orlando.richards at ed.ac.uk
2014-Jun-11 09:38 UTC
[Samba] Expiry of entries in netsamlogon_cache.tdb
I think we're suffering from bug 8641 at the moment: https://bugzilla.samba.org/show_bug.cgi?id=8641 where the netsamlogon_cache.tdb entries are not expiring.

We use AD groups for our (redhat) server auth, and also use server-side group auth for NFS (with the --manage-gids flag). So if a user is not in a group on the server, they're denied access to files as per group permissions. However, winbind is using netsamlogon_cache.tdb to cache group memberships for a SID - and this does not seem to get refreshed when users are accessing via NFS. I'm not clear on under what circumstances it *is* refreshed - but I guess that access via NFS is not one of them.

To work around the issue, I can edit the netsamlogon_cache.tdb manually with tdbtool, delete the entry for the user's SID, and it now refreshes. Obviously this is not optimal though!

On digging around, I found bug 3014 from back in samba 3.0 days, where netsamlogon_cache.tdb was completely removed: https://bugzilla.samba.org/show_bug.cgi?id=3014 but I guess it's come back in at some point.

The winbind cache time settings don't seem to affect the expiry of netsamlogon_cache.tdb entries - my settings are:

  idmap cache time = 300
  idmap negative cache time = 120
  winbind cache time = 300

Is there a way of forcing an expiry on netsamlogon_cache.tdb cache entries, or flushing the database? More usefully - is there a setting somewhere which will set automatic expiry of entries as per the winbind/idmap cache timeouts?

--
Dr Orlando Richards
Information Services
IT Infrastructure Division
Unix Section
Tel: 0131 650 4994
skype: orlando.richards

The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.
On Wed, Jun 11, 2014 at 10:38:01AM +0100, orlando.richards at ed.ac.uk wrote:
> I think we're suffering from bug 8641 at the moment:
> https://bugzilla.samba.org/show_bug.cgi?id=8641
> where the netsamlogon_cache.tdb entries are not expiring.
>
> We use AD groups for our (redhat) server auth, and also use
> server-side group auth for NFS (with the --manage-gids flag). So if
> a user is not in a group on the server, they're denied access to
> files as per group permissions. However, winbind is using
> netsamlogon_cache.tdb to cache group memberships for a SID - and
> this does not seem to get refreshed when users are accessing via
> NFS. I'm not clear on under what circumstances it *is* refreshed -
> but I guess that access via NFS is not one of them.

You're right, we never delete stuff from the netsamlogon_cache.tdb. We only update it with fresh information, once we get hold of it via a successful login of an AD-authenticated user. wbinfo -a and a kerberized SMB login will do it.

> To work around the issue, I can edit the netsamlogon_cache.tdb
> manually with tdbtool, delete the entry for the user's SID, and it
> now refreshes. Obviously this is not optimal though!

The problem here is -- this refresh is unreliable at best. In most trusted domain scenarios it does not work at all. That's the reason why we never expire the netsamlogon_cache: There is no way for us to refresh that information in any other way than via a successful login by an AD user. Yes, in some scenarios it does work, but in just as many scenarios it will fail in subtle ways. The only way to make this reliable is to kerberize the NFS service and make the NFS clients members of AD, retrieving tickets including a PAC. There are patches around somewhere that do this for Ganesha. I haven't looked at the kernel NFS services at all yet.

> Is there a way of forcing an expiry on netsamlogon_cache.tdb cache
> entries, or flushing the database? More usefully - is there a
> setting somewhere which will set automatic expiry of entries as per
> the winbind/idmap cache timeouts?

Well, tdbtool is certainly the interim tool. We could provide a special net tool with some syntactic sugar, but that would not do much else. I'm a bit reluctant to expire this automatically, and if, then with a really long timeout such as a month or so.

With best regards,

Volker Lendecke

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
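An added example, not code from either poster or from the Samba project: a small POSIX sh wrapper around the tdbtool workaround Orlando describes and Volker calls the interim tool. It assumes wbinfo and tdbtool are on PATH, that the cache lives at /var/lib/samba/netsamlogon_cache.tdb (the path differs between distributions, so it is overridable), and that the tdb key for a user's entry is the SID string, which is how Orlando deleted it by hand; the wbinfo -n output line shown in the comment is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the thread. Resolve a user to a SID with winbind and
# delete that SID's entry from netsamlogon_cache.tdb, so the stale group list
# is gone until the next successful AD login re-populates it.
# Assumptions: tdbtool and wbinfo on PATH; cache path below (override with
# CACHE_DB=...); the entry's tdb key is the plain SID string.

CACHE_DB="${CACHE_DB:-/var/lib/samba/netsamlogon_cache.tdb}"

# Pull the SID out of a "wbinfo -n DOMAIN\user" result line. A constructed
# sample of such a line:
#   S-1-5-21-1004336348-1177238915-682003330-1234 SID_USER (1)
# Prints the SID and returns 0; returns 1 when the line carries no SID
# (for example "Could not lookup name ...").
sid_from_wbinfo_line() {
    set -- $1
    case "$1" in
        S-1-*) printf '%s\n' "$1"; return 0 ;;
        *)     return 1 ;;
    esac
}

# Resolve DOMAIN\user to a SID via winbind.
sid_for_user() {
    line=$(wbinfo -n "$1") || return 1
    sid_from_wbinfo_line "$line"
}

# Delete the user's cached entry. Returns 1 if the user cannot be resolved,
# 2 if there is no entry to delete, otherwise tdbtool's exit status.
flush_user_entry() {
    sid=$(sid_for_user "$1") || { echo "cannot resolve $1" >&2; return 1; }
    # "keys" lists every key in the database; look for this SID before
    # attempting the delete so a typo'd user name does not pass silently.
    if ! tdbtool "$CACHE_DB" keys | grep -q -F -- "$sid"; then
        echo "no cached entry for $1 ($sid) in $CACHE_DB" >&2
        return 2
    fi
    tdbtool "$CACHE_DB" delete "$sid"
}

# Only act when invoked with a user name; sourcing the file just defines
# the functions.
if [ "$#" -gt 0 ]; then
    flush_user_entry "$1"
fi
```

Run it as `sh flush_netsamlogon.sh 'EXAMPLE\jsmith'` on the NFS server, then watch the user's next `wbinfo -a` or kerberized SMB login repopulate the entry. It only removes the one stale record; per Volker's reply the refresh that follows is not guaranteed in trusted-domain setups, so treat it as a way to revoke a cached group list, not as a substitute for a PAC-bearing login.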