Re: [Samba] Winbind group membership not updating

On 25/09/17 15:52, Rowland Penny via samba wrote:
> On Mon, 25 Sep 2017 15:16:54 +0200
> Malte zu Klampen via samba <samba@xxxxxxxxxxxxxxx> wrote:
>
> > We are currently in the process of replacing some of our file servers
> > with Active Directory joined Samba servers. However, during testing
> > we have noticed behaviour that has caught us off guard.
> >
> > Changes in user group membership in AD do not show up on our file
> > servers. Specifically, changing a user's groups in AD won't affect
> > group membership on the Samba server once the user has authenticated.
> > Even killing their processes won't.
> >
> > This is a problem, as once a client has established a connection to a
> > share, it will keep access to the share even if group membership has
> > long since been revoked.
> >
> > It is my understanding that group membership is updated at
> > authentication time and cached forever. Is there a way around this?
> >
> > With "winbind cache time = 10" changes in group membership show up in
> > `id` quickly _only_ as long as the user in question has no active
> > session. Once they show up in `net status sessions` group membership
> > sticks forever.
> >
> > I am experiencing this behaviour with 4.5.8-Debian, but looking
> > through the bugs this seems to be a recurring theme in all versions.
> > Are there good workarounds?
>
> Try removing 'winbind offline Logon = true', you should only need this
> on a laptop or similar.


No dice, sadly. The only way to reliably have Samba recognise the change in groups is to try to establish a session from a different computer, which forces authentication.

As long as the user remains logged in on their client, they keep access to shares even though their access has been revoked and their session killed on the server. The client immediately reestablishes a connection to the share and carries on.

