
I have a really strange issue where the `wbinfo -g` command properly indicates the AD domain group I am interested in and shows a particular user in that group - this is always true, so on the Linux side it seems to have the proper information.

However - the `groups` command will initially show the user being part of the group in question, but some time after having logged in that user - the membership to the group goes away in the `groups` command (but remains in the `wbinfo -g`).

I say erratic because I'm not confident yet that it is somehow timing out versus a result of something. I've chased down 3 things so far that I thought may have caused it, but when trying to repeat I couldn't see the problem - so I'm left with some kind of timeout theory.

But here is an illogical oddity: `wbinfo --gid-info` vs `wbinfo -r`. What is odd is that the former will show the user in question in its list, but the latter will not show the group id. It's like wbinfo has a split personality.

I duplicated the scenario this time while redirecting all of the samba logs and syslog (Ubuntu) to a file. Really didn't see any errors except for the following at about the time I seemed to lose the group: "Printcap cache time expired", "reloading printcap cache", "reloading status: error" all in succession. If printcap is not properly configured, is it possible it could be mucking with me? The steps after verifying the group membership was OK to when it was not were the following:

1) Exited out of a bunch of terminal windows on server
2) Logged out user from server GUI
3) Logged in "user5" on server.

Previous attempts had this sequence work fine and later just "lose" the group over time. Don't think it is the login of the user. Either the logs were of no help, or somehow the printcap is indicating the error.

The samba logs do not have any error conditions present that explain this situation.

Anyone have any experience seeing something like this? Are there different rules for different group type/scopes (domain local, global, universal)? Does the nsswitch.conf file somehow play a part in the translation between AD info cached, and the information that is actually used by the file system? Any help would be appreciated.

Ian Frisbie
  • `I say erratic because I'm not confident yet that it is somehow timing out versus a result of something.` <-- You need to do some more digging to narrow this down (check your samba/winbind logs, `/var/log/messages`, etc.) -- it's pretty hard to troubleshoot when we don't know how you're evoking the bad behavior, and anything we offer you now would be blind guesses... – voretaq7 Oct 24 '12 at 16:17
  • The last time it happened (I've run 4 scenarios with new users) I actually didn't do anything, it just eventually was "lost". The other three times I wasn't doing anything other than logging in/out, touching files - and activating httpd through some wiki queries - so I think it's some kind of timeout/expiration. Will try to fish through the logs - but not really sure what to look for. – Ian Frisbie Oct 24 '12 at 16:30
  • As with any log exploration, look for things that don't seem right :-) (it helps if you can watch the logs and make the problem happen while you're looking -- that narrows down the number of possibly-significant messages) – voretaq7 Oct 24 '12 at 16:31
  • But here is an illogical oddity: `wbinfo --gid-info` vs `wbinfo -r`. What is odd is that the former will show the user in question in its list, but the latter will not show the group id. It's like wbinfo has a split personality. Are there any settings for additional debug output for logs? – Ian Frisbie Oct 24 '12 at 16:32
  • I duplicated the scenario this time while redirecting all of the samba logs and syslog (Ubuntu) to a file. Really didn't see any errors except for the following at about the time I seemed to lose the group: "Printcap cache time expired", "reloading printcap cache", "reloading status: error" all in succession. If printcap is not properly configured, is it possible it could be mucking with me? The steps after verifying the group membership was OK to when it was not were the following: 1) Exited out of a bunch of terminal windows on server, 2) Logged out user from server GUI – Ian Frisbie Oct 24 '12 at 17:31
  • 3) Logged in "user5" on server. Previous attempts had this sequence work fine and later just "lose" the group over time. Don't think it is the login of the user. Either the logs were of no help, or somehow the printcap is indicating the error. – Ian Frisbie Oct 24 '12 at 17:33
  • Please include all of the above as edits to your question -- it's nigh unreadable as comments... – voretaq7 Oct 24 '12 at 19:03

0 Answers