
Re: [Samba] Persistent Winbind gid cache

On Mon, 8 Oct 2018 at 15:57, Rowland Penny via samba
<samba@xxxxxxxxxxxxxxx> wrote:
> On Mon, 8 Oct 2018 15:26:28 +0200
> Prunk Dump via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > Hello Samba team !
> >
> > I'm a network administrator in a French high school where I store my
> > user/group IDs using rfc2307. My client stations use Winbind to query
> > rfc2307 attributes.
> >
> > Each new year, as all my students move to another class, almost all
> > my users' gids are updated in AD.
> >
> > This gid is very important in my network because pam_mount mounts only
> > the share corresponding to the user's gid.
> >
> > I don't know why, but sometimes the old gid (from the previous year)
> > is attributed by pam_mount to the user, so the wrong shares are
> > mounted. So I suspect some persistent Winbind cache.
> >
> > From the documentation:
> > -> idmap cache time defaults to one week
> > -> winbind cache time defaults to 5 minutes
> >
> > But after nearly two months I still experience some bad group
> > attribution.
> >
> > All my servers and clients are Debian Stretch with Samba-4.5.12.
> > Is there some case (e.g. slow server response) where Winbind uses a
> > cached uid/gid even if the cache time is over?
> >
> As always, posting the smb.conf would be a big help.
> You seem to be talking about a user's gidNumber, but, until Samba 4.6.0,
> every user's effective primary group was Domain Users.
> The only cache used has a time default and the DC is contacted after
> this time, unless 'winbind offline logon = yes' is set and a DC cannot
> be contacted.
> So, more info please.
> Rowland

Hi!

Thanks for the help!

I use Samba 4.5 (Debian stable) and to get the primary group I want,
I change the user's primaryGroupID in AD.

I know this is usually a bad idea (as said in the Samba
documentation). But in my case there are some arguments in favor of
this method:
-> My users are still members of the "Domain Users" group, but not as
their primary group.
-> My network is 90% Linux and 10% Windows (around 450 Linux and 40
Windows clients).
-> I have never seen any problems with the "Domain Users" group on
the Windows clients with this setup.
-> As my Linux clients mount shares with NFSv4, my users absolutely
need to have the right gid to create shared files.
-> It's difficult for me to move to Samba 4.6 or newer because I would
lose Debian security updates. Security and stability are very important
with 450 stations.

Here is my smb.conf (on clients):

   workgroup = FICHLAN
   security = ADS

   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
   winbind refresh tickets = Yes

   winbind trusted domains only = no
   winbind use default domain = yes
   winbind enum users  = no
   winbind enum groups = no
   winbind expand groups = 1

   idmap config *:backend = tdb
   idmap config *:range = 2000-9999
   idmap config FICHLAN:backend = ad
   idmap config FICHLAN:schema_mode = rfc2307
   idmap config FICHLAN:range = 3000000-9999999
   winbind nss info = rfc2307

The strange thing is that my user seems to have the right gid once the
login is done. I can't find files in my user's home folder with a bad
gid. The problem seems to appear only at the pam_mount stage.

Thanks James for the tips! I will try to understand what the
netsamlogon_cache.tdb file contains.
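An added diagnostic for the symptom described in this thread (a client handing out a stale gid after the AD value changed); it is example code, not part of the thread or of Samba. It compares the gid that NSS/winbind returns for a user (getent passwd, possibly served from cache) with the gidNumber read directly from AD via 'net ads search', and assumes the client is joined to the domain with the idmap ad / rfc2307 setup shown above. The helper functions are pure so they can be exercised with constructed lines.

```shell
#!/bin/sh
# check_gid.sh (added example): detect a stale winbind/NSS primary gid by
# comparing it against the gidNumber currently stored in AD.

# Extract the gid (4th colon-separated field) from a passwd-style line as
# printed by 'getent passwd USER'.
gid_from_passwd_line() {
    printf '%s\n' "$1" | cut -d: -f4
}

# Extract the first "gidNumber: N" value from 'net ads search' output.
gid_from_ads_output() {
    printf '%s\n' "$1" | sed -n 's/^gidNumber: *//p' | head -n 1
}

# Succeed only when both values are present and identical.
gid_matches() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# Compare NSS (cached path) and AD (live path) for one user; non-zero on
# mismatch so the script can be used from cron or a login hook.
check_user() {
    user="$1"
    nss_gid=$(gid_from_passwd_line "$(getent passwd "$user")")
    ad_gid=$(gid_from_ads_output \
        "$(net ads search "(sAMAccountName=$user)" gidNumber)")
    if gid_matches "$nss_gid" "$ad_gid"; then
        echo "$user: ok (gid $nss_gid)"
    else
        echo "$user: MISMATCH nss=$nss_gid ad=$ad_gid (possible stale winbind cache)"
        return 1
    fi
}

# Usage: ./check_gid.sh user1 user2 ...   (no arguments: define functions only)
if [ "$#" -gt 0 ]; then
    rc=0
    for u in "$@"; do check_user "$u" || rc=1; done
    exit "$rc"
fi
```

When a mismatch is reported, 'net cache flush' on the client followed by a re-run shows whether the stale value came from winbind's cache or from the directory itself.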
