[Samba] Group membership update

Waishon waishon009 at gmail.com
Sun Mar 25 01:22:48 UTC 2018


Hey there,

we're running Samba 4.7.4 (Debian SID) as an AD/DC and a separate Samba 4.7.4 Fileserver to use POSIX ACLs.

Now it's possible that a user is assigned to a group after logging in to a Windows machine. This will result in an access denied when the user tries to access a directory that the new group has access to.

As far as I know, Windows retrieves a Kerberos ticket on login containing the assigned groups. When the assigned groups change afterwards, Samba denies the access to this directory using the "old" Kerberos ticket.

After some time I found out that it's possible to do a "smbcontrol smbd kill-client-ip <IP>" to reset the Kerberos ticket. Then the Kerberos ticket is updated and the client has access to the share.

Now we're writing a frontend that assigns users to groups, so we search for the "best practice" way. The easiest thing would be to call the smbcontrol command from our code, but I think that you agree that this isn't a nice way.

So is there a way to solve this problem from the client side without running a command on the fileserver? For example, a little script which runs on Windows?

Or is there a better way to solve this issue apart from "kill-client-ip"? And is there maybe even a Python/C API available, so we don't need to call a command directly from our code?

Thank you in advance.

Kind regards
Sören


