We are currently in the process of replacing some of our file servers with Active Directory joined Samba servers. However, during testing we have noticed behaviour that has caught us off guard.

Changes in user group membership in AD do not show up on our file servers. Specifically, changing a user's groups in AD won't affect group membership on the Samba server once the user has authenticated. Even killing their processes won't.

This is a problem, as once a client has established a connection to a share, it will keep access to the share even if group membership has long since been revoked.

It is my understanding that group membership is updated at authentication time and cached forever. Is there a way around this?

With "winbind cache time = 10" changes in group membership show up in `id` quickly _only_ as long as the user in question has no active session. Once they show up in `net status sessions` group membership sticks forever.

I am experiencing this behaviour with 4.5.8-Debian, but looking through the bugs this seems to be a recurring theme in all versions. Are there good workarounds?

[global]
obey pam restrictions = yes

netbios name = redacted
workgroup = REDACTED
security = ADS
realm = REDACTED.DE
log level = 0
usershare max shares = 0
usershare path = /dev/null

vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
inherit permissions = yes

idmap config *:backend = tdb
idmap config *:range = 1000 - 99999
idmap config REDACTED:backend = rid
idmap config REDACTED:range = 100000 - 500000
template shell = /bin/bash
template homedir = /home/%D/%U

load printers = no
printcap name = /dev/null

winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = no
winbind enum groups = no
winbind refresh tickets = Yes
winbind cache time = 10
winbind offline Logon = true
winbind expand groups = 3

-- 
Malte zu Klampen / PC-Labor / Institut für Geowissenschaften
CAU zu Kiel / Otto-Hahn-Platz 5, D-24118 Kiel
Tel. +49 431 880-3904
:wq!
On Mon, 25 Sep 2017 15:16:54 +0200
Malte zu Klampen via samba <samba at lists.samba.org> wrote:

> We are currently in the process of replacing some of our file servers
> with Active Directory joined Samba servers. However, during testing
> we have noticed behaviour that has caught us off guard.
> 
> Changes in user group membership in AD do not show up on our file
> servers. Specifically, changing a user's groups in AD won't affect
> group membership on the Samba server once the user has authenticated.
> Even killing their processes won't.
> 
> This is a problem, as once a client has established a connection to a
> share, it will keep access to the share even if group membership has
> long since been revoked.
> 
> It is my understanding that group membership is updated at
> authentication time and cached forever. Is there a way around this?
> 
> With "winbind cache time = 10" changes in group membership show up in
> `id` quickly _only_ as long as the user in question has no active
> session. Once they show up in `net status sessions` group membership
> sticks forever.
> 
> 
> I am experiencing this behaviour with 4.5.8-Debian, but looking
> through the bugs this seems to be a recurring theme in all versions.
> Are there good workarounds?
> 

Try removing 'winbind offline Logon = true'; you should only need this
on a laptop or similar.

Rowland
On 25/09/17 15:52, Rowland Penny via samba wrote:
> On Mon, 25 Sep 2017 15:16:54 +0200
> Malte zu Klampen via samba <samba at lists.samba.org> wrote:
> 
>> We are currently in the process of replacing some of our file servers
>> with Active Directory joined Samba servers. However, during testing
>> we have noticed behaviour that has caught us off guard.
>> 
>> Changes in user group membership in AD do not show up on our file
>> servers. Specifically, changing a user's groups in AD won't affect
>> group membership on the Samba server once the user has authenticated.
>> Even killing their processes won't.
>> 
>> This is a problem, as once a client has established a connection to a
>> share, it will keep access to the share even if group membership has
>> long since been revoked.
>> 
>> It is my understanding that group membership is updated at
>> authentication time and cached forever. Is there a way around this?
>> 
>> With "winbind cache time = 10" changes in group membership show up in
>> `id` quickly _only_ as long as the user in question has no active
>> session. Once they show up in `net status sessions` group membership
>> sticks forever.
>> 
>> 
>> I am experiencing this behaviour with 4.5.8-Debian, but looking
>> through the bugs this seems to be a recurring theme in all versions.
>> Are there good workarounds?
>> 
> 
> Try removing 'winbind offline Logon = true'; you should only need this
> on a laptop or similar.
> 
> Rowland
> 

No dice, sadly. The only way to reliably have Samba recognise the change in groups is to try to establish a session from a different computer, which forces authentication.

As long as the user remains logged in on their client, they keep access to shares even though their access has been revoked and their session killed on the server. The client immediately reestablishes a connection to the share and carries on.
Hai,

Now you have overlapping IDs.
idmap config *:range = 1000 - 99999

I suggest you leave some room for your "Linux users", like:
idmap config *:range = 2000 - 99999

In addition, also run: net cache flush
And run:
systemctl stop winbind
sleep 1
systemctl start winbind

Then... what does `id Administrator` tell you now?
And `id someOtheruser`?

Now please note also, you're using 4.5.8 from Debian.
I don't know how many winbind fixes they also picked up from Samba, but 4.5.8 can be tricky.
I suggest you have a good look at the winbind Debian bugs and the Samba changelog for 4.5.9, for example.

You have a few options.
1) Compile Samba yourself. (Then I suggest moving to 4.6.8.)
2) Use Debian buster, but I don't advise that; you may end up with a broken system.
3) Build your own package, which can be hard.
4) Use my packages. (4.5.14 and 4.6.8 for stretch) (http://apt.van-belle.nl)
You choose. I suggest going for 4.6.8, but if you don't like the config change at this point, use 4.5.14.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Malte zu Klampen via samba
> Sent: Monday, 25 September 2017 15:17
> To: samba at lists.samba.org
> Subject: [Samba] Winbind group membership not updating
> 
> We are currently in the process of replacing some of our file
> servers with Active Directory joined Samba servers. However,
> during testing we have noticed behaviour that has caught us off guard.
> 
> Changes in user group membership in AD do not show up on our
> file servers. Specifically, changing a user's groups in AD
> won't affect group membership on the Samba server once the
> user has authenticated. Even killing their processes won't.
> 
> This is a problem, as once a client has established a
> connection to a share, it will keep access to the share even
> if group membership has long since been revoked.
> 
> It is my understanding that group membership is updated at
> authentication time and cached forever. Is there a way around this?
> 
> With "winbind cache time = 10" changes in group membership
> show up in `id` quickly _only_ as long as the user in
> question has no active session. Once they show up in `net
> status sessions` group membership sticks forever.
> 
> 
> I am experiencing this behaviour with 4.5.8-Debian, but
> looking through the bugs this seems to be a recurring theme
> in all versions. Are there good workarounds?
> 
> 
> 
> [global]
> obey pam restrictions = yes
> 
> netbios name = redacted
> workgroup = REDACTED
> security = ADS
> realm = REDACTED.DE
> log level = 0
> usershare max shares = 0
> usershare path = /dev/null
> 
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
> inherit permissions = yes
> 
> idmap config *:backend = tdb
> idmap config *:range = 1000 - 99999
> idmap config REDACTED:backend = rid
> idmap config REDACTED:range = 100000 - 500000
> template shell = /bin/bash
> template homedir = /home/%D/%U
> 
> load printers = no
> printcap name = /dev/null
> 
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = no
> winbind enum groups = no
> winbind refresh tickets = Yes
> winbind cache time = 10
> winbind offline Logon = true
> winbind expand groups = 3
> 
> 
> 
> -- 
> Malte zu Klampen / PC-Labor / Institut für Geowissenschaften
> CAU zu Kiel / Otto-Hahn-Platz 5, D-24118 Kiel
> Tel. +49 431 880-3904
> :wq!
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
> 
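The idmap range point Louis raises can be checked mechanically rather than by eye. The script below is an added example for this thread, not Samba tooling and not either poster's code: it parses the `idmap config <domain>:range` lines from an smb.conf fragment (the one quoted from the original post) and reports ranges that overlap each other, local accounts from /etc/passwd and /etc/group whose IDs already fall inside an idmap range, and ranges that start at or below the local UID_MIN so that the next locally created account would collide. The passwd and group lines, the `localadmin` account and the UID_MIN value of 1000 are constructed for the example.

```python
"""Check smb.conf idmap ranges against each other and against local accounts.

Added example for this mailing-list thread; not part of Samba or of either
poster's setup. The smb.conf text is the idmap part of the original post; the
passwd/group lines and UID_MIN are constructed sample data.
"""
import re
from typing import Dict, List, Tuple

Range = Tuple[int, int]

# Matches lines such as "idmap config *:range = 1000 - 99999".
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<domain>[^\s:]+)\s*:\s*range\s*=\s*"
    r"(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)

# Copied from the original post (idmap lines only).
SMB_CONF = """\
[global]
idmap config *:backend = tdb
idmap config *:range = 1000 - 99999
idmap config REDACTED:backend = rid
idmap config REDACTED:range = 100000 - 500000
"""
# Louis's suggested change applied to the same fragment.
SMB_CONF_FIXED = SMB_CONF.replace("1000 - 99999", "2000 - 99999")

# Constructed sample: one local admin account and its group at UID/GID 1000.
PASSWD = "root:x:0:0:root:/root:/bin/bash\nlocaladmin:x:1000:1000::/home/localadmin:/bin/bash\n"
GROUP = "root:x:0:\nlocaladmin:x:1000:\nsudo:x:27:\n"
UID_MIN = 1000  # constructed; the value a Debian /etc/login.defs normally sets


def parse_idmap_ranges(smb_conf: str) -> Dict[str, Range]:
    """Return {domain: (low, high)} for every idmap range line in the config."""
    ranges: Dict[str, Range] = {}
    for m in RANGE_RE.finditer(smb_conf):
        lo, hi = int(m.group("lo")), int(m.group("hi"))
        if lo > hi:
            raise ValueError(f"idmap range for {m.group('domain')!r} is inverted: {lo}-{hi}")
        ranges[m.group("domain")] = (lo, hi)
    return ranges


def overlaps(a: Range, b: Range) -> bool:
    """True when two closed integer ranges share at least one ID."""
    return a[0] <= b[1] and b[0] <= a[1]


def overlapping_ranges(ranges: Dict[str, Range]) -> List[Tuple[str, str]]:
    """Pairs of domains whose idmap ranges overlap (winbind would hand out the same ID twice)."""
    names = sorted(ranges)
    return [(x, y) for i, x in enumerate(names) for y in names[i + 1:]
            if overlaps(ranges[x], ranges[y])]


def parse_ids(db_text: str) -> Dict[str, int]:
    """Map account or group name to its numeric ID from passwd/group-style lines (name:x:ID:...)."""
    ids: Dict[str, int] = {}
    for line in db_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            ids[parts[0]] = int(parts[2])
    return ids


def local_collisions(ranges: Dict[str, Range], passwd_text: str,
                     group_text: str) -> List[Tuple[str, int, str]]:
    """Local users/groups whose ID already lies inside an idmap range."""
    found = []
    for kind, text in (("user", passwd_text), ("group", group_text)):
        for name, num in parse_ids(text).items():
            for domain, (lo, hi) in ranges.items():
                if lo <= num <= hi:
                    found.append((f"{kind}:{name}", num, domain))
    return found


def no_headroom(ranges: Dict[str, Range], uid_min: int) -> List[str]:
    """Domains whose range starts at or below UID_MIN: the next local account would collide."""
    return sorted(d for d, (lo, _hi) in ranges.items() if lo <= uid_min)


def report(smb_conf: str, passwd_text: str, group_text: str, uid_min: int) -> List[str]:
    """Human-readable findings; an empty list means the ranges look clean."""
    ranges = parse_idmap_ranges(smb_conf)
    lines = [f"overlap: idmap ranges for '{x}' and '{y}' share IDs"
             for x, y in overlapping_ranges(ranges)]
    lines += [f"collision: {who} ({num}) lies inside idmap range for '{dom}'"
              for who, num, dom in local_collisions(ranges, passwd_text, group_text)]
    lines += [f"no headroom: idmap range for '{dom}' starts at or below UID_MIN={uid_min}"
              for dom in no_headroom(ranges, uid_min)]
    return lines


if __name__ == "__main__":
    for label, conf in (("as posted", SMB_CONF), ("with Louis's change", SMB_CONF_FIXED)):
        print(f"--- {label} ---")
        for line in report(conf, PASSWD, GROUP, UID_MIN) or ["no findings"]:
            print(line)
```

On a real server you would feed it the output of `testparm -s` (which expands includes and defaults) together with the actual /etc/passwd and /etc/group, and UID_MIN from /etc/login.defs. The check is independent of the session-caching problem the thread is about; it only confirms that the `*` range does not share IDs with locally created accounts.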
Hej,

There are no Linux users (above 1000 that is), and there never will be.

net cache flush does absolutely nothing.

I've already suspected that the version might be at fault and checked 4.7.0 with the same result.

I suspect the problem is not a bug per se, but an architectural problem with how sessions are constructed. As far as I can tell, group membership is resolved once at the start of the session, and never updated (or the session terminated and the client forced to re-auth) until the client logs off. But even if I kill their session, it immediately respawns with outdated groups.

Here's what I'm doing:

Create a share that requires a specific group
Add user to group
Log in user on Windows client, connect to share
Remove user from group
Log in user on a different Windows client, try to connect to the share

What happens:

The share remains accessible from the first client
User gets denied on the second client

Even if I kill the session on the server, it is immediately respawned. I simply cannot keep them from accessing the share from the first client unless they log off.

How do I work around this? I can't hound people I (automatically, I might add) remove from groups to log off. I can accept a delay, but at some point after losing group membership they should get booted off the server automatically.

On 25/09/17 16:50, L.P.H. van Belle via samba wrote:
> Hai,
> 
> Now you have overlapping IDs.
> idmap config *:range = 1000 - 99999
> 
> I suggest you leave some room for your "Linux users", like:
> idmap config *:range = 2000 - 99999
> 
> In addition, also run: net cache flush
> And run:
> systemctl stop winbind
> sleep 1
> systemctl start winbind
> 
> Then... what does `id Administrator` tell you now?
> And `id someOtheruser`?
> 
> Now please note also, you're using 4.5.8 from Debian.
> I don't know how many winbind fixes they also picked up from Samba, but 4.5.8 can be tricky.
> I suggest you have a good look at the winbind Debian bugs and the Samba changelog for 4.5.9, for example.
> 
> You have a few options.
> 1) Compile Samba yourself. (Then I suggest moving to 4.6.8.)
> 2) Use Debian buster, but I don't advise that; you may end up with a broken system.
> 3) Build your own package, which can be hard.
> 4) Use my packages. (4.5.14 and 4.6.8 for stretch) (http://apt.van-belle.nl)
> You choose. I suggest going for 4.6.8, but if you don't like the config change at this point, use 4.5.14.
> 
> 
> Greetz,
> 
> Louis
> 
> 
> 
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Malte zu Klampen via samba
>> Sent: Monday, 25 September 2017 15:17
>> To: samba at lists.samba.org
>> Subject: [Samba] Winbind group membership not updating
>> 
>> We are currently in the process of replacing some of our file
>> servers with Active Directory joined Samba servers. However,
>> during testing we have noticed behaviour that has caught us off guard.
>> 
>> Changes in user group membership in AD do not show up on our
>> file servers. Specifically, changing a user's groups in AD
>> won't affect group membership on the Samba server once the
>> user has authenticated. Even killing their processes won't.
>> 
>> This is a problem, as once a client has established a
>> connection to a share, it will keep access to the share even
>> if group membership has long since been revoked.
>> 
>> It is my understanding that group membership is updated at
>> authentication time and cached forever. Is there a way around this?
>> 
>> With "winbind cache time = 10" changes in group membership
>> show up in `id` quickly _only_ as long as the user in
>> question has no active session. Once they show up in `net
>> status sessions` group membership sticks forever.
>> 
>> 
>> I am experiencing this behaviour with 4.5.8-Debian, but
>> looking through the bugs this seems to be a recurring theme
>> in all versions. Are there good workarounds?
>> 
>> 
>> 
>> [global]
>> obey pam restrictions = yes
>> 
>> netbios name = redacted
>> workgroup = REDACTED
>> security = ADS
>> realm = REDACTED.DE
>> log level = 0
>> usershare max shares = 0
>> usershare path = /dev/null
>> 
>> vfs objects = acl_xattr
>> map acl inherit = Yes
>> store dos attributes = Yes
>> inherit permissions = yes
>> 
>> idmap config *:backend = tdb
>> idmap config *:range = 1000 - 99999
>> idmap config REDACTED:backend = rid
>> idmap config REDACTED:range = 100000 - 500000
>> template shell = /bin/bash
>> template homedir = /home/%D/%U
>> 
>> load printers = no
>> printcap name = /dev/null
>> 
>> winbind trusted domains only = no
>> winbind use default domain = yes
>> winbind enum users = no
>> winbind enum groups = no
>> winbind refresh tickets = Yes
>> winbind cache time = 10
>> winbind offline Logon = true
>> winbind expand groups = 3
>> 
>> 
>> 
>> -- 
>> Malte zu Klampen / PC-Labor / Institut für Geowissenschaften
>> CAU zu Kiel / Otto-Hahn-Platz 5, D-24118 Kiel
>> Tel. +49 431 880-3904
>> :wq!
>> 
> 
> 