Ephi Dror wrote:
> Hello again,
>
> I looked at the code and found out that really the
> only way to have accurate group membership info is
> if one of the following functions is called:
>
> In winbindd_pam.c:
>
> 1. winbindd_dual_pam_auth()
> 2. winbindd_dual_pam_auth_crap()
>
> I would recommend to think about ways to call
> netsamlogon_clear_cached_user() in other places to allow
> non-authentication PAM functions such as "id" to work well.

The samlogon reply or PAC information is the only completely accurate view of the user group membership. Querying AD is not always guaranteed to work. So the samlogon cache takes precedence.

As to an expiration time on the cache entry, we have never agreed on how to do this without potentially deleting information during a valid user session since applications are not required to call pam_close_session(). Also, the concept of an SMB session becomes more difficult to track in this case.

cheers, jerry
