Re: [Samba] Winbind group membership not updating


There are no Linux users (above 1000 that is), and there never will be.

net cache flush does absolutely nothing.

I've already suspected that the version might be at fault and checked 4.7.0 with the same result.

I suspect the problem is not a bug per se, but an architectural problem with how sessions are constructed. As far as I can tell, group membership is resolved once at the start of the session, and never updated (or the session terminated and the client forced to re-auth) until the client logs off.

But even if I kill their session, it immediately respawns with outdated groups.

Here's what I'm doing:

1) Create a share that requires a specific group
2) Add user to group
3) Log in user on Windows client, connect to share
4) Remove user from group
5) Log in user on a different Windows client, try to connect to the share

What happens:

The share remains accessible from the first client
User gets denied on the second client

Even if I kill the session on the server, it is immediately respawned. I simply cannot keep them from accessing the share from the first client unless they log off.

How do I work around this? I can't hound people I (automatically, I might add) remove from groups to log off. I can accept a delay, but at some point after losing group membership they should get booted off the server automatically.

On 25/09/17 16:50, L.P.H. van Belle via samba wrote:

Now you have overlapping IDs:
idmap config *:range = 1000 - 99999

I suggest you leave some room for your "linux users",
like: idmap config *:range = 2000 - 99999

In addition, also run: net cache flush
And run:
systemctl stop winbind
sleep 1
systemctl start winbind

Then... what does `id Administrator`
tell you now?
And `id someOtheruser`?

Now please note also, you're using 4.5.8 from Debian.
I don't know how many winbind fixes they also picked up from Samba, but 4.5.8 can be tricky.
I suggest you have a good look at the winbind Debian bugs and the Samba changelog for 4.5.9, for example.

You have a few options.
1) Compile Samba yourself. (Then I suggest moving to 4.6.8.)
2) Use Debian buster, but I don't advise that; you may end up with a broken system.
3) Build your own package, which can be hard.
4) Use my packages. (4.5.14 and 4.6.8 for stretch) (http://apt.van-belle.nl)
You choose. I suggest going for 4.6.8, but if you don't like the config change at this point, use 4.5.14.



-----Original message-----
From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of
Malte zu Klampen via samba
Sent: Monday, 25 September 2017 15:17
To: samba@xxxxxxxxxxxxxxx
Subject: [Samba] Winbind group membership not updating

We are currently in the process of replacing some of our file
servers with Active Directory joined Samba servers. However,
during testing we have noticed behaviour that has caught us off guard.

Changes in user group membership in AD do not show up on our
file servers. Specifically, changing a user's groups in AD
won't affect group membership on the Samba server once the
user has authenticated. Even killing their processes won't.

This is a problem, as once a client has established a
connection to a share, it will keep access to the share even
if group membership has long since been revoked.

It is my understanding that group membership is updated at
authentication time and cached forever. Is there a way around this?

With "winbind cache time = 10" changes in group membership
show up in `id` quickly _only_ as long as the user in
question has no active session. Once they show up in `net
status sessions` group membership sticks forever.

I am experiencing this behaviour with 4.5.8-Debian, but
looking through the bugs this seems to be a recurring theme
in all versions. Are there good workarounds?

          obey pam restrictions = yes

          netbios name = redacted
          workgroup = REDACTED
          security = ADS
          realm = REDACTED.DE
          log level = 0
          usershare max shares = 0
          usershare path = /dev/null

          vfs objects = acl_xattr
          map acl inherit = Yes
          store dos attributes = Yes
          inherit permissions = yes

          idmap config *:backend = tdb
          idmap config *:range = 1000 - 99999
          idmap config REDACTED:backend = rid
          idmap config REDACTED:range = 100000 - 500000
          template shell = /bin/bash
          template homedir = /home/%D/%U

          load printers = no
          printcap name = /dev/null

          winbind trusted domains only = no
          winbind use default domain = yes
          winbind enum users  = no
          winbind enum groups = no
          winbind refresh tickets = Yes
          winbind cache time = 10
          winbind offline Logon = true
          winbind expand groups = 3

Malte zu Klampen / PC-Labor / Institut für Geowissenschaften
CAU zu Kiel / Otto-Hahn-Platz 5, D-24118 Kiel
Tel.   +49 431 880-3904
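As an added illustration that is not part of this thread: a small POSIX shell script that picks out open smbd sessions whose user is no longer a member of the group a share requires, so an admin can report them or force-close them with `smbcontrol` until the client re-authenticates. It assumes the columnar session listing of `net status sessions` (PID, username, group, machine) and the `name:x:gid:member,member` line of `getent group`; both are replaced here by constructed sample data so it runs offline, and the share name `projects`, the group `share-admins` and the users are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Lists SMB sessions whose user has lost
# membership of the group a share requires. The two data sources are stubbed
# with constructed samples; on a real server they would be
# "net status sessions" and "getent group <name>".

# Constructed sample approximating "net status sessions" output. With
# "winbind use default domain = yes" (as in the posted smb.conf) usernames
# carry no DOMAIN\ prefix. alice was already removed from share-admins in AD
# but still holds an open session.
SAMPLE_SESSIONS='PID     Username      Group         Machine
-------------------------------------------------------------------
 2041   alice         domain users  client1 (ipv4:192.0.2.10:49152)
 2077   bob           domain users  client2 (ipv4:192.0.2.11:49160)
 2093   carol         domain users  client3 (ipv4:192.0.2.12:49170)'

# Constructed sample approximating "getent group <name>" output.
sample_getent_group() {
  case "$1" in
    share-admins) echo "share-admins:x:100513:bob,carol" ;;
    *) return 2 ;;   # unknown group: getent exits 2
  esac
}

# Members of a group, one per line, taken from the 4th field of the
# "name:x:gid:m1,m2" line. Fails if the group cannot be resolved.
group_members() {
  line=$(sample_getent_group "$1") || return 1
  printf '%s\n' "$line" | cut -d: -f4 | tr ',' '\n'
}

# Print "PID username" for every session row; rows are recognised by a
# numeric first column, which skips the header and separator lines.
session_users() {
  printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $1, $2 }'
}

# Print the PID of every session whose user is not in the required group.
stale_sessions() {
  sessions=$1
  group=$2
  members=$(group_members "$group") || return 1
  session_users "$sessions" | while read -r pid user; do
    if ! printf '%s\n' "$members" | grep -qx -- "$user"; then
      echo "$pid"
    fi
  done
}

# Usage: report each stale session and the smbcontrol call that would close
# its connection to the (made-up) share "projects".
stale_sessions "$SAMPLE_SESSIONS" share-admins | while read -r pid; do
  echo "stale session $pid: would run: smbcontrol $pid close-share projects"
done
```

On a live server the two sample functions would be swapped for the real `net status sessions` and `getent group` calls. As the thread reports, a client whose session is closed may simply reconnect with the group set it authenticated with, so this works as a periodic detection check that keeps re-closing stale sessions rather than as a one-shot revocation.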

