[Samba] Group membership not updating on one DC only

Matthias Kühne | Ellerhold AG matthias.kuehne at ellerhold.de
Fri Feb 26 06:41:05 UTC 2021


On 24.02.21 at 22:42, Rowland penny via samba wrote:
> On 24/02/2021 21:20, Christian via samba wrote:
>>> Why do you need to know what groups a user is a member of ?

ACL. Access to file shares, access to services, access to SSH, ...

We had a Samba Share on a file server (not any of the DCs) that the user 
in question had no write access to. We've given RW access to a specific 
group in AD. I've added the user to the group and waited endlessly for 
the server to update the groups of the user. That's when I discovered the 
groups were missing even on 2 DCs.

I should have told him to re-connect to the share after X minutes but I 
thought net cache flush etc was enough.

>> Match group admin-group
>>   AllowUsers *
>> Match group remotessh
>>   AllowUsers *
>> in /etc/ssh/sshd_config comes to mind... Thanks,

Winbind seems to update the group membership and after that SSHd uses 
these rules. So it works as expected.

> That is a valid reason, well it would be except for the fact that 
> disabled users can still login via SSH.

Huh? How do I properly disable a user then? Delete him?

> I wonder if you could use kerberos instead of keys along with the 
> groups ? Never tried it, just thinking out loud.

You mean pam_krb5 instead of pam_winbind?

Thanks for your continued help Rowland!

Matthias Kühne
Senior Web Developer

Ellerhold Aktiengesellschaft
Friedrich-List-Str. 4
01445 Radebeul

Phone: +49 (0) 351 83933-61
Fax: +49 (0) 351 83933-99

Web     www.ellerhold.de
Twitter www.twitter.com/Ellerhold_AG
Youtube www.youtube.com/user/ellerholdgruppe

Dresden District Court / HRB 23769
Executive Board: Stephan Ellerhold, Maximilian Ellerhold
Chairman of the Supervisory Board: Frank Ellerhold

This e-mail and its attachments are privileged and confidential. If you are not the intended recipient, please notify us and immediately delete this e-mail and its attachments.

You can find our privacy policy here: http://www.ellerhold.de/datenschutz/
