[Samba] deny file access for specific users


For some users I am trying to deny file access to our domain member servers, yet keeping their AD account for all other purposes, like email and ldap authorized clients.

So I figured I removed the unix attributes from a user in ADUC, while keeping the rest. I expected that would make the user 'invisible' for the domain member (file) servers, while maintaining the account for everything else.

Now, a day later, on one of our domain member servers the user is gone:

root@server1:~# wbinfo -u | grep test
root@server1:~# id test
id: ‘test’: no such user
root@server1:~# getent passwd test

But on another server, the user still remains:

root@server2:~# wbinfo -u | grep test
root@server2:~# id test
uid=63993(test) gid=513(domain users) groups=513(domain users),1000001(BUILTIN\users)
root@server2:~# getent passwd test

Probably running net cache flush will remove the user on server2 as well, but is there an expiration on the winbind cache? Will the user disappear from server2 automatically after a certain period?

Otherwise we have to perform the additional manual flush of the net cache on each domain member server, each time we want to deny fileserver access for a user.

Or is there a better way to keep everything, while centrally denying fileserver access for specific users?
