
Re: [Samba] Winbind group membership not updating




On Tue, 26 Sep 2017 11:16:46 +0200
Malte zu Klampen via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hej,
> 
> There are no Linux users (above 1000 that is), and there never will
> be.
> 
> net cache flush does absolutely nothing.
> 
> I've already suspected that the version might be at fault and checked 
> 4.7.0 with the same result.
> 
> I suspect the problem is not a bug per se, but an architectural
> problem with how sessions are constructed. As far as I can tell,
> group membership is resolved once at the start of the session, and
> never updated (or the session terminated and the client forced to
> re-auth) until the client logs off.
> 
> But even if I kill their session, it immediately respawns with
> outdated groups.
> 
> Here's what I'm doing:
> 
> Create a share that requires a specific group
> Add user to group
> Log in user on Windows client, connect to share
> Remove user from group
> Log in user on a different Windows client, try to connect to the share
> 
> What happens:
> 
> The share remains accessible from the first client
> User gets denied on the second client
> 
> Even if I kill the session on the server, it is immediately
> respawned. I simply cannot keep them from accessing the share from
> the first client unless they log off.
> 
> How do I work around this? I can't hound people I (automatically, I 
> might add) remove from groups to log off. I can accept a delay, but
> at some point after losing group membership they should get booted
> off the server automatically.
> 
> 

I don't think you can work around this. I am fairly sure that if you try
this against a Windows server, you would get the same result: unless
the user logs out, they will still think they are members of the group
and will get access.

Rowland 
