[Samba] Winbind group membership not updating
Malte zu Klampen
malte.zuklampen at ifg.uni-kiel.de
Mon Sep 25 14:32:19 UTC 2017
On 25/09/17 15:52, Rowland Penny via samba wrote:
> On Mon, 25 Sep 2017 15:16:54 +0200
> Malte zu Klampen via samba <samba at lists.samba.org> wrote:
>> We are currently in the process of replacing some of our file servers
>> with Active Directory joined Samba servers. However, during testing
>> we have noticed behaviour that has caught us off guard.
>> Changes in user group membership in AD do not show up on our file
>> servers. Specifically, changing a user's groups in AD won't affect
>> group membership on the Samba server once the user has authenticated.
>> Even killing their processes won't.
>> This is a problem, as once a client has established a connection to a
>> share, it will keep access to the share even if group membership has
>> long since been revoked.
>> It is my understanding that group membership is updated at
>> authentication time and cached forever. Is there a way around this?
>> With "winbind cache time = 10" changes in group membership show up in
>> `id` quickly _only_ as long as the user in question has no active
>> session. Once they show up in `net status sessions` group membership
>> sticks forever.
>> I am experiencing this behaviour with 4.5.8-Debian, but looking
>> through the bugs this seems to be a recurring theme in all versions.
>> Are there good workarounds?
> Try removing 'winbind offline Logon = true', you should only need this
> on a laptop or similar.
No dice, sadly. The only way to reliably have Samba recognise the change
in groups is to try to establish a session from a different computer,
which forces authentication.
As long as the user remains logged in on their client, they keep access
to shares even though their access has been revoked and their session
killed on the server. The client immediately reestablishes a connection
to the share and carries on.