I have inherited several RHEL5 servers that were set up to authenticate users against their AD accounts via winbind. Everything works fine until I update group membership in AD. For some users, the changes never make it to the output of the "groups" command, although they are reflected in the output of "getent group <groupname>".
For example, consider the following:
[root@hcc1pl1 ~]# groups plubans
plubans : domain users systems infrastructure development
[root@hcc1pl1 ~]# getent group q1esb
q1esb:*:23136:q1qai,q1prodi
If I add myself to q1esb on the DC that winbind is using, you can see that the membership is updated:
[root@hcc1pl1 ~]# lsof -i | grep winbind
winbindd 31339 root 17u IPv4 63817934 TCP hcc1pl1:56541->hcnas01:microsoft-ds (ESTABLISHED)
winbindd 31339 root 21u IPv4 63817970 TCP hcc1pl1:53622->hcnas01:ldap (ESTABLISHED)
[root@hcc1pl1 ~]# ldapsearch -u -x -LLL -h hcnas01 -D "plubans@XXX.XXX" -W -b "CN=Peter Lubans,OU=Standard User Accounts,OU=Users,OU=XXX,DC=XXX,DC=XXX" "(sAMAccountName=*)" memberOf
Enter LDAP Password:
…
memberOf: CN=q1esb,OU=Security Groups,OU=Groups,OU=XXX,DC=XXX,DC=XXX
…
Note that winbind is running without caching (-n flag):
[root@hcc1pl1 ~]# ps -ef | grep winbind
root 31339 1 0 13:50 ? 00:00:00 winbindd -n
root 31340 31339 0 13:50 ? 00:00:00 winbindd -n
root 31351 31339 0 13:50 ? 00:00:00 winbindd -n
root 31352 31339 0 13:50 ? 00:00:00 winbindd -n
root 31353 31339 0 13:50 ? 00:00:00 winbindd -n
Now getent shows that that group has the correct members:
[root@hcc1pl1 ~]# getent group q1esb
q1esb:*:23136:q1qai,plubans,q1prodi
But the updated membership is not reflected in my account details:
[root@hcc1pl1 ~]# groups plubans
plubans : domain users systems infrastructure development
[root@hcc1pl1 ~]#
The truly vexing part of this problem is that it works fine for other accounts on this machine, and for my account on machines that I have configured from the ground up.
Any ideas?
Best Answer
It appears that this was caused by group information being cached at logon-time in /var/cache/samba/netsamlogon_cache.tdb. I guess that although '-n' instructed winbind not to cache its queries against LDAP, the presence of the membership information in that TDB file was enough to mess things up.
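The following is an added example and not part of the answer above. It turns the symptom described in the question (a group whose getent member list names the user while the user's own group list lacks it) into a check a practitioner can run on a fleet of winbind hosts before deciding whether to flush the logon-time cache. It compares numeric GIDs rather than names because AD group names such as "domain users" contain spaces and cannot be split reliably out of `groups` output. The sample output embedded in the script is constructed to match the question; the live helper and the flush helper assume a RHEL5-style `service winbind` init script and the cache path the answer names (newer Samba keeps netsamlogon_cache.tdb under /var/lib/samba instead), and nothing here runs against a real winbind unless you call those helpers yourself.

```shell
#!/bin/sh
# Added example (not from the original post): find AD groups that list a user
# in "getent group" but are missing from that user's session-side GID list,
# which is what a stale netsamlogon_cache.tdb entry looks like from the shell.

# Constructed sample data mirroring the question: "id -G plubans" output and a
# few "getent group" lines. GIDs other than q1esb's are made up for the example.
SAMPLE_USER=plubans
SAMPLE_GIDS="10513 20001 20002 20003"
SAMPLE_GETENT="domain users:*:10513:
systems:*:20001:plubans,ops
infrastructure:*:20002:plubans
development:*:20003:plubans
q1esb:*:23136:q1qai,plubans,q1prodi
archive:*:20004:q1qai"

# stale_groups USER "GID LIST" "GETENT LINES"
# Prints name:gid for every getent line whose member field contains USER but
# whose GID is absent from the space-separated GID list (what "id -G" prints).
# Matching on the GID field avoids mis-parsing group names that contain spaces.
stale_groups() {
    user=$1; gids=$2; getent=$3
    printf '%s\n' "$getent" | awk -F: -v user="$user" -v gids="$gids" '
        BEGIN { n = split(gids, a, " "); for (i = 1; i <= n; i++) have[a[i]] = 1 }
        {
            m = split($4, members, ",")
            for (i = 1; i <= m; i++)
                if (members[i] == user && !($3 in have)) print $1 ":" $3
        }'
}

# stale_groups_live USER GROUP...
# Same check against the running system. Group names are passed explicitly
# because "getent group" with no argument only enumerates when winbind has
# "winbind enum groups = yes", which is commonly off.
stale_groups_live() {
    user=$1; shift
    stale_groups "$user" "$(id -G "$user")" "$(getent group "$@")"
}

# flush_samlogon_cache [TDB]
# Removes the logon-time cache the answer identifies. Winbind is stopped first
# so it does not keep the old file open; the affected user must log in again
# afterwards to get a fresh entry. Assumes a RHEL5-style "service winbind"
# init script; the default path is the one named in the answer.
flush_samlogon_cache() {
    tdb=${1:-/var/cache/samba/netsamlogon_cache.tdb}
    service winbind stop && rm -f "$tdb" && service winbind start
}

# Run the offline check on the constructed sample; prints "q1esb:23136".
stale_groups "$SAMPLE_USER" "$SAMPLE_GIDS" "$SAMPLE_GETENT"
```

Usage on a real host would be `stale_groups_live plubans q1esb systems` to list the groups that are out of sync, then `flush_samlogon_cache` on the hosts where the list is non-empty, followed by a fresh login for the user. Note that `winbindd -n` and `net cache flush` act on winbind's query cache, not on this per-user logon cache, which is why the question's setup still showed stale data.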