Re: [Samba] deny file access or specific users
- Date: Wed, 10 Oct 2018 10:16:25 +0100
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] deny file access or specific users
On Wed, 10 Oct 2018 11:04:29 +0200
mj via samba <samba@xxxxxxxxxxxxxxx> wrote:
> For some users I am trying to deny file access to our domain member
> servers, yet keeping their AD account for all other purposes, like
> email and ldap authorized clients.
> So I figured I removed the unix attributes from a user in ADUC, while
> keeping the rest. I expected that would make the user 'invisible' for
> the domain member (file) servers, while maintaining the account for
> everything else.
> Now, a day later, on one our domain member servers the user is gone:
> > root@server1:~# wbinfo -u | grep test
> > test
> > root@server1:~# id test
> > id: ‘test’: no such user
> > root@server1:~# getent passwd test
> > root@server1:~#
> but on another server, the user still remains
> > root@server2:~# wbinfo -u | grep test
> > test
> > root@server2:~# id test
> > uid=63993(test) gid=513(domain users) groups=513(domain
> > users),1000001(BUILTIN\users) root@server2:~# getent passwd test
> > test:*:63993:513::/home/WRKGRP/test:/bin/false
> > root@server2:~#
> Probably running net cache flush will remove the user on server2 as
> well, but is there an expiration on the winbind cache? Will the user
> disppear from server2 automatically after a certain period?
Yes, provided the user isn't logged into or connected to the share.
> Otherwise we have to perform the additional manual flush of the net
> cache on each domain member server, each time we want to deny
> fileserver access for a user.
You should only have to do this once, unless you are using the 'rid'
> Or is there a better way to keeping everything, while centrally
> denying fileserver access for specific users?
Yes, set the users permissions with 'setfacl' or from Windows.
To unsubscribe from this list go to the following URL and read the