[Samba] Winbind group membership not updating

[Malte zu Klampen]

On 25/09/17 15:52, Rowland Penny via samba wrote:
> On Mon, 25 Sep 2017 15:16:54 +0200
> Malte zu Klampen via samba <samba at lists.samba.org> wrote:
> 
>> We are currently in the process of replacing some of our file servers
>> with Active Directory joined Samba servers. However, during testing
>> we have noticed behaviour that has caught us off guard.
>>
>> Changes in user group membership in AD do not show up on our file
>> servers. Specifically, changing a user's groups in AD won't affect
>> group membership on the Samba server once the user has authenticated.
>> Even killing their processes won't.
>>
>> This is a problem, as once a client has established a connection to a
>> share, it will keep access to the share even if group membership has
>> long since been revoked.
>>
>> It is my understanding that group membership is updated at
>> authentication time and cached forever. Is there a way around this?
>>
>> With "winbind cache time = 10" changes in group membership show up in
>> `id` quickly _only_ as long as the user in question has no active
>> session. Once they show up in `net status sessions` group membership
>> sticks forever.
>>
>>
>> I am experiencing this behaviour with 4.5.8-Debian, but looking
>> through the bugs this seems to be a recurring theme in all versions.
>> Are there good workarounds?
>>
> 
> Try removing 'winbind offline Logon = true', you should only need this
> on a laptop or similar.
> 
> Rowland
> 

No dice, sadly. The only way to reliably have Samba recognise the change 
in groups is to try to establish a session from a different computer, 
which forces authentication.

As long es the user remains logged in on their client, they keep access 
to shares even though their access has been revoked and their session 
killed on the server. The client immediately reestablishes a connection 
to the share and carries on.