… or: How to update group membership information of the computer account.

When you change a user's Active Directory group membership, you usually ask them to log off and log on again. You don't tell them why, you just tell them to do so. What happens? At the new logon the user's Kerberos tickets are issued afresh, and the group membership carried inside those tickets (in the PAC) now reflects the change, so the user can access the resources the new group grants.
You can check which tickets a user has by using the klist command:
[Screenshot: klist output for the current user]

But what about the system / computer account? You cannot log the system account off and on again. You would have to reboot, or wait for the tickets to expire, which by default takes up to 10 hours (the domain's default maximum ticket lifetime). Again, klist can do this for you. By running


klist -li 0x3e7

you get a list of the system account’s tickets:

[Screenshot: klist output for the system account]

And by running


klist -li 0x3e7 purge


you delete all cached tickets of the system account and force it to request new ones, carrying the updated group membership, without rebooting at all:

[Screenshot: klist output for the system account after the purge]

The important part of this command is the -li parameter, which selects a logon session by the low part of its logon ID (LUID), given in hex. The system account's logon session has the well-known LUID 0x3e7 (999). Two things to keep in mind: you must run klist from an elevated prompt, because purging another logon session's ticket cache requires administrator rights; and services running as Network Service (LUID 0x3e4) also authenticate on the network as the computer account but have their own ticket cache, so purge that session too if such a service needs the new membership. The purge only affects Kerberos tickets used for network authentication; it does not change the local access token of already running processes.
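The procedure above, as an added PowerShell example (this is not code from the original post): it checks for elevation, records the cached tickets of the logon sessions that authenticate as the computer account, purges them, and optionally triggers a new ticket request. It assumes an elevated PowerShell on a domain-joined Windows host with the built-in klist.exe; the function names, the hashtable of well-known LUIDs and the -Trigger switch are this example's own.

```powershell
# Added example, not code from the original post: list, purge and re-check the
# Kerberos ticket cache of the logon sessions that authenticate as the computer
# account. Assumes an elevated PowerShell on a domain-joined host with klist.exe.
# Function names and the -Trigger switch are this example's own.

# Well-known logon-session LUIDs (low part, as klist -li expects them).
# LocalService is listed for completeness only: it authenticates anonymously
# on the network, so purging its cache does not help with the computer account.
$WellKnownLogonIds = @{
    System         = '0x3e7'   # 999, runs as the computer account
    NetworkService = '0x3e4'   # 996, also runs as the computer account
    LocalService   = '0x3e5'   # 997, anonymous on the network
}

function Test-IsElevated {
    # klist can only touch another logon session's cache from an elevated prompt.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-SessionTicketCache {
    param([Parameter(Mandatory)][string]$LogonId)
    $raw = & klist.exe -li $LogonId tickets 2>&1 | ForEach-Object { "$_" }
    # klist prints "Cached Tickets: (N)" followed by one "#n>" block per ticket,
    # each with a "Server:" line naming the service the ticket is for.
    $count = 0
    if (($raw -join "`n") -match 'Cached Tickets:\s*\((\d+)\)') {
        $count = [int]$Matches[1]
    }
    $servers = $raw | ForEach-Object {
        if ($_ -match '^\s*Server:\s*(.+)$') { $Matches[1].Trim() }
    }
    [pscustomobject]@{ LogonId = $LogonId; Count = $count; Servers = @($servers) }
}

function Reset-ComputerAccountTickets {
    [CmdletBinding()]
    param(
        # SYSTEM and Network Service both authenticate as the computer account.
        [string[]]$LogonId = @($WellKnownLogonIds.System, $WellKnownLogonIds.NetworkService),
        [switch]$Trigger   # also force a fresh ticket request after the purge
    )
    if (-not (Test-IsElevated)) {
        throw 'Run from an elevated prompt: purging another logon session needs administrator rights.'
    }
    foreach ($id in $LogonId) {
        $before = Get-SessionTicketCache -LogonId $id
        & klist.exe -li $id purge | Out-Null
        $after  = Get-SessionTicketCache -LogonId $id
        [pscustomobject]@{
            LogonId       = $id
            TicketsBefore = $before.Count
            TicketsAfter  = $after.Count          # expected 0 right after the purge
            ServersBefore = ($before.Servers -join ', ')
        }
    }
    if ($Trigger) {
        # The Group Policy client runs as SYSTEM and contacts the DC with the
        # computer account, so a policy refresh makes LSA request new tickets
        # whose PAC reflects the current group membership.
        & gpupdate.exe /target:computer /force | Out-Null
        Get-SessionTicketCache -LogonId $WellKnownLogonIds.System
    }
}

# Usage (elevated):
#   Reset-ComputerAccountTickets
#   Reset-ComputerAccountTickets -Trigger
```

The -Trigger switch is a convenience: without it the system account simply requests new tickets the next time it contacts a domain service, which is exactly what the purge on its own achieves. Run Get-SessionTicketCache -LogonId 0x3e7 afterwards and compare the ticket start times to confirm the tickets were reissued.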