Hi,

For some users I am trying to deny file access to our domain member servers, yet keeping their AD account for all other purposes, like email and ldap authorized clients.

So I figured I removed the unix attributes from a user in ADUC, while keeping the rest. I expected that would make the user 'invisible' for the domain member (file) servers, while maintaining the account for everything else.

Now, a day later, on one of our domain member servers the user is gone:

> root@server1:~# wbinfo -u | grep test
> test
> root@server1:~# id test
> id: ‘test’: no such user
> root@server1:~# getent passwd test
> root@server1:~#

but on another server, the user still remains:

> root@server2:~# wbinfo -u | grep test
> test
> root@server2:~# id test
> uid=63993(test) gid=513(domain users) groups=513(domain users),1000001(BUILTIN\users)
> root@server2:~# getent passwd test
> test:*:63993:513::/home/WRKGRP/test:/bin/false
> root@server2:~#

Probably running net cache flush will remove the user on server2 as well, but is there an expiration on the winbind cache? Will the user disappear from server2 automatically after a certain period?

Otherwise we have to perform the additional manual flush of the net cache on each domain member server, each time we want to deny fileserver access for a user.

Or is there a better way to keep everything, while centrally denying fileserver access for specific users?

MJ
On Wed, 10 Oct 2018 11:04:29 +0200
mj via samba <samba@lists.samba.org> wrote:

> Hi,
>
> For some users I am trying to deny file access to our domain member
> servers, yet keeping their AD account for all other purposes, like
> email and ldap authorized clients.
>
> So I figured I removed the unix attributes from a user in ADUC, while
> keeping the rest. I expected that would make the user 'invisible' for
> the domain member (file) servers, while maintaining the account for
> everything else.
>
> Now, a day later, on one of our domain member servers the user is gone:
>
> > root@server1:~# wbinfo -u | grep test
> > test
> > root@server1:~# id test
> > id: ‘test’: no such user
> > root@server1:~# getent passwd test
> > root@server1:~#
>
> but on another server, the user still remains:
>
> > root@server2:~# wbinfo -u | grep test
> > test
> > root@server2:~# id test
> > uid=63993(test) gid=513(domain users) groups=513(domain users),1000001(BUILTIN\users)
> > root@server2:~# getent passwd test
> > test:*:63993:513::/home/WRKGRP/test:/bin/false
> > root@server2:~#
>
> Probably running net cache flush will remove the user on server2 as
> well, but is there an expiration on the winbind cache? Will the user
> disappear from server2 automatically after a certain period?

Yes, provided the user isn't logged into or connected to the share.

> Otherwise we have to perform the additional manual flush of the net
> cache on each domain member server, each time we want to deny
> fileserver access for a user.

You should only have to do this once, unless you are using the 'rid' backend.

> Or is there a better way to keep everything, while centrally
> denying fileserver access for specific users?

Yes, set the user's permissions with 'setfacl' or from Windows.

Rowland
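The two things this reply relies on, checking whether a name still resolves through winbind on a given member server and denying that user on a share root with setfacl, put together as an added example (not Rowland's or the Samba project's code). The share root /srv/share, the user names and the DRY_RUN switch are assumed values.

```shell
#!/bin/sh
# Added example, not from the thread. On a Samba domain member server, check
# whether an AD user still resolves through NSS/winbind (the cache symptom
# described in the thread) and build or apply the setfacl entry that denies
# that user on a share root. /srv/share and the user names are assumed.

# Return 0 if the name resolves via NSS (AD or the winbind cache), 1 otherwise.
# This is the same check as "getent passwd test" in the thread.
user_resolves() {
    getent passwd "$1" >/dev/null 2>&1
}

# Print the setfacl command that gives the user no access to the share root
# and no default access for entries created below it. Denying the root is
# enough, because the user cannot traverse into anything beneath it.
deny_acl_cmd() {
    printf 'setfacl -m u:%s:--- -m d:u:%s:--- %s\n' "$1" "$1" "$2"
}

# Apply (or, with DRY_RUN=1, only print) the no-access ACL for the user.
# Skip with status 2 when the name does not resolve on this server: setfacl
# needs the uid, and an unresolvable user cannot reach the share anyway.
deny_user_on_share() {
    user="$1"; share="$2"
    if ! user_resolves "$user"; then
        echo "$user does not resolve on this server; nothing to set" >&2
        return 2
    fi
    if [ "${DRY_RUN:-1}" = 1 ]; then
        deny_acl_cmd "$user" "$share"
    else
        setfacl -m "u:$user:---" -m "d:u:$user:---" "$share"
    fi
}

# Usage (constructed values): dry run for AD user "test" on /srv/share.
# Exits with status 2 on a machine where "test" is not a known user.
DRY_RUN=1 deny_user_on_share test /srv/share || :
```

Run it with DRY_RUN=0 on each member server to actually set the ACL; the `getent` check tells you whether the winbind cache on that server has already dropped the user.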
Hi Rowland,

Thanks for the quick reply.

On 10/10/2018 11:16 AM, Rowland Penny via samba wrote:
>> Probably running net cache flush will remove the user on server2 as
>> well, but is there an expiration on the winbind cache? Will the user
>> disappear from server2 automatically after a certain period?
>
> Yes, provided the user isn't logged into or connected to the share.

Ok, I will wait a few days longer, and then check again.

>> Or is there a better way to keep everything, while centrally
>> denying fileserver access for specific users?
>
> Yes, set the user's permissions with 'setfacl' or from Windows.

Hmm, not sure if that feels better for our case.

Thanks for the help!

mj