[Samba] Group membership not updating on one DC only
Matthias Kühne | Ellerhold AG
matthias.kuehne at ellerhold.de
Fri Feb 26 06:41:05 UTC 2021
Hello,
On 24.02.21 at 22:42, Rowland penny via samba wrote:
> On 24/02/2021 21:20, Christian via samba wrote:
>>> Why do you need to know what groups a user is a member of ?
ACL. Access to file shares, access to services, access to SSH, ...
We had a Samba Share on a file server (not any of the DCs) that the user
in question had no write access to. We've given RW access to a specific
group in AD. I've added the user to the group and waited endlessly for
the server to update the groups of the user. That's when I discovered the
groups were missing even on 2 DCs.
I should have told him to re-connect to the share after X minutes but I
thought net cache flush etc was enough.
>> Match group admin-group
>> AllowUsers *
>> Match group remotessh
>> AllowUsers *
>>
>> in /etc/ssh/sshd_config comes to mind... Thanks,
Winbind seems to update the group membership and after that SSHd uses
these rules. So it works as expected.
> That is a valid reason, well it would be except for the fact that
> disabled users can still log in via SSH.
Huh? How do I properly disable a user then? Delete him?
> I wonder if you could use kerberos instead of keys along with the
> groups ? Never tried it, just thinking out loud.
You mean pam_krb5 instead of pam_winbind?
Thanks for your continued help Rowland!
--
Matthias Kühne
Senior Web Developer
Data Protection Officer
Ellerhold Aktiengesellschaft
Friedrich-List-Str. 4
01445 Radebeul
Phone: +49 (0) 351 83933-61
Fax: +49 (0) 351 83933-99
Web www.ellerhold.de
Twitter www.twitter.com/Ellerhold_AG
Youtube www.youtube.com/user/ellerholdgruppe
Dresden District Court / HRB 23769
Executive Board: Stephan Ellerhold, Maximilian Ellerhold
Chairman of the Supervisory Board: Frank Ellerhold
----------------
This e-mail and its attachments are privileged and confidential. If you are not the intended recipient, please notify us and immediately delete this e-mail and its attachments.
You can find our privacy policy here: http://www.ellerhold.de/datenschutz/