On Wed, 15 Jul 2020 at 15:29, Rowland penny via samba <samba at lists.samba.org> wrote:

> On 15/07/2020 13:59, Ian Coetzee via samba wrote:
> > Hi All,
> >
> > I have hit a snag with winbind's group caching on AD on one of our client's
> > infrastructure.
> >
> > We have a client that is using AD groups to control ssh access to servers.
> >
> > The client is running a lot of different bugfix and build versions in the
> > 3.6 branch all running on RHEL using rpm's.
> >
> > I have seen this issue cropping up in the ML from time to time and most of
> > the solutions are to rm /var/lib/samba/netsamlogon_cache.tdb.
> >
> > Is there perhaps another way to tell winbind to invalidate the cache (or
> > ignore it altogether)?
> >
> > I would prefer to not rm this file from a nightly cron (which is the
> > current solution in place)
> >
> > I have petitioned the client to update the samba version to samba 4, but it
> > does not look like they want to bite.
> >
> > Kind regards
> > Ian Coetzee
> >
> Just tell them that RHEL/Centos 6 goes EOL in November ;-)
>
> They really should upgrade, there have been numerous CVE's that have not
> been backported to 3.6.x because it is EOL.
>
> There have also been numerous bugfixes that haven't been backported.
>
> Rowland
>

Hi Rowland,

Thank you for the reply, I will see about getting them to upgrade, but so
far there has been no luck - they can't afford to be offline, so they don't
want updates -

Will an update to samba 4.x fix the caching issue?

Kind regards
Ian Coetzee

On 16/07/2020 08:06, Ian Coetzee via samba wrote:

> On Wed, 15 Jul 2020 at 15:29, Rowland penny via samba <samba at lists.samba.org>
> wrote:
>
>> On 15/07/2020 13:59, Ian Coetzee via samba wrote:
>>> Hi All,
>>>
>>> I have hit a snag with winbind's group caching on AD on one of our client's
>>> infrastructure.
>>>
>>> We have a client that is using AD groups to control ssh access to servers.
>>>
>>> The client is running a lot of different bugfix and build versions in the
>>> 3.6 branch all running on RHEL using rpm's.
>>>
>>> I have seen this issue cropping up in the ML from time to time and most of
>>> the solutions are to rm /var/lib/samba/netsamlogon_cache.tdb.
>>>
>>> Is there perhaps another way to tell winbind to invalidate the cache (or
>>> ignore it altogether)?
>>>
>>> I would prefer to not rm this file from a nightly cron (which is the
>>> current solution in place)
>>>
>>> I have petitioned the client to update the samba version to samba 4, but it
>>> does not look like they want to bite.
>>>
>>> Kind regards
>>> Ian Coetzee
>>>
>> Just tell them that RHEL/Centos 6 goes EOL in November ;-)
>>
>> They really should upgrade, there have been numerous CVE's that have not
>> been backported to 3.6.x because it is EOL.
>>
>> There have also been numerous bugfixes that haven't been backported.
>>
>> Rowland
>>
> Hi Rowland,
>
> Thank you for the reply, I will see about getting them to upgrade, but so
> far there has been no luck - they can't afford to be offline, so they don't
> want updates -
>
> Will an update to samba 4.x fix the caching issue?
>
> Kind regards
> Ian Coetzee

Very probably, but if it doesn't, at least you stand a chance of getting it
fixed, you have no chance at the moment.

As for the cost, well, what is it going to cost if the network collapses?

Rowland

On Thu, 16 Jul 2020 at 09:34, Rowland penny via samba <samba at lists.samba.org> wrote:

> On 16/07/2020 08:06, Ian Coetzee via samba wrote:
> > On Wed, 15 Jul 2020 at 15:29, Rowland penny via samba <samba at lists.samba.org>
> > wrote:
> >
> >> On 15/07/2020 13:59, Ian Coetzee via samba wrote:
> >>> Hi All,
> >>>
> >>> I have hit a snag with winbind's group caching on AD on one of our client's
> >>> infrastructure.
> >>>
> >>> We have a client that is using AD groups to control ssh access to servers.
> >>>
> >>> The client is running a lot of different bugfix and build versions in the
> >>> 3.6 branch all running on RHEL using rpm's.
> >>>
> >>> I have seen this issue cropping up in the ML from time to time and most of
> >>> the solutions are to rm /var/lib/samba/netsamlogon_cache.tdb.
> >>>
> >>> Is there perhaps another way to tell winbind to invalidate the cache (or
> >>> ignore it altogether)?
> >>>
> >>> I would prefer to not rm this file from a nightly cron (which is the
> >>> current solution in place)
> >>>
> >>> I have petitioned the client to update the samba version to samba 4, but it
> >>> does not look like they want to bite.
> >>>
> >>> Kind regards
> >>> Ian Coetzee
> >>>
> >> Just tell them that RHEL/Centos 6 goes EOL in November ;-)
> >>
> >> They really should upgrade, there have been numerous CVE's that have not
> >> been backported to 3.6.x because it is EOL.
> >>
> >> There have also been numerous bugfixes that haven't been backported.
> >>
> >> Rowland
> >>
> > Hi Rowland,
> >
> > Thank you for the reply, I will see about getting them to upgrade, but so
> > far there has been no luck - they can't afford to be offline, so they don't
> > want updates -
> >
> > Will an update to samba 4.x fix the caching issue?
> >
> > Kind regards
> > Ian Coetzee
>
> Very probably, but if it doesn't, at least you stand a chance of getting
> it fixed, you have no chance at the moment.
>

This is very true

> As for the cost, well, what is it going to cost if the network collapses?
>

We have tried this argument as well, clients eh....

> Rowland
>

Thank you. I will see what I can get done.

Kind regards
Ian Coetzee