samba - Apr 2010 - Winbind 3.5.2 caching issues under SLES11???

Hi,

I don't know if this is a problem of SLES11 or winbind itself. I
recently installed the lastest samba winbind 3..5.2 on a SLES9 box and a
SLES11 box.

If I remove a user from a group in Active Directory the change is
visible immediately on the SLES9 box but not on the SLES11 box. Both are
running exactly the same version of winbind:

gedaiv64:~ # cat /etc/SuSE-release
SUSE Linux Enterprise Server 11 (x86_64)
VERSION = 11
PATCHLEVEL = 0
gedaiv64:~ # smbd -V
Version 3.5.2

gedaiv67:~ # cat /etc/SuSE-release
SUSE LINUX Enterprise Server 9 (i586)
VERSION = 9
PATCHLEVEL = 4
gedaiv67:~ # smbd -V
Version 3.5.2

Smb.conf is identical:

[global]
        netbios name = gedaiv67
        realm = SOMEDOMAIN.NET
        workgroup = SOMEDOMAIN
        security = ADS
        encrypt passwords = yes
        idmap backend = ad
        idmap config VEGA : backend = ad
        idmap config VEGA : schema_mode = sfu
        idmap config VEGA : range = 0-99999999
        winbind nss info = sfu
        winbind enum users = yes
        winbind enum groups = yes
        winbind offline logon = yes
        preferred master = no
        winbind nested groups = Yes
        winbind use default domain = Yes
        max log size = 50
        log file = /var/log/samba/log.%m
        log level = 3
        dns proxy = no
        wins server = 172.20.200.18 172.18.200.20
        allow trusted domains = No
        client use spnego = Yes
        kerberos method = secrets and keytab
        dedicated keytab file = /etc/krb5.keytab
        winbind refresh tickets = true
        idmap cache time = 300

Even after 10 minutes and more the change doesn't become effective on
the SLES11 box. NSCD is of course turned off on both machines.

Regards,

Oliver

On Fri, Apr 23, 2010 at 10:40 AM, Oliver Weinmann
<oliver.weinmann at vega.de> wrote:
> I don't know if this is a problem of SLES11 or winbind itself. I
> recently installed the lastest samba winbind 3..5.2 on a SLES9 box and a
> SLES11 box.
>
> If I remove a user from a group in Active Directory the change is
> visible immediately on the SLES9 box but not on the SLES11 box. Both are
> running exactly the same version of winbind:
Don't know if it's related but on 2 systems with 3.5.2 I could not get
the new idmap backend (moved from tdb to rid) to work without deleting
the gencache* tdb's in addition to the winbind ones.

Chris

Deleting the tdb files didn't solve the problem. It's really weird. For
example I have a AD user that is member of three groups:

Domain users (primary)

And two other project groups.

I removed him from the two project groups, the change is immediately
effective under SLES9 3.5.2 Winbind but on the SLES11 system, even after
a reboot the change is still not effective. I wonder where the hell this
is beeing cached? Because if the winbind daemon would query active
directory it should no longer list this user as a member of the two
project groups.

The Behaviour is the same throughout all of our SLES11 machines.

On Mon, Apr 26, 2010 at 10:48:19AM +0200, Oliver Weinmann
wrote:
> Ok, I have now deleted the netsamlogon_cache.tdb, restarted the samba
> service and logged in as the user. The groups are now no longer shown. I
> tried the same steps again with a different user and the problem is the
> same again. This time it was sufficient to restart the samba service. I
> wonder why on the SLES9 system the change is immediately effective but
> on the SLES11 box I need to restart the winbind service? The configs are
> exactly the same on both machines.
If you can reproduce that after wbinfo -a (or a similar
operation) you get wrong nss information (group memberships
etc), then we have a severe bug that needs fixing.

Please provide us detailed information how to reproduce this
problem.

Ah, please also make sure that you reproduce this without
nscd, that one could also cache things.

Thanks,

Volker
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: Digital signature
URL:
<http://lists.samba.org/pipermail/samba/attachments/20100426/3bb1d25b/attachment.pgp>

Ok, there is no bug. I looked through the smb.conf and added the
following parameters:

idmap cache time = 1
idmap negative cache time = 1
winbind cache time = 1

Now SLES11 acts as expected. Also I noticed that running a su -
"username" is not the same as wbinfo -a. :)

Thanks and Regards,
Oliver