kawazu428 at gmail.com
2018-Jun-01 09:53 UTC
[Samba] winbind, nsswitch, AD and group membership caching?
Folks;

using samba+winbindd+pam+nsswitch to make several Linux servers authenticate against an AD domain, I do have my setup mostly working now:

- AD users are able to ssh into the machine.
- wbinfo -g / -u does list all domain users.
- getent group / getent passwd does list Unix and AD users.

However, after changing some users' group memberships in AD, I didn't manage to propagate this change to the Linux servers; even after waiting for several hours, "groups" for this user still doesn't "see" the new group memberships.

Already looked at my smb.conf and stumbled across "winbind cache time", which is set to the default (and should have expired all relevant user information long ago).

Can anyone point me where to look to get this right?

Thanks in advance and all best,
Kristian
Rowland Penny
2018-Jun-01 10:05 UTC
[Samba] winbind, nsswitch, AD and group membership caching?
On Fri, 01 Jun 2018 11:53:55 +0200 Kristian via samba <samba at lists.samba.org> wrote:

> Folks;
>
> using samba+winbindd+pam+nsswitch to make several Linux servers authenticate against an AD domain, I do have my setup mostly working now:
>
> - AD users are able to ssh into the machine.
> - wbinfo -g / -u does list all domain users.
> - getent group / getent passwd does list Unix and AD users.
>
> However, after changing some users' group memberships in AD, I didn't manage to propagate this change to the Linux servers; even after waiting for several hours, "groups" for this user still doesn't "see" the new group memberships.
>
> Already looked at my smb.conf and stumbled across "winbind cache time", which is set to the default (and should have expired all relevant user information long ago).
>
> Can anyone point me where to look to get this right?
> Thanks in advance and all best,
> Kristian

Have the users logged in? If not, then this is the expected behaviour.

From the release notes for 4.6.0:

winbind contains code that tries to emulate the group membership calculation that domain controllers do when a user logs in. This group membership calculation is a very complex process, in particular for domain trust relationship situations. Also, in many scenarios it is impossible for winbind to correctly do this calculation due to access restrictions in the domains: winbind using its machine account simply does not have the rights to ask for an arbitrary user's group memberships. When a user logs in to a Samba server, the domain controller correctly calculates the user's group memberships authoritatively and makes the information available to the Samba server. This is the only reliable way Samba can get informed about the groups a user is member of.

Rowland
kawazu428 at gmail.com
2018-Jun-01 10:11 UTC
[Samba] winbind, nsswitch, AD and group membership caching?
Hi Rowland;

thanks for your comment.

On Friday, 01.06.2018, 11:05 +0100, Rowland Penny via samba wrote:

> Have the users logged in? If not, then this is the expected behaviour.

The users have logged in several times using ssh; does that suffice? As far as I can tell right now, it *looks* like this is computed just exactly once and never updated. Did a quick check with an empty VM that joined the domain; after logging in there with the same user, group assignment is the same as in Windows AD.

Forgot to mention before: I'm on Ubuntu 16.04 / samba 4.3.11.

Best regards,
Kristian
Luca Olivetti
2018-Jun-01 14:21 UTC
[Samba] winbind, nsswitch, AD and group membership caching?
On 01/06/18 at 12:05, Rowland Penny via samba wrote:

> Have the users logged in? If not, then this is the expected behaviour.
>
> From the release notes for 4.6.0:

This can't be right? I have servers where users are supposed to *never* login (and in fact they never do) but I need to check group membership. And it works[*]. The changes made in the DC are visible after the "winbind cache time" or after restarting winbind.

The specific server where I tested is running 4.6.12.

[*] More or less. Sometimes winbind stops working, but I have a cron-job that checks and restarts it if necessary.

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es/
Tel. +34 93 5883004 (Ext.3010) Fax +34 93 5883007
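The thread mentions three operational pieces without showing them: a cron job that checks winbindd and restarts it when it is wedged, forcing a re-read of group membership instead of waiting for "winbind cache time" to expire, and confirming that the groups a host now sees match what AD says. The script below is an added example written for this thread, not something posted by any of the participants or shipped by Samba. It uses only standard tools (`wbinfo -p` to ping winbindd, `wbinfo -t` to verify the machine trust secret, `net cache flush` to drop winbind's cached lookups, `id -G` for the GIDs the NSS layer returns); the service name in `RESTART_CMD` and the `WBINFO`/`NET`/`ID` override variables are assumptions so the logic can be exercised on a host that is not joined to a domain. Membership is compared by numeric GID rather than name because AD group names such as "Domain Users" contain spaces and do not split cleanly from `id -Gn` output.

```shell
#!/bin/sh
# Added example (not from the thread, not Samba's own code): cron-friendly
# winbindd health check plus a group-membership refresh and comparison.
# The command variables can be overridden for testing on an unjoined host.
WBINFO=${WBINFO:-wbinfo}
NET=${NET:-net}
ID=${ID:-id}
RESTART_CMD=${RESTART_CMD:-"systemctl restart winbind"}   # assumed service name

# 0 when winbindd answers a ping and the machine account's trust secret checks out.
winbind_healthy() {
    "$WBINFO" -p >/dev/null 2>&1 && "$WBINFO" -t >/dev/null 2>&1
}

# Restart winbindd only when the health check fails (what a cron job would call).
ensure_winbind() {
    if winbind_healthy; then
        echo "winbind ok"
        return 0
    fi
    echo "winbind unhealthy, restarting"
    $RESTART_CMD
}

# Drop winbind's cached lookups so the next query goes back to a DC instead of
# waiting for "winbind cache time", then print the user's GIDs one per line.
refresh_groups() {
    "$NET" cache flush >/dev/null 2>&1
    "$ID" -G "$1" | tr ' ' '\n'
}

# Print every line of $1 (expected, newline-separated) that is absent from
# $2 (actual, newline-separated). Exact, fixed-string matching per line.
missing_groups() {
    printf '%s\n' "$1" | while IFS= read -r g; do
        [ -n "$g" ] || continue
        printf '%s\n' "$2" | grep -qxF -- "$g" || printf '%s\n' "$g"
    done
}

# 0 when nothing expected is missing from the host's view.
membership_matches() {
    [ -z "$(missing_groups "$1" "$2")" ]
}

# Stand-alone usage:
#   ./winbind-check.sh check                     -> health check / restart
#   ./winbind-check.sh groups USER "10513 10512" -> show expected GIDs not seen
case "${1:-}" in
    check)
        ensure_winbind
        ;;
    groups)
        expected=$(printf '%s\n' $3)
        actual=$(refresh_groups "$2")
        if membership_matches "$expected" "$actual"; then
            echo "all expected groups present for $2"
        else
            echo "missing for $2:"
            missing_groups "$expected" "$actual"
        fi
        ;;
esac
```

Run the `check` branch from cron every few minutes; the `groups` branch is what to run right after changing a membership in AD to see whether the host's view has caught up, with the expected GIDs taken from `getent group "<AD group>"` on a host known to be current.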