Winbind group membership not updating


Winbind group membership not updating

Samba - General mailing list
We are currently in the process of replacing some of our file servers
with Active Directory joined Samba servers. However, during testing we
have noticed behaviour that has caught us off guard.

Changes in user group membership in AD do not show up on our file
servers. Specifically, changing a user's groups in AD won't affect group
membership on the Samba server once the user has authenticated. Even
killing their processes won't.

This is a problem, as once a client has established a connection to a
share, it will keep access to the share even if group membership has
long since been revoked.

It is my understanding that group membership is updated at
authentication time and cached forever. Is there a way around this?

With "winbind cache time = 10" changes in group membership show up in
`id` quickly _only_ as long as the user in question has no active
session. Once they show up in `net status sessions` group membership
sticks forever.


I am experiencing this behaviour with 4.5.8-Debian, but looking through
the bugs this seems to be a recurring theme in all versions. Are there
good workarounds?



[global]
         obey pam restrictions = yes

         netbios name = redacted
         workgroup = REDACTED
         security = ADS
         realm = REDACTED.DE
         log level = 0
         usershare max shares = 0
         usershare path = /dev/null

         vfs objects = acl_xattr
         map acl inherit = Yes
         store dos attributes = Yes
         inherit permissions = yes

         idmap config *:backend = tdb
         idmap config *:range =          1000 -  99999
         idmap config REDACTED:backend = rid
         idmap config REDACTED:range = 100000 - 500000
         template shell = /bin/bash
         template homedir = /home/%D/%U

         load printers = no
         printcap name = /dev/null

         winbind trusted domains only = no
         winbind use default domain = yes
         winbind enum users  = no
         winbind enum groups = no
         winbind refresh tickets = Yes
         winbind cache time = 10
         winbind offline Logon = true
         winbind expand groups = 3



--
Malte zu Klampen / PC-Labor / Institut für Geowissenschaften
CAU zu Kiel / Otto-Hahn-Platz 5, D-24118 Kiel
Tel.   +49 431 880-3904
:wq!


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Winbind group membership not updating

Samba - General mailing list
On Mon, 25 Sep 2017 15:16:54 +0200
Malte zu Klampen via samba <[hidden email]> wrote:

> We are currently in the process of replacing some of our file servers
> with Active Directory joined Samba servers. However, during testing
> we have noticed behaviour that has caught us off guard.
>
> Changes in user group membership in AD do not show up on our file
> servers. Specifically, changing a user's groups in AD won't affect
> group membership on the Samba server once the user has authenticated.
> Even killing their processes won't.
>
> This is a problem, as once a client has established a connection to a
> share, it will keep access to the share even if group membership has
> long since been revoked.
>
> It is my understanding that group membership is updated at
> authentication time and cached forever. Is there a way around this?
>
> With "winbind cache time = 10" changes in group membership show up in
> `id` quickly _only_ as long as the user in question has no active
> session. Once they show up in `net status sessions` group membership
> sticks forever.
>
>
> I am experiencing this behaviour with 4.5.8-Debian, but looking
> through the bugs this seems to be a recurring theme in all versions.
> Are there good workarounds?
>

Try removing 'winbind offline Logon = true', you should only need this
on a laptop or similar.

Rowland


Re: Winbind group membership not updating

Samba - General mailing list


On 25/09/17 15:52, Rowland Penny via samba wrote:

> On Mon, 25 Sep 2017 15:16:54 +0200
> Malte zu Klampen via samba <[hidden email]> wrote:
>
>> We are currently in the process of replacing some of our file servers
>> with Active Directory joined Samba servers. However, during testing
>> we have noticed behaviour that has caught us off guard.
>>
>> Changes in user group membership in AD do not show up on our file
>> servers. Specifically, changing a user's groups in AD won't affect
>> group membership on the Samba server once the user has authenticated.
>> Even killing their processes won't.
>>
>> This is a problem, as once a client has established a connection to a
>> share, it will keep access to the share even if group membership has
>> long since been revoked.
>>
>> It is my understanding that group membership is updated at
>> authentication time and cached forever. Is there a way around this?
>>
>> With "winbind cache time = 10" changes in group membership show up in
>> `id` quickly _only_ as long as the user in question has no active
>> session. Once they show up in `net status sessions` group membership
>> sticks forever.
>>
>>
>> I am experiencing this behaviour with 4.5.8-Debian, but looking
>> through the bugs this seems to be a recurring theme in all versions.
>> Are there good workarounds?
>>
>
> Try removing 'winbind offline Logon = true', you should only need this
> on a laptop or similar.
>
> Rowland
>
No dice, sadly. The only way to reliably have Samba recognise the change
in groups is to try to establish a session from a different computer,
which forces authentication.

As long as the user remains logged in on their client, they keep access
to shares even though their access has been revoked and their session
killed on the server. The client immediately reestablishes a connection
to the share and carries on.



Re: Winbind group membership not updating

Samba - General mailing list
Hai,

Now you have overlapping IDs.
idmap config *:range =          1000 -  99999

I suggest leaving some room for your "linux users",
like: idmap config *:range =          2000 -  99999

In addition, also run: net cache flush
And run:
systemctl stop winbind
sleep 1
systemctl start winbind

Then.. what does: id Administrator
tell you now?
And id someOtheruser?

Now please note also, you're using 4.5.8 from Debian.
I don't know how many winbind fixes they also picked up from Samba, but 4.5.8 can be tricky.
I suggest you have a good look at the winbind Debian bugs and the Samba changelog for 4.5.9, for example.

You have a few options.
1) Compile Samba yourself. (Then I suggest moving to 4.6.8.)
2) Use Debian buster, but I don't advise that; you may end up with a broken system.
3) Build your own package, which can be hard.
4) Use my packages. (4.5.14 and 4.6.8 for stretch) (http://apt.van-belle.nl)
You choose. I suggest going for 4.6.8, but if you don't like the config change at this point, use 4.5.14.


Greetz,

Louis



> -----Original message-----
> From: samba [mailto:[hidden email]] On behalf of
> Malte zu Klampen via samba
> Sent: Monday, 25 September 2017 15:17
> To: [hidden email]
> Subject: [Samba] Winbind group membership not updating
>
> We are currently in the process of replacing some of our file
> servers with Active Directory joined Samba servers. However,
> during testing we have noticed behaviour that has caught us off guard.
>
> Changes in user group membership in AD do not show up on our
> file servers. Specifically, changing a user's groups in AD
> won't affect group membership on the Samba server once the
> user has authenticated. Even killing their processes won't.
>
> This is a problem, as once a client has established a
> connection to a share, it will keep access to the share even
> if group membership has long since been revoked.
>
> It is my understanding that group membership is updated at
> authentication time and cached forever. Is there a way around this?
>
> With "winbind cache time = 10" changes in group membership
> show up in `id` quickly _only_ as long as the user in
> question has no active session. Once they show up in `net
> status sessions` group membership sticks forever.
>
>
> I am experiencing this behaviour with 4.5.8-Debian, but
> looking through the bugs this seems to be a recurring theme
> in all versions. Are there good workarounds?
>
>
>
> [global]
>          obey pam restrictions = yes
>
>          netbios name = redacted
>          workgroup = REDACTED
>          security = ADS
>          realm = REDACTED.DE
>          log level = 0
>          usershare max shares = 0
>          usershare path = /dev/null
>
>          vfs objects = acl_xattr
>          map acl inherit = Yes
>          store dos attributes = Yes
>          inherit permissions = yes
>
>          idmap config *:backend = tdb
>          idmap config *:range =          1000 -  99999
>          idmap config REDACTED:backend = rid
>          idmap config REDACTED:range = 100000 - 500000
>          template shell = /bin/bash
>          template homedir = /home/%D/%U
>
>          load printers = no
>          printcap name = /dev/null
>
>          winbind trusted domains only = no
>          winbind use default domain = yes
>          winbind enum users  = no
>          winbind enum groups = no
>          winbind refresh tickets = Yes
>          winbind cache time = 10
>          winbind offline Logon = true
>          winbind expand groups = 3
>
>
>
> --
> Malte zu Klampen / PC-Labor / Institut für Geowissenschaften
> CAU zu Kiel / Otto-Hahn-Platz 5, D-24118 Kiel
> Tel.   +49 431 880-3904
> :wq!
>



Re: Winbind group membership not updating

Samba - General mailing list
Hej,

There are no Linux users (above 1000 that is), and there never will be.

net cache flush does absolutely nothing.

I've already suspected that the version might be at fault and checked
4.7.0 with the same result.

I suspect the problem is not a bug per se, but an architectural problem
with how sessions are constructed. As far as I can tell, group
membership is resolved once at the start of the session, and never
updated (or the session terminated and the client forced to re-auth)
until the client logs off.

But even if I kill their session, it immediately respawns with outdated
groups.

Here's what I'm doing:

Create a share that requires a specific group
Add user to group
Log in user on Windows client, connect to share
Remove user from group
Log in user on a different Windows client, try to connect to the share

What happens:

The share remains accessible from the first client
User gets denied on the second client

Even if I kill the session on the server, it is immediately respawned. I
simply cannot keep them from accessing the share from the first client
unless they log off.

How do I work around this? I can't hound people I (automatically, I
might add) remove from groups to log off. I can accept a delay, but at
some point after losing group membership they should get booted off the
server automatically.



On 25/09/17 16:50, L.P.H. van Belle via samba wrote:

> Hai,
>
> Now you have overlapping IDs.
> idmap config *:range =          1000 -  99999
>
> I suggest leaving some room for your "linux users",
> like: idmap config *:range =          2000 -  99999
>
> In addition, also run: net cache flush
> And run:
> systemctl stop winbind
> sleep 1
> systemctl start winbind
>
> Then.. what does: id Administrator
> tell you now?
> And id someOtheruser?
>
> Now please note also, you're using 4.5.8 from Debian.
> I don't know how many winbind fixes they also picked up from Samba, but 4.5.8 can be tricky.
> I suggest you have a good look at the winbind Debian bugs and the Samba changelog for 4.5.9, for example.
>
> You have a few options.
> 1) Compile Samba yourself. (Then I suggest moving to 4.6.8.)
> 2) Use Debian buster, but I don't advise that; you may end up with a broken system.
> 3) Build your own package, which can be hard.
> 4) Use my packages. (4.5.14 and 4.6.8 for stretch) (http://apt.van-belle.nl)
> You choose. I suggest going for 4.6.8, but if you don't like the config change at this point, use 4.5.14.
>
>
> Greetz,
>
> Louis
>
>
>
>> -----Original message-----
>> From: samba [mailto:[hidden email]] On behalf of
>> Malte zu Klampen via samba
>> Sent: Monday, 25 September 2017 15:17
>> To: [hidden email]
>> Subject: [Samba] Winbind group membership not updating
>>
>> We are currently in the process of replacing some of our file
>> servers with Active Directory joined Samba servers. However,
>> during testing we have noticed behaviour that has caught us off guard.
>>
>> Changes in user group membership in AD do not show up on our
>> file servers. Specifically, changing a user's groups in AD
>> won't affect group membership on the Samba server once the
>> user has authenticated. Even killing their processes won't.
>>
>> This is a problem, as once a client has established a
>> connection to a share, it will keep access to the share even
>> if group membership has long since been revoked.
>>
>> It is my understanding that group membership is updated at
>> authentication time and cached forever. Is there a way around this?
>>
>> With "winbind cache time = 10" changes in group membership
>> show up in `id` quickly _only_ as long as the user in
>> question has no active session. Once they show up in `net
>> status sessions` group membership sticks forever.
>>
>>
>> I am experiencing this behaviour with 4.5.8-Debian, but
>> looking through the bugs this seems to be a recurring theme
>> in all versions. Are there good workarounds?
>>
>>
>>
>> [global]
>>           obey pam restrictions = yes
>>
>>           netbios name = redacted
>>           workgroup = REDACTED
>>           security = ADS
>>           realm = REDACTED.DE
>>           log level = 0
>>           usershare max shares = 0
>>           usershare path = /dev/null
>>
>>           vfs objects = acl_xattr
>>           map acl inherit = Yes
>>           store dos attributes = Yes
>>           inherit permissions = yes
>>
>>           idmap config *:backend = tdb
>>           idmap config *:range =          1000 -  99999
>>           idmap config REDACTED:backend = rid
>>           idmap config REDACTED:range = 100000 - 500000
>>           template shell = /bin/bash
>>           template homedir = /home/%D/%U
>>
>>           load printers = no
>>           printcap name = /dev/null
>>
>>           winbind trusted domains only = no
>>           winbind use default domain = yes
>>           winbind enum users  = no
>>           winbind enum groups = no
>>           winbind refresh tickets = Yes
>>           winbind cache time = 10
>>           winbind offline Logon = true
>>           winbind expand groups = 3
>>
>>
>>
>> --
>> Malte zu Klampen / PC-Labor / Institut für Geowissenschaften
>> CAU zu Kiel / Otto-Hahn-Platz 5, D-24118 Kiel
>> Tel.   +49 431 880-3904
>> :wq!
>>
>
>


Re: Winbind group membership not updating

Samba - General mailing list
On Tue, 26 Sep 2017 11:16:46 +0200
Malte zu Klampen via samba <[hidden email]> wrote:

> Hej,
>
> There are no Linux users (above 1000 that is), and there never will
> be.
>
> net cache flush does absolutely nothing.
>
> I've already suspected that the version might be at fault and checked
> 4.7.0 with the same result.
>
> I suspect the problem is not a bug per se, but an architectural
> problem with how sessions are constructed. As far as I can tell,
> group membership is resolved once at the start of the session, and
> never updated (or the session terminated and the client forced to
> re-auth) until the client logs off.
>
> But even if I kill their session, it immediately respawns with
> outdated groups.
>
> Here's what I'm doing:
>
> Create a share that requires a specific group
> Add user to group
> Log in user on Windows client, connect to share
> Remove user from group
> Log in user on a different Windows client, try to connect to the share
>
> What happens:
>
> The share remains accessible from the first client
> User gets denied on the second client
>
> Even if I kill the session on the server, it is immediately
> respawned. I simply cannot keep them from accessing the share from
> the first client unless they log off.
>
> How do I work around this? I can't hound people I (automatically, I
> might add) remove from groups to log off. I can accept a delay, but
> at some point after losing group membership they should get booted
> off the server automatically.
>
>

I don't think you can work around this, I am fairly sure if you try
this against a windows server, you would get the same result, unless
the user logs out, they will still think they are members of the group
and will get access.

Rowland


Re: Winbind group membership not updating

Samba - General mailing list


On 26/09/17 11:53, Rowland Penny via samba wrote:
> I don't think you can work around this, I am fairly sure if you try
> this against a windows server, you would get the same result, unless
> the user logs out, they will still think they are members of the group
> and will get access.
>
> Rowland
>

...huh. Yes, of course. I was fixated on the *NIX side and didn't think
how Windows behaves in this situation.

Well, I am happy to report that Samba behaves exactly like Windows in
this regard. It still vexes me that I can't find a way to boot users off
a share they shouldn't have access to anymore, but I guess that's less
of a Samba problem and more of a problem best solved with a File Share
Access Compliance Squad convincing people to log off once in a while...



Re: Winbind group membership not updating

Samba - General mailing list
On Tue, Sep 26, 2017 at 02:50:20PM +0200, Malte zu Klampen via samba wrote:

>
>
> On 26/09/17 11:53, Rowland Penny via samba wrote:
> > I don't think you can work around this, I am fairly sure if you try
> > this against a windows server, you would get the same result, unless
> > the user logs out, they will still think they are members of the group
> > and will get access.
> >
> > Rowland
> >
>
> ...huh. Yes, of course. I was fixated on the *NIX side and didn't think how
> Windows behaves in this situation.
>
> Well, I am happy to report that Samba behaves exactly like Windows in this
> regard. It still vexes me that I can't find a way to boot users off a share
> they shouldn't have access to anymore, but I guess that's less of a Samba
> problem and more of a problem best solved with a File Share Access
> Compliance Squad convincing people to log off once in a while...

Doesn't smbcontrol close-share do what you want here?

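The thread ends with the suggestion to use `smbcontrol close-share`, and earlier Malte says he can accept a delay as long as revoked users are eventually booted off. The following is an added example, not code from the thread or from the Samba project: a dry-run "session compliance" check that compares the currently connected sessions against the group each share requires and the membership winbind resolves now, then prints the `smbcontrol smbd close-share` command for every share that still has a revoked user attached. The share-to-group policy, the session list and the group lists are all constructed sample data; on a real server the sessions would be parsed from `smbstatus -S` or `net status sessions` and the groups from `id` on the file server, which honours `winbind cache time`. Nothing here executes smbcontrol; the operator reviews the plan first.

```python
"""Added example (not from the thread): plan share closures for revoked users.

All data in this module is constructed for illustration. Functions are pure so
the collection step (smbstatus / id) can be swapped in by the caller.
"""
from collections import defaultdict

# Hypothetical policy: the AD group each share requires (None = unrestricted).
SHARE_REQUIRED_GROUP = {
    "projects": "proj-users",
    "finance": "finance-rw",
    "public": None,
}

# Constructed stand-in for the session list (`smbstatus -S` / `net status sessions`):
# (username, share, client machine)
ACTIVE_SESSIONS = [
    ("alice", "projects", "pc-lab-01"),
    ("bob", "projects", "pc-lab-02"),
    ("bob", "finance", "pc-lab-02"),
    ("carol", "finance", "pc-lab-03"),
    ("dave", "public", "pc-lab-04"),
]

# Constructed stand-in for membership as winbind resolves it on the server
# (`id -nG <user>`) after the AD change has propagated. bob was removed from
# both groups but still has sessions open, which is the situation in the thread.
CURRENT_GROUPS = {
    "alice": {"domain users", "proj-users"},
    "bob": {"domain users"},
    "carol": {"domain users", "finance-rw"},
    "dave": {"domain users"},
}


def stale_sessions(sessions, required, groups):
    """Sessions whose user no longer holds the group the share requires.

    A user with no group information at all is treated as revoked, so a user
    that disappeared from AD entirely is also caught.
    """
    stale = []
    for user, share, client in sessions:
        need = required.get(share)
        if need is None:
            continue  # unrestricted share: nothing to enforce
        if need not in groups.get(user, set()):
            stale.append((user, share, client))
    return stale


def shares_to_close(sessions, required, groups):
    """Distinct shares with at least one stale session, sorted for stable output."""
    return sorted({share for _, share, _ in stale_sessions(sessions, required, groups)})


def collateral(sessions, required, groups):
    """Users who still qualify for a share that is about to be closed.

    close-share drops every connection to the share, not only the revoked
    user's, so these users are disconnected too (clients normally reconnect).
    """
    stale_pairs = {(u, s) for u, s, _ in stale_sessions(sessions, required, groups)}
    closing = {s for _, s in stale_pairs}
    victims = defaultdict(set)
    for user, share, _ in sessions:
        if share in closing and (user, share) not in stale_pairs:
            victims[share].add(user)
    return {share: sorted(users) for share, users in victims.items()}


def closure_commands(shares):
    """argv lists for the command suggested in the last post of the thread."""
    return [["smbcontrol", "smbd", "close-share", share] for share in shares]


if __name__ == "__main__":
    args = (ACTIVE_SESSIONS, SHARE_REQUIRED_GROUP, CURRENT_GROUPS)
    for user, share, client in stale_sessions(*args):
        print(f"revoked: {user} on //{share} from {client} "
              f"(requires {SHARE_REQUIRED_GROUP[share]})")
    for share, users in collateral(*args).items():
        print(f"note: closing {share} also drops still-authorised {', '.join(users)}")
    for argv in closure_commands(shares_to_close(*args)):
        print("would run:", " ".join(argv))
```

Two practical points when wiring this up. With `winbind use default domain = yes`, group names such as "domain users" contain spaces, so the output of `id -nG` is ambiguous; compare numeric GIDs from `id -G` against `getent group <name>` instead of splitting names on whitespace. And closing the share only helps once the client re-authenticates with fresh group information: a Windows client holding a Kerberos ticket issued under its old group set can reconnect with the same groups, which is the behaviour Rowland describes, so expect the revocation to take effect at ticket renewal or re-logon rather than instantly.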