[Samba] Winbind group membership not updating
L.P.H. van Belle
belle at bazuin.nl
Mon Sep 25 14:50:30 UTC 2017
Now you have overlapping IDs.
idmap config *:range = 1000 - 99999
I suggest leaving some room for your "linux users",
like: idmap config *:range = 2000 - 99999
In addition, also run: net cache flush
And run:
systemctl stop winbind
systemctl start winbind
Then.. what does: id Administrator
tell you now?
And id someOtherUser?
Now please note also, you're using 4.5.8 from Debian.
I don't know how many winbind fixes they also picked up from samba, but 4.5.8 can be tricky.
I suggest having a good look at the winbind Debian bugs and the samba changelog for 4.5.9, for example.
You have a few options.
1) Compile samba yourself. (Then I suggest moving to 4.6.8.)
2) Use Debian buster, but I don't advise that; you may end up with a broken system.
3) Build your own package, which can be hard.
4) Use my packages. (4.5.14 and 4.6.8 for stretch) (http://apt.van-belle.nl)
You choose. I suggest going for 4.6.8, but if you don't like the config change at this point, use 4.5.14.
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
> Malte zu Klampen via samba
> Sent: Monday 25 September 2017 15:17
> To: samba at lists.samba.org
> Subject: [Samba] Winbind group membership not updating
> We are currently in the process of replacing some of our file
> servers with Active Directory joined Samba servers. However,
> during testing we have noticed behaviour that has caught us off guard.
> Changes in user group membership in AD do not show up on our
> file servers. Specifically, changing a user's groups in AD
> won't affect group membership on the Samba server once the
> user has authenticated. Even killing their processes won't.
> This is a problem, as once a client has established a
> connection to a share, it will keep access to the share even
> if group membership has long since been revoked.
> It is my understanding that group membership is updated at
> authentication time and cached forever. Is there a way around this?
> With "winbind cache time = 10" changes in group membership
> show up in `id` quickly _only_ as long as the user in
> question has no active session. Once they show up in `net
> status sessions` group membership sticks forever.
> I am experiencing this behaviour with 4.5.8-Debian, but
> looking through the bugs this seems to be a recurring theme
> in all versions. Are there good workarounds?
> obey pam restrictions = yes
> netbios name = redacted
> workgroup = REDACTED
> security = ADS
> realm = REDACTED.DE
> log level = 0
> usershare max shares = 0
> usershare path = /dev/null
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
> inherit permissions = yes
> idmap config *:backend = tdb
> idmap config *:range = 1000 - 99999
> idmap config REDACTED:backend = rid
> idmap config REDACTED:range = 100000 - 500000
> template shell = /bin/bash
> template homedir = /home/%D/%U
> load printers = no
> printcap name = /dev/null
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = no
> winbind enum groups = no
> winbind refresh tickets = Yes
> winbind cache time = 10
> winbind offline Logon = true
> winbind expand groups = 3
> Malte zu Klampen / PC-Labor / Institut für Geowissenschaften
> CAU zu Kiel / Otto-Hahn-Platz 5, D-24118 Kiel
> Tel. +49 431 880-3904
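As an added check (example code written for this page, not from the thread or from Samba), the script below parses the idmap ranges out of a constructed smb.conf fragment copied from the quoted config and reports both overlapping idmap ranges and local UIDs that fall inside the "*" range, which is the overlap the reply points at. The file paths and the sample passwd entry (a local user at UID 1000) are assumptions.

```shell
#!/bin/sh
# Added example: sanity-check the idmap ranges in an smb.conf.
# It flags (a) idmap ranges that overlap each other and (b) local passwd UIDs
# that fall inside the default (*) range.

# Constructed smb.conf fragment mirroring the thread's settings; path is a placeholder.
SMB_CONF="${SMB_CONF:-/tmp/idmap-check-smb.conf}"
cat > "$SMB_CONF" <<'EOF'
idmap config *:backend = tdb
idmap config *:range = 1000 - 99999
idmap config REDACTED:backend = rid
idmap config REDACTED:range = 100000 - 500000
EOF

# Constructed passwd sample: a local Linux user at UID 1000, the usual first local account.
PASSWD="${PASSWD:-/tmp/idmap-check-passwd}"
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF

# Print one "domain low high" line per "idmap config DOMAIN:range = low - high" entry.
idmap_ranges() {
  sed -n 's/^[[:space:]]*idmap config[[:space:]]*\([^:]*\):range[[:space:]]*=[[:space:]]*\([0-9]*\)[[:space:]]*-[[:space:]]*\([0-9]*\).*/\1 \2 \3/p' "$1"
}

# Return 0 if every idmap range is disjoint from all the others, 1 (and a report) otherwise.
ranges_disjoint() {
  idmap_ranges "$1" | awk '
    { n++; d[n] = $1; lo[n] = $2; hi[n] = $3 }
    END {
      bad = 0
      for (i = 1; i <= n; i++) for (j = i + 1; j <= n; j++)
        if (lo[i] <= hi[j] && lo[j] <= hi[i]) { bad = 1; printf "overlap: %s and %s\n", d[i], d[j] }
      exit bad
    }'
}

# Return 0 if no local UID in the passwd file lies inside the "*" range, 1 (and a report) otherwise.
local_uids_clear() {
  conf=$1; passwd=$2
  set -- $(idmap_ranges "$conf" | awk '$1 == "*" { print $2, $3 }')
  awk -F: -v lo="$1" -v hi="$2" '
    $3 >= lo && $3 <= hi { printf "local UID %s (%s) inside * range %s-%s\n", $3, $1, lo, hi; bad = 1 }
    END { exit bad + 0 }' "$passwd"
}

# Stand-alone run: the thread's config passes the overlap check but trips the local-UID check.
ranges_disjoint "$SMB_CONF" && echo "idmap ranges are disjoint"
local_uids_clear "$SMB_CONF" "$PASSWD" || echo "raise the * range low end (e.g. 2000 - 99999) as the reply suggests"
```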