On 2/17/2021 7:50 PM, Andrew Bartlett via samba wrote:
> On Wed, 2021-02-17 at 19:37 -0500, Jason Keltz wrote:
>> On 2/17/2021 7:32 PM, Andrew Bartlett via samba wrote:
>>> On Wed, 2021-02-17 at 19:19 -0500, Jason Keltz via samba wrote:
>>>> I wanted to ask for more information on "net cache samlogon" and its
>>>> relation to "winbind cache time".
>>> None.  This information is sticky until the next login, forever.
>>>
>>> We would like to eventually refresh this information via a ticket
>>> obtained with S4U2Self, but we can't right now.
>>>
>>> At one point we were thinking to totally remove the ability to find
>>> out
>>> much about users who hadn't ever logged in, because the
>>> alternatives
>>> are unreliable, but this never proceeded.
>>>
>>> I hope this helps,
>>>
>> Hi Andrew,
>>
>> So if I need to refresh the users groups on each login, would I then
>> need to clear these samlogon entries on my own?   Can I tell winbind
>> not
>> to store them in the first place?
> Not currently.
>
>> Why does it appear that without doing this, the users groups get
>> updated
>> sometimes and not other times?
> This is the argument for removing the other ways of obtaining group
> info.  If there isn't a samlogon cache, then we make as best as we can,
> subject to the cache time.  But it isn't as reliable (mostly in cross-
> realm interdomain trust situations) and as you found it means it isn't
> consistent.
>
>> And then what is the "winbind cache time" ?
> For other things that we were not able to work out from the samlogon
> cache.
>
> I know this sucks,
>
If I regularly clear the samlogon cache, I believe I get the updated
groups, so it's like the equivalent of expiring it. I'd rather if I
didn't have to do it, but at least there is a way. It would be
preferable, of course, if the samlogon cache expired on its own using
the winbind cache time. With SSSD, I think setting
"entry_cache_timeout" would do the same thing as me manually clearing
the samlogon cache in winbind. Lots of fun.
Jason.