After additional newsgroup trolling it appears that the
"require_membership_of=[SID or NAME]"
option to pam_winbind.so is the appropriate method for controlling ADS
login by group. Unfortunately Red Hat's rpm man page for pam_winbind
stated "pam_winbind does not support any additional options" which is
obviously not correct. This was probably correct for the initial 3.x
release?
So....on a RHEL4_U4 box I did the following:
Created /etc/pam.d/auth-winbind with:
    auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass require_membership_of=NameOfGroup1
    auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass require_membership_of=NameOfGroup2
Edited /etc/pam.d/system-auth to include:
    auth sufficient /lib/security/$ISA/pam_stack.so service=auth-winbind
After a user attempts to logon (pass or fail) their group info is
updated so "groups username" and "wbinfo -r username" show the correct
info....These 2 commands appear to only be updated after a logon
attempt. Getent will display correct info after winbind cache time
expires.
So...logins are fast and accurate, problem solved. It is clear
pam_listfile.so is not appropriate to use in the manner I had been
trying.
Hope this helps.
Noal
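The two "sufficient" pam_winbind entries above, as an added example that is not from the original post: a small Python model of PAM's control-flag semantics walked over that stack, assuming the remainder of system-auth is a "required" pam_unix entry and using constructed group data in place of winbind and the local passwd file.

```python
"""Simplified PAM 'auth' stack evaluator for the auth-winbind configuration.

Constructed example: models the 'sufficient', 'required' and 'requisite'
control flags and two pam_winbind entries with require_membership_of,
followed by a pam_unix fallback (assumed to be the rest of system-auth).
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed directory data standing in for winbind and /etc/passwd.
AD_GROUPS = {"alice": {"NameOfGroup1"}, "bob": {"Other"}, "carol": {"NameOfGroup2"}}
LOCAL_USERS = {"root"}

def pam_winbind(required_group: str) -> Callable[[str], bool]:
    # pam_winbind with require_membership_of: only AD users in that group pass.
    return lambda user: required_group in AD_GROUPS.get(user, set())

def pam_unix(user: str) -> bool:
    # Local password file only; AD users are not present there.
    return user in LOCAL_USERS

@dataclass
class Entry:
    control: str                   # "sufficient", "required" or "requisite"
    module: Callable[[str], bool]  # returns True on PAM_SUCCESS

def evaluate(stack: List[Entry], user: str) -> bool:
    """Walk the stack: a failed 'required' is sticky but later modules still
    run; a passing 'sufficient' ends the stack successfully unless a
    'required' already failed; a failed 'requisite' ends it immediately."""
    impression: Optional[bool] = None  # None = no required/requisite ran yet
    for entry in stack:
        ok = entry.module(user)
        if entry.control == "sufficient":
            if ok and impression is not False:
                return True
        elif entry.control in ("required", "requisite"):
            if not ok:
                if entry.control == "requisite":
                    return False
                impression = False
            elif impression is None:
                impression = True
    return impression is True  # all-sufficient-failed with nothing required: denied

# The posted auth-winbind service flattened into system-auth (assumption).
AUTH_STACK = [
    Entry("sufficient", pam_winbind("NameOfGroup1")),
    Entry("sufficient", pam_winbind("NameOfGroup2")),
    Entry("required", pam_unix),
]

def check_login(user: str) -> bool:
    return evaluate(AUTH_STACK, user)
```

Running check_login over alice, carol, bob and root shows that only members of either named group (or a local account) get past auth, and that placing the pam_unix "required" line before the winbind lines would block the AD users entirely.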
-----Original Message-----
From: samba-bounces+noal.miles=tdstelecom.com@lists.samba.org
[mailto:samba-bounces+noal.miles=tdstelecom.com@lists.samba.org] On
Behalf Of Miles, Noal
Sent: Friday, December 01, 2006 2:28 PM
To: samba@lists.samba.org
Subject: [Samba] Winbind caching group membership issue
Hi All,
I am using samba-common-3.0.10-1.4E.9 on a RHEL4_U4 x86 machine. The
ADS server is WS03 sp1 running in Windows Server 2003 interim mode. In
general things are working well. However, when winbind caching is
enabled (default), group membership does not appear to update, i.e.
"wbinfo -r bob" and "groups bob" don't reflect changes in ADS group
membership. "getent group groupname" does show the correct info on the
second query. Always takes 2 queries regardless of elapsed time. With
winbind caching off, each command returns correctly the first time
(though slowly).
Using tcpdump with winbind caching enabled, I can "see" the ADS domain
controller being queried when winbind cache time expires when each
command is executed. However, the "wbinfo" and "groups" results are not
updated no matter the amount of elapsed time. It should be noted that
if I stop winbind and delete *.tdb then restart, updated info is
returned by "wbinfo" and "groups" but again, next changes will not be
reflected.
Why do I care? I am trying to use pam_listfile.so to control what ADS
accounts can log on to the box (by group membership). Pam_listfile is
not "seeing" updated group membership when winbind caching is enabled.
Somewhat ironically pam_winbind.so "sees" things correctly I suppose
because it never consults the cache.
What am I missing? Thanks for the help,
Noal
Some potentially relevant settings from smb.conf include:
idmap backend = idmap_rid:APP=17000000-40000000
winbind enum users = yes
winbind enum groups = yes
idmap uid = 17000000-40000000
idmap gid = 17000000-40000000
winbind use default domain = yes
winbind cache time = 30