All,

I wonder if someone can give me an idea what the file "netsamlogon_cache.tdb" contains... as I have noticed that I can be added to a group, and access will not appear on the Unix side for a good deal of time... but if I stop Winbind, remove the file "netsamlogon_cache.tdb", and re-start everything, it will then work.

Can anyone tell me what the purpose of this file is, and if there's any way to control the time data is cached for?

--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people built perfectly good brick walls long before they knew why cement works."
On Wed, Jan 31, 2018 at 10:43:18AM +0000, A. James Lewis via samba wrote:
> I wonder if someone can give me an idea what the file
> "netsamlogon_cache.tdb" contains... as I have noticed that I can be
> added to a group, and access will not appear on the Unix side for a
> good deal of time... but if I stop Winbind, remove the file
> "netsamlogon_cache.tdb", and re-start everything, it will then work.

Yes, that would be expected. The Samba 4.6 release notes have a short description of this behavior:

https://www.samba.org/samba/history/samba-4.6.0.html

|winbind contains code that tries to emulate the group membership calculation
|that domain controllers do when a user logs in. This group membership calculation
|is a very complex process, in particular for domain trust relationship
|situations. Also, in many scenarios it is impossible for winbind to
|correctly do this calculation due to access restrictions in the
|domains: winbind using its machine account simply does not have the
|rights to ask for an arbitrary user's group memberships.
|
|When a user logs in to a Samba server, the domain controller correctly
|calculates the user's group memberships authoritatively and makes the
|information available to the Samba server. This is the only reliable
|way Samba can get informed about the groups a user is a member of.
|
|Because of its flakiness, the fallback group membership code is unwished,
|and our code paths try hard to only use the group memberships
|calculated by the domain controller.
|
|However, a lot of admins rely on the fallback behavior in order to support
|access for nfs access, ssh public key authentication and passwordless sudo.
|
|That's the reason for changing this back between 4.6.0rc4 and 4.6.0
|(See BUG 12612).
|
|The winbind change to simplify the calculation of supplementary groups to make
|it more reliable and predictable has been deferred to 4.7 or later.
|
|This means that 'id <username>' without the user having logged in
|previously works similar to 4.5.

> Can anyone tell me what the purpose of this file is, and if there's any way
> to control the time data is cached for.

The netsamlogon_cache.tdb file is the place where the user information (including group memberships) is cached that is available from the logon.

Samba 4.7 introduced a set of "net cache samlogon" commands to query this file and delete select entries.

Christof
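As an added example (not code from this thread or from the Samba project), a small POSIX shell helper that drops the cached logon data for one user: on Samba 4.7 or later it uses the `net cache samlogon` subcommands Christof mentions, and on older releases it falls back to the stop-winbind / remove-tdb / restart sequence from the original question, keeping a copy of the file. It assumes that `smbd -V` prints `Version x.y.z`, that `smbd -b` lists a `LOCKDIR:` entry, that `wbinfo -n` prints the SID as its first field, that `net cache samlogon show|delete <SID>` exist, and that winbind runs as a systemd unit named `winbind`.

```shell
#!/bin/sh
# Added example, not code from this thread or from the Samba project.
# Flush winbind's cached logon data for one user so a new group membership
# shows up on the Unix side without waiting for the cache to expire.
# Assumptions: 'smbd -V' prints "Version x.y.z"; 'smbd -b' lists "LOCKDIR:";
# 'wbinfo -n' prints the SID as its first field; winbind is a systemd unit.
set -eu

# Return 0 when the "Version x.y.z" string in $1 is Samba 4.7 or newer,
# the release that added the 'net cache samlogon' subcommands.
has_net_cache_samlogon() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^Version //; s/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    set -- $ver
    if [ "$1" -gt 4 ]; then return 0; fi
    if [ "$1" -eq 4 ] && [ "$2" -ge 7 ]; then return 0; fi
    return 1
}

# Derive the cache path from 'smbd -b' output passed in $1; fall back to
# the common /var/lib/samba location when LOCKDIR is not listed.
samlogon_cache_path() {
    lockdir=$(printf '%s\n' "$1" | sed -n 's/^ *LOCKDIR: *//p' | head -n 1)
    printf '%s/netsamlogon_cache.tdb\n' "${lockdir:-/var/lib/samba}"
}

# Drop the cached entry for DOMAIN\user ($1). On 4.7+ only that user's
# record goes; older releases need the stop/remove/restart sequence.
flush_samlogon_cache() {
    user=$1
    if has_net_cache_samlogon "$(smbd -V)"; then
        sid=$(wbinfo -n "$user" | awk '{print $1}')
        net cache samlogon show "$sid"       # record what is about to be dropped
        net cache samlogon delete "$sid"
    else
        cache=$(samlogon_cache_path "$(smbd -b)")
        systemctl stop winbind
        cp -p "$cache" "$cache.bak.$(date +%s)"  # keep a copy for later inspection
        rm -f "$cache"
        systemctl start winbind
    fi
    # Verify: the supplementary groups winbind now reports for the user.
    id "$user"
}

# Usage (as root on a domain-joined member): flush_samlogon_cache 'EXAMPLE\jlewis'
```

Note that this only clears the samlogon cache; the user's fresh group list still comes from the domain controller at the next logon or lookup, as the release notes describe.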
Thank you so much, I will have to see what options I have for updating the version....

--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people built perfectly good brick walls long before they knew why cement works."
Christof,

Can I clarify one point of the behaviour with you in this case... This is a domain run by a network of Windows machines run by a different team... and the users in question only log in to Linux via Winbind.

Would I be correct in saying that AD may not calculate their new AD group membership when they log in via Winbind, rather than log in to a Windows machine joined to the domain?

James

--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people built perfectly good brick walls long before they knew why cement works."