Markert, Martin
2015-Jun-08 10:46 UTC
[Samba] Active Directory group membership changes not reflected in winbind information
Hi,
I've added an existing group ("2d3d") to an existing user ("jschopp") on our AD
server. When I execute "id jschopp" the new group membership is not reflected:
# id jschopp
uid=1333(jschopp) gid=2020(domänen-benutzer)
groups=2020(domänen-benutzer),610(BUILTIN+users)
This is a strange behavior. Is this a caching issue?
Kind regards,
Martin
AD: Windows Server 2008 RC2 with Windows Services for UNIX
AD member: CentOS 6.6, sernet-samba-4.1.14-9
This is my Samba/Winbind configuration:
[global]
workgroup = ARRI
server string = Samba Server Version %v
netbios name = BARBARELLA
# logs split per machine
log file = /var/log/samba/%m.log
# max 50KB per log file, then rotate
max log size = 50
log level = 3
security = ads
realm = ARRI.DE
encrypt passwords = Yes
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +
winbind offline logon = false
; winbind nss info = template rfc2307
; idmap config ARRI:backend = rid
; idmap config ARRI:range = 10000-99999
idmap config * : backend = tdb
idmap config * : range = 600-799
idmap config ARRI:backend = ad
idmap config ARRI:range = 800-19999
idmap config ARRI:schema_mode = rfc2307
; idmap config *:range = 16777216-33554431
; idmap uid = 600-20000
; idmap gid = 600-20000
allow trusted domains = Yes
server signing = mandatory
client signing = mandatory
client use spnego = Yes
ntlm auth = Yes
lanman auth = No
# --- Kerberos ---
; kdc:service ticket lifetime = 24
; kdc:user ticket lifetime = 24
; kdc:renewal lifetime = 120
... shares following
Martin Markert
Systems Integrator
Tuerkenstr. 89, 80799 München / Germany
Phone +49 89 3809-1848
EMail MMarkert at arri.de
ARRI Media GmbH
Registered office: München - Court of registration: Amtsgericht München
Commercial register number: HRB 69396
Managing directors: Franz Kraus; Dr. Jörg Pohlman; Josef Reidinger
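An added example, not part of the original post and not Samba code: it reads the idmap lines of the smb.conf above, checks that the configured ranges do not overlap, and reports which range covers each id in the quoted `id jschopp` output. The function names are hypothetical; the two sample strings are copied from the post.

```python
import re

# idmap lines copied from the smb.conf in the post (one commented-out line kept)
SMB_CONF = """\
; idmap config ARRI:range = 10000-99999
idmap config * : backend = tdb
idmap config * : range = 600-799
idmap config ARRI:backend = ad
idmap config ARRI:range = 800-19999
idmap config ARRI:schema_mode = rfc2307
"""
# `id jschopp` output from the post, joined onto one line
ID_OUTPUT = ("uid=1333(jschopp) gid=2020(domänen-benutzer) "
             "groups=2020(domänen-benutzer),610(BUILTIN+users)")
IDMAP_RE = re.compile(r"^idmap config\s+(\S+?)\s*:\s*([\w ]+?)\s*=\s*(.+)$", re.I)

def parse_ranges(conf):
    """Return {domain: (low, high)} from active 'idmap config X : range' lines."""
    out = {}
    for line in map(str.strip, conf.splitlines()):
        if not line or line[0] in ";#":   # smb.conf comment markers
            continue
        m = IDMAP_RE.match(line)
        if m and m.group(2).lower() == "range":
            low, high = (int(x) for x in m.group(3).split("-"))
            out[m.group(1)] = (low, high)
    return out

def overlaps(rng):
    """Pairs of domains whose id ranges intersect; winbind needs them disjoint."""
    doms = sorted(rng)
    return [(a, b) for i, a in enumerate(doms) for b in doms[i + 1:]
            if rng[a][0] <= rng[b][1] and rng[b][0] <= rng[a][1]]

def classify(id_output, rng):
    """Map each name in `id` output to (id, idmap domain whose range covers it)."""
    result = {}
    for num, name in re.findall(r"(\d+)\(([^)]*)\)", id_output):
        n = int(num)
        result[name] = (n, next((d for d, (lo, hi) in rng.items()
                                 if lo <= n <= hi), None))
    return result

if __name__ == "__main__":
    r = parse_ranges(SMB_CONF)
    print("overlapping ranges:", overlaps(r))
    for name, (n, dom) in classify(ID_OUTPUT, r).items():
        print(f"{n:>5} {name:<20} covered by idmap config {dom}")
```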
Volker Lendecke
2015-Jun-08 11:06 UTC
[Samba] Active Directory group membership changes not reflected in winbind information
On Mon, Jun 08, 2015 at 10:46:33AM +0000, Markert, Martin wrote:
> Hi,
> I've added an existing group ("2d3d") to an existing user ("jschopp") on our AD server. When I execute "id jschopp" the new group membership is not reflected:
>
> # id jschopp
> uid=1333(jschopp) gid=2020(domänen-benutzer) groups=2020(domänen-benutzer),610(BUILTIN+users)
>
> This is a strange behavior. Is this a caching issue?
Yes. Please re-login to the server to update that info.
With best regards,
Volker Lendecke
--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
Markert, Martin
2015-Jun-08 11:28 UTC
[Samba] Active Directory group membership changes not reflected in winbind information
Hi Volker,
thank you for your answer. What do you mean? Restarting winbind?
Kind regards,
Martin
On 08.06.2015 at 13:06, Volker Lendecke <Volker.Lendecke at SerNet.DE> wrote:
>
> On Mon, Jun 08, 2015 at 10:46:33AM +0000, Markert, Martin wrote:
>> Hi,
>> I've added an existing group ("2d3d") to an existing user ("jschopp") on our AD server. When I execute "id jschopp" the new group membership is not reflected:
>>
>> # id jschopp
>> uid=1333(jschopp) gid=2020(domänen-benutzer) groups=2020(domänen-benutzer),610(BUILTIN+users)
>>
>> This is a strange behavior. Is this a caching issue?
>
> Yes. Please re-login to the server to update that info.
>
> With best regards,
>
> Volker Lendecke
>
> --
> SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
> phone: +49-551-370000-0, fax: +49-551-370000-9
> AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
> http://www.sernet.de, mailto:kontakt at sernet.de