[Samba] Winbind group membership not updating

Rowland Penny rpenny at samba.org
Tue Sep 26 09:53:04 UTC 2017


On Tue, 26 Sep 2017 11:16:46 +0200
Malte zu Klampen via samba <samba at lists.samba.org> wrote:

> Hej,
> 
> There are no Linux users (above 1000 that is), and there never will
> be.
> 
> net cache flush does absolutely nothing.
> 
> I've already suspected that the version might be at fault and checked 
> 4.7.0 with the same result.
> 
> I suspect the problem is not a bug per se, but an architectural
> problem with how sessions are constructed. As far as I can tell,
> group membership is resolved once at the start of the session, and
> never updated (or the session terminated and the client forced to
> re-auth) until the client logs off.
> 
> But even if I kill their session, it immediately respawns with
> outdated groups.
> 
> Here's what I'm doing:
> 
> Create a share that requires a specific group
> Add user to group
> Log in user on Windows client, connect to share
> Remove user from group
> Log in user on a different Windows client, try to connect to the share
> 
> What happens:
> 
> The share remains accessible from the first client
> User gets denied on the second client
> 
> Even if I kill the session on the server, it is immediately
> respawned. I simply cannot keep them from accessing the share from
> the first client unless they log off.
> 
> How do I work around this? I can't hound people I (automatically, I 
> might add) remove from groups to log off. I can accept a delay, but
> at some point after losing group membership they should get booted
> off the server automatically.
> 
> 

I don't think you can work around this. I am fairly sure that if you
try this against a Windows server, you would get the same result:
unless the user logs out, they will still think they are members of
the group and will get access.

Rowland 
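
The behaviour discussed in this thread leaves sessions connected after the group membership that authorised them is gone. The following is an added example, not part of the original messages and not Samba code, that flags such sessions for review. It assumes the share is restricted with "valid users = @group" (the thread does not say how), and the smb.conf fragment, group data and session records are all constructed sample input.

```python
import configparser

# Constructed smb.conf fragment. Assumption: the share is restricted with
# "valid users = @group"; only comma-separated names and "@" groups are handled.
SMB_CONF = """
[global]
workgroup = EXAMPLE
[projects]
path = /srv/projects
valid users = @proj-team, admin1
[public]
path = /srv/public
"""
# Constructed directory state: who is in each group right now.
CURRENT_GROUPS = {"proj-team": {"bob"}}
# Constructed session records (pid, user, share, client), standing in for
# whatever session listing the server provides.
SESSIONS = [
    (4101, "alice", "projects", "pc-01"),  # connected before removal from group
    (4102, "bob", "projects", "pc-02"),
    (4103, "admin1", "projects", "pc-03"),
    (4104, "alice", "public", "pc-01"),
]

def share_acl(conf_text):
    """Return {share: (allowed_users, allowed_groups)} for restricted shares."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    acl = {}
    for share in cp.sections():
        raw = cp[share].get("valid users")
        if raw is None:
            continue  # no restriction configured on this share
        names = [n.strip() for n in raw.split(",") if n.strip()]
        users = {n for n in names if not n.startswith("@")}
        acl[share] = (users, {n[1:] for n in names if n.startswith("@")})
    return acl

def stale_sessions(conf_text, groups_now, sessions):
    """Sessions still connected to a share the user no longer qualifies for."""
    acl = share_acl(conf_text)
    stale = []
    for pid, user, share, client in sessions:
        if share not in acl:
            continue
        users, groups = acl[share]
        in_group = any(user in groups_now.get(g, set()) for g in groups)
        if user not in users and not in_group:
            stale.append((pid, user, share, client))
    return stale

if __name__ == "__main__":
    print(stale_sessions(SMB_CONF, CURRENT_GROUPS, SESSIONS))
```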


