[Samba] Group membership update
waishon009 at gmail.com
Sun Mar 25 01:22:48 UTC 2018
We're running Samba 4.7.4 (Debian SID) as an AD/DC and a separate Samba 4.7.4 Fileserver to use Posix ACLs.
Now it's possible that a user is assigned to a group after logging in to a Windows machine. This will result in an access denied when the user tries to access a directory which the new group has access to.
As far as I know, Windows retrieves a Kerberos ticket on login containing the assigned groups. When the assigned groups change afterwards, Samba denies the access to this directory using the "old" Kerberos ticket.
After some time I found out that it's possible to do a "smbcontrol smbd kill-client-ip <IP>" to reset the Kerberos ticket. Then the Kerberos ticket is updated and the client has access to the share.
Now we're writing a frontend that assigns users to groups, so we are searching for the "best practice" way. The easiest thing would be to call the smbcontrol command from our code, but I think that you agree that this isn't a nice way.
So is there a way to solve this problem from the client side without running a command on the fileserver? For example, a little script which runs on Windows?
Or is there a better way to solve this issue apart from "kill-client-ip"? And is there maybe even a Python/C API available, so we don't need to call a command directly from our code?
Thank you in advance.