On 2/18/21 at 3:44 PM, Jason Keltz wrote:
> On 2/18/2021 1:06 AM, Ralph Boehme wrote:
>
>> On 2/18/21 at 2:03 AM, Jason Keltz via samba wrote:
>>> If I regularly clear the samlogon cache, I believe I get the updated
>>> groups, so it's like the equivalent of expiring it. I'd rather if I
>>> didn't have to do it, but at least there is a way. It would be
>>> preferable, of course, if the samlogon cache expired on its own using
>>> the winbind cache time. With SSSD, I think setting
>>> "entry_cache_timeout" would do the same thing as me manually clearing
>>> the samlogon cache in winbind. Lots of fun.
>> in case this wasn't clear: a login *always* updates the cache.
>
> Hi Ralph,
>
> Thanks for your message and clarification. Apparently, I misunderstood.
> That's not the way it's working for me all the time.

fwiw, the cache is updated with an *SMB* login! Not on ssh login or similar.

Another variable in the mix could be nscd, which might be caching group membership info. So while debugging, make sure to stop nscd.

If groups are not updated upon SMB login, something unexpected is going on.

-slow

--
Ralph Boehme, Samba Team https://samba.org/
Samba Developer, SerNet GmbH https://sernet.de/en/samba/
GPG-Fingerprint FAE2C6088A24252051C559E4AA1E9B7126399E46

On 2/18/2021 10:13 AM, Ralph Boehme wrote:
> On 2/18/21 at 3:44 PM, Jason Keltz wrote:
>> On 2/18/2021 1:06 AM, Ralph Boehme wrote:
>>
>>> On 2/18/21 at 2:03 AM, Jason Keltz via samba wrote:
>>>> If I regularly clear the samlogon cache, I believe I get the
>>>> updated groups, so it's like the equivalent of expiring it. I'd
>>>> rather if I didn't have to do it, but at least there is a way. It
>>>> would be preferable, of course, if the samlogon cache expired on
>>>> its own using the winbind cache time. With SSSD, I think setting
>>>> "entry_cache_timeout" would do the same thing as me manually
>>>> clearing the samlogon cache in winbind. Lots of fun.
>>> in case this wasn't clear: a login *always* updates the cache.
>>
>> Hi Ralph,
>>
>> Thanks for your message and clarification. Apparently, I
>> misunderstood. That's not the way it's working for me all the time.
>
> fwiw, the cache is updated with an *SMB* login! Not on ssh login or
> similar.
>
> Another variable in the mix could be nscd who might be caching group
> membership info. So while debugging, make sure to stop nscd.
>
> If groups are not updated upon SMB login, something unexpected is
> going on.

Ok re: smb. That won't help in this situation. These are all unix workstations.

nscd isn't installed... (I meant to say that in my original message).

I'm not really sure how to debug this issue. My solution will be to clear the samlogon cache regularly. I just tried that on my "broken" system, and now "groups", and "groups jas" are all normal with the most recent changes I made. I update a group in DC, log out, and back in about a minute and a half later, and the group information is completely perfect with the newly added group. I repeat with another group, and again, it's perfect.

For unix logins and users using groups other than just "domain users", samlogon cache is a bit of a headache, but I have a workaround I guess.

Jason.

On 2/18/21 at 4:13 PM, Ralph Boehme via samba wrote:
> On 2/18/21 at 3:44 PM, Jason Keltz wrote:
>> On 2/18/2021 1:06 AM, Ralph Boehme wrote:
>>
>>> On 2/18/21 at 2:03 AM, Jason Keltz via samba wrote:
>>>> If I regularly clear the samlogon cache, I believe I get the updated
>>>> groups, so it's like the equivalent of expiring it. I'd rather if I
>>>> didn't have to do it, but at least there is a way. It would be
>>>> preferable, of course, if the samlogon cache expired on its own
>>>> using the winbind cache time. With SSSD, I think setting
>>>> "entry_cache_timeout" would do the same thing as me manually
>>>> clearing the samlogon cache in winbind. Lots of fun.
>>> in case this wasn't clear: a login *always* updates the cache.
>>
>> Hi Ralph,
>>
>> Thanks for your message and clarification. Apparently, I
>> misunderstood. That's not the way it's working for me all the time.
>
> fwiw, the cache is updated with an *SMB* login! Not on ssh login or
> similar.

sorry, in fact the samlogon cache is updated upon ssh/local login. Trying to do too many things at once... :)

-slow

--
Ralph Boehme, Samba Team https://samba.org/
Samba Developer, SerNet GmbH https://sernet.de/en/samba/
GPG-Fingerprint FAE2C6088A24252051C559E4AA1E9B7126399E46