On 24.02.2021 10:53, Rowland penny via samba wrote:
> On 24/02/2021 09:36, Matthias K?hne | Ellerhold AG via samba wrote:
>> Hello,
>>
>> I just asked the user to ssh into DC1. And lo and behold after that he
>> has the correct groups.
>>
>> I let him connect to a fileserver via SMB and it updated the groups
>> correctly too. Yay
>
>
> Yes, you can only rely on a user's groups being correct after the user
> has logged in.
>
>>
>>
>> So it seems like the cache (on a Domain Member and on a DC) only gets
>> updated if the user connects to it. net cache flush doesn't seem to do
>> anything here.
>
>
> 'net cache flush' empties the winbind cache, so this wouldn't fix the
> problem you were having.
>
>> Winbind Offline Logon is enabled. Is this the / a problem?
>
>
> No, offline logon relies on the winbind cache being somewhere that
> survives a reboot (which on Debian it doesn't), so you need the user's
> data in the cache to begin with and this means the user has logged in
> at least once.
>
>>
>> Is there any command I could run to update the groups without asking the
>> user to login to the machine?
>>
>
> You could run 'wbinfo -a username', but this will mean that you must
> know the user's password.
>
> Why do you need to know what groups a user is a member of?

Match group admin-group
    AllowUsers *
Match group remotessh
    AllowUsers *

in /etc/ssh/sshd_config comes to mind...

Thanks,
Christian