
[Samba] deny file access for specific users




Hi,

For some users I am trying to deny file access to our domain member servers, yet keeping their AD account for all other purposes, like email and ldap authorized clients.

So I figured I removed the unix attributes from a user in ADUC, while keeping the rest. I expected that would make the user 'invisible' for the domain member (file) servers, while maintaining the account for everything else.

Now, a day later, on one of our domain member servers the user is gone:

root@server1:~# wbinfo -u | grep test
test
root@server1:~# id test
id: ‘test’: no such user
root@server1:~# getent passwd test
root@server1:~#

but on another server, the user still remains:

root@server2:~# wbinfo -u | grep test
test
root@server2:~# id test
uid=63993(test) gid=513(domain users) groups=513(domain users),1000001(BUILTIN\users)
root@server2:~# getent passwd test
test:*:63993:513::/home/WRKGRP/test:/bin/false
root@server2:~#

Probably running net cache flush will remove the user on server2 as well, but is there an expiration on the winbind cache? Will the user disappear from server2 automatically after a certain period?

Otherwise we have to perform the additional manual flush of the net cache on each domain member server, each time we want to deny fileserver access for a user.

Or is there a better way of keeping everything, while centrally denying fileserver access for specific users?

MJ
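
A check that can be run on each domain member after removing an account's unix attributes, as an added example that is not part of the original post: it reports whether each listed account is still enumerated by `wbinfo -u` and whether it still resolves through `getent passwd`, the same two checks shown in the sessions above. The function names, the `--audit` switch and the list file are hypothetical, and it assumes `wbinfo -u` prints bare account names as in the output above.

```shell
#!/bin/sh
# Added example: verify on a domain member that accounts meant to lose
# file-server access no longer resolve through NSS.

# classify_user NAME WBINFO_LIST PASSWD_LINE -> prints one state:
#   absent      winbind does not enumerate the account
#   denied      account is enumerated but has no passwd entry on this host
#   resolvable  account still maps to a uid on this host
classify_user() {
    name=$1 wb_list=$2 pw_line=$3
    # -x -F: whole-line literal match; -i: AD account names ignore case.
    if ! printf '%s\n' "$wb_list" | grep -qixF -- "$name"; then
        echo absent
    elif [ -z "$pw_line" ]; then
        echo denied
    else
        echo resolvable
    fi
}

# audit_denied FILE: FILE lists one account name per line.
# Prints "host<TAB>user<TAB>state"; returns 1 if any account is still
# resolvable, 2 if winbind could not be queried.
audit_denied() {
    wb_list=$(wbinfo -u) || return 2
    host=$(hostname)
    rc=0
    while IFS= read -r user; do
        [ -n "$user" ] || continue
        pw_line=$(getent passwd "$user" || true)
        state=$(classify_user "$user" "$wb_list" "$pw_line")
        printf '%s\t%s\t%s\n' "$host" "$user" "$state"
        if [ "$state" = resolvable ]; then rc=1; fi
    done < "$1"
    return "$rc"
}

# Hypothetical entry point: sh check_denied.sh --audit denied-users.txt
if [ "${1:-}" = "--audit" ]; then
    audit_denied "$2"
    exit $?
fi
```

A non-zero exit status from `--audit` means at least one listed account still has a passwd entry on that host, which is the server2 situation described above.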
