I'm using Samba 3.0.33 (RHEL 5) to connect to a Windows 2008 Active Directory server. I am restricting SSH logins to a particular AD group. The users allowed to log in will change frequently, so it's important to me that their group membership is updated when their access to this server is granted or revoked.

The problem that I keep running into is that group membership on the Samba machine doesn't seem to sync up with the Windows DC until a user authenticates. Essentially, if I remove a user from the login group in AD, they will still be able to log in to the Samba box once, then their group membership will be updated. Conversely, if they are added to the login group (and the Samba box has "seen" their user before - it doesn't seem to happen with new users) they will not appear to be in that group from the Samba box's perspective until they have been authenticated - in that case, it often requires a wbinfo --authenticate username%password, since their SSH login attempts will fail due to them appearing not to be in the login group. Once that is done, groups USERNAME will report accurate group membership.

I've tried adjusting the winbind cache time, to the point of disabling it in the init script, but I haven't had any success updating a group membership short of authenticating the user. I was originally using the AllowGroups directive in sshd_config, and I switched that to using pam_succeed_if.so user ingroup in /etc/pam.d/system-auth, with the same result.

Here's what I have in smb.conf:

    [global]
    workgroup = AD
    password server = AD.WKU.EDU
    realm = AD.WKU.EDU
    security = ads
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    template shell = /usr/bin/rssh
    winbind use default domain = yes
    winbind offline logon = false
    winbind nested groups = yes
    winbind enum groups = yes
    winbind enum users = no
    template homedir = /var/www/html
    winbind cache time = 1
    passdb backend = tdbsam

nsswitch.conf:

    passwd: winbind files
    shadow: winbind files
    group: winbind files

I did some googling for this problem, and found a few instances that sounded similar, but I didn't see any solutions. Thanks in advance for any assistance you might be able to provide.

Rob