[Samba] deny file access for specific users
mj
lists at merit.unu.edu
Wed Oct 10 09:04:29 UTC 2018
Hi,
For some users I am trying to deny file access to our domain member
servers, yet keeping their AD account for all other purposes, like email
and ldap authorized clients.
So I figured I removed the unix attributes from a user in ADUC, while
keeping the rest. I expected that would make the user 'invisible' for
the domain member (file) servers, while maintaining the account for
everything else.
Now, a day later, on one of our domain member servers the user is gone:
> root@server1:~# wbinfo -u | grep test
> test
> root@server1:~# id test
> id: ‘test’: no such user
> root@server1:~# getent passwd test
> root@server1:~#
but on another server, the user still remains
> root@server2:~# wbinfo -u | grep test
> test
> root@server2:~# id test
> uid=63993(test) gid=513(domain users) groups=513(domain users),1000001(BUILTIN\users)
> root@server2:~# getent passwd test
> test:*:63993:513::/home/WRKGRP/test:/bin/false
> root@server2:~#
Probably running net cache flush will remove the user on server2 as
well, but is there an expiration on the winbind cache? Will the user
disappear from server2 automatically after a certain period?
Otherwise we have to perform the additional manual flush of the net
cache on each domain member server, each time we want to deny fileserver
access for a user.
Or is there a better way of keeping everything, while centrally denying
fileserver access for specific users?
MJ