[Samba] winbind, nsswitch, AD and group membership caching?
rpenny at samba.org
Fri Jun 1 10:05:23 UTC 2018
On Fri, 01 Jun 2018 11:53:55 +0200
Kristian via samba <samba at lists.samba.org> wrote:
> using samba+winbindd+pam+nsswitch to make several Linux servers
> authenticate against an AD domain, I do have my setup mostly working
> - AD users are able to ssh into the machine.
> - wbinfo -g / -u does list all domain users.
> - getent group / getent passwd does list Unix and AD users.
> However, after changing some users group memberships in AD, I didn't
> manage to propagate this change to the Linux servers; even after
> waiting for several hours, "groups" for this user still doesn't "see"
> the new group memberships.
> Already looked at my smb.conf and stumbled across "winbind cache time"
> which is set to the default (and should have expired all relevant user
> information long ago).
> Can anyone point me where to look to get this right?
> Thanks in advance and all best,
Have the users logged in ? If not, then this is the expected behaviour.
From the release notes for 4.6.0:
winbind contains code that tries to emulate the group membership
calculation that domain controllers do when a user logs in. This group
membership calculation is a very complex process, in particular for
domain trust relationship situations. Also, in many scenarios it is
impossible for winbind to correctly do this calculation due to access
restrictions in the domains: winbind using its machine account simply
does not have the rights to ask for an arbitrary user's group
When a user logs in to a Samba server, the domain controller correctly
calculates the user's group memberships authoritatively and makes the
information available to the Samba server. This is the only reliable
way Samba can get informed about the groups a user is member of.
More information about the samba