[Samba] Adding user to group doesn't propagate?
Harald Hannelius
harald+samba at arcada.fi
Thu Sep 17 07:41:01 UTC 2020
On Wed, 16 Sep 2020, Rowland penny via samba wrote:
> On 16/09/2020 09:02, Harald Hannelius via samba wrote:
>> On Mon, 31 Aug 2020, Jonathon Reinhart via samba wrote:
>>> On Mon, Aug 31, 2020 at 9:21 AM Harald Hannelius via samba
>>> <samba at lists.samba.org> wrote:
>>>> On Wed, 17 Jun 2020, Harald Hannelius wrote:
>>>>> On Wed, 17 Jun 2020, Harald Hannelius via samba wrote:
>>>>>> On Wed, 17 Jun 2020, Rowland penny via samba wrote:
>>>>>>> On 17/06/2020 11:54, Harald Hannelius wrote:
>>>>>>>> On Wed, 17 Jun 2020, Rowland penny via samba wrote:
>>>>>>>>> On 17/06/2020 11:39, Harald Hannelius via samba wrote:
>>>>>>>>
>>>>>>>> Sorry, You lost me here. Has this been discussed recently? I'm in the
>>>>>>>> middle of so many projects I haven't had time to sit and follow this
>>>>>>>> list
>>>>>>>> as much as I'd like to.
>>>>>>> No, it hasn't been discussed before, it happened to myself a couple of
>>>>>>> weeks ago, I added the user to a group and 'id' didn't show the group,
>>>>>>> everything else showed the user was a group member. I just put it down
>>>>>>> to
>>>>>>> one of those things, but the following day, 'id' showed the group, so
>>>>>>> I
>>>>>>> think it must be a cache problem.
>>>>>>
>>>>>> I see.
>>>>>>
>>>>>> I just checked, and all other users who show up correctly in the new
>>>>>> group
>>>>>> are indeed not logged on to the domain.
>>>>>>
>>>>>> Could it be that an active session locks the group memberships until
>>>>>> the
>>>>>> user logs out and in again? This might even be exactly like Windows
>>>>>> works
>>>>>> if I read correctly.
>>>>>>
>>>>>>>> I read somewhere that there's some caching going on, but there was no
>>>>>>>> real solution on how to purge this cache other than have the client
>>>>>>>> log
>>>>>>>> out of their computer and on again. I have asked my colleague to do
>>>>>>>> this,
>>>>>>>> so it might be that waiting until tomorrow won't work.
>>>>>>>
>>>>>>> I tried all that, it just worked the following day. The only thing I
>>>>>>> didn't do, raise the log level.
>>>>>>
>>>>>> Ok, I'll wait if the logout/login doesn't work.
>>>>>
>>>>> The user restarted their computer and presto: 'groups username' showed
>>>>> the
>>>>> new membership on the member-server.
>>>>
>>>> Googling a problem, and finding one's own e-mail thread as the first hit.
>>>> I
>>>> had already forgot about this.
>>>>
>>>> Added a group on the DC, added two members to that group and at least on
>>>> of
>>>> those are logged on to the domain. The group doesn't show up on a
>>>> member-server.
>>>>
>>>> I will probably have to wait until tomorrow before I'm able to use that
>>>> group?
>>>>
>>>> Are there plans to fix this so one can add groups and edit group
>>>> memberships faster?
>>>>
>>>
>>> I too have observed this.
>>>
>>> Network:
>>> - Two Samba DCs (4.9.5+dfsg-5+deb10u1)
>>> - File server: FreeNAS-11.2-U7 (running Samba 4.9.15)
>>>
>>> My internal ticket notes:
>>>
>>> - I added `jdoe` to the `cost estimates` folder ACL, and he was able
>>> to see the `AAA` subdirectory immediately (because he was on that ACL
>>> already)
>>> - I added him to the `XXX Finance` group, and it had no effect
>>> - The NAS did not believe he was a member of that group:
>>> root at nas[~]# id jdoe
>>> uid=100041(jdoe) gid=100000(domain users) groups=100000(domain
>>> users),100010(xxx program),100016(engineering),100025(aaa
>>> program),90000002(BUILTIN\users)
>>> - I tried clicking `REBUILD DIRECTORY SERVICE CACHE` in the FreeNAS
>>> GUI and it had no effect
>>> - I ran `watch id jdoe` and as soon as he authenticated with the NAS
>>> (his machine is not yet joined) and hit enter, his membership changed
>>> on the NAS:
>>> uid=100041(jdoe) gid=100000(domain users) groups=100000(domain
>>> users),100010(xxx program),100016(engineering),100025(aaa
>>> program),100031(xxx finance),90000002(BUILTIN\users)
>>>
>>> So apparently re-authenticating triggers group membership update... or
>>> something like that.
>>>
>>> How does a Windows server handle this?
>>>
>>> Resources:
>>> -
>>> https://www.ixsystems.com/community/threads/slow-updating-active-directory-user-group-cache.57448/
>>> -
>>> https://www.ixsystems.com/community/threads/permissions-cifs-wont-pull-user-or-group-from-the-network.46044/
>>> -
>>> https://www.ixsystems.com/community/threads/windows-users-groups-not-refreshing.28883/
>>> -
>>> https://www.ixsystems.com/community/threads/ad-group-memberships-wont-update.63404/
>>>
>>> Possibly related Samba source code:
>>> - wcache_invalidate_samlogon() [1] "Invalidate the getpwnam and
>>> getgroups entries for a winbindd domain": Called only from
>>> - winbindd_dual_pam_auth
>>> - winbind_dual_SamLogon
>>>
>>>
>>> [1]:
>>> https://gitlab.com/samba-team/samba/-/blob/03f79a3bd71bc7a0a401d5f19560e831251d32b7/source3/winbindd/winbindd_cache.c#L3056
>>
>> Does anyone have any tips on how to circumvent this problem? I have almost
>> daily group membership-changes, and sometimes waiting 24 hours isn't enough
>> for the changes in a group to propagate.
>>
>> I have tried to restart smbd, nmbd and winbindd on the member server to no
>> avail. On the test-server that nobody uses the changes show up much much
>> earlier.
>>
>> Is there a way to check if a user is authenticated to the domain at the
>> present moment, and then kick out the user?
>>
>>
> On the few occasions that this has hit me, I tracked it down to a time
> difference, so have you checked this ?
This seems to hit me every time I add someone to a group.
All servers are of course hooked up to the NTP-network.
--
Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020
More information about the samba
mailing list