Bug 227325 - netsamlogon_cache.tdb group information becomes stale
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: samba
4.4
All Linux
medium Severity medium
Assigned To: Simo Sorce
David Lawrence
Reported: 2007-02-05 04:50 EST by Jose Plans
Modified: 2010-10-22 08:51 EDT
Fixed In Version: RHEA-2007-0698
Doc Type: Bug Fix
Last Closed: 2007-11-15 11:14:56 EST


Attachments
netlogon_cache.patch (5.88 KB, patch)
2007-02-05 04:53 EST, Jose Plans


External Trackers
Tracker ID Priority Status Summary Last Updated
Samba Project 3014 None None None Never

Description Jose Plans 2007-02-05 04:50:53 EST
Description of problem:

Using samba 3.0.10 and winbind, winbind still uses netsamlogon tdbs, making the
authentication cache inaccurate.
I.e.:

"Customer has found that when a user is added to a secondary group via the ADS
Users and Groups interface, the secondary group does not show up on the Samba
client.  Currently, the customer has found that if they stop winbind, delete the
netsamlogon_cache.tdb file and then restart winbind, the group will be seen.  We
have recreated this issue in our lab running RHEL 4 U4 as the Samba domain
member server and with a Windows 2K3 ADS.  This is most likely a form of Samba
bugzilla 2861 and 3014.  It appears that the fix was to remove
netsamlogon_cache.tdb from Samba, but that change was not made until 3.0.21."

This file and its usage have been removed from Samba in later releases (I believe
3.0.21) and a bugzilla was created to fix the problem.

The fix just removes the usage of this file and was successful for the
customer.

* https://bugzilla.samba.org/show_bug.cgi?id=3014#c2

Following this comment I created a patch that should match upstream on our samba
3.0.10 tree.
Could it be reviewed and applied? It does fix the problem.



Version-Release number of selected component (if applicable):


How reproducible:
Always.

Steps to Reproduce:
1. Create a secondary group on the DS.
2. Add a user to this group.
3. Check user details using winbind/nss.
  
Actual results:
Old cache results as being the new expected cache.


Expected results:
New results cache or no cache.


Additional info:
Upstream removed netsamlogon tdbs.

     Jose
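
Step 3 of the reproduction as a repeatable check, added here as an example (it is not part of the bug report or of Samba): it parses `id USER` output and compares it with a directory-side group list. The function names `nss_groups` and `group_drift`, the `EXAMPLE` domain and all sample values are constructed; the directory list is assumed to be one group name per line, compared case-insensitively. It also reports the reverse drift (`EXTRA`), which the report does not describe.

```shell
#!/bin/sh
# Added example: compare the groups NSS/winbind reports for a user with a
# directory-side list. All names and sample values below are constructed.

# Print the group names found in one line of `id USER` output, one per line,
# lower-cased and sorted. Names may contain spaces ("domain users"), so the
# "groups=" field is split on commas rather than on whitespace. A trailing
# SELinux " context=..." field, if present, is dropped first.
nss_groups() {
    printf '%s\n' "$1" |
        sed -n -e 's/ context=.*$//' -e 's/.*groups=//p' |
        tr ',' '\n' |
        sed -n 's/^[0-9]*(\(.*\))$/\1/p' |
        tr '[:upper:]' '[:lower:]' | LC_ALL=C sort -u
}

# group_drift ID_OUTPUT DIRECTORY_GROUPS
#   MISSING <group>  in the directory list but not reported through NSS
#                    (the symptom in this report)
#   EXTRA <group>    reported through NSS but absent from the directory list
group_drift() {
    _nss=$(mktemp)
    _dir=$(mktemp)
    nss_groups "$1" > "$_nss"
    printf '%s\n' "$2" | sed '/^$/d' |
        tr '[:upper:]' '[:lower:]' | LC_ALL=C sort -u > "$_dir"
    LC_ALL=C comm -13 "$_nss" "$_dir" | sed 's/^/MISSING /'
    LC_ALL=C comm -23 "$_nss" "$_dir" | sed 's/^/EXTRA /'
    rm -f "$_nss" "$_dir"
}

# Constructed sample: what `id 'EXAMPLE\alice'` might print on the member
# server, and the groups the directory is assumed to hold for that user.
ID_OUT='uid=10001(EXAMPLE\alice) gid=10000(EXAMPLE\domain users) groups=10000(EXAMPLE\domain users),10007(EXAMPLE\old-project) context=user_u:system_r:unconfined_t'
DIR_GROUPS='EXAMPLE\Domain Users
EXAMPLE\finance'

# On a live host, pass "$(id 'EXAMPLE\alice')" instead of the sample.
group_drift "$ID_OUT" "$DIR_GROUPS"
```

Any `MISSING` or `EXTRA` line means the client's view of the user's groups differs from the directory list it was given.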
Comment 1 Jose Plans 2007-02-05 04:53:12 EST
Created attachment 147344
netlogon_cache.patch

This patch should match upstream and fixes the problem.
Comment 3 RHEL Product and Program Management 2007-05-09 03:56:49 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 4 Guenther Deschner 2007-07-03 11:42:19 EDT
Fixed in later samba versions, successfully tested with 3.0.25b
(the samlogoncache.tdb needs to stay as it's the core of the offline
authentication).

Comment 9 errata-xmlrpc 2007-11-15 11:14:56 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2007-0698.html
