[Samba] Winbind group membership not updating

Malte zu Klampen malte.zuklampen at ifg.uni-kiel.de
Mon Sep 25 13:16:54 UTC 2017

We are currently in the process of replacing some of our file servers 
with Active Directory joined Samba servers. However, during testing we 
have noticed behaviour that has caught us off guard.

Changes in user group membership in AD do not show up on our file 
servers. Specifically, changing a user's groups in AD won't affect group 
membership on the Samba server once the user has authenticated. Even 
killing their processes won't.

This is a problem, as once a client has established a connection to a 
share, it will keep access to the share even if group membership has 
long since been revoked.

It is my understanding that group membership is updated at 
authentication time and cached forever. Is there a way around this?

With "winbind cache time = 10" changes in group membership show up in 
`id` quickly _only_ as long as the user in question has no active 
session. Once they show up in `net status sessions` group membership 
sticks forever.

I am experiencing this behaviour with 4.5.8-Debian, but looking through 
the bugs this seems to be a recurring theme in all versions. Are there 
good workarounds?

         obey pam restrictions = yes

         netbios name = redacted
         workgroup = REDACTED
         security = ADS
         realm = REDACTED.DE
         log level = 0
         usershare max shares = 0
         usershare path = /dev/null

         vfs objects = acl_xattr
         map acl inherit = Yes
         store dos attributes = Yes
         inherit permissions = yes

         idmap config *:backend = tdb
         idmap config *:range = 1000 - 99999
         idmap config REDACTED:backend = rid
         idmap config REDACTED:range = 100000 - 500000
         template shell = /bin/bash
         template homedir = /home/%D/%U

         load printers = no
         printcap name = /dev/null

         winbind trusted domains only = no
         winbind use default domain = yes
         winbind enum users  = no
         winbind enum groups = no
         winbind refresh tickets = Yes
         winbind cache time = 10
         winbind offline Logon = true
         winbind expand groups = 3

Malte zu Klampen / PC-Labor / Institut für Geowissenschaften
CAU zu Kiel / Otto-Hahn-Platz 5, D-24118 Kiel
Tel.   +49 431 880-3904
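An added audit helper for the situation the post describes (not code from the post or from the Samba project): it lists who currently holds an SMB session, whose token was fixed at logon, next to the groups winbind would give a new logon now. It assumes `net status sessions parseable` prints one `pid\username\group\machine\address` line per session with bare usernames (as the posted `winbind use default domain = yes` gives); the session lines in the block are constructed.

```shell
#!/bin/sh
# Added audit helper (not from the post or the Samba project) for the behaviour
# described above: an SMB session's token is built at session setup, so AD group
# changes do not reach that session until the client reconnects. This shows who
# holds a session right now and which groups winbind would hand a *new* session.
#
# Assumed: `net status sessions parseable` prints one line per session as
#   pid\username\group\machine\address
# with bare usernames, as "winbind use default domain = yes" in the posted
# smb.conf gives. Field 2 is therefore the username.

# Distinct usernames from parseable session output read on stdin.
session_users() {
    cut -d'\' -f2 | sed '/^$/d' | sort -u
}

# Exit 0 if user $1 holds at least one session in the output read on stdin.
user_has_session() {
    session_users | grep -qxF -- "$1"
}

# Groups winbind resolves for $1 at this moment (what a fresh logon would get);
# "winbind cache time" bounds how stale this answer is, the session token is not.
current_groups() {
    id -Gn "$1" 2>/dev/null
}

# Run against the live server: each listed user keeps the token from logon, so
# a revoked group still applies to their open shares until they reconnect.
report_stale_tokens() {
    net status sessions parseable | session_users | while read -r user; do
        printf '%-16s session open; groups a new logon would get: %s\n' \
            "$user" "$(current_groups "$user")"
    done
}

# Constructed sample output, used only for the offline demo (sh script.sh --demo).
SAMPLE_SESSIONS='1234\alice\domain users\ws01\ipv4:10.0.0.5:49152
1235\bob\domain users\ws02\ipv4:10.0.0.6:49153
1240\alice\domain users\ws03\ipv4:10.0.0.7:49154'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SESSIONS" | session_users
fi
```

On a live server, source the script and call `report_stale_tokens` after changing a user's AD groups; anyone listed still carries the old token until their client reconnects.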
