Discussion:
[Samba] New group membership not taken into account on member servers
Sébastien Le Ray
2014-10-03 15:29:23 UTC
Hi list,

I run into an issue on my members servers. They don't "see" new
memberships of users.
wbinfo -r someuser does not returns the new group GID (either newly
created group or already existing one).
wbinfo --group-info somegroup correctly returns "someuser" as its member

Tried net cache flush, restarted winbind.
It occurs on two (one 4.1.9, one 4.1.11) of the three samba member
servers I have. The third one is a 4.1.11 too.

Any hints?

Regards
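A way to detect the mismatch described above on a member server, as an added example that is not part of this thread: it cross-checks the GIDs that `wbinfo -r USER` prints from the user's cached token against the member lists that `wbinfo --group-info GROUP` returns, and flags groups that list the user but whose GID the token lacks. The sample outputs below are constructed; the parser assumes `wbinfo -r` prints one numeric GID per line and `--group-info` prints a group(5)-style `name:x:gid:member,member` line whose members may carry a `DOMAIN\` prefix. Function names are mine, not Samba's.

```python
"""Cross-check winbind's cached per-user group list against the group
membership lists it returns, to spot stale memberships.
Added example, not from the thread; assumes the wbinfo output formats below."""
import subprocess
from typing import Iterable, List, Set, Tuple


def parse_wbinfo_r(output: str) -> Set[int]:
    """`wbinfo -r USER` prints one numeric GID per line (from the user's token)."""
    return {int(tok) for tok in output.split() if tok.isdigit()}


def parse_group_info(line: str) -> Tuple[str, int, Set[str]]:
    """`wbinfo --group-info GROUP` prints a group(5)-style line:
    DOMAIN\\group:x:GID:DOMAIN\\member1,DOMAIN\\member2
    Returns (group name, gid, {member names without domain prefix, lowercased})."""
    name, _, gid, members = line.strip().split(":", 3)
    bare = {m.rsplit("\\", 1)[-1].lower() for m in members.split(",") if m}
    return name, int(gid), bare


def find_stale_memberships(user: str, wbinfo_r_output: str,
                           group_info_lines: Iterable[str]) -> List[str]:
    """Groups that list `user` as a member but whose GID is absent from
    `wbinfo -r USER`, i.e. the symptom reported in the thread."""
    token_gids = parse_wbinfo_r(wbinfo_r_output)
    stale = []
    for line in group_info_lines:
        name, gid, members = parse_group_info(line)
        if user.lower() in members and gid not in token_gids:
            stale.append(name)
    return stale


def check_live(user: str, groups: Iterable[str]) -> List[str]:
    """Run the real wbinfo commands on a member server (needs winbind running)."""
    def run(*args: str) -> str:
        return subprocess.run(["wbinfo", *args], capture_output=True,
                              text=True, check=True).stdout
    r_out = run("-r", user)
    return find_stale_memberships(user, r_out,
                                  [run("--group-info", g) for g in groups])


# Constructed sample outputs: the token knows two GIDs, but "newgroup"
# (GID 10042) already lists the user and is missing from the token.
SAMPLE_WBINFO_R = "10000\n10513\n"
SAMPLE_GROUP_INFO = [
    "EXAMPLE\\domain users:x:10513:EXAMPLE\\someuser,EXAMPLE\\otheruser",
    "EXAMPLE\\newgroup:x:10042:EXAMPLE\\someuser",
    "EXAMPLE\\admins:x:10001:EXAMPLE\\otheruser",
]

if __name__ == "__main__":
    for g in find_stale_memberships("someuser", SAMPLE_WBINFO_R, SAMPLE_GROUP_INFO):
        print(f"stale: {g} lists the user but its GID is missing from wbinfo -r")
```

Run `check_live("someuser", ["newgroup", "domain users"])` on each member server and on a DC; a non-empty result on the member only points at the member's cache rather than the directory.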
Vash
2014-10-04 08:55:18 UTC
Sébastien Le Ray <sebastien-samba <at> orniz.org> writes:

Hello!
Post by Sébastien Le Ray
Any hints?
Are you using rfc2307 and NIS extension?

--
Eros
Sébastien Le Ray
2014-10-04 12:14:15 UTC
Hi,
Post by Vash
Are you using rfc2307 and NIS extension?
Yes I am. All groups have a unix GID, the configuration is correct on
the member server (since the working one and the non-working one have
the same smb.conf except for the share options...)
On the two DCs I have on the domain wbinfo -r username gives correct
results, ADUC gives correct results no matter which DC is selected.
Running winbind -i -n does not solve the issue (so this does not seem
to be a cache issue)

Regards
Volker Lendecke
2014-10-04 12:29:03 UTC
Post by Sébastien Le Ray
Hi,
Post by Vash
Are you using rfc2307 and NIS extension?
Yes I am. All groups have a unix GID, the configuration is correct
on the member server (since the working one and the non-working one
have the same smb.conf except for the share options...)
On the two DCs I have on the domain wbinfo -r username gives correct
results, ADUC gives correct results no matter which DC is selected.
Running winbind -i -n does not solve the issue (so this does not
seem to be a cache issue)
Please retry after doing wbinfo -a or doing a SMB/PAM login.

Thanks,

Volker
--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
Sébastien Le Ray
2014-10-04 15:47:15 UTC
Post by Volker Lendecke
Post by Sébastien Le Ray
Hi,
Post by Vash
Are you using rfc2307 and NIS extension?
Yes I am. All groups have a unix GID, the configuration is correct
on the member server (since the working one and the non-working one
have the same smb.conf except for the share options...)
On the two DCs I have on the domain wbinfo -r username gives correct
results, ADUC gives correct results no matter which DC is selected.
Running winbind -i -n does not solve the issue (so this does not
seem to be a cache issue)
Please retry after doing wbinfo -a or doing a SMB/PAM login.
Hi,

No change... This seems to be some cache issue (but not at winbind level
since -n doesn't solve it) but even net cache flush doesn't solve it.
In fact the issue occurs on the three servers... It seems that the one
that seemed to work had its cache clean, I just added myself to a
group, checked on both DCs (all right), net cache flush + wbinfo -a... The
group is still not shown (but --group-info indicates that I'm a member).

Any further suggestion?

Regards
Min Wai Chan
2014-10-04 17:12:54 UTC
Try these...

This should shorten the cache time to 5 mins
Cut it lower if you need a shorter time...

winbind cache time = 300
idmap cache time = 300
idmap negative cache time = 300


On Sat, Oct 4, 2014 at 11:47 PM, Sébastien Le Ray <sebastien-samba at orniz.org
Post by Sébastien Le Ray
Post by Volker Lendecke
Post by Sébastien Le Ray
Hi,
Post by Vash
Are you using rfc2307 and NIS extension?
Yes I am. All groups have a unix GID, the configuration is correct
on the member server (since the working one and the non-working one
have the same smb.conf except for the share options...)
On the two DCs I have on the domain wbinfo -r username gives correct
results, ADUC gives correct results no matter which DC is selected.
Running winbind -i -n does not solve the issue (so this does not
seem to be a cache issue)
Please retry after doing wbinfo -a or doing a SMB/PAM login.
Hi,
No change... This seems to be some cache issue (but not at winbind level
since -n doesn't solve it) but even net cache flush doesn't solve it.
In fact the issue occurs on the three servers... It seems that the one that
seemed to work had its cache clean, I just added myself to a group,
checked on both DCs (all right), net cache flush + wbinfo -a... The group is
still not shown (but --group-info indicates that I'm a member).
Any further suggestion?
Regards
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Sébastien Le Ray
2014-10-04 19:03:12 UTC
No more success (btw winbind cache time default to 300 & idmap negative
to 120).

Regards
Post by Min Wai Chan
Try these...
This should shorten the cache time to 5 mins
Cut it lower if you need a shorter time...
winbind cache time = 300
idmap cache time = 300
idmap negative cache time = 300
Min Wai Chan
2014-10-04 19:44:08 UTC
ah...

Did your new group have a gid???

On Sun, Oct 5, 2014 at 3:03 AM, Sébastien Le Ray <sebastien-samba at orniz.org>
No more success (btw winbind cache time default to 300 & idmap negative to
120).
Regards
Try these...
Post by Min Wai Chan
This should shorten the cache time to 5 mins
Cut it lower if you need a shorter time...
winbind cache time = 300
idmap cache time = 300
idmap negative cache time = 300
Sébastien Le Ray
2014-10-04 20:52:10 UTC
Yes, and it is correctly returned by getent group/wbinfo --group-info
Post by Min Wai Chan
ah...
Did your new group have a gid???
On Sun, Oct 5, 2014 at 3:03 AM, Sébastien Le Ray
No more success (btw winbind cache time default to 300 & idmap
negative to 120).
Regards
Try these...
This should shorten the cache time to 5 mins
Cut it lower if you need a shorter time...
winbind cache time = 300
idmap cache time = 300
idmap negative cache time = 300
steve
2014-10-05 05:52:14 UTC
Post by Sébastien Le Ray
Yes, and it is correctly returned by getent group/wbinfo --group-info
Is wbinfo and getent returning the new membership on _all_ the DCs? Does
the user dn contain the correct memberOf and the group dn the member on
_all_ DCs?

Could we take winbind out of the mix for a while and try sssd. It would
narrow it down for us a bit more.
Post by Sébastien Le Ray
Post by Min Wai Chan
ah...
Did your new group have a gid???
On Sun, Oct 5, 2014 at 3:03 AM, Sébastien Le Ray
No more success (btw winbind cache time default to 300 & idmap
negative to 120).
Regards
Try these...
This should shorten the cache time to 5 mins
Cut it lower if you need a shorter time...
winbind cache time = 300
idmap cache time = 300
idmap negative cache time = 300
steve
2014-10-05 08:22:25 UTC
Post by steve
Post by Sébastien Le Ray
Yes, and it is correctly returned by getent group/wbinfo --group-info
Is wbinfo and getent returning the new membership on _all_ the DCs?
Does the user dn contain the correct memberOf and the group dn the
member on _all_ DCs?
Cannot find how to look at memberOf & member in ADSI :/ But ADUC
gives correct results no matter which DC I'm connected to so I guess it
should be OK.
wbinfo is OK on all DCs. No getent group since they don't have
nss-winbind installed, only the members have.
Post by steve
Could we take winbind out of the mix for a while and try sssd. It
would narrow it down for us a bit more.
I'll try to set this up tomorrow
Thanks
There was the other suggestion of using id or a login and all the wbinfo
stuff. All force an ldap lookup, but I think you've already tried them.
steve
2014-10-05 09:46:08 UTC
Post by steve
There was the other suggestion of using id or a login and all the
wbinfo stuff. All force an ldap lookup, but I think you've already
tried them.
Yes, id someuser is wrong, getent passwd is wrong, wbinfo -r is wrong
wbinfo --group-info is good :)
If all else fails, there's always the winbind-or-bust check-list:
http://linuxcostablanca.blogspot.com.es/2014/06/samba4-winbind-desperation.html

Don't forget the links, e.g. for 32 bit:
ln -s /usr/local/samba/lib/libnss_winbind.so /lib
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
ldconfig

HTH,
Steve
Hans-Kristian Bakke
2014-10-05 14:56:54 UTC
When I get issues like that (membership correctly displayed with
getent group, but not in groups <user>), I usually have to delete the
netsamlogon_cache.tdb (I could just delete the user in question to
force a refresh to avoid restarting winbind, but that is more of a
hassle)

service winbind stop
rm /var/cache/samba/netsamlogon_cache.tdb
service winbind start

It doesn't really help to log in again to refresh the user's group
membership. It seems to be stuck, even for days, until I do this.

Hans-Kristian
Post by steve
Post by steve
There was the other suggestion of using id or a login and all the
wbinfo stuff. All force an ldap lookup, but I think you've already
tried them.
Yes, id someuser is wrong, getent passwd is wrong, wbinfo -r is wrong
wbinfo --group-info is good :)
http://linuxcostablanca.blogspot.com.es/2014/06/samba4-winbind-desperation.html
ln -s /usr/local/samba/lib/libnss_winbind.so /lib
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
ldconfig
HTH,
Steve
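A scripted form of the netsamlogon_cache.tdb reset Hans-Kristian describes, added here and not part of the thread: it stops winbind, moves the file aside with a timestamp instead of deleting it (so the stale cache survives for analysis), and restarts winbind even if the move fails. The /var/cache/samba path and the `service winbind` commands are the ones used in the thread; the injectable `runner` argument and the `dry_run` helper are my additions so the procedure can be exercised without a real winbind.

```python
"""Refresh winbind's netsamlogon_cache.tdb as described in the thread, keeping
a timestamped copy of the old file for analysis instead of deleting it.
Added example, not from the thread."""
import os
import shutil
import subprocess
import tempfile
import time
from typing import Callable, List, Sequence


def refresh_netsamlogon_cache(
    cache_dir: str = "/var/cache/samba",             # path used in the thread
    service_cmd: Sequence[str] = ("service", "winbind"),
    runner: Callable[..., object] = subprocess.run,  # injectable for dry runs (my assumption)
) -> str:
    """Stop winbind, move netsamlogon_cache.tdb aside, start winbind again.

    Returns the path of the preserved copy, or '' if no cache file existed.
    winbind is restarted even if the move fails, so the member server is
    never left without winbind name-service lookups.
    """
    tdb = os.path.join(cache_dir, "netsamlogon_cache.tdb")
    backup = ""
    runner([*service_cmd, "stop"], check=True)
    try:
        if os.path.exists(tdb):
            backup = f"{tdb}.{time.strftime('%Y%m%d-%H%M%S')}.bak"
            shutil.move(tdb, backup)   # keep the stale cache rather than rm it
    finally:
        runner([*service_cmd, "start"], check=True)
    return backup


def dry_run() -> dict:
    """Exercise the procedure on a throwaway directory with a no-op service runner."""
    calls: List[List[str]] = []

    def fake_runner(cmd, check=False):
        calls.append(list(cmd))   # record what would have been executed

    workdir = tempfile.mkdtemp()
    fake_tdb = os.path.join(workdir, "netsamlogon_cache.tdb")
    with open(fake_tdb, "wb") as fh:
        fh.write(b"constructed placeholder, not a real TDB")
    backup = refresh_netsamlogon_cache(workdir, runner=fake_runner)
    result = {
        "calls": calls,
        "original_removed": not os.path.exists(fake_tdb),
        "backup_kept": os.path.exists(backup),
    }
    shutil.rmtree(workdir)
    return result


if __name__ == "__main__":
    print(dry_run())
```

On a real server call `refresh_netsamlogon_cache()` with the defaults as root; the returned path is the file to keep alongside the logs when reporting the problem.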
Sébastien Le Ray
2014-10-05 17:07:48 UTC
Where can I send you beer?
Is this some "known issue"? I'll try to see on #samba-technical if some
samba dev is interested in it. It seems that the netsamlogon_cache gets
in some state where it is not updated anymore. But maybe I'm missing
something on my side.
Is sssd more reliable since it relies on LDAP only and not AD internals?

Regards
Post by Hans-Kristian Bakke
When I get issues like that (membership correctly displayed with
getent group, but not in groups <user>), I usually have to delete the
netsamlogon_cache.tdb (I could just delete the user in question to
force a refresh to avoid restarting winbind, but that is more of a
hassle)
service winbind stop
rm /var/cache/samba/netsamlogon_cache.tdb
service winbind start
It doesn't really help to log in again to refresh the user's group
membership. It seems to be stuck, even for days, until I do this.
Hans-Kristian
Hans-Kristian Bakke
2014-10-05 17:30:41 UTC
Sébastien Le Ray
2014-10-05 18:12:36 UTC
Post by Hans-Kristian Bakke
I will switch from winbind to SSSD when I upgrade our systems to
jessie at work. The migration needs to be planned a bit though, as I
want to use the UID and GID native to SSSD instead of the RID-based
ones I needed for winbind, so some scripting will be needed.
Does that mean that you don't use rfc2307 attributes or that they're not
supported?

I also read that wheezy sssd isn't compatible with wheezy-backports samba4?
steve
2014-10-05 18:33:43 UTC
Post by Sébastien Le Ray
Post by Hans-Kristian Bakke
I will switch from winbind to SSSD when I upgrade our systems to
jessie at work. The migration needs to be planned a bit though, as I
want to use the UID and GID native to SSSD instead of the RID-based
ones I needed for winbind, so some scripting will be needed.
Does that mean that you don't use rfc2307 attributes or that they're not
supported?
No. You stay exactly as you are with rfc2307 in the directory.
Post by Sébastien Le Ray
I also read that wheezy sssd isn't compatible with wheezy-backports samba4?
On Debian and Ubuntu, disable winbind and just build your own:
https://fedorahosted.org/released/sssd/sssd-1.12.1.tar.gz

The configuration is really simple:
http://linuxcostablanca.blogspot.com.es/2014/04/sssd-ad-backend-with-samba4.html

HTH,
Steve
steve
2014-10-05 18:27:18 UTC
On 05/10/14 19:30, Hans-Kristian Bakke wrote:
The migration needs to be planned a bit though, as I
Post by Hans-Kristian Bakke
want to use the UID and GID native to SSSD instead of the RID-based
ones I needed for winbind, so some scripting will be needed.
For Debian Jessie
That version still needs winbind running (but not configured). As a
replacement for winbind, go for sssd 1.12.1. Recommended.
HTH,
Steve
Hans-Kristian Bakke
2014-10-05 18:54:25 UTC
I keep reading that Samba4 is supposed to not be working correctly
without winbind because of some internal API-calls, but still
everything seems to work nicely with the version in Debian Jessie. I
do not have winbind installed at all in my two Debian Jessie installs.
With "works nicely" I mean that I can use AD-groups to regulate access
to shares, and it works like it should do, just without the caching
issues of winbind (changes in access permissions are instantly
reflected on the next access in my tests)

And yes, I do not use RFC2307, but instead rely on deterministic
uid/gid mapping on the Linux-members, which currently is no extra work
as all the hosts run the same winbind configuration. I do not have the
NIS-extensions installed at all. I just don't like adding special
purpose stuff to AD just for Linux, when my use case does not need it
in any way. Perhaps I will view things differently in the future,
especially if I start running some winbind and some SSSD setups in the
same environment.
Post by Hans-Kristian Bakke
The migration needs to be planned a bit though, as I
Post by Hans-Kristian Bakke
want to use the UID and GID native to SSSD instead of the RID-based
ones I needed for winbind, so some scripting will be needed.
For Debian Jessie
That version still needs winbind running (but not configured). As a
replacement for winbind, go for sssd 1.12.1. Recommended.
HTH,
Steve
Michael Adam
2014-10-09 08:11:17 UTC
Hi,
Post by Sébastien Le Ray
Where can I send you beer?
Is this some "known issue"? I'll try to see on #samba-technical if
some samba dev is interested in it. It seems that the
netsamlogon_cache gets in some state where it is not updated
anymore. But maybe I'm missing something on my side.
Is sssd more reliable since it relies on LDAP only and not AD internals?
Regards
Post by Hans-Kristian Bakke
When I get issues like that (membership correctly displayed with
getent group, but not in groups <user>), I usually have to delete the
netsamlogon_cache.tdb (I could just delete the user in question to
force a refresh to avoid restarting winbind, but that is more of a
hassle)
service winbind stop
rm /var/cache/samba/netsamlogon_cache.tdb
service winbind start
It doesn't really help to log in again to refresh the user's group
membership. It seems to be stuck, even for days, until I do this.
This is basically the hint that Volker gave a few mails above:

The login should refresh the cache entry in the netsamlogon-cache.tdb.

If it does not do so, this is a bug, and we need
to fix it.

In order to further analyze, we need to have:

- smb.conf
- nsswitch.conf
- description of the domain setup
single domain? number of dcs? are there trusts?
- does the problem only occur with users from trusted domain
or also from primary?
- is this readily reproducible, e.g. by changing
group membership in the domain and then logging in
again to the samba server.
- we need a level10 log of samba (all log files) of
the login process that fails to update netsamlogon-cache.tdb.

I guess the best thing would be to add a bug report
for this to collect the relevant data.

Cheers - Michael
Post by Sébastien Le Ray
Post by Hans-Kristian Bakke
Hans-Kristian
Sébastien Le Ray
2014-10-05 09:04:27 UTC
Post by steve
There was the other suggestion of using id or a login and all the
wbinfo stuff. All force an ldap lookup, but I think you've already
tried them.
Yes, id someuser is wrong, getent passwd is wrong, wbinfo -r is wrong
wbinfo --group-info is good :)
Sébastien Le Ray
2014-10-05 08:15:00 UTC
Post by steve
Post by Sébastien Le Ray
Yes, and it is correctly returned by getent group/wbinfo --group-info
Is wbinfo and getent returning the new membership on _all_ the DCs?
Does the user dn contain the correct memberOf and the group dn the
member on _all_ DCs?
Cannot find how to look at memberOf & member in ADSI :/ But ADUC
gives correct results no matter which DC I'm connected to so I guess it
should be OK.
wbinfo is OK on all DCs. No getent group since they don't have
nss-winbind installed, only the members have.
Post by steve
Could we take winbind out of the mix for a while and try sssd. It
would narrow it down for us a bit more.
I'll try to set this up tomorrow


Thanks
steve
2014-10-04 18:03:24 UTC
Post by Sébastien Le Ray
Any further suggestion?
nscd? Failing that, delete the winbind dbs with a big hammer.
Sébastien Le Ray
2014-10-04 18:18:37 UTC
Post by steve
Post by Sébastien Le Ray
Any further suggestion?
nscd? Failing that, delete the winbind dbs with a big hammer.
Already rm winbindd_*.tdb... no result :)