I needed to clean up the membership of a user, and I've used ADUC. To verify it I've done this on the DC with the FSMO roles:

  root@vdcsv1:~# id adonella
  uid=12105(LNFFVG\adonella) gid=10513(LNFFVG\domain users) gruppi=10513(LNFFVG\domain users),11037(LNFFVG\sv_piscina),11034(LNFFVG\sv_maestre),11085(LNFFVG\sv_materna),3000009(BUILTIN\users)

The old membership. But on another DC or on a DM:

  root@vdcsv2:~# id adonella
  uid=12105(LNFFVG\adonella) gid=10513(LNFFVG\domain users) gruppi=10513(LNFFVG\domain users),11029(LNFFVG\sv_riabili_npm),3000009(BUILTIN\users)

  root@vdmpp1:~# id adonella
  uid=12105(adonella) gid=11029(sv_riabili_npm) gruppi=11029(sv_riabili_npm),10513(domain users),11032(sv_riabili),5001(BUILTIN\users)

the data is correct. In LDAP, the data seems correct too, even on the DC with the FSMO roles:

  root@vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb "(SamAccountName=adonella)" | egrep "(gidNumber|memberOf)"
  gidNumber: 11029
  memberOf: CN=sv_riabili_npm,OU=Users,OU=SanVito,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC

What is happening?! Thanks.

PS: I've just tried to do a 'net cache flush' on the DC.

--
dott. Marco Gaiarin                                    GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

    Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
    http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
    (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
On Wed, 2021-02-10 at 16:57 +0100, Marco Gaiarin via samba wrote:
> I needed to cleanup membership in a user, and i've used ADUC. To verify
> it i've done on the DC with FSMO roles:
>
> root@vdcsv1:~# id adonella
> uid=12105(LNFFVG\adonella) gid=10513(LNFFVG\domain users) gruppi=10513(LNFFVG\domain users),11037(LNFFVG\sv_piscina),11034(LNFFVG\sv_maestre),11085(LNFFVG\sv_materna),3000009(BUILTIN\users)
>
> The old membership. But on another dc or in a dm:
>
> root@vdcsv2:~# id adonella
> uid=12105(LNFFVG\adonella) gid=10513(LNFFVG\domain users) gruppi=10513(LNFFVG\domain users),11029(LNFFVG\sv_riabili_npm),3000009(BUILTIN\users)
> root@vdmpp1:~# id adonella
> uid=12105(adonella) gid=11029(sv_riabili_npm) gruppi=11029(sv_riabili_npm),10513(domain users),11032(sv_riabili),5001(BUILTIN\users)
>
> the data is correct. In LDAP, the data seems correct too, even for the
> DC with FSMO roles:
>
> root@vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb "(SamAccountName=adonella)" | egrep "(gidNumber|memberOf)"
> gidNumber: 11029
> memberOf: CN=sv_riabili_npm,OU=Users,OU=SanVito,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC
>
> What is happening?! Thanks.
>
>
> PS: i've just tried to do a 'net cache flush' on the DC.

It might be the so-called samlogon cache of the PAC/info3 from a
Kerberos or NTLM authentication via winbind. I wouldn't normally
expect those on a DC, but if you had used wbinfo -a you might have
filled that in.

On a domain member (and the winbindd on the DC is the same code) we use
the information from a successful authentication for the group
membership as it is the most reliable.

If another wbinfo -a fixes it, then we know that was the issue.

Andrew Bartlett

--
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
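Added example, not code from the thread or from Samba: a small POSIX sh check that diffs the groups winbind reports through `id` (the cached, authentication-derived view Andrew describes) against the memberOf values ldbsearch returns from sam.ldb (the directory view). The sample input is constructed from the outputs posted above, with the truncated DN suffix replaced by a placeholder; a non-empty "stale" list is the symptom attributed to the samlogon cache.

```shell
#!/bin/sh
# Constructed sample input, copied from the thread; DN suffix is a placeholder.
ID_STALE='uid=12105(LNFFVG\adonella) gid=10513(LNFFVG\domain users) gruppi=10513(LNFFVG\domain users),11037(LNFFVG\sv_piscina),11034(LNFFVG\sv_maestre),11085(LNFFVG\sv_materna),3000009(BUILTIN\users)'
ID_FRESH='uid=12105(LNFFVG\adonella) gid=10513(LNFFVG\domain users) gruppi=10513(LNFFVG\domain users),11029(LNFFVG\sv_riabili_npm),3000009(BUILTIN\users)'
LDB='gidNumber: 11029
memberOf: CN=sv_riabili_npm,OU=Users,OU=SanVito,OU=FVG,DC=example'

TMP=$(mktemp); trap 'rm -f "$TMP" "$TMP.a" "$TMP.b"' EXIT

# Group names winbind reports, minus BUILTIN entries, the DOMAIN\ prefix and
# the primary group (LDAP keeps that in primaryGroupID, not in memberOf).
# Works for both "groups=" and the Italian "gruppi=" field name.
winbind_groups() {
    prim=$(printf '%s\n' "$1" | sed 's/.*gid=[0-9]*(\([^)]*\)).*/\1/; s/^[^\\]*\\//')
    printf '%s\n' "$1" | awk -F'=' '{ print $NF }' | tr ',' '\n' |
        sed 's/^[0-9]*(//; s/)$//; /^BUILTIN\\/d; s/^[^\\]*\\//' |
        awk -v p="$prim" '$0 != p' | sort
}

# CN of every memberOf value in the ldbsearch output.
ldap_groups() {
    printf '%s\n' "$1" | sed -n 's/^memberOf: CN=\([^,]*\),.*/\1/p' | sort
}

# Lines of the first newline-separated list that are absent from the second.
list_diff() {
    printf '%s\n' "$1" > "$TMP.a"; printf '%s\n' "$2" > "$TMP.b"
    awk 'NR==FNR { seen[$0]=1; next } $0 != "" && !($0 in seen)' "$TMP.b" "$TMP.a"
}

# Groups winbind still reports but LDAP no longer lists: the stale-cache symptom.
stale_groups()   { list_diff "$(winbind_groups "$1")" "$(ldap_groups "$2")"; }
# Groups LDAP lists that winbind does not report yet.
missing_groups() { list_diff "$(ldap_groups "$2")" "$(winbind_groups "$1")"; }

# One-line verdict for an 'id' output ($1) and an ldbsearch output ($2).
report() {
    s=$(stale_groups "$1" "$2" | tr '\n' ' ' | sed 's/ $//')
    m=$(missing_groups "$1" "$2" | tr '\n' ' ' | sed 's/ $//')
    if [ -z "$s" ] && [ -z "$m" ]; then echo "consistent"
    else echo "stale=[$s] missing=[$m]"; fi
}

echo "vdcsv1: $(report "$ID_STALE" "$LDB")"
echo "vdcsv2: $(report "$ID_FRESH" "$LDB")"
```

On a live host, feed it `id "$user"` and `ldbsearch -H /var/lib/samba/private/sam.ldb "(sAMAccountName=$user)" memberOf` instead of the embedded strings.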
Hi Andrew,

wbinfo -a reports back.. Invalid option :-(
What are we missing here?

Version 4.13.2-Debian

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces@lists.samba.org] On behalf of Andrew Bartlett via samba
> Sent: Wednesday 10 February 2021 18:38
> To: Marco Gaiarin; samba@lists.samba.org
> Subject: Re: [Samba] 'dirty cache' on a DC?
>
> On Wed, 2021-02-10 at 16:57 +0100, Marco Gaiarin via samba wrote:
> > I needed to cleanup membership in a user, and i've used ADUC. To verify
> > it i've done on the DC with FSMO roles:
> >
> > root@vdcsv1:~# id adonella
> > uid=12105(LNFFVG\adonella) gid=10513(LNFFVG\domain users) gruppi=10513(LNFFVG\domain users),11037(LNFFVG\sv_piscina),11034(LNFFVG\sv_maestre),11085(LNFFVG\sv_materna),3000009(BUILTIN\users)
> >
> > The old membership. But on another dc or in a dm:
> >
> > root@vdcsv2:~# id adonella
> > uid=12105(LNFFVG\adonella) gid=10513(LNFFVG\domain users) gruppi=10513(LNFFVG\domain users),11029(LNFFVG\sv_riabili_npm),3000009(BUILTIN\users)
> > root@vdmpp1:~# id adonella
> > uid=12105(adonella) gid=11029(sv_riabili_npm) gruppi=11029(sv_riabili_npm),10513(domain users),11032(sv_riabili),5001(BUILTIN\users)
> >
> > the data is correct. In LDAP, the data seems correct too, even for the
> > DC with FSMO roles:
> >
> > root@vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb "(SamAccountName=adonella)" | egrep "(gidNumber|memberOf)"
> > gidNumber: 11029
> > memberOf: CN=sv_riabili_npm,OU=Users,OU=SanVito,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC
> >
> > What is happening?! Thanks.
> >
> >
> > PS: i've just tried to do a 'net cache flush' on the DC.
>
> It might be the so-called samlogon cache of the PAC/info3 from a
> Kerberos or NTLM authentication via winbind. I wouldn't normally
> expect those on a DC, but if you had used wbinfo -a you might have
> filled that in.
>
> On a domain member (and the winbindd on the DC is the same code) we use
> the information from a successful authentication for the group
> membership as it is the most reliable.
>
> If another wbinfo -a fixes it, then we know that was the issue.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett (he/him)       https://samba.org/~abartlet/
> Samba Team Member (since 2001) https://samba.org
> Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba