[Samba] Adding user to group doesn't propagate?

Rowland penny rpenny at samba.org
Wed Sep 16 08:11:18 UTC 2020 

On 16/09/2020 09:02, Harald Hannelius via samba wrote:
>
> On Mon, 31 Aug 2020, Jonathon Reinhart via samba wrote:
>> On Mon, Aug 31, 2020 at 9:21 AM Harald Hannelius via samba
>> <samba at lists.samba.org> wrote:
>>> On Wed, 17 Jun 2020, Harald Hannelius wrote:
>>>> On Wed, 17 Jun 2020, Harald Hannelius via samba wrote:
>>>>> On Wed, 17 Jun 2020, Rowland penny via samba wrote:
>>>>>> On 17/06/2020 11:54, Harald Hannelius wrote:
>>>>>>> On Wed, 17 Jun 2020, Rowland penny via samba wrote:
>>>>>>>> On 17/06/2020 11:39, Harald Hannelius via samba wrote:
>>>>>>>
>>>>>>> Sorry, You lost me here. Has this been discussed recently? I'm 
>>>>>>> in the
>>>>>>> middle of so many projects I haven't had time to sit and follow 
>>>>>>> this list
>>>>>>> as much as I'd like to.
>>>>>> No, it hasn't been discussed before, it happened to myself a 
>>>>>> couple of
>>>>>> weeks ago, I added the user to a group and 'id' didn't show the 
>>>>>> group,
>>>>>> everything else showed the user was a group member. I just put it 
>>>>>> down to
>>>>>> one of those things, but the following day, 'id' showed the 
>>>>>> group, so I
>>>>>> think it must be a cache problem.
>>>>>
>>>>> I see.
>>>>>
>>>>> I just checked, and all other users who show up correctly in the 
>>>>> new group
>>>>> are indeed not logged on to the domain.
>>>>>
>>>>> Could it be that an active session locks the group memberships 
>>>>> until the
>>>>> user logs out and in again? This might even be exactly like 
>>>>> Windows works
>>>>> if I read correctly.
>>>>>
>>>>>>> I read somewhere that there's some caching going on, but there 
>>>>>>> was no
>>>>>>> real solution on how to purge this cache other than have the 
>>>>>>> client log
>>>>>>> out of their computer and on again. I have asked my colleague to 
>>>>>>> do this,
>>>>>>> so it might be that waiting until tomorrow won't work.
>>>>>>
>>>>>> I tried all that, it just worked the following day. The only thing I
>>>>>> didn't do, raise the log level.
>>>>>
>>>>> Ok, I'll wait if the logout/login doesn't work.
>>>>
>>>> The user restarted their computer and presto: 'groups username' 
>>>> showed the
>>>> new membership on the member-server.
>>>
>>> Googling a problem, and finding one's own e-mail thread as the first 
>>> hit. I
>>> had already forgot about this.
>>>
>>> Added a group on the DC, added two members to that group and at 
>>> least on of
>>> those are logged on to the domain. The group doesn't show up on a
>>> member-server.
>>>
>>> I will probably have to wait until tomorrow before I'm able to use that
>>> group?
>>>
>>> Are there plans to fix this so one can add groups and edit group
>>> memberships faster?
>>>
>>
>> I too have observed this.
>>
>> Network:
>> - Two Samba DCs (4.9.5+dfsg-5+deb10u1)
>> - File server:  FreeNAS-11.2-U7 (running Samba 4.9.15)
>>
>> My internal ticket notes:
>>
>> - I added `jdoe` to the `cost estimates` folder ACL, and he was able
>> to see the `AAA` subdirectory immediately (because he was on that ACL
>> already)
>> - I added him to the `XXX Finance` group, and it had no effect
>> - The NAS did not believe he was a member of that group:
>>    root at nas[~]# id jdoe
>>    uid=100041(jdoe) gid=100000(domain users) groups=100000(domain
>>    users),100010(xxx program),100016(engineering),100025(aaa
>>    program),90000002(BUILTIN\users)
>> - I tried clicking `REBUILD DIRECTORY SERVICE CACHE` in the FreeNAS
>> GUI and it had no effect
>> - I ran `watch id jdoe` and as soon as he authenticated with the NAS
>> (his machine is not yet joined) and hit enter, his membership changed
>> on the NAS:
>>    uid=100041(jdoe) gid=100000(domain users) groups=100000(domain
>>    users),100010(xxx program),100016(engineering),100025(aaa
>>    program),100031(xxx finance),90000002(BUILTIN\users)
>>
>> So apparently re-authenticating triggers group membership update... or
>> something like that.
>>
>> How does a Windows server handle this?
>>
>> Resources:
>> - 
>> https://www.ixsystems.com/community/threads/slow-updating-active-directory-user-group-cache.57448/
>> - 
>> https://www.ixsystems.com/community/threads/permissions-cifs-wont-pull-user-or-group-from-the-network.46044/
>> - 
>> https://www.ixsystems.com/community/threads/windows-users-groups-not-refreshing.28883/
>> - 
>> https://www.ixsystems.com/community/threads/ad-group-memberships-wont-update.63404/
>>
>> Possibly related Samba source code:
>> - wcache_invalidate_samlogon() [1] "Invalidate the getpwnam and
>> getgroups entries for a winbindd domain": Called only from
>>  - winbindd_dual_pam_auth
>>  - winbind_dual_SamLogon
>>
>>
>> [1]: 
>> https://gitlab.com/samba-team/samba/-/blob/03f79a3bd71bc7a0a401d5f19560e831251d32b7/source3/winbindd/winbindd_cache.c#L3056
>
> Does anyone have any tips on how to circumvent this problem? I have 
> almost daily group membership-changes, and sometimes waiting 24 hours 
> isn't enough for the changes in a group to propagate.
>
> I have tried to restart smbd, nmbd and winbindd on the member server 
> to no avail. On the test-server that nobody uses the changes show up 
> much much earlier.
>
> Is there a way to check if a user is authenticated to the domain at 
> the present moment, and then kick out the user?
>
>
On the few occasions that this has hit me, I tracked it down to a time 
difference, so have you checked this ?

Rowland

More information about the samba mailing list