From: Neil Price on 26 Apr 2010 05:50

On 2010/04/23 10:58 PM, Chris Smith wrote:
>
> Don't know if it's related but on 2 systems with 3.5.2 I could not get
> the new idmap backend (moved from tdb to rid) to work without deleting
> the gencache* tdb's in addition to the winbind ones.
>

I had the same problem on 3.4.7 moving from tdb to ldap. I also had to get rid of nscd, which for some reason Debian always installs with Samba.

I was confused because everything would come right after a reboot. I thought that Samba is emulating Windows a little TOO closely!

I wrote this little script while I was messing with different idmap options:

#!/bin/sh
#
# stop samba, reset cache and restart
/etc/init.d/winbind stop
/etc/init.d/samba stop
rm -f /var/run/samba/gencache.tdb
rm -f /var/cache/samba/*.tdb
/etc/init.d/samba start
/etc/init.d/winbind start
/etc/init.d/nslcd restart

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

From: Oliver Weinmann on 26 Apr 2010 07:00

Ok, there is no bug. I looked through the smb.conf and added the following parameters:

idmap cache time = 1
idmap negative cache time = 1
winbind cache time = 1

Now SLES11 acts as expected. Also I noticed that running a su - "username" is not the same as wbinfo -a. :)

Thanks and Regards,
Oliver

From: Chris Smith on 27 Apr 2010 10:20

On Mon, Apr 26, 2010 at 4:35 AM, Volker Lendecke <Volker.Lendecke(a)sernet.de> wrote:
> netsamlogon_cache.tdb is probably the culprit. Once you log
> in using pam or for example wbinfo -a the problem should be
> gone.

I deleted netsamlogon_cache.tdb as well.
Didn't do a wbinfo -a, but did a wbinfo -u and wbinfo -g.
The idmapping did not change even after restarting samba until I
manually deleted those tdb's.

Chris

From: Volker Lendecke on 27 Apr 2010 10:50

On Tue, Apr 27, 2010 at 10:10:29AM -0400, Chris Smith wrote:
> > netsamlogon_cache.tdb is probably the culprit. Once you log
> > in using pam or for example wbinfo -a the problem should be
> > gone.
>
> I deleted netsamlogon_cache.tdb as well.
> Didn't do a wbinfo -a, but did a wbinfo -u and wbinfo -g.
> The idmapping did not change even after restarting samba until I
> manually deleted those tdb's.

wbinfo -a or an equivalent is the authoritative source. Quote from http://msdn.microsoft.com/en-us/magazine/cc188757.aspx:

> The authorization framework in Windows has become so
> complicated that it's virtually impossible for a server
> developer to manually discover the groups for a user.

That's the reason why we rely on the DC with wbinfo -a and can just do flawed attempts to get it right without -a.

Volker
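
Added example, not part of any message in this thread: a variant of the cache reset in Neil Price's script that moves the cache files aside instead of deleting them, and also picks up the netsamlogon_cache.tdb that Volker Lendecke names. The function name and the inclusion of winbindd_cache.tdb (as one of "the winbind ones") are assumptions; run it only with winbind and samba stopped, as in the original script.

```shell
#!/bin/sh
# Added example (not from the thread): move Samba/winbind cache TDBs aside
# instead of deleting them, so a stale id mapping can be inspected later.
# Stop winbind and samba before calling this, as Neil's script does.
#
# Usage: stash_samba_caches BACKUP_DIR CACHE_DIR [CACHE_DIR...]
# Prints the number of files moved; returns 1 on usage or move errors.
stash_samba_caches() {
    [ "$#" -ge 2 ] || {
        echo "usage: stash_samba_caches BACKUP_DIR CACHE_DIR..." >&2
        return 1
    }
    backup=$1
    shift
    mkdir -p "$backup" || return 1
    moved=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # Flattened source directory, used as a prefix so that files with the
        # same name from different directories cannot overwrite each other.
        tag=$(printf '%s' "$dir" | tr '/' '_')
        # gencache*.tdb and netsamlogon_cache.tdb are named in the thread;
        # winbindd_cache.tdb is an assumption for "the winbind ones".
        # Any other file in the directory is left untouched.
        for f in "$dir"/gencache*.tdb \
                 "$dir"/netsamlogon_cache.tdb \
                 "$dir"/winbindd_cache.tdb; do
            [ -f "$f" ] || continue   # unmatched glob or file not present
            mv -- "$f" "$backup/${tag}_$(basename "$f")" || return 1
            moved=$((moved + 1))
        done
    done
    echo "$moved"
}

# When run as a script with arguments, act on them directly, e.g.:
#   sh stash.sh /root/samba-cache-backup /var/run/samba /var/cache/samba
if [ "$#" -ge 2 ]; then
    stash_samba_caches "$@"
fi
```

Unlike `rm -f /var/cache/samba/*.tdb`, this touches only the listed cache files, so any other TDB stored in the same directory stays where it is.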