AD group membership changes not reflected in winbind information

I have actually acquired numerous RHEL5 web servers that were set up to confirm customers versus their advertisement accounts using winbind. Every little thing functions penalty till I upgrade team subscription in advertisement. For some customers, the adjustments never ever make it to the result of the "groups" command, although they are mirrored in the result of "getent team ".

As an example, take into consideration the following:

[origin @hcc1pl1 ~ ] # groups plubans¢ plubans: domain name customers systems framework development¢ [origin @hcc1pl1 ~ ] # getent team q1esb¢ q1esb: *:23136: q1qai, q1prodi

If I add myself to q1esb on the DC that winbind is making use of, you can see that the subscription is upgraded:

[origin @hcc1pl1 ~ ] # lsof - i|grep winbind
winbindd 31339root 17u IPv4 63817934TCP hcc1pl1:56541 - >hcnas01: microsoft - ds (ESTABLISHED) ¢ winbindd 31339root 21u IPv4 63817970TCP hcc1pl1:53622 - >hcnas01: ldap (ESTABLISHED) ¢ [origin @hcc1pl1 ~ ] # ldapsearch - u - x - LLL - h hcnas01 - D "plubans @XXX.XXX" - W - b "CN = Peter Lubans, OU = Standard User Accounts, OU = Users, OU = XXX, DC = XXX, DC = XXX" " (sAMAccountName = *) " memberOf¢ Enter LDAP Password: ¢ .. ¢ memberOf: CN = q1esb, OU = Security Groups, OU = Groups, OU = XXX, DC = XXX, DC = XXX¢ ..

Keep in mind that winbind is running without caching (- n flag):

[origin @hcc1pl1 ~ ] # ps - ef|grep winbind¢ origin 31339 1 0 13:50? 00:00:00 winbindd - n¢ origin 31340 31339 0 13:50? 00:00:00 winbindd - n¢ origin 31351 31339 0 13:50? 00:00:00 winbindd - n¢ origin 31352 31339 0 13:50? 00:00:00 winbindd - n¢ origin 31353 31339 0 13:50? 00:00:00 winbindd - n

Now getent programs that that team has the proper participants:

[origin @hcc1pl1 ~ ] # getent team q1esb¢ q1esb: *:23136: q1qai, plubans, q1prodi

But the upgraded subscription is not mirrored in my account information:

[origin @hcc1pl1 ~ ] # groups plubans¢ plubans: domain name customers systems framework development¢ [origin @hcc1pl1 ~ ] #

The absolutely troublesome component of this trouble is that it functions penalty for various other accounts on this equipment, and also for my account on equipments that I have actually set up from scratch.

Any kind of suggestions?

6
2022-06-07 15:16:32
Source Share
Answers: 3

I've had a comparable experience with RHEL is supply samba/winbind plans. It is been my experience that RHEL is winbind is a little questionable. What I observed was that as soon as a customer confirmed, their team subscription would certainly be properly upgraded, yet in addition to that, no adjustments in team subscription would certainly ever before turn up. This is not an optimum remedy, specifically if you remove a customer from a team that would certainly grant them accessibility to the equipment, given that it properly provides one last login that they should not get. This might or might not mirror your scenario specifically however, due to the fact that I additionally dealt with not seeing the team participants of an advertisement team when running getent group (it would certainly simply resemble a team without participants, also if groups username revealed them as a participant of the team), yet it shows up that is benefiting you.

What addressed the trouble for me was mounting the "tested" circulation of RPMs from enterprisesamba.org. Team subscription adjustments turned up quickly, no matter winbind cache setups. Called for no arrangement adjustments, BUT if you are mapping advertisement customers and also groups with a neighborhood idmap table mounting the new RPMS will certainly greater than most likely entirely remap your numerical team and also customer ids , so be planned for that (unload your getent group and also getent passwd result to a documents prior to updating so you have a reference to deal with documents possession with.

0
2022-06-28 20:32:57
Source

My only idea and also it is a really obscure one is that it could have something to do with interaction with your Infrastructure Master (which is in charge of upgrading team subscriptions throughout domain names).

1
2022-06-07 16:00:54
Source

It shows up that this was brought on by team details being cached at logon - time in/ var/cache/samba/ netsamlogon_cache. tdb. I presume that although' - n' advised winbind not to cache it is questions versus LDAP, the visibility of the subscription details because TDB documents sufficed to mess points up.

4
2022-06-07 15:56:08
Source