samba - Jun 2023 - Group memberships on Linux AD Member (syncing randomly)

Hi,

I'm running Samba Active Directory 4.16.9 with packages from Sernet.
Domain members are Linux servers (Ubuntu 20.04, RHEL 8) with Sernet 
Samba 4.16.x.

I'm getting crazy with group memberships syncing from AD to Linux 
members. It is completely random as when changes in AD group are visible 
in Linux OS (or more precise: winbind), it might take minutes, hours or 
days as when these changes will take place. I have tuned

winbind cache time
idmap cache time
idmap negative cache time

I tried to clear winbind cache as described here: 
https://serverfault.com/questions/476086/samba-winbind-user-resolution

None of this helps, the only thing that works is "net cache samlogon 
delete $USER", but I can't do this for every user on every server after
I change his group memberships. I'm using idmap_rid and problem is 
visible directly with wbinfo (so no Linux name service cache involved).

Can someone explain what is happening or where I need to tune?

thank you
Matthias

Hi Matthias,

On 6/30/23 15:40, Matthias Leopold via samba wrote:
> Can someone explain what is happening or where I need to tune?
this is by design. :)

The only reliable way (lacking S4U2SELF support) to get group membership 
for an AD user, is using the group list the DC passes along to us as 
part of the authentication process.

We're trying extra hard to store this data *persistently* in the 
SAM-logon cache and not in an easily user flushable cache.

-slow

-- 
Ralph Boehme, Samba Team                 https://samba.org/
SerNet Samba Team Lead      https://sernet.de/en/team-samba
SAMBA+ Samba packages                   https://samba.plus/
SAMBA+ AIX Webinar        https://samba.plus/samba-webinars

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.samba.org/pipermail/samba/attachments/20230630/b2d5abdb/OpenPGP_signature.sig>

Hello,

look at your replication sync period: how often do your DCs replicate 
from another? If its the default of 15mins then it can tak<e up to 
15mins to replicate to the other DCs in your net! Or you could just make 
the change on the DC thats used by the domain member linux client.

Another thing: The infos (like group membership) on domain members will 
ONLY get updated if the users logs in successfully. Thats why we wait 
for a couple of mins (replication time + 5min) and then the users should 
try to login every 5 mins until it works. Not good but we found that it 
works. This means you have to fully disconnect before attempting to auth 
again (fully disconnect all shares and unmount them!).

Idk if the last part could be changed, that would be a huge time saver!

Hope this helps, Matthias.

Am 30.06.23 um 15:40 schrieb Matthias Leopold via samba:
> Hi,
>
> I'm running Samba Active Directory 4.16.9 with packages from Sernet.
> Domain members are Linux servers (Ubuntu 20.04, RHEL 8) with Sernet 
> Samba 4.16.x.
>
> I'm getting crazy with group memberships syncing from AD to Linux 
> members. It is completely random as when changes in AD group are 
> visible in Linux OS (or more precise: winbind), it might take minutes, 
> hours or days as when these changes will take place. I have tuned
>
> winbind cache time
> idmap cache time
> idmap negative cache time
>
> I tried to clear winbind cache as described here: 
> https://serverfault.com/questions/476086/samba-winbind-user-resolution
>
> None of this helps, the only thing that works is "net cache samlogon 
> delete $USER", but I can't do this for every user on every server 
> after I change his group memberships. I'm using idmap_rid and problem 
> is visible directly with wbinfo (so no Linux name service cache 
> involved).
>
> Can someone explain what is happening or where I need to tune?
>
> thank you
> Matthias
>
-- 
Senior Webentwickler
Datenschutzbeauftragter

Ellerhold Aktiengesellschaft
Friedrich-List-Str. 4
01445 Radebeul

Telefon: +49 (0) 351 83933-61
Web: www.ellerhold.de
Facebook: www.facebook.com/ellerhold.gruppe
Instagram: www.instagram.com/ellerhold.gruppe
Twitter: https://twitter.com/EllerholdGruppe

Amtsgericht Dresden / HRB 23769
Vorstand: Stephan Ellerhold, Maximilian Ellerhold
Vorsitzender des Aufsichtsrates: Frank Ellerhold



---Diese E-Mail und Ihre Anlagen enthalten vertrauliche Mitteilungen. Sollten
Sie nicht der beabsichtigte Adressat sein, so bitten wir Sie um Mitteilung und
um sofortiges l?schen dieser E-Mail und der Anlagen.

Unsere Hinweise zum Datenschutz finden Sie hier:
http://www.ellerhold.de/datenschutz/

This e-mail and its attachments are privileged and confidential. If you are not
the intended recipient, please notify us and immediately delete this e-mail and
its attachments.

You can find our privacy policy here: http://www.ellerhold.de/datenschutz/