenberger wrote:
> Thank you for your answer. Where should the user log in?
> Into a share? Into an AD-connected computer?

For example into a share. Anything that makes Samba authenticate against the DC.

Volker
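The test Volker proposes in this thread (does the membership list change once the user actually authenticates through Samba?) in script form. This is an added example, not code from the thread or from the Samba project. It assumes winbindd is running on a joined host, that `wbinfo -r USER` prints one numeric GID per line, that `getent group GID` resolves the GID through NSS/winbind, and that `ntlm_auth --username=USER` prompts for the password and performs an NTLM logon through winbindd against the DC. USER is a placeholder; the group names in the comments are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread.  Scripts Volker's test: read
# the group list winbind currently reports for a user, make winbindd
# authenticate that user against the DC once (this is what refreshes the
# user's entry in netsamlogon_cache.tdb), and read the list again.  Groups
# that vanish only after the logon were being served stale from that
# cache; groups that are still listed afterwards were not.
#
# Assumptions not confirmed by the thread: winbindd runs on a joined host;
# `wbinfo -r USER` prints one numeric GID per line; `getent group GID`
# resolves it through NSS/winbind; `ntlm_auth --username=USER` prompts
# for the password and performs an NTLM logon via winbindd against the DC.

set -u

# norm: read group names on stdin, one per line; strip a leading
# "DOMAIN/" or "DOMAIN\" prefix (the thread's config uses "/" as the
# winbind separator), drop blank lines, lower-case (AD group names are
# case-insensitive) and sort uniquely so two lists can be compared.
norm() {
    sed -e 's#^[^/\\]*[/\\]##' -e '/^$/d' \
        | tr '[:upper:]' '[:lower:]' | sort -u
}

# gid_to_name GID: resolve via NSS.  `getent group` output is colon
# separated, so group names containing spaces ("Domain Users") survive.
gid_to_name() {
    name=$(getent group "$1" 2>/dev/null | cut -d: -f1)
    printf '%s\n' "${name:-gid:$1}"
}

# winbind_groups USER: winbind's current view of the user's groups.
winbind_groups() {
    for gid in $(wbinfo -r "$1"); do gid_to_name "$gid"; done | norm
}

# removed_groups BEFORE AFTER: names present in BEFORE (newline-separated)
# but absent from AFTER, after normalisation.  Pure text processing, so it
# also works on lists captured from other sources, e.g. a saved
# `net ads user info USER` listing taken on the DC side.
removed_groups() {
    b=$(mktemp) || return 1
    a=$(mktemp) || { rm -f "$b"; return 1; }
    printf '%s\n' "$1" | norm > "$b"
    printf '%s\n' "$2" | norm > "$a"
    comm -23 "$b" "$a"
    rm -f "$b" "$a"
}

# check_after_logon USER: the actual test.  Returns 0 when the list did
# not change, 2 when memberships disappeared after the logon (stale
# netsamlogon cache), 1 when the logon itself failed.
check_after_logon() {
    before=$(winbind_groups "$1")
    # Any authentication through Samba would do (SMB login to a share,
    # PAM); ntlm_auth is the scriptable one.  It prompts for the password
    # rather than taking it on the command line, so it does not show in ps.
    ntlm_auth --username="$1" || { echo "logon failed" >&2; return 1; }
    after=$(winbind_groups "$1")
    removed=$(removed_groups "$before" "$after")
    if [ -n "$removed" ]; then
        printf 'memberships dropped only after logon (stale netsamlogon cache):\n%s\n' "$removed"
        return 2
    fi
    echo "no change after logon; the stale entries are not in netsamlogon_cache.tdb"
}

if [ $# -gt 0 ]; then
    check_after_logon "$1"
fi
```

Run as `sh stale-groups.sh j.doe`. If the second listing loses the revoked group, the stale answer came from netsamlogon_cache.tdb, which is a separate file in Samba's lock directory and is only refreshed when the user authenticates; `net cache flush` empties gencache, not this file, so to discard stale entries stop winbindd and delete netsamlogon_cache.tdb. The fix reported at the end of the thread, `winbindd -n`, disables winbind's caching altogether, which trades a DC round trip per lookup for memberships that track the directory immediately; from a least-privilege point of view the point is that a revoked group membership otherwise keeps granting access on the Samba host until that user next logs on.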