Re: [Samba] Winbind group membership not updating
- Date: Mon, 25 Sep 2017 16:32:19 +0200
- From: Malte zu Klampen via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Winbind group membership not updating
On 25/09/17 15:52, Rowland Penny via samba wrote:
On Mon, 25 Sep 2017 15:16:54 +0200
Malte zu Klampen via samba <samba@xxxxxxxxxxxxxxx> wrote:
We are currently in the process of replacing some of our file servers
with Active Directory joined Samba servers. However, during testing
we have noticed behaviour that has caught us off guard.
Changes in user group membership in AD do not show up on our file
servers. Specifically, changing a user's groups in AD won't affect
group membership on the Samba server once the user has authenticated.
Even killing their processes won't.
This is a problem, as once a client has established a connection to a
share, it will keep access to the share even if group membership has
long since been revoked.
It is my understanding that group membership is updated at
authentication time and cached forever. Is there a way around this?
With "winbind cache time = 10" changes in group membership show up in
`id` quickly _only_ as long as the user in question has no active
session. Once they show up in `net status sessions` group membership
I am experiencing this behaviour with 4.5.8-Debian, but looking
through the bugs this seems to be a recurring theme in all versions.
Are there good workarounds?
Try removing 'winbind offline Logon = true', you should only need this
on a laptop or similar.
No dice, sadly. The only way to reliably have Samba recognise the change
in groups is to try to establish a session from a different computer,
which forces authentication.
As long es the user remains logged in on their client, they keep access
to shares even though their access has been revoked and their session
killed on the server. The client immediately reestablishes a connection
to the share and carries on.
To unsubscribe from this list go to the following URL and read the