Hey there,
we're running Samba 4.7.4 (Debian SID) as an AD/DC and a separate Samba
4.7.4 Fileserver to use Posix ACLs.
Now it's possible that a user is assigned to a group after logging in to a
Windows machine. This will result in an access denied when the user tries to
access a directory that the new group has access to.
As far as I know Windows retrieves a Kerberos ticket on login containing the
assigned groups. When the assigned groups change afterwards, Samba denies the
access to this directory using the "old" Kerberos ticket.
After some time I found out that it's possible to do a "smbcontrol smbd
kill-client-ip <IP>" to reset the Kerberos ticket. Then the Kerberos
ticket is updated and the client has access to the share.
Now we're writing a frontend that assigns users to groups, so we search for
the "best practice" way. The easiest thing would be to call the
smbcontrol command from our code, but I think that you agree that this isn't
a nice way.
So is there a way to solve this problem from the client side without running a
command on the fileserver? For example a little script which runs on Windows?
Or is there a better way to solve this issue apart from
"kill-client-ip"? And is there maybe even a Python/C API available, so
we don't need to call a command directly from our code?
Thank you in advance.
Kind regards
Sören