Hi All,

I have hit a snag with winbind's group caching on AD on one of our client's infrastructure.

We have a client that is using AD groups to control ssh access to servers.

The client is running a lot of different bugfix and build versions in the 3.6 branch, all running on RHEL using RPMs.

I have seen this issue cropping up in the ML from time to time and most of the solutions are to rm /var/lib/samba/netsamlogon_cache.tdb.

Is there perhaps another way to tell winbind to invalidate the cache (or ignore it altogether)?

I would prefer to not rm this file from a nightly cron (which is the current solution in place).

I have petitioned the client to update the samba version to samba 4, but it does not look like they want to bite.

Kind regards
Ian Coetzee

--
*I am a node of server*
*born of flesh and blood*
*but enhanced by the power of its web*
*I have no use for pain or fear*
*My scripts are a focus of my will*
*My strength is my knowledge*
*My weapons are my skills*
*Information is the blood of my body*
*I am part of the greater network*
*I am host to the vast data of server*
*My flesh is weak*
*but my connection is eternal*
*and therefore, I am a god*

On 15/07/2020 13:59, Ian Coetzee via samba wrote:
> Hi All,
>
> I have hit a snag with winbind's group caching on AD on one of our client's infrastructure.
>
> We have a client that is using AD groups to control ssh access to servers.
>
> The client is running a lot of different bugfix and build versions in the 3.6 branch, all running on RHEL using RPMs.
>
> I have seen this issue cropping up in the ML from time to time and most of the solutions are to rm /var/lib/samba/netsamlogon_cache.tdb.
>
> Is there perhaps another way to tell winbind to invalidate the cache (or ignore it altogether)?
>
> I would prefer to not rm this file from a nightly cron (which is the current solution in place).
>
> I have petitioned the client to update the samba version to samba 4, but it does not look like they want to bite.
>
> Kind regards
> Ian Coetzee

Just tell them that RHEL/CentOS 6 goes EOL in November ;-)

They really should upgrade, there have been numerous CVEs that have not been backported to 3.6.x because it is EOL.

There have also been numerous bugfixes that haven't been backported.

Rowland

On Wed, 15 Jul 2020 at 15:29, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On 15/07/2020 13:59, Ian Coetzee via samba wrote:
> > Hi All,
> >
> > I have hit a snag with winbind's group caching on AD on one of our client's infrastructure.
> >
> > We have a client that is using AD groups to control ssh access to servers.
> >
> > The client is running a lot of different bugfix and build versions in the 3.6 branch, all running on RHEL using RPMs.
> >
> > I have seen this issue cropping up in the ML from time to time and most of the solutions are to rm /var/lib/samba/netsamlogon_cache.tdb.
> >
> > Is there perhaps another way to tell winbind to invalidate the cache (or ignore it altogether)?
> >
> > I would prefer to not rm this file from a nightly cron (which is the current solution in place).
> >
> > I have petitioned the client to update the samba version to samba 4, but it does not look like they want to bite.
> >
> > Kind regards
> > Ian Coetzee
>
> Just tell them that RHEL/CentOS 6 goes EOL in November ;-)
>
> They really should upgrade, there have been numerous CVEs that have not been backported to 3.6.x because it is EOL.
>
> There have also been numerous bugfixes that haven't been backported.
>
> Rowland

Hi Rowland,

Thank you for the reply. I will see about getting them to upgrade, but so far there has been no luck - they can't afford to be offline, so they don't want updates.

Will an update to samba 4.x fix the caching issue?

Kind regards
Ian Coetzee