Markert, Martin
2015-Jun-08 10:46 UTC
[Samba] Active Directory group membership changes not reflected in winbind information
Hi,

I've added an existing group ("2d3d") to an existing user ("jschopp") on our AD server. When I execute "id jschopp" the new group membership is not reflected:

# id jschopp
uid=1333(jschopp) gid=2020(domänen-benutzer) groups=2020(domänen-benutzer),610(BUILTIN+users)

This is a strange behavior. Is this a caching issue?

Kind regards,
Martin

AD: Windows Server 2008 RC2 with Windows Services for UNIX
AD member: CentOS 6.6, sernet-samba-4.1.14-9

This is my Samba/Winbind configuration:

[global]
    workgroup = ARRI
    server string = Samba Server Version %v
    netbios name = BARBARELLA

    # logs split per machine
    log file = /var/log/samba/%m.log
    # max 50KB per log file, then rotate
    max log size = 50
    log level = 3

    security = ads
    realm = ARRI.DE
    encrypt passwords = Yes

    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind nested groups = Yes
    winbind separator = +
    winbind offline logon = false
    ; winbind nss info = template rfc2307

    ; idmap config ARRI:backend = rid
    ; idmap config ARRI:range = 10000-99999
    idmap config * : backend = tdb
    idmap config * : range = 600-799
    idmap config ARRI:backend = ad
    idmap config ARRI:range = 800-19999
    idmap config ARRI:schema_mode = rfc2307
    ; idmap config *:range = 16777216-33554431
    ; idmap uid = 600-20000
    ; idmap gid = 600-20000

    allow trusted domains = Yes
    server signing = mandatory
    client signing = mandatory
    client use spnego = Yes
    ntlm auth = Yes
    lanman auth = No

    # --- Kerberos ---
    ; kdc:service ticket lifetime = 24
    ; kdc:user ticket lifetime = 24
    ; kdc:renewal lifetime = 120

... shares following

Martin Markert
Systems Integrator
Tuerkenstr. 89, 80799 München / Germany
Phone +49 89 3809-1848
EMail MMarkert at arri.de
Visit us on Facebook!
________________________________
Get all the latest information from www.arri.de/filmtv <http://www.arri.de/filmtv>, Facebook <https://www.facebook.com/pages/ARRI-Film-TV/117731121606986?fref=ts>
ARRI Media GmbH
Registered office: München - Register court: Amtsgericht München
Commercial register number: HRB 69396
Managing directors: Franz Kraus; Dr. Jörg Pohlman; Josef Reidinger
Volker Lendecke
2015-Jun-08 11:06 UTC
[Samba] Active Directory group membership changes not reflected in winbind information
On Mon, Jun 08, 2015 at 10:46:33AM +0000, Markert, Martin wrote:
> Hi,
> I've added an existing group ("2d3d") to an existing user ("jschopp") on our AD server. When I execute "id jschopp" the new group membership is not reflected:
>
> # id jschopp
> uid=1333(jschopp) gid=2020(domänen-benutzer) groups=2020(domänen-benutzer),610(BUILTIN+users)
>
> This is a strange behavior. Is this a caching issue?

Yes. Please re-login to the server to update that info.

With best regards,

Volker Lendecke

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
Markert, Martin
2015-Jun-08 11:28 UTC
[Samba] Active Directory group membership changes not reflected in winbind information
Hi Volker,

thank you for your answer. What do you mean? Restarting winbind?

Kind regards,
Martin

On 08.06.2015 at 13:06, Volker Lendecke <Volker.Lendecke at SerNet.DE> wrote:
>
> On Mon, Jun 08, 2015 at 10:46:33AM +0000, Markert, Martin wrote:
>> Hi,
>> I've added an existing group ("2d3d") to an existing user ("jschopp") on our AD server. When I execute "id jschopp" the new group membership is not reflected:
>>
>> # id jschopp
>> uid=1333(jschopp) gid=2020(domänen-benutzer) groups=2020(domänen-benutzer),610(BUILTIN+users)
>>
>> This is a strange behavior. Is this a caching issue?
>
> Yes. Please re-login to the server to update that info.
>
> With best regards,
>
> Volker Lendecke