Slow updating Active Directory user/group cache

Status
Not open for further replies.

notpulllsar

Cadet
Joined
Sep 1, 2017
Messages
5
My recently deployed Freenas 11.0-U2 is attached to Active Directory and is syncing users and groups but very, very slowly.

After attaching to AD I created a dataset and shared it out over SMB. I created a new group in AD just for testing permissions and added myself to that group in AD. I changed the group permissions on the dataset in Freenas to the newly created group, but my user was unable to write to the share. I troubleshooted this for a little while and then decided I would tackle it in the morning.

The next morning I tried to write to the share and it worked! Yay - now to test that it will disallow a user NOT in that group. I removed myself from that group in AD but was still able to write to the share for about 6 hours then the user was no longer permitted.

To see what was going on with the cache I performed the following:
  1. wbinfo -n <username> (to get the SID of my AD account)
  2. wbinfo --user-domgroups <SID> (to get the AD groups' SIDs my account is a member of)
One of the lines returned from step 2 was the group in question that at the time was not associated with my AD account. So I rm'd the /var/db/samba4/winbindd_cache* and restarted the samba service. This did not resolve the problem and the group SID was still present according to wbinfo. Then I removed /var/db/samba4/netsamlogon_cache.tdb and restarted samba service. This time I quickly ran wbinfo and the group SID in question was gone! I ran the command again a couple seconds later and it was back. My AD account was not a member of that group at that time. Where could that have been cached other than in the cache files I removed?

Just to clarify that this does not appear to be an issue with my domain controller -- when I removed the group from my account and ran: net user /domain <username> on my Windows laptop it returned all groups associated with my account and this particular group was not present in the results of that command.

Is there another cache file somewhere that is keeping this old group membership data around? Is there a config file directive that I can change to make it either 1. Not keep AD user and group cache (tried it in the GUI, didn't make a difference) or 2. make the cache update more frequently?

Thanks in advance for any assistance.
 
D

dlavigne

Guest
Were you able to find the answer to this? If not, does clicking "Rebuild Directory Service Cache" do the right thing?
 

notpulllsar

Cadet
Joined
Sep 1, 2017
Messages
5
Were you able to find the answer to this? If not, does clicking "Rebuild Directory Service Cache" do the right thing?

I had not looked at this issue further since my original post. I tried rebuilding the cache using that functionality prior to the steps taken in my post. Tried it with AD user/group cache enabled and disabled but the results were the same.

I tried it again just moments ago with caching disabled. After clicking on "Rebuild Directory Server Cache" I waited 10 minutes and the group membership cache on the Freenas box did not change. I expect it will change eventually. It shouldn't be using any AD cache but it appears that it is.
 

notpulllsar

Cadet
Joined
Sep 1, 2017
Messages
5
I'm looking at the /etc/krb5.conf kerberos config file on the Freenas box and under the [realms] section I see that my backup domain controller is set as the kdc and admin_server directives while the kpasswd_server is my primary domain controller. I didn't reference my backup DC (at least, don't think I did) when I established AD binding between the Freenas box and my domain.

Could that be causing unexpected issues? I checked my backup DC and verified that the changes on my AD account propagated correctly but the Freenas box still has not updated the cache yet.
 

notpulllsar

Cadet
Joined
Sep 1, 2017
Messages
5
Answering my own question -

Forcing the kdc and admin_server directives in /etc/krb5.conf to match the kpasswd_server did not make a difference in the caching.

I'm now looking in /etc/local/smb4.conf, Samba's config file. In particular I am investigating the following directive: winbind cache time. This directive is explained here but I will provide the definition below.
  • winbind cache time - This parameter specifies the number of seconds the winbindd(8) daemon will cache user and group information before querying a Windows NT server again. This does not apply to authentication requests, these are always evaluated in real time unless the winbind offline logon option has been enabled
On my Freenas server, winbind cache time is set to 7200 seconds (2 hours). I am considering setting this to something considerably lower, like 300 (5 minutes) or less, or perhaps disabling it altogether. Has anyone done this and if so, have you seen a problematic spike in directory server querying?
 

notpulllsar

Cadet
Joined
Sep 1, 2017
Messages
5
Update -

I changed the winbind cache time parameter and it still did not resolve the AD group member caching issue. I have moved on to another solution for my NAS project. Having AD group membership work properly is a non-negotiable aspect of this project and unfortunately I am unable to use Freenas for it due to the issues with AD cache I was having.

P.S. I really liked using Freenas while it lasted and I intend on using it again if I need a NAS solution in a project that doesn't require strict AD group membership data being correct.
 
Status
Not open for further replies.
Top