[Samba] winbind not resolving group membership changes
Rob VanFleet
rob.vanfleet at wku.edu
Fri Oct 9 09:22:47 MDT 2009
I'm using Samba 3.0.33 (RHEL 5) to connect to a Windows 2008 active
directory server. I am restricting SSH logins to a particular AD group.
The users allowed to login will change frequently, so it's important
to me that their group membership is updated when their access to this
server is granted or revoked. The problem that I keep running into is
that group membership on the Samba machine doesn't seem to sync up with
the Windows DC until a user authenticates.
Essentially, if I remove a user from the login group in AD, they will
still be able to log in to the Samba box once, then their group
membership will be updated. Conversely, if they are added to the login
group (and the Samba box has "seen" their user before - it doesn't seem
to happen with new users) they will not appear to be in that group from
the Samba box's perspective until they have been authenticated - in that
case, it often requires a wbinfo --authenticate username%password, since
their SSH login attempts will fail due to them appearing to be not in
the login group. Once that is done, groups USERNAME will report
accurate group membership.
I've tried adjusting the winbind cache time, to the point of disabling
it in the init script, but I haven't had any success updating a group
membership short of authenticating the user. I was originally using the
AllowGroups directive in sshd_config, and I switched that to using
pam_succeed_if.so user ingroup in /etc/pam.d/system-auth, with the same
result.
Here's what I have in smb.conf:
[global]
workgroup = AD
password server = AD.WKU.EDU
realm = AD.WKU.EDU
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /usr/bin/rssh
winbind use default domain = yes
winbind offline logon = false
winbind nested groups = yes
winbind enum groups = yes
winbind enum users = no
template homedir = /var/www/html
winbind cache time = 1
passdb backend = tdbsam
nsswitch.conf:
passwd: winbind files
shadow: winbind files
group: winbind files
I did some googling for this problem, and found a few instances that
sounded similar, but I didn't see any solutions. Thanks in advance for
any assistance you might be able to provide.
Rob
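The script below is an added example, not part of Rob's post or of Samba itself. It checks the same thing sshd's AllowGroups and pam_succeed_if "user ingroup" check: the group list that NSS (the "winbind files" line in nsswitch.conf) returns for a user, via `id -nG`. It matches group names as whole words so a group such as "ssh-allowed-admins" is never mistaken for "ssh-allowed", and if the user is not in the group it clears winbind's cache with `net cache flush` and re-checks, reporting whether the flush changed the answer. The user "rob" and group "ssh-allowed" are placeholders, and whether a cache flush is enough to pick up a membership change in this setup is an assumption the post does not settle; the script is written so you can see which step, if any, made the difference.

```shell
#!/bin/sh
# Added example (not from the original post or from Samba).
# Reports whether the group list NSS hands to sshd/PAM for a user contains
# the AD login group, and whether flushing winbind's cache changes that.
# "rob" and "ssh-allowed" below are placeholder names.

# in_group GROUPLIST GROUP
# GROUPLIST is the space-separated output of `id -nG USER`. Exact word
# match, so "ssh-allowed" does not match "ssh-allowed-admins".
in_group() {
    _list=$1
    _grp=$2
    for _g in $_list; do
        if [ "$_g" = "$_grp" ]; then
            return 0
        fi
    done
    return 1
}

# nss_groups USER
# The group list as NSS resolves it, i.e. what AllowGroups and
# pam_succeed_if see. With "winbind use default domain = yes" the names
# carry no DOMAIN\ prefix.
nss_groups() {
    id -nG "$1" 2>/dev/null
}

# check_access USER GROUP: exit 0 if this box currently thinks USER is
# allowed in, 1 otherwise.
check_access() {
    in_group "$(nss_groups "$1")" "$2"
}

# recheck_after_flush USER GROUP: clear winbind's cache with
# `net cache flush` (needs root), then evaluate again. Assumption: the
# flush is the first thing worth trying; the output tells you if it helped.
recheck_after_flush() {
    net cache flush >/dev/null 2>&1
    check_access "$1" "$2"
}

# Command-line use: ./winbind-group-check.sh rob ssh-allowed
if [ "$#" -eq 2 ]; then
    if check_access "$1" "$2"; then
        echo "$1 is in $2 (per NSS)"
    elif recheck_after_flush "$1" "$2"; then
        echo "$1 is in $2 only after net cache flush (cache was stale)"
    else
        echo "$1 is NOT in $2 (per NSS, even after net cache flush)"
        exit 1
    fi
fi
```

Run it as root right after changing the user's membership on the DC, before the user tries to authenticate; if the first line it prints is the "only after net cache flush" one, the stale entry lived in a cache that `net cache flush` clears, and if it still reports NOT in the group, the membership is being held somewhere that the flush does not touch and the next step is to look at winbindd itself.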