Dear all.

I've a Windows AD running. An Ubuntu 24.04 with samba 4.19.5 has been merged to AD without problems.
But I'm experiencing an issue.

When I try to get an ID from a user (id username@DOMAIN.LOCAL) it gets the information from AD fine. But, after some time, when I change something on AD (like user group membership) it does not appear on the id command result. But if I use ldapsearch for the same user the result is fine.

I suspect the Kerberos ticket obtained to proceed with the net ads join. When this ticket becomes expired all user information is obtained from cache.

Am I correct with this suspicion?

How can I correct it?

In smb.conf I've:
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind offline logon = no
winbind refresh tickets = yes

Any help will be appreciated.

--
http://www.linkedin.com/in/jmgorro
On Tue, 22 Jul 2025 10:13:44 +0200
Josep M Gorro via samba <samba at lists.samba.org> wrote:

> Dear all.
>
> I've a Windows AD running. An Ubuntu 24.04 with samba 4.19.5 has been
> merged to AD without problems.
> But I'm experiencing an issue.
>
> When I try to get an ID from a user (id username@DOMAIN.LOCAL) it
> gets the information from AD fine. But, after some time, when I
> change something on AD (like user group membership) it does not
> appear on the id command result. But if I use ldapsearch for the same
> user the result is fine.
>
> I suspect the Kerberos ticket obtained to proceed with the
> net ads join. When this ticket becomes expired all user information
> is obtained from cache.
>
> Am I correct with this suspicion?

Sorry, but no, the Kerberos ticket used to join a computer isn't used after the join. Once a computer is joined using 'net ads join' it gets its own ticket and that is used.

Your problem is that the user's groups are read at logon and not updated until the user re-authenticates.

> How can I correct it?
>
> In smb.conf I've:
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind enum users = yes
> winbind enum groups = yes

You do not require the 'winbind enum' lines; Samba will work perfectly well without them, and if you have a large domain they can slow things down.

> winbind use default domain = yes
> winbind offline logon = no
> winbind refresh tickets = yes
>
> Any help will be appreciated.

I cannot comment on your authentication method, you haven't shown it; posting just part of the smb.conf is rarely helpful.

Rowland
On Tuesday, 22 July 2025 10:13:44 Central European Summer Time Josep M Gorro via samba wrote:
> Dear all.

Hi,

> When I try to get an ID from a user (id username@DOMAIN.LOCAL) it gets the
> information from AD fine. But, after some time, when I change something on
> AD (like user group membership) it does not appear on the id command result.
> But if I use ldapsearch for the same user the result is fine.

Correct information about a user from AD can only be collected when a user authenticates. You need to log in as that user! The reason is that only a DC has the permissions to collect that information. The machine account doesn't.

Once a user authenticates, we fill the samlogon cache:

    net cache samlogon list

Once the user is in that cache, the `id` command will provide correct information about a user. If you make changes to the user on AD, the user needs to log in again.

Best regards

Andreas

--
Andreas Schneider                 asn at samba.org
Samba Team                        www.samba.org
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
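A check of this kind, added here as an example and not part of Andreas's reply or of Samba's own tooling: it compares the groups the member reports through `id` with the memberOf values ldapsearch returns for the same user, so a stale samlogon cache shows up before the user has logged in again. The sample outputs are constructed; group names are assumed to be ASCII (plain `memberOf:` lines rather than base64 `memberOf::`) and each group's CN is assumed to equal the name winbind displays for it.

```shell
#!/bin/sh
# Added example, not from the thread: spot a stale samlogon cache by comparing
# the groups the member reports via `id` with the memberOf values AD returns.
# Assumes ASCII group names (plain "memberOf:" lines, not base64 "memberOf::")
# and that each group's CN equals the name winbind shows for it.

# Group names from `id user` output: the names inside the parentheses after
# "groups=", so names containing spaces (e.g. "domain users") survive intact.
# A leading DOMAIN\ prefix (absent with 'winbind use default domain') is dropped.
local_groups_from_id() {
    printf '%s\n' "$1" | sed -n 's/.*groups=//p' | sed 's/ context=.*//' \
        | tr ',' '\n' | sed -n 's/^[0-9]*(\(.*\))$/\1/p' \
        | sed 's/^[^\\]*\\//' | sort -u
}

# Group CNs from ldapsearch LDIF output. LDIF folds long lines onto a
# continuation line beginning with one space, so unfold first or long DNs
# (common for deeply nested OUs) are silently cut off.
ad_groups_from_ldif() {
    printf '%s\n' "$1" | sed -e :a -e '$!N;s/\n //;ta' -e 'P;D' \
        | sed -n 's/^memberOf: CN=\([^,]*\),.*/\1/p' | sort -u
}

# Print every AD group the member's cached view lacks, one per line.
# AD names are case-insensitive, so compare ignoring case; empty = in sync.
missing_groups() {
    local_list=$(local_groups_from_id "$1")
    ad_list=$(ad_groups_from_ldif "$2")
    printf '%s\n' "$ad_list" | while IFS= read -r g; do
        [ -n "$g" ] || continue
        printf '%s\n' "$local_list" | grep -qixF -- "$g" || printf '%s\n' "$g"
    done
}

# Constructed sample: the member still shows the groups cached at last logon ...
SAMPLE_ID='uid=10001(jgorro) gid=10000(domain users) groups=10000(domain users),10005(developers)'
# ... while AD already holds a new membership whose DN ldapsearch had to fold.
SAMPLE_LDIF='dn: CN=Josep Gorro,OU=Users,DC=domain,DC=local
memberOf: CN=Developers,OU=Groups,DC=domain,DC=local
memberOf: CN=VPN Users,OU=Remote Access Groups,OU=Infrastructure,OU=Groups,DC=do
 main,DC=local'

if [ -n "$(missing_groups "$SAMPLE_ID" "$SAMPLE_LDIF")" ]; then
    echo "stale cache: the user must log in again before id will show:"
    missing_groups "$SAMPLE_ID" "$SAMPLE_LDIF"
fi
```

On a real member, feed it `id "$user"` and the output of the same ldapsearch the original poster ran; the domain users primary group appears only in `id`, so it is compared from the AD side only.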