Matthias Leopold
2023-Jun-30 13:40 UTC
[Samba] Group memberships on Linux AD Member (syncing randomly)
Hi,

I'm running Samba Active Directory 4.16.9 with packages from Sernet. Domain members are Linux servers (Ubuntu 20.04, RHEL 8) with Sernet Samba 4.16.x.

I'm going crazy with group memberships syncing from AD to Linux members. It is completely random when changes to an AD group become visible in the Linux OS (or, more precisely, in winbind): it might take minutes, hours or days until these changes take effect. I have tuned

winbind cache time
idmap cache time
idmap negative cache time

I tried to clear the winbind cache as described here: https://serverfault.com/questions/476086/samba-winbind-user-resolution

None of this helps; the only thing that works is "net cache samlogon delete $USER", but I can't do this for every user on every server after I change their group memberships. I'm using idmap_rid and the problem is visible directly with wbinfo (so no Linux name service cache is involved).

Can someone explain what is happening or where I need to tune?

Thank you
Matthias
Ralph Boehme
2023-Jun-30 14:23 UTC
[Samba] Group memberships on Linux AD Member (syncing randomly)
Hi Matthias,

On 6/30/23 15:40, Matthias Leopold via samba wrote:
> Can someone explain what is happening or where I need to tune?

This is by design. :)

The only reliable way (lacking S4U2SELF support) to get group membership for an AD user is to use the group list the DC passes along to us as part of the authentication process. We're trying extra hard to store this data *persistently* in the SAM-logon cache and not in an easily user-flushable cache.

-slow

--
Ralph Boehme, Samba Team https://samba.org/
SerNet Samba Team Lead https://sernet.de/en/team-samba
SAMBA+ Samba packages https://samba.plus/
SAMBA+ AIX Webinar https://samba.plus/samba-webinars
Matthias Kühne | Ellerhold Aktiengesellschaft
2023-Jul-02 09:55 UTC
[Samba] Group memberships on Linux AD Member (syncing randomly)
Hello,

Look at your replication sync period: how often do your DCs replicate from one another? If it's the default of 15 mins, then it can take up to 15 mins to replicate to the other DCs in your net! Or you could just make the change on the DC that's used by the domain member Linux client.

Another thing: the info (like group membership) on domain members will ONLY get updated if the user logs in successfully. That's why we wait for a couple of mins (replication time + 5 min) and then the user should try to log in every 5 mins until it works. Not good, but we found that it works. This means you have to fully disconnect before attempting to auth again (fully disconnect all shares and unmount them!). I don't know if the last part could be changed; that would be a huge time saver!

Hope this helps,
Matthias.

On 30.06.23 at 15:40, Matthias Leopold via samba wrote:
> Can someone explain what is happening or where I need to tune?