[Samba] Winbind group membership not updating

Malte zu Klampen malte.zuklampen at ifg.uni-kiel.de
Tue Sep 26 09:16:46 UTC 2017


Hej,

There are no Linux users (above 1000 that is), and there never will be.

net cache flush does absolutely nothing.

I've already suspected that the version might be at fault and checked 
4.7.0 with the same result.

I suspect the problem is not a bug per se, but an architectural problem 
with how sessions are constructed. As far as I can tell, group 
membership is resolved once at the start of the session, and never 
updated (or the session terminated and the client forced to re-auth) 
until the client logs off.

But even if I kill their session, it immediately respawns with outdated 
groups.

Here's what I'm doing:

Create a share that requires a specific group
Add user to group
Log in user on Windows client, connect to share
Remove user from group
Log in user on a different Windows client, try to connect to the share

What happens:

The share remains accessible from the first client
User gets denied on the second client

Even if I kill the session on the server, it is immediately respawned. I 
simply cannot keep them from accessing the share from the first client 
unless they log off.

How do I work around this? I can't hound people I (automatically, I 
might add) remove from groups to log off. I can accept a delay, but at 
some point after losing group membership they should get booted off the 
server automatically.



On 25/09/17 16:50, L.P.H. van Belle via samba wrote:
> Hai,
> 
> Now you have overlapping IDs.
> idmap config *:range =          1000 -  99999
> 
> I suggest, leave some room for your "linux users"
> Like : idmap config *:range =          2000 -  99999
> 
> In addition, also, run : net cache flush
> And run :
> systemctl stop winbind
> sleep 1
> systemctl start winbind
> 
> Then..  what does:  id Administrator
> tell you now?
> And id someOtheruser?
> 
> Now please note also, you're using 4.5.8 from Debian.
> I don't know how many winbind fixes they also picked up from Samba, but 4.5.8 can be tricky.
> I suggest, have a good look at the winbind Debian bugs and the Samba changelog, 4.5.9 for example.
> 
> You have a few options.
> 1) Compile samba yourself. (then I suggest moving to 4.6.8)
> 2) Use Debian buster, but I don't advise that, you may end up with a broken system.
> 3) Build your own package, which can be hard.
> 4) Use my packages.  (4.5.14 and 4.6.8 for stretch) (http://apt.van-belle.nl)
> You choose. I suggest going for 4.6.8, but if you don't like the config change at this point, use 4.5.14.
> 
> 
> Greetz,
> 
> Louis
> 
> 
> 
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Malte zu Klampen via samba
>> Sent: Monday, 25 September 2017 15:17
>> To: samba at lists.samba.org
>> Subject: [Samba] Winbind group membership not updating
>>
>> We are currently in the process of replacing some of our file
>> servers with Active Directory joined Samba servers. However,
>> during testing we have noticed behaviour that has caught us off guard.
>>
>> Changes in user group membership in AD do not show up on our
>> file servers. Specifically, changing a user's groups in AD
>> won't affect group membership on the Samba server once the
>> user has authenticated. Even killing their processes won't.
>>
>> This is a problem, as once a client has established a
>> connection to a share, it will keep access to the share even
>> if group membership has long since been revoked.
>>
>> It is my understanding that group membership is updated at
>> authentication time and cached forever. Is there a way around this?
>>
>> With "winbind cache time = 10" changes in group membership
>> show up in `id` quickly _only_ as long as the user in
>> question has no active session. Once they show up in `net
>> status sessions` group membership sticks forever.
>>
>>
>> I am experiencing this behaviour with 4.5.8-Debian, but
>> looking through the bugs this seems to be a recurring theme
>> in all versions. Are there good workarounds?
>>
>>
>>
>> [global]
>>           obey pam restrictions = yes
>>
>>           netbios name = redacted
>>           workgroup = REDACTED
>>           security = ADS
>>           realm = REDACTED.DE
>>           log level = 0
>>           usershare max shares = 0
>>           usershare path = /dev/null
>>
>>           vfs objects = acl_xattr
>>           map acl inherit = Yes
>>           store dos attributes = Yes
>>           inherit permissions = yes
>>
>>           idmap config *:backend = tdb
>>           idmap config *:range =          1000 -  99999
>>           idmap config REDACTED:backend = rid
>>           idmap config REDACTED:range = 100000 - 500000
>>           template shell = /bin/bash
>>           template homedir = /home/%D/%U
>>
>>           load printers = no
>>           printcap name = /dev/null
>>
>>           winbind trusted domains only = no
>>           winbind use default domain = yes
>>           winbind enum users  = no
>>           winbind enum groups = no
>>           winbind refresh tickets = Yes
>>           winbind cache time = 10
>>           winbind offline Logon = true
>>           winbind expand groups = 3
>>
>>
>>
>> --
>> Malte zu Klampen / PC-Labor / Institut für Geowissenschaften
>> CAU zu Kiel / Otto-Hahn-Platz 5, D-24118 Kiel
>> Tel.   +49 431 880-3904
>> :wq!
>>
> 
> 
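The overlapping-range point Louis raises above (the wildcard `idmap config *:range` starting at 1000, where Debian also allocates local Linux accounts) is easy to miss when reading an smb.conf by eye. The following is an added example, not code from this thread or from the Samba project: a small Python checker that parses the `idmap config X:range` lines from an smb.conf, and reports ranges that are inverted, that overlap each other, or that overlap a UID/GID span reserved for local accounts. The sample configuration is constructed from the `[global]` section quoted in the thread; the reserved local span of 1000-1999 is an assumption that mirrors Louis's suggestion to start the wildcard range at 2000.

```python
"""Check smb.conf idmap ranges for overlaps.

Added example; not Samba code. The local-account reservation is an
assumption (Debian creates ordinary users from UID 1000 upwards).
"""
import re
from typing import Dict, List, Tuple

Range = Tuple[int, int]

# Constructed sample: the idmap lines from the [global] section quoted in
# the thread. The wildcard range starts at 1000, the same value Debian
# uses for the first locally created user.
SMB_CONF_ORIGINAL = """
[global]
          idmap config *:backend = tdb
          idmap config *:range =          1000 -  99999
          idmap config REDACTED:backend = rid
          idmap config REDACTED:range = 100000 - 500000
"""

# The same configuration with the suggested change applied: the wildcard
# range now starts at 2000, leaving 1000-1999 for local accounts.
SMB_CONF_FIXED = SMB_CONF_ORIGINAL.replace("1000 -  99999", "2000 -  99999")

# Matches "idmap config <domain>:range = <low> - <high>" with any spacing.
IDMAP_RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<domain>\S+?)\s*:\s*range\s*=\s*"
    r"(?P<low>\d+)\s*-\s*(?P<high>\d+)\s*$",
    re.IGNORECASE,
)


def parse_idmap_ranges(conf: str) -> Dict[str, Range]:
    """Return {domain: (low, high)} for every idmap range line in conf."""
    ranges: Dict[str, Range] = {}
    for line in conf.splitlines():
        m = IDMAP_RANGE_RE.match(line)
        if m:
            ranges[m.group("domain")] = (int(m.group("low")), int(m.group("high")))
    return ranges


def overlaps(a: Range, b: Range) -> bool:
    """True if the two inclusive integer ranges share at least one value."""
    return a[0] <= b[1] and b[0] <= a[1]


def check_idmap_ranges(conf: str, local_accounts: Range = (1000, 1999)) -> List[str]:
    """Return human-readable problems found in the idmap ranges of conf.

    Reported: inverted ranges, ranges colliding with the span reserved for
    local accounts (assumed default 1000-1999), and idmap ranges that
    collide with each other (the wildcard backend and a domain backend
    must never hand out the same IDs).
    """
    ranges = parse_idmap_ranges(conf)
    problems: List[str] = []
    for dom, (low, high) in ranges.items():
        if low > high:
            problems.append(f"{dom}: range {low}-{high} is inverted")
        if overlaps((low, high), local_accounts):
            problems.append(
                f"{dom}: range {low}-{high} overlaps local accounts "
                f"{local_accounts[0]}-{local_accounts[1]}"
            )
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if overlaps(ranges[a], ranges[b]):
                problems.append(f"{a} and {b}: ranges overlap")
    return problems


if __name__ == "__main__":
    for label, conf in (("original", SMB_CONF_ORIGINAL), ("fixed", SMB_CONF_FIXED)):
        found = check_idmap_ranges(conf)
        print(f"{label}: {found if found else 'no idmap range problems'}")
```

Run against the quoted configuration the checker flags only the wildcard range; with the first value moved to 2000 it reports nothing. Feeding it a real `/etc/samba/smb.conf` is a quick pre-join sanity check, and the `local_accounts` span should be set to whatever `UID_MIN`/`UID_MAX` in `/etc/login.defs` say on the host in question.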