FloFaber.com

[Mirror] Group membership not updating in winbind

This is just a mirror of Marcin Mogielnicki's now non-existent article about winbind group membership. I got ahold of it by kindly asking him via E-Mail. Thanks for that.

It's slightly modified for better readability. Again, the following is not my own writing.

Scenario

A file server running smbd with security = ads (i.e. acting as a domain member). A user connects to a Samba share and their group membership is captured correctly on the first connection - and it never gets updated after that.

Root cause

Samba updates group membership when it is calculated by an AD domain controller, and it is calculated only when the user logs in to a server running smbd and winbind, which is triggered by wbinfo -a or a kerberized SMB login only. As this is a serious limitation, meaning that no group membership would be known at all on machines the user never logs in on, fallback group membership code was developed that pulls the user's group membership from AD without the user logging in. But as the machine account used by winbind does not have the rights to ask for user group membership, it is considered flaky and its results unreliable. Hence winbind never relies on it: it will call it when no group membership is known at all, but it will never be used to refresh cached group memberships. As a result, in some scenarios winbind captures user group memberships once and never updates them after that.

It is not possible to disable caching of group membership, i.e. there is no way to disable this behaviour by putting a line in smb.conf. Note that this is not a Samba issue but an AD design issue; the behaviour is consistent with the way Windows behaves, which effectively is that AD group membership is updated when a user authenticates during login.

How to force group membership refresh for a user

Group membership is cached in a file named netsamlogon_cache.tdb, which can be investigated with tdbtool (all versions of Samba) or net cache samlogon (Samba 4.7 or newer). Deleting cached entries from that file triggers a one-time update of group memberships by calling the fallback update code and putting its result back in netsamlogon_cache.tdb; after that they are cached forever again.

tdbtool way:

$ wbinfo -n user.name
S-1-5-21-3023451936-689652692-1079546996-40725 SID_USER (1)

Append \0 to the SID and put it in quotes:

$ tdbtool netsamlogon_cache.tdb delete "S-1-5-21-3023451936-689652692-1079546996-40725\0"

Group membership will be updated the first time the OS needs it; wait a few minutes for the tdb file to be populated.

net cache samlogon way:

$ net cache samlogon list|head
SID                                                Name                                     When cached
---------------------------------------------------------------------------------------------------------------------------
S-1-5-21-3023451936-689652692-1079546996-40725     DOM\user.name                            Tue Apr 27 07:59:19 AM 2018 BST
S-1-5-21-3023451936-689652692-1079546996-41432     DOM\user.name2                           Tue Apr 27 02:13:33 PM 2018 BST

$ net cache samlogon delete S-1-5-21-3023451936-689652692-1079546996-40725

Same as before: group membership will be updated the first time the OS needs it; wait a few minutes for the tdb file to be populated.
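The two refresh procedures above, wrapped in a small POSIX shell script, as an added example that is not part of the original article. It parses the wbinfo -n and net cache samlogon list output formats shown above, refuses to touch anything but a SID_USER entry, and prefers net cache samlogon with tdbtool as the fallback; the cache path and the DRY_RUN / CACHE_TDB variables are assumptions, not Samba's own.

```shell
#!/bin/sh
# Added example, not part of the original article: parse the `wbinfo -n` and
# `net cache samlogon list` output shown above and issue the matching
# cache-delete command for one user. DRY_RUN=1 (the default) only prints the
# commands, so this runs on a host without winbind.
DRY_RUN="${DRY_RUN:-1}"
# Assumed default cache path; check CACHEDIR in `smbd -b` output on your build.
CACHE_TDB="${CACHE_TDB:-/var/lib/samba/netsamlogon_cache.tdb}"
# Constructed sample output (SIDs copied from the article, not real accounts).
SAMPLE_WBINFO='S-1-5-21-3023451936-689652692-1079546996-40725 SID_USER (1)'
SAMPLE_SAMLOGON='S-1-5-21-3023451936-689652692-1079546996-40725     DOM\user.name      Tue Apr 27 07:59:19 AM 2018 BST
S-1-5-21-3023451936-689652692-1079546996-41432     DOM\user.name2     Tue Apr 27 02:13:33 PM 2018 BST'

# SID from a `wbinfo -n` line. Only SID_USER is accepted, so a group or
# machine SID is never deleted from the cache by mistake.
sid_from_wbinfo() {
    set -- $1
    [ "$2" = "SID_USER" ] || return 1
    case $1 in S-1-5-21-*) printf '%s\n' "$1" ;; *) return 1 ;; esac
}

# SID for a DOM\user.name entry in `net cache samlogon list` output; the
# header and dashed lines never match because their Name column differs.
sid_from_samlogon() {
    while read -r sid name _when; do
        [ "$name" = "$2" ] && { printf '%s\n' "$sid"; return 0; }
    done <<EOF
$1
EOF
    return 1
}

# tdbtool key: the SID with a literal \0 appended, in double quotes.
tdbtool_key() { printf '"%s\\0"\n' "$1"; }

# Drop the cached entry for a SID. `net cache samlogon` needs Samba 4.7+;
# tdbtool on the cache file is the fallback for older versions.
delete_cache_entry() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'net cache samlogon delete %s\n' "$1"
        printf 'tdbtool %s delete %s\n' "$CACHE_TDB" "$(tdbtool_key "$1")"
        return 0
    fi
    net cache samlogon delete "$1" 2>/dev/null ||
        tdbtool "$CACHE_TDB" delete "$1\\0"
}

# Dry run against the sample: resolve the user's SID, then show the commands.
SID="$(sid_from_wbinfo "$SAMPLE_WBINFO")" && delete_cache_entry "$SID"
```

After the deletion, winbind only repopulates the entry the next time something on the host asks for that user's groups, so an id or getent lookup a few minutes later is the quickest way to confirm the refresh happened.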