[Samba] Winbind group membership not updating
Malte zu Klampen
malte.zuklampen at ifg.uni-kiel.de
Mon Sep 25 13:16:54 UTC 2017
We are currently in the process of replacing some of our file servers
with Active Directory joined Samba servers. However, during testing we
have noticed behaviour that has caught us off guard.

Changes in user group membership in AD do not show up on our file
servers. Specifically, changing a user's groups in AD won't affect group
membership on the Samba server once the user has authenticated. Even
killing their processes won't.

This is a problem, as once a client has established a connection to a
share, it will keep access to the share even if group membership has
long since been revoked.

It is my understanding that group membership is updated at
authentication time and cached forever. Is there a way around this?

With "winbind cache time = 10" changes in group membership show up in
`id` quickly _only_ as long as the user in question has no active
session. Once they show up in `net status sessions` group membership
sticks forever.

I am experiencing this behaviour with 4.5.8-Debian, but looking through
the bugs this seems to be a recurring theme in all versions. Are there
good workarounds?

[global]
obey pam restrictions = yes
netbios name = redacted
workgroup = REDACTED
security = ADS
realm = REDACTED.DE
log level = 0
usershare max shares = 0
usershare path = /dev/null
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
inherit permissions = yes
idmap config *:backend = tdb
idmap config *:range = 1000 - 99999
idmap config REDACTED:backend = rid
idmap config REDACTED:range = 100000 - 500000
template shell = /bin/bash
template homedir = /home/%D/%U
load printers = no
printcap name = /dev/null
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = no
winbind enum groups = no
winbind refresh tickets = Yes
winbind cache time = 10
winbind offline Logon = true
winbind expand groups = 3
--
Malte zu Klampen / PC-Labor / Institut für Geowissenschaften
CAU zu Kiel / Otto-Hahn-Platz 5, D-24118 Kiel
Tel. +49 431 880-3904
:wq!
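
An audit for the situation described in the message, as an added example that is not part of the original post: it lists active sessions whose user is no longer in the group that grants access to a share. The field layout of `net status sessions parseable` (pid\username\group\machine\hostname) and the member set read directly from AD are assumptions, and all sample data is constructed.

```python
"""Flag SMB sessions whose user has since lost a required AD group."""

# Constructed sample of `net status sessions parseable` output.
# Assumed field layout: pid\username\group\machine\hostname
SAMPLE_SESSIONS = r"""
2211\alice\domain users\ws-01\10.0.0.11
2240\bob\domain users\ws-02\10.0.0.12
2305\carol\domain users\ws-03\10.0.0.13
garbage line without enough fields
"""

# Constructed: members of the share's access group as read from AD itself
# (assumption: not taken from winbind, whose view the message reports as stale).
CURRENT_MEMBERS = {"alice", "carol"}


def parse_sessions(text):
    """Return (sessions, rejected) from parseable session output."""
    sessions, rejected = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split("\\")
        # Exactly five fields expected; a DOMAIN\user name would add a
        # sixth, so such lines are reported instead of being misread.
        if len(fields) != 5 or not fields[0].isdigit():
            rejected.append(line)
            continue
        pid, user, group, machine, host = fields
        sessions.append({"pid": int(pid), "user": user.lower(),
                         "group": group, "machine": machine, "host": host})
    return sessions, rejected


def stale_sessions(sessions, current_members):
    """Sessions whose user is no longer in the authoritative member set."""
    members = {m.lower() for m in current_members}
    return [s for s in sessions if s["user"] not in members]


if __name__ == "__main__":
    parsed, bad = parse_sessions(SAMPLE_SESSIONS)
    for s in stale_sessions(parsed, CURRENT_MEMBERS):
        print(f"stale: pid={s['pid']} user={s['user']} from {s['machine']} ({s['host']})")
    for line in bad:
        print(f"unparsed: {line}")
```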