Re: [Samba] Persistent Winbind gid cache
- Date: Mon, 8 Oct 2018 18:14:03 +0200
- From: Prunk Dump via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Persistent Winbind gid cache
On Mon, 8 Oct 2018 at 15:57, Rowland Penny via samba
<samba@xxxxxxxxxxxxxxx> wrote:
> On Mon, 8 Oct 2018 15:26:28 +0200
> Prunk Dump via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > Hello Samba team!
> > I'm a network administrator in a French high school where I store my
> > user/group IDs using rfc2307. My client stations use Winbind to query
> > rfc2307 attributes.
> > Each new year, as all my students move to another class, almost all
> > my users' gids are updated in AD.
> > This gid is very important in my network because pam_mount mounts only
> > the share corresponding to the user's gid.
> > I don't know why, but sometimes the old gid (from the previous year)
> > is attributed by pam_mount to the user, so the wrong shares are
> > mounted. So I suspect some persistent Winbind cache.
> > From the documentation:
> > -> idmap cache time defaults to one week
> > -> winbind cache time defaults to 5 minutes
> > But after nearly two months I still experience some bad group
> > attribution.
> > All my servers and clients are Debian Stretch with Samba-4.5.12.
> > Is there some case (ex: slow server response) where Winbind uses a
> > cached uid/gid even if the cache time is over?
> As always, posting the smb.conf would be a big help.
> You seem to be talking about a user's gidNumber, but, until Samba 4.6.0,
> every user's effective primary group was Domain Users.
> The only cache used has a time default and the DC is contacted after
> this time, unless 'winbind offline logon = yes' is set and a DC cannot
> be contacted.
> So, more info please.
Thanks for the help!
I use Samba 4.5 (Debian stable) and to get the primary group I want,
I change the user's primaryGroupID in AD.
I know this is usually a bad idea (as said in the Samba
documentation). But in my case there are some arguments in favour of
this method:
-> My users are still members of the "Domain Users" group but not as
-> My network is 90% Linux and 10% Windows (around 450 Linux and 40
-> I have never seen any problems with the "Domain Users" group on
the Windows clients with this setup.
-> As my Linux clients mount shares with NFSv4, my users absolutely
need to have the right gid to create some shared files.
-> It's difficult for me to move to Samba 4.6 or newer because I would lose
Debian security updates. Security and stability are very important with
Here is my smb.conf (on clients):
workgroup = FICHLAN
security = ADS
realm = LAN.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = Yes
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = no
winbind enum groups = no
winbind expand groups = 1
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config FICHLAN:backend = ad
idmap config FICHLAN:schema_mode = rfc2307
idmap config FICHLAN:range = 3000000-9999999
winbind nss info = rfc2307
The strange thing is that my user seems to have the right gid once the
login is done. I can't find files in my user home folder with a bad
gid. The problem seems to appear only at the pam_mount stage.
Thanks James for the tips! I will try to understand what contain the
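As an added example (not from the thread or the Samba project), a small Python linter that parses the idmap part of an smb.conf like the one above, flags overlapping idmap ranges and reports the idmap/winbind cache lifetimes that apply when they are not set explicitly (the one-week and five-minute defaults quoted in the thread). The sample config is constructed from the posted smb.conf.

```python
# Constructed sample: the idmap part of the smb.conf posted above.
SAMPLE_SMB_CONF = """
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config FICHLAN:backend = ad
idmap config FICHLAN:range = 3000000-9999999
"""

# Documented smb.conf defaults (seconds): one week and five minutes.
CACHE_DEFAULTS = {"idmap cache time": 604800, "winbind cache time": 300}


def parse_smb_conf(text):
    """Return {key: value} for 'key = value' lines; keys are lower-cased."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip().lower()] = value.strip()
    return params


def idmap_ranges(params):
    """Return {DOMAIN: (low, high)} from every 'idmap config DOM:range'."""
    ranges = {}
    for key, value in params.items():
        if key.startswith("idmap config ") and key.endswith(":range"):
            dom = key[len("idmap config "):-len(":range")].strip().upper()
            low, high = (int(x) for x in value.split("-"))
            ranges[dom] = (low, high)
    return ranges


def lint(text):
    """List overlapping idmap ranges and the effective cache lifetimes."""
    params = parse_smb_conf(text)
    ranges = idmap_ranges(params)
    findings = []
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (al, ah), (bl, bh) = ranges[a], ranges[b]
            if al <= bh and bl <= ah:  # closed intervals intersect
                findings.append(f"idmap ranges for {a} and {b} overlap")
    for opt, default in CACHE_DEFAULTS.items():
        explicit = opt in params
        secs = int(params[opt]) if explicit else default
        findings.append(f"{opt} = {secs}s" + ("" if explicit else " (default)"))
    return findings
```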