From: Chris Smith on 23 Apr 2010 17:00

On Fri, Apr 23, 2010 at 10:40 AM, Oliver Weinmann <oliver.weinmann(a)vega.de> wrote:
> I don't know if this is a problem of SLES11 or winbind itself. I
> recently installed the latest samba winbind 3.5.2 on a SLES9 box and a
> SLES11 box.
>
> If I remove a user from a group in Active Directory the change is
> visible immediately on the SLES9 box but not on the SLES11 box. Both are
> running exactly the same version of winbind:

Don't know if it's related but on 2 systems with 3.5.2 I could not get the new idmap backend (moved from tdb to rid) to work without deleting the gencache* tdb's in addition to the winbind ones.

Chris

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

From: Oliver Weinmann on 26 Apr 2010 04:00

Deleting the tdb files didn't solve the problem. It's really weird. For example I have an AD user that is member of three groups:

Domain users (primary)

And two other project groups.

I removed him from the two project groups, the change is immediately effective under SLES9 3.5.2 Winbind but on the SLES11 system, even after a reboot the change is still not effective. I wonder where the hell this is being cached? Because if the winbind daemon would query active directory it should no longer list this user as a member of the two project groups.

The behaviour is the same throughout all of our SLES11 machines.

From: Volker Lendecke on 26 Apr 2010 04:40

On Mon, Apr 26, 2010 at 09:51:47AM +0200, Oliver Weinmann wrote:
>
> Deleting the tdb files didn't solve the problem. It's really weird. For
> example I have an AD user that is member of three groups:
>
> Domain users (primary)
>
> And two other project groups.
>
> I removed him from the two project groups, the change is immediately
> effective under SLES9 3.5.2 Winbind but on the SLES11 system, even after
> a reboot the change is still not effective. I wonder where the hell this
> is being cached? Because if the winbind daemon would query active
> directory it should no longer list this user as a member of the two
> project groups.
>
> The behaviour is the same throughout all of our SLES11 machines.

netsamlogon_cache.tdb is probably the culprit. Once you log in using pam or for example wbinfo -a the problem should be gone.

Volker

From: Oliver Weinmann on 26 Apr 2010 04:50

> netsamlogon_cache.tdb is probably the culprit. Once you log in using pam
> or for example wbinfo -a the problem should be gone.
>
> Volker

Ok, I have now deleted the netsamlogon_cache.tdb, restarted the samba service and logged in as the user. The groups are now no longer shown. I tried the same steps again with a different user and the problem is the same again. This time it was sufficient to restart the samba service. I wonder why on the SLES9 system the change is immediately effective but on the SLES11 box I need to restart the winbind service? The configs are exactly the same on both machines.

Anyway thanks for pointing this out Volker.

From: Volker Lendecke on 26 Apr 2010 05:20

On Mon, Apr 26, 2010 at 10:48:19AM +0200, Oliver Weinmann wrote:
> Ok, I have now deleted the netsamlogon_cache.tdb, restarted the samba
> service and logged in as the user. The groups are now no longer shown. I
> tried the same steps again with a different user and the problem is the
> same again. This time it was sufficient to restart the samba service. I
> wonder why on the SLES9 system the change is immediately effective but
> on the SLES11 box I need to restart the winbind service? The configs are
> exactly the same on both machines.

If you can reproduce that after wbinfo -a (or a similar operation) you get wrong nss information (group memberships etc), then we have a severe bug that needs fixing. Please provide us detailed information how to reproduce this problem.

Ah, please also make sure that you reproduce this without nscd, that one could also cache things.

Thanks,

Volker
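
Added example, not part of the thread and not Samba project code: a POSIX shell check for the symptom discussed above, where NSS keeps reporting groups a user was already removed from in Active Directory. The domain, user and group names, the sample `id` output and the `--live` switch are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): flag group memberships that NSS still
# reports for a user after they were removed in Active Directory.
# Assumes `id` prints "... groups=GID(name),GID(name)" with nothing after it.

# groups_from_id: read `id` output on stdin, print one group name per line.
groups_from_id() {
    sed -n 's/.*groups=//p' | tr ',' '\n' |
        sed -n 's/^[0-9]*(\(.*\))$/\1/p' | sort -u
}

# stale_groups ID_OUTPUT REMOVED: print every group from REMOVED (newline
# separated, exact names) that ID_OUTPUT still lists. Prints nothing if clean.
stale_groups() {
    printf '%s\n' "$1" | groups_from_id | grep -Fx -e "$2" || true
}

# Constructed sample: `id` output captured after both project groups were
# removed in AD. EXAMPLE, jdoe, proj-a and proj-b are made-up names.
SAMPLE_ID='uid=10001(EXAMPLE\jdoe) gid=10000(EXAMPLE\domain users) groups=10000(EXAMPLE\domain users),10010(EXAMPLE\proj-a),10011(EXAMPLE\proj-b)'
SAMPLE_REMOVED='EXAMPLE\proj-a
EXAMPLE\proj-b'

# Live use (hypothetical switch): sh check.sh --live 'EXAMPLE\jdoe' 'EXAMPLE\proj-a'
# Run it after the user has authenticated (PAM login or wbinfo -a), as the
# thread suggests, so netsamlogon_cache.tdb has been refreshed.
if [ "${1:-}" = "--live" ]; then
    # nscd can cache group data on its own; rule it out first.
    if pgrep -x nscd >/dev/null 2>&1; then
        echo "nscd is running: stop it and repeat the test" >&2
        exit 2
    fi
    stale=$(stale_groups "$(id "$2")" "$3")
    if [ -n "$stale" ]; then
        printf 'still reported for %s:\n%s\n' "$2" "$stale"
        exit 1
    fi
    printf 'no removed group is reported for %s\n' "$2"
else
    # Offline demo on the constructed sample: prints the two stale groups.
    stale_groups "$SAMPLE_ID" "$SAMPLE_REMOVED"
fi
```

Group names are matched as whole lines, so a removed group whose name is a prefix of another group is not reported by mistake.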