Re: [Samba] Winbind group membership not updating
- Date: Mon, 25 Sep 2017 14:52:47 +0100
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Winbind group membership not updating
On Mon, 25 Sep 2017 15:16:54 +0200
Malte zu Klampen via samba <samba@xxxxxxxxxxxxxxx> wrote:
> We are currently in the process of replacing some of our file servers
> with Active Directory joined Samba servers. However, during testing
> we have noticed behaviour that has caught us off guard.
> Changes in user group membership in AD do not show up on our file
> servers. Specifically, changing a user's groups in AD won't affect
> group membership on the Samba server once the user has authenticated.
> Even killing their processes won't.
> This is a problem, as once a client has established a connection to a
> share, it will keep access to the share even if group membership has
> long since been revoked.
> It is my understanding that group membership is updated at
> authentication time and cached forever. Is there a way around this?
> With "winbind cache time = 10" changes in group membership show up in
> `id` quickly _only_ as long as the user in question has no active
> session. Once they show up in `net status sessions` group membership
> sticks forever.
> I am experiencing this behaviour with 4.5.8-Debian, but looking
> through the bugs this seems to be a recurring theme in all versions.
> Are there good workarounds?
Try removing 'winbind offline Logon = true', you should only need this
on a laptop or similar.
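
Added example, not part of the original thread: a small Python check that reads an smb.conf and reports whether `winbind offline logon` is enabled and what `winbind cache time` is set to, the two settings mentioned above. It assumes both settings live in `[global]` of a single file (no `include` handling); the function names and the sample file are constructed for illustration.

```python
import re

# Boolean spellings treated as "enabled" (assumption: yes/true/on/1, any case).
TRUE_VALUES = {"yes", "true", "on", "1"}

def norm(name):
    """smb.conf ignores case and whitespace in section and parameter names."""
    return re.sub(r"\s+", "", name).lower()

def global_params(conf_text):
    """Return {normalised name: value} for [global]; later lines win."""
    params, section, pending = {}, None, ""
    for raw in conf_text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip()
    return params

def audit_winbind(conf_text):
    """Report the two winbind settings discussed in the thread."""
    p = global_params(conf_text)
    offline = p.get("winbindofflinelogon", "no").lower() in TRUE_VALUES
    cache = int(p.get("winbindcachetime", "300"))  # 300 s is the documented default
    return {"offline_logon": offline, "cache_time": cache}

# Constructed smb.conf fragment (not taken from the poster's server).
SAMPLE = """\
[global]
   winbind cache time = 10
   ; winbind offline logon = false
   Winbind Offline Logon = True
[share]
   winbind offline logon = no
"""

if __name__ == "__main__":
    print(audit_winbind(SAMPLE))
```
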