[Samba] Winbind group membership not updating
Rowland Penny
rpenny at samba.org
Mon Sep 25 13:52:47 UTC 2017
On Mon, 25 Sep 2017 15:16:54 +0200
Malte zu Klampen via samba <samba at lists.samba.org> wrote:
> We are currently in the process of replacing some of our file servers
> with Active Directory joined Samba servers. However, during testing
> we have noticed behaviour that has caught us off guard.
>
> Changes in user group membership in AD do not show up on our file
> servers. Specifically, changing a user's groups in AD won't affect
> group membership on the Samba server once the user has authenticated.
> Even killing their processes won't.
>
> This is a problem, as once a client has established a connection to a
> share, it will keep access to the share even if group membership has
> long since been revoked.
>
> It is my understanding that group membership is updated at
> authentication time and cached forever. Is there a way around this?
>
> With "winbind cache time = 10" changes in group membership show up in
> `id` quickly _only_ as long as the user in question has no active
> session. Once they show up in `net status sessions` group membership
> sticks forever.
>
>
> I am experiencing this behaviour with 4.5.8-Debian, but looking
> through the bugs this seems to be a recurring theme in all versions.
> Are there good workarounds?
>
Try removing 'winbind offline Logon = true'; you should only need this
on a laptop or similar.
Rowland