[Samba] winbind cache seems to change the group membership of a user

[Josef Meile]

Hi,

I'm using the "ChrootDirectory" option for the sshd daemon to jail my ssh
users. Additionally, I'm using the "Match group" option to only jail people
belonging to a specific active directory group. Here are the relevant lines
of the sshd_config file:

LogLevel Debug3
Subsystem sftp internal-sftp
Match group sftpusers
	ChrootDirectory /my/chroot/home
	ForceCommand internal-sftp

sftpusers is an active directory group.

I logged me in with a user belonging to that group. The first time, the user
will only see the home directories of the other jailed users, so, the real
root path won't be showed. However, if I log a second time, I will see that
I'm in "/my/chroot/home" and thus, I will be able to go to the real root.
After looking at the auth.log file, I saw that the second time that the user
logged in, this is shown:

debug 1: user testuser does not match group list sftpusers at line 86

So, it seems that the group membership is changed in the winbind cache.
Adding this line into my smb.conf file solved the problem only if I login
one second later:

Winbind cache time = 1

I really don't like this since I have some accounts, which are shared by two
users, so, if they login at the same time, one of them will see the real
root. Setting winbind to zero, just causes that the user can't login.

I also tried to create a local unix group called sftpusers and map the
domain group to the linux one, but it also don't work.

The only way I found to solve it was to match users instead of groups into
the sshd_config file; however, this isn't the best way of solve it if you
have several servers where you use the same setup.

Is this is some kind of bug? Or is there any other way of solving it?

Best regards
Josef