A. James Lewis
2017-Aug-25 12:10 UTC
[Samba] AD Group update lag / cache, firewall related?
Hey again all,

After the rather excellent assistance from a few of you on the list over the last week... I wonder if you will be able to answer the cause of another rather long-standing issue I've had for a long while.

We have a couple of Linux hosts using winbind for authentication, and AD groups for access to various privileges... but for some reason or another... possibly firewalls blocking some of the communication... when users' groups are updated, they are not reflected on the Linux box, sometimes for days, or even weeks.

We've never been able to explain it, and I've never asked for advice before since I always put it down to an /ancient/ version of samba/winbind.

I have, however, now upgraded that version of Samba to 4.6.6, and since the problem is still evident, I figure it's a perfect chance to ask....

Also, I guess it would be useful to know how to correctly flush whatever caches samba/winbind is holding.

-- 
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people built perfectly good brick walls long before they knew why cement works."
Rowland Penny
2017-Aug-25 12:38 UTC
[Samba] AD Group update lag / cache, firewall related?
On Fri, 25 Aug 2017 12:10:58 +0000
"A. James Lewis via samba" <samba at lists.samba.org> wrote:

> Hey again all,
>
> After the rather excellent assistance from a few of you on the list
> over the last week... I wonder if you will be able to answer the
> cause of another rather long standing issue I've had for a long while.
>
> We have a couple of Linux hosts using winbind for authentication, and
> AD groups for access to various privileges... but for some reason or
> another... possible firewalls blocking some of the communication...
> when users groups are updated, they are not reflected on the Linux
> box, sometimes for days, or even weeks.
>
> We've never been able to explain it, and I've never asked for advice
> before since I always put it down to an /ancient/ version of
> samba/winbind.
>
> I have however, now upgraded that version of Samba to 4.6.6, and
> since the problem is still evident, I figure it's a perfect chance to
> ask....
>
> Also, I guess it would be useful to know how to correctly flush
> whatever caches samba/winbind is holding.
>

You appear to have a serious problem; unless you have a 'winbind cache time' line in smb.conf, the winbind cache should be updated every 5 minutes. This is unless you also have 'winbind offline logon' set to 'yes', which you should only need on a laptop or similar. If offline logon is set, then I 'think' it is still updated if it can be, i.e. there is a network connection.

You can flush the winbind cache with the aptly named 'net cache flush' command, though I wouldn't run it on a Unix domain member if offline logon is set without finding out why there isn't a network connection to a DC; you may find you cannot logon anymore ;-)

Rowland
A. James Lewis
2017-Aug-25 13:54 UTC
[Samba] AD Group update lag / cache, firewall related?
It's not offline.... and groups do usually filter through... sometimes immediately, sometimes never... but usually with a significant delay...

I originally put this down to the ancient version of Samba or Winbind that was shipped with the OS, but it seems I was wrong...

Winbind can see the group, and even the group membership... and the group is passed on to the OS, but not the group membership.

e.g.:

wbinfo -g user | grep group <-- successful

getent group group <-- successful

however

groups user | grep group <-- fails

I was wondering if there's a limit on the number of groups, since the new machine using "groups" shows that the user has 128 groups, while a machine that's been around for a while shows 156 groups... and another machine that's local to the AD controller shows 174 groups.

James

August 25, 2017 1:47 PM, "Rowland Penny via samba" <samba at lists.samba.org> wrote:

> On Fri, 25 Aug 2017 12:10:58 +0000
> "A. James Lewis via samba" <samba at lists.samba.org> wrote:
>
>> Hey again all,
>>
>> After the rather excellent assistance from a few of you on the list
>> over the last week... I wonder if you will be able to answer the
>> cause of another rather long standing issue I've had for a long while.
>>
>> We have a couple of Linux hosts using winbind for authentication, and
>> AD groups for access to various privileges... but for some reason or
>> another... possible firewalls blocking some of the communication...
>> when users groups are updated, they are not reflected on the Linux
>> box, sometimes for days, or even weeks.
>>
>> We've never been able to explain it, and I've never asked for advice
>> before since I always put it down to an /ancient/ version of
>> samba/winbind.
>>
>> I have however, now upgraded that version of Samba to 4.6.6, and
>> since the problem is still evident, I figure it's a perfect chance to
>> ask....
>>
>> Also, I guess it would be useful to know how to correctly flush
>> whatever caches samba/winbind is holding.
>
> You appear to have a serious problem, unless you have a 'winbind cache
> time' line in smb.conf, the winbind cache should be updated every 5
> minutes. This is unless you also have 'winbind offline logon' set to
> 'yes', which you should only need on a laptop or similar. If offline
> logon is set, then I 'think' it is still updated if it can be i.e.
> there is a network connection.
>
> You can flush the winbind with the aptly named 'net cache flush'
> command, though I wouldn't run it on a Unix domain member if offline
> logon is set, without finding out why there isn't a network connection
> to a DC, you may find you cannot logon anymore ;-)
>
> Rowland
>
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

-- 
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people built perfectly good brick walls long before they knew why cement works."
Rowland Penny
2017-Aug-25 14:08 UTC
[Samba] AD Group update lag / cache, firewall related?
On Fri, 25 Aug 2017 13:54:21 +0000
"A. James Lewis" <james at fsck.co.uk> wrote:

> It's not offline.... and groups do usually filter through...
> sometimes immediately, sometimes never... but usually with a
> significant delay...
>
> I originally put this down to the ancient version of Samba or Winbind
> that was shipped with the OS, but it seems I was wrong...
>
> Winbind can see the group, and even the group membership... and the
> group is passed on to the OS, but not the group membership.
>
> eg:-
>
> wbinfo -g user | grep group <-- successful
>
> getent group group <-- successful
>
> however
>
> groups user | grep group <-- fails
>
> I was wondering if there's a limit on the number of groups, since the
> new machine using "groups", shows that the user has 128 groups, while
> a machine that's been around for a while shows 156 groups... and
> another machine that's local to the AD controller shows 174 groups.
>

Hmm, try reading this:

https://wiki.samba.org/index.php/Samba_4.6_Features_added/changed

Under 'Samba 4.6.0' --> winbind changes

Does 'groups user' show any groups ?

Rowland
A. James Lewis
2017-Aug-25 14:58 UTC
[Samba] AD Group update lag / cache, firewall related?
August 25, 2017 3:12 PM, "Rowland Penny via samba" <samba at lists.samba.org> wrote:

> On Fri, 25 Aug 2017 13:54:21 +0000
> "A. James Lewis" <james at fsck.co.uk> wrote:
>
>> It's not offline.... and groups do usually filter through...
>> sometimes immediately, sometimes never... but usually with a
>> significant delay...
>>
>> I originally put this down to the ancient version of Samba or Winbind
>> that was shipped with the OS, but it seems I was wrong...
>>
>> Winbind can see the group, and even the group membership... and the
>> group is passed on to the OS, but not the group membership.
>>
>> eg:-
>>
>> wbinfo -g user | grep group <-- successful
>>
>> getent group group <-- successful
>>
>> however
>>
>> groups user | grep group <-- fails
>>
>> I was wondering if there's a limit on the number of groups, since the
>> new machine using "groups", shows that the user has 128 groups, while
>> a machine that's been around for a while shows 156 groups... and
>> another machine that's local to the AD controller shows 174 groups.
>
> Hmm, try reading this:
>
> https://wiki.samba.org/index.php/Samba_4.6_Features_added/changed
>
> Under 'Samba 4.6.0' --> winbind changes
>
> Does 'groups user' show any groups ?
>

Yes, however I have 4 servers and they each show a different number of groups, 128, 154, 169 and 174...

# for i in `groups user`; do echo $i; done | wc -l

The Samba 4.6 box shows 128, which makes me think perhaps there is a limit to the number of groups that are processed somewhere... 128 being a suspicious number!..... but that's a pure guess!

> Rowland
>
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

-- 
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people built perfectly good brick walls long before they knew why cement works."
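The thread leaves two checks to the reader: whether the smb.conf settings Rowland names ('winbind cache time', whose Samba default is 300 seconds, and 'winbind offline logon') are actually in effect on the box, and whether the group James sees in winbind but not in `groups user` is lost between winbindd and the NSS side of libc. The script below is an added example written for this page; it is not code from the thread, from Samba, or from either poster. The `wbinfo -r USER`, `id -G USER` and `testparm -sv` invocations are real Samba/coreutils commands; the testparm output and GID lists embedded in the script are constructed sample data, and the `CHECK_USER` environment variable and the function names are this example's own conventions.

```shell
#!/bin/sh
# Added diagnostic script; not from the thread and not part of Samba.
# (1) reads 'winbind cache time' (Samba default 300 s) and 'winbind offline
#     logon' out of `testparm -sv`-style "key = value" text;
# (2) compares the supplementary GIDs winbindd reports for a user
#     (`wbinfo -r USER`) with the GIDs the OS gets through NSS (`id -G USER`),
#     which is the same initgroups path `groups USER` is built on.
# The testparm text and GID lists below are constructed sample data.
set -eu

# Print the value of parameter $2 from testparm-style "key = value" text $1.
smb_param() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# Verdict on the caching settings: "ok", "long-cache", "offline-logon" or
# "long-cache,offline-logon". A missing 'winbind cache time' means the
# Samba default of 300 seconds ("every 5 minutes" in Rowland's reply).
winbind_cache_verdict() {
    cache=$(smb_param "$1" "winbind cache time")
    offline=$(smb_param "$1" "winbind offline logon")
    case "$cache" in ''|*[!0-9]*) cache=300 ;; esac   # unset or junk -> default
    verdict=""
    [ "$cache" -le 300 ] || verdict="long-cache"
    case "$(printf '%s' "${offline:-no}" | tr '[:upper:]' '[:lower:]')" in
        yes|true|1) verdict="${verdict:+$verdict,}offline-logon" ;;
    esac
    printf '%s\n' "${verdict:-ok}"
}

# One numeric GID per line, sorted, de-duplicated. Accepts both the
# space-separated form `id -G` prints and the one-per-line form of `wbinfo -r`.
normalize_gids() {
    tr -s ' \t' '\n' | grep -E '^[0-9]+$' | sort -n | uniq
}

count_gids() {
    printf '%s\n' "$1" | normalize_gids | wc -l | tr -d ' '
}

# GIDs present in list $1 but absent from list $2, one per line.
gids_missing_from() {
    a=$(printf '%s\n' "$1" | normalize_gids)
    b=$(printf '%s\n' "$2" | normalize_gids)
    for g in $a; do
        printf '%s\n' "$b" | grep -qx "$g" || printf '%s\n' "$g"
    done
}

# Constructed sample data (not captured from any real host).
TESTPARM_SAMPLE='[global]
        workgroup = EXAMPLE
        security = ADS
        winbind cache time = 300
        winbind offline logon = No'
TESTPARM_LAPTOP='[global]
        winbind cache time = 86400
        winbind offline logon = Yes'
WINBIND_GIDS='10001
10002
10003
10005'                          # what wbinfo -r might print: 10005 is known to winbindd
NSS_GIDS='10001 10002 10003'    # what id -G might print: 10005 never reaches the OS

# Live run on a real domain member, only when CHECK_USER is set, e.g.
#   CHECK_USER='EXAMPLE\jlewis' sh winbind_groups_check.sh
live_check() {
    w=$(wbinfo -r "$1")
    n=$(id -G "$1")
    printf 'settings: %s\n' "$(winbind_cache_verdict "$(testparm -sv 2>/dev/null)")"
    printf 'winbindd reports %s GIDs, NSS reports %s GIDs\n' "$(count_gids "$w")" "$(count_gids "$n")"
    printf 'known to winbindd but missing from NSS:\n'
    gids_missing_from "$w" "$n"
}

if [ -n "${CHECK_USER:-}" ]; then
    live_check "$CHECK_USER"
fi
```

Reading the result: if `wbinfo -r` and `id -G` agree and both lack the new group, winbindd's own cache is what is stale, and Rowland's `net cache flush` (after confirming 'winbind offline logon' is not set and a DC is reachable) is the next step. If winbindd lists the group but NSS does not, the gap is on the libc side of the lookup rather than between winbind and AD, so the next things to check are the group line in /etc/nsswitch.conf and any NSS-level cache such as nscd sitting in front of libnss_winbind. Counting with `count_gids` on both lists is also a more direct test of James's "128 limit" suspicion than counting `groups` output, since it shows whether the truncation is already visible in what winbindd hands back.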