Hello Samba team!

I'm a network administrator in a French high school where I store my user/group IDs using rfc2307. My client stations use Winbind to query the rfc2307 attributes.

Each new year, as all my students move to another class, almost all of my users' gids are updated in AD.

This gid is very important in my network because pam_mount only mounts the share corresponding to the user's gid.

I don't know why, but sometimes the old gid (from the previous year) is attributed by pam_mount to the user, so the wrong share is mounted. So I suspect some persistent Winbind cache.

From the documentation:
-> idmap cache time defaults to one week
-> winbind cache time defaults to 5 minutes

But after nearly two months I still experience some bad group attribution.

All my servers and clients are Debian Stretch with Samba 4.5.12.

Is there some case (e.g. slow server response) where Winbind uses a cached uid/gid even if the cache time is over?

Is there anyone who can give me some tips to investigate the problem?

Regards,
Baptiste.
On Mon, 8 Oct 2018 15:26:28 +0200
Prunk Dump via samba <samba at lists.samba.org> wrote:

> Hello Samba team !
>
> I'm network administrator in a french high school where I store my
> user/group ID using rfc2307. My client stations use Winbind to query
> rfc2307 attributes.
>
> Each new years, as all my students move to another class, almost all
> my user's gid are updated in AD.
>
> This gid is very important in my network because pam_mount mount only
> the share corresponding the to user's gid.
>
> I don't know why, but sometimes the old gid ( from the previous year
> ) is attributed by pam_mount to the user so the wrong share are
> mounted. So I suspect some persistent Winbind cache.
>
> From the documentation :
> -> idmap cache time default to one week
> -> winbind cache time default to 5 minutes
>
> But after nearly two months I still experience some bad group
> attribution.
>
> All my servers and clients are Debian Stretch with Samba-4.5.12.
>
> Is there some case (ex : slow server response) where Winbind use a
> cached uid/gid even if the cache time is over ?
>

As always, posting the smb.conf would be a big help.

You seem to be talking about a user's gidNumber, but, until Samba 4.6.0, every user's effective primary group was Domain Users.

The only cache used has a time default and the DC is contacted after this time, unless 'winbind offline logon = yes' is set and a DC cannot be contacted.

So, more info please.

Rowland
On Mon, 8 Oct 2018 at 15:57, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> On Mon, 8 Oct 2018 15:26:28 +0200
> Prunk Dump via samba <samba at lists.samba.org> wrote:
>
> > Hello Samba team !
> >
> > I'm network administrator in a french high school where I store my
> > user/group ID using rfc2307. My client stations use Winbind to query
> > rfc2307 attributes.
> >
> > Each new years, as all my students move to another class, almost all
> > my user's gid are updated in AD.
> >
> > This gid is very important in my network because pam_mount mount only
> > the share corresponding the to user's gid.
> >
> > I don't know why, but sometimes the old gid ( from the previous year
> > ) is attributed by pam_mount to the user so the wrong share are
> > mounted. So I suspect some persistent Winbind cache.
> >
> > From the documentation :
> > -> idmap cache time default to one week
> > -> winbind cache time default to 5 minutes
> >
> > But after nearly two months I still experience some bad group
> > attribution.
> >
> > All my servers and clients are Debian Stretch with Samba-4.5.12.
> > Is there some case (ex : slow server response) where Winbind use a
> > cached uid/gid even if the cache time is over ?
> >
>
> As always, posting the smb.conf would be a big help.
>
> You seem to be talking about a users gidNumber, but, until Samba 4.6.0,
> every users effective primary group was Domain Users.
>
> The only cache used has a time default and the DC is contacted after
> this time, unless 'winbind offline logon = yes' is set and a DC cannot
> be contacted.
>
> So, more info please.
>
> Rowland

Hi! Thanks for the help!

I use Samba 4.5 (Debian stable) and, to get the primary group I want, I change the user's primaryGroupID in AD.

I know this is usually a bad idea (as said in the Samba documentation). But in my case there are some arguments in favour of this method:

-> My users are still members of the "Domain Users" group, but not as their primary group.
-> My network is 90% Linux and 10% Windows (around 450 Linux and 40 Windows clients).
-> I have never seen any problems with the "Domain Users" group on the Windows clients with this setup.
-> My Linux clients mount shares with NFSv4. My users absolutely need to have the right gid to create some shared files.
-> It's difficult for me to move to Samba 4.6 or newer because I would lose Debian security updates. Security and stability are very important with 450 stations.

Here is my smb.conf (on clients):

    [global]
    workgroup = FICHLAN
    security = ADS
    realm = LAN.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    winbind refresh tickets = Yes

    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users = no
    winbind enum groups = no
    winbind expand groups = 1

    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config FICHLAN:backend = ad
    idmap config FICHLAN:schema_mode = rfc2307
    idmap config FICHLAN:range = 3000000-9999999
    winbind nss info = rfc2307

The strange thing is that my user seems to have the right gid once the login is done. I can't find files in my user's home folder with a bad gid. The problem seems to appear only at the pam_mount stage.

Thanks James for the tips! I will try to understand what the netsamlogon_cache.tdb file contains.

Regards,
Baptiste.
On Mon, 8 Oct 2018 18:11:39 +0200
Prunk Dump <prunkdump at gmail.com> wrote:

> Hi !
>
> I use samba 4.5 ( Debian stable ) and to get the primary group I want,
> I change the user's primaryGroupID in AD.

Bad idea

> I know this is usually a bad idea ( as said in the samba documentation
> ). But in my case there is some arguments in favor of this method :

There are no arguments in favour of changing the primaryGroupID attribute, try asking the guy who couldn't add another DC because he had done this.

> -> My users are still member of the "Domain Users" group but not as
> primary group.

Yes, but not in the correct way.

> -> My network is 90% Linux and 10% Windows ( around 450 Linux and 40
> Windows clients).

You are still using Microsoft technology, you need to fit in with that, not the other way around.

> -> I never seen any problems with the "Domain Users" group on the
> Windows clients with this setup.

This doesn't mean it is the correct thing to do.

> -> As my Linux clients mount shares with NFSv4. My users absolutely
> need to have a right gid to create some shared files.

Possibly, but you do not need to change the primaryGroupID to do this.

> -> It's difficult for my to move to samba 4.6 or newer because I lost
> Debian security updates. Security and stability is very important with
> 450 stations.

How can you lose 'security updates' ?

> Here my smb.conf (on clients) :
>
> [global]
> workgroup = FICHLAN
> security = ADS
> realm = LAN.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind refresh tickets = Yes
>
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = no
> winbind enum groups = no
> winbind expand groups = 1
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config FICHLAN:backend = ad
> idmap config FICHLAN:schema_mode = rfc2307
> idmap config FICHLAN:range = 3000000-9999999
> winbind nss info = rfc2307

Don't tell me, you got the '3000000' numbers from the DC, you didn't have to use them, they are xidNumbers.

> The strange thing is that my user seems to have the right gid once the
> login is done.

They would still have been allowed access to the shares even if you hadn't changed the primaryGroupID, and the group membership is only correct once the user has logged in.

> I can't find files in my user home folder with a bad
> gid. The problem seems to appear only at the pam_mount stage.

Strange, pam_mount works for me and I do not change the primaryGroupID.

> Thanks James for the tips ! I will try to understand what contain the
> netsamlogon_cache.tdb file.

I doubt that it is your problem. (whoever James is ?)

Rowland
Thank you very much for your help Rowland! And sorry for my English, I'm French.

On Mon, 8 Oct 2018 at 18:38, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> On Mon, 8 Oct 2018 18:11:39 +0200
> Prunk Dump <prunkdump at gmail.com> wrote:
>
> > Hi !
> >
> > I use samba 4.5 ( Debian stable ) and to get the primary group I want,
> > I change the user's primaryGroupID in AD.
>
> Bad idea
>
> > -> It's difficult for my to move to samba 4.6 or newer because I lost
> > Debian security updates. Security and stability is very important with
> > 450 stations.
>
> How can you lose 'security updates' ?

The Debian security team works only on Debian stable. So it does not always publish security updates for the backports or sid Samba versions. Moreover, it is difficult for me to use third-party repositories as they change the Samba version very often. I need to be as "stable" as possible so as not to disturb my users. So I prefer a workaround over switching to a Samba version other than the "stable" one.

But you're right, maybe this is not the right workaround. But actually I can't find another. I need to assign a correct gid to my users.

> > Here my smb.conf (on clients) :
> >
> > [global]
> > workgroup = FICHLAN
> > security = ADS
> > realm = LAN.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
> >
> > dedicated keytab file = /etc/krb5.keytab
> > kerberos method = secrets and keytab
> > winbind refresh tickets = Yes
> >
> > winbind trusted domains only = no
> > winbind use default domain = yes
> > winbind enum users = no
> > winbind enum groups = no
> > winbind expand groups = 1
> >
> > idmap config *:backend = tdb
> > idmap config *:range = 2000-9999
> > idmap config FICHLAN:backend = ad
> > idmap config FICHLAN:schema_mode = rfc2307
> > idmap config FICHLAN:range = 3000000-9999999
> > winbind nss info = rfc2307
>
> Don't tell me, you got the '3000000' numbers from the DC, you didn't
> have to use them, they are xidNumber's
>

My uids and gids are generated from my Samba DC. One year ago I used the xidNumber assigned to a user/group as the ID number. It was copied into AD using some scripts. Now I use "msSFU30MaxUidNumber" and "msSFU30MaxGidNumber". But I have kept the same range.

> > The strange thing is that my user seems to have the right gid once the
> > login is done.
>
> They would still have been allowed access to the shares even if you
> hadn't changed the primaryGroupID and the group membership is only
> correct once the user has logged in.
>
> > I can't find files in my user home folder with a bad
> > gid. The problem seems to appear only at the pam_mount stage.
>
> Strange, pam mount works for me and I do not change the primaryGroupID
>
> > Thanks James for the tips ! I will try to understand what contain the
> > netsamlogon_cache.tdb file.
>
> I doubt that it is your problem. (whoever James is ?)
>

James gave me some advice in private. He said that he had the same problem and that deleting netsamlogon_cache.tdb solved it. But he didn't give me his Samba version or whether he changes the primaryGroupID.

Thanks again.
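The thread turns on one question: does the gid winbind hands to pam_mount still match what AD holds after the yearly change? The script below is an added example for this thread, not code from the Samba project or from any of the posters. It parses the passwd-style line that `wbinfo -i USER` prints (`name:*:uid:gid:gecos:home:shell`) and an LDIF dump of the AD object the primary gid is supposed to come from, and reports a mismatch. Which object that is depends on the release, as Rowland notes: on Samba 4.6 and later with rfc2307 it is the user's own gidNumber; on the 4.5 setup in this thread, where primaryGroupID was changed, it is the gidNumber of that group. The user, group names, domain, numbers, the `net ads search` output format and the `net cache flush` step in the live helper are all assumptions, and the sample data is constructed, not captured from any real domain.

```python
"""Check whether winbind's gid for a user matches what AD currently holds.

Added example for the thread above, not code from Samba or from the posters.
Assumes `wbinfo -i USER` prints `name:*:uid:gid:gecos:home:shell` and that
the AD object is dumped as LDIF (e.g. by `net ads search` or `ldbsearch`)
carrying an rfc2307 `gidNumber`. Names and numbers below are hypothetical.
"""
import re
import subprocess

GIDNUMBER_RE = re.compile(r"^gidNumber:\s*(\d+)\s*$", re.MULTILINE)

# Constructed sample data (not captured from any real domain): winbind still
# returns last year's class gid while AD already points at the new class.
SAMPLE_WBINFO = "jdupont:*:3000042:3000555:Jean Dupont:/home/jdupont:/bin/bash"
SAMPLE_GROUP_CURRENT = (
    "dn: CN=classe-2019,OU=Groups,DC=lan,DC=example\n"
    "gidNumber: 3000777\n"
)
SAMPLE_GROUP_LAST_YEAR = (
    "dn: CN=classe-2018,OU=Groups,DC=lan,DC=example\n"
    "gidNumber: 3000555\n"
)


def parse_wbinfo_i(line):
    """Split one `wbinfo -i` line into a dict; uid and gid become ints."""
    fields = line.strip().split(":")
    if len(fields) != 7:
        raise ValueError("unexpected wbinfo -i output: %r" % line)
    name, _, uid, gid, gecos, home, shell = fields
    return {"name": name, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell}


def parse_ldif_gidnumber(ldif):
    """Return the rfc2307 gidNumber from an LDIF dump of a user or group."""
    match = GIDNUMBER_RE.search(ldif)
    if match is None:
        raise ValueError("no gidNumber attribute in LDIF")
    return int(match.group(1))


def check_gid(wbinfo_line, expected_ldif):
    """Compare winbind's gid with the gidNumber AD holds on the object the
    primary group should come from (the user itself on Samba >= 4.6, the
    group named by primaryGroupID on the older setup in this thread)."""
    wb = parse_wbinfo_i(wbinfo_line)
    expected = parse_ldif_gidnumber(expected_ldif)
    return {"user": wb["name"], "winbind_gid": wb["gid"],
            "expected_gid": expected, "stale": wb["gid"] != expected}


def _run(argv):
    return subprocess.run(argv, check=True, capture_output=True,
                          text=True).stdout


def check_live(user, group_cn, flush=False):
    """Live check on a domain member; needs Samba's wbinfo and net tools.
    With `winbind use default domain = yes` a bare user name is enough,
    otherwise pass DOMAIN\\user. The `net ads search` output format and the
    `net cache flush` step are assumptions; a stale result is the moment to
    look at winbind's caches or at the netsamlogon_cache.tdb discussed in
    the thread."""
    wb_line = _run(["wbinfo", "-i", user])
    ldif = _run(["net", "ads", "search", "(cn=%s)" % group_cn, "gidNumber"])
    result = check_gid(wb_line, ldif)
    if result["stale"] and flush:
        _run(["net", "cache", "flush"])
        result["flushed"] = True
    return result


if __name__ == "__main__":
    for ldif in (SAMPLE_GROUP_LAST_YEAR, SAMPLE_GROUP_CURRENT):
        print(check_gid(SAMPLE_WBINFO, ldif))
```

Run it once right after the yearly AD update and again after the winbind cache time has elapsed: if the second run still reports `stale`, the answer is not coming from the DC, which is exactly the situation the thread is trying to pin down.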