[Samba] Adding user to group doesn't propagate?
Rowland penny
rpenny at samba.org
Wed Sep 16 08:11:18 UTC 2020
On 16/09/2020 09:02, Harald Hannelius via samba wrote:
>
> On Mon, 31 Aug 2020, Jonathon Reinhart via samba wrote:
>> On Mon, Aug 31, 2020 at 9:21 AM Harald Hannelius via samba
>> <samba at lists.samba.org> wrote:
>>> On Wed, 17 Jun 2020, Harald Hannelius wrote:
>>>> On Wed, 17 Jun 2020, Harald Hannelius via samba wrote:
>>>>> On Wed, 17 Jun 2020, Rowland penny via samba wrote:
>>>>>> On 17/06/2020 11:54, Harald Hannelius wrote:
>>>>>>> On Wed, 17 Jun 2020, Rowland penny via samba wrote:
>>>>>>>> On 17/06/2020 11:39, Harald Hannelius via samba wrote:
>>>>>>>
>>>>>>> Sorry, you lost me here. Has this been discussed recently? I'm in the
>>>>>>> middle of so many projects I haven't had time to sit and follow this list
>>>>>>> as much as I'd like to.
>>>>>> No, it hasn't been discussed before, it happened to myself a couple of
>>>>>> weeks ago, I added the user to a group and 'id' didn't show the group,
>>>>>> everything else showed the user was a group member. I just put it down to
>>>>>> one of those things, but the following day, 'id' showed the group, so I
>>>>>> think it must be a cache problem.
>>>>>
>>>>> I see.
>>>>>
>>>>> I just checked, and all other users who show up correctly in the new group
>>>>> are indeed not logged on to the domain.
>>>>>
>>>>> Could it be that an active session locks the group memberships until the
>>>>> user logs out and in again? This might even be exactly like Windows works
>>>>> if I read correctly.
>>>>>
>>>>>>> I read somewhere that there's some caching going on, but there was no
>>>>>>> real solution on how to purge this cache other than have the client log
>>>>>>> out of their computer and on again. I have asked my colleague to do this,
>>>>>>> so it might be that waiting until tomorrow won't work.
>>>>>>
>>>>>> I tried all that, it just worked the following day. The only thing I
>>>>>> didn't do, raise the log level.
>>>>>
>>>>> Ok, I'll wait if the logout/login doesn't work.
>>>>
>>>> The user restarted their computer and presto: 'groups username' showed the
>>>> new membership on the member-server.
>>>
>>> Googling a problem, and finding one's own e-mail thread as the first hit. I
>>> had already forgotten about this.
>>>
>>> Added a group on the DC, added two members to that group and at least one of
>>> those is logged on to the domain. The group doesn't show up on a
>>> member-server.
>>>
>>> I will probably have to wait until tomorrow before I'm able to use that
>>> group?
>>>
>>> Are there plans to fix this so one can add groups and edit group
>>> memberships faster?
>>>
>>
>> I too have observed this.
>>
>> Network:
>> - Two Samba DCs (4.9.5+dfsg-5+deb10u1)
>> - File server: FreeNAS-11.2-U7 (running Samba 4.9.15)
>>
>> My internal ticket notes:
>>
>> - I added `jdoe` to the `cost estimates` folder ACL, and he was able to see
>> the `AAA` subdirectory immediately (because he was on that ACL already)
>> - I added him to the `XXX Finance` group, and it had no effect
>> - The NAS did not believe he was a member of that group:
>> root at nas[~]# id jdoe
>> uid=100041(jdoe) gid=100000(domain users) groups=100000(domain users),100010(xxx program),100016(engineering),100025(aaa program),90000002(BUILTIN\users)
>> - I tried clicking `REBUILD DIRECTORY SERVICE CACHE` in the FreeNAS GUI and
>> it had no effect
>> - I ran `watch id jdoe` and as soon as he authenticated with the NAS (his
>> machine is not yet joined) and hit enter, his membership changed on the NAS:
>> uid=100041(jdoe) gid=100000(domain users) groups=100000(domain users),100010(xxx program),100016(engineering),100025(aaa program),100031(xxx finance),90000002(BUILTIN\users)
>>
>> So apparently re-authenticating triggers group membership update... or
>> something like that.
>>
>> How does a Windows server handle this?
>>
>> Resources:
>> - https://www.ixsystems.com/community/threads/slow-updating-active-directory-user-group-cache.57448/
>> - https://www.ixsystems.com/community/threads/permissions-cifs-wont-pull-user-or-group-from-the-network.46044/
>> - https://www.ixsystems.com/community/threads/windows-users-groups-not-refreshing.28883/
>> - https://www.ixsystems.com/community/threads/ad-group-memberships-wont-update.63404/
>>
>> Possibly related Samba source code:
>> - wcache_invalidate_samlogon() [1] "Invalidate the getpwnam and
>> getgroups entries for a winbindd domain": Called only from
>> - winbindd_dual_pam_auth
>> - winbind_dual_SamLogon
>>
>>
>> [1]:
>> https://gitlab.com/samba-team/samba/-/blob/03f79a3bd71bc7a0a401d5f19560e831251d32b7/source3/winbindd/winbindd_cache.c#L3056
>
> Does anyone have any tips on how to circumvent this problem? I have
> almost daily group membership-changes, and sometimes waiting 24 hours
> isn't enough for the changes in a group to propagate.
>
> I have tried to restart smbd, nmbd and winbindd on the member server
> to no avail. On the test-server that nobody uses the changes show up
> much much earlier.
>
> Is there a way to check if a user is authenticated to the domain at
> the present moment, and then kick out the user?
>
>
On the few occasions that this has hit me, I tracked it down to a time
difference, so have you checked this?
Rowland
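The thread above points at two things to check on a member server whose group view lags the DC: the clock offset against the DC (Rowland's suggestion) and whether the cached `id` output actually contains the new group, which Jonathon's notes show is only refreshed after the user's next SamLogon. The following POSIX shell helpers are an added example, not code from this thread or from the Samba project. They assume Samba's `net` and `id` are present on the member server and that `date -d` is GNU date; the DC name, user and group are hypothetical parameters supplied by the caller. Note that the same cache lag applies to a removal from a group: a user taken out of a share's group keeps that access on the member server until the cache is refreshed, which is the side of this behaviour that matters for access review.

```sh
#!/bin/sh
# Added example (not from the samba list thread or the Samba project):
# helpers for diagnosing a member server whose winbind group view lags the DC.
# Assumptions: Samba's `net` and `id` are installed, `date -d` is GNU date,
# and DC/USER/GROUP are hypothetical values passed in by the caller.

# Kerberos rejects tickets when clocks differ by more than 5 minutes by default.
KRB_MAX_SKEW=300

# skew_within_limit DC_EPOCH LOCAL_EPOCH [LIMIT]
# Returns 0 if |DC_EPOCH - LOCAL_EPOCH| <= LIMIT seconds, 1 otherwise.
skew_within_limit() {
    dc=$1; local_t=$2; limit=${3:-$KRB_MAX_SKEW}
    diff=$((dc - local_t))
    [ "$diff" -lt 0 ] && diff=$((-diff))
    [ "$diff" -le "$limit" ]
}

# id_has_group ID_LINE GROUPNAME
# Parses the groups= field of one `id` output line (e.g. the lines quoted in
# the thread) and returns 0 if GROUPNAME is listed. The comparison is
# case-insensitive because Samba treats group names that way.
id_has_group() {
    line=$1; want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    groups=${line#*groups=}                       # "100000(domain users),..."
    printf '%s\n' "$groups" | tr ',' '\n' \
        | sed -n 's/^[0-9]*(\(.*\))$/\1/p' \
        | tr 'A-Z' 'a-z' | grep -qxF -- "$want"
}

# check_member_server DC USER GROUP
# Live check for a joined member server (not exercised offline):
#   1. compare the DC clock with the local clock,
#   2. see whether `id USER` already lists GROUP,
#   3. drop Samba's generic lookup cache with `net cache flush` and look again.
# If the group is still missing, winbind's own cached membership is what is
# stale; per the thread it is invalidated on the user's next SamLogon.
check_member_server() {
    dc=$1; user=$2; group=$3
    # `net time -S DC` prints the DC's clock; GNU date turns it into an epoch.
    dc_epoch=$(date -d "$(net time -S "$dc")" +%s) || return 2
    if ! skew_within_limit "$dc_epoch" "$(date +%s)"; then
        echo "clock skew with $dc exceeds ${KRB_MAX_SKEW}s: fix time sync first" >&2
        return 1
    fi
    if id_has_group "$(id "$user")" "$group"; then
        echo "$user already shows membership of $group"
        return 0
    fi
    net cache flush
    if id_has_group "$(id "$user")" "$group"; then
        echo "$group appeared after 'net cache flush'"
        return 0
    fi
    echo "$group still missing for $user: cached membership, refreshed on next logon" >&2
    return 1
}
```

Run it on the member server as `check_member_server dc1.example.internal jdoe 'xxx finance'` (hypothetical DC name). A non-zero exit with the skew message means time synchronisation should be fixed before any cache-related conclusion is drawn; the final message means the view will change only when the user next authenticates against that server, exactly as the `watch id jdoe` observation in the thread describes.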