The Samba-Bugzilla – Bug 1848
Samba / ADS / changing groups / new permissions not obeyed
Last modified: 2005-02-07 09:23:59 UTC
security = ADS
When I change a user's groups, the permissions aren't obeyed.
User X is in group A, B & C.
I have a directory N only accessible by group B.
I remove user X from group B on the ADS.
As I have set the winbind cache refresh very low, the change is seen with "id X"
very quickly. Great so far.
Problem is, somehow Samba still allows X to access directory N with smbclient -k
and with a Windows XP client.
When I log in with smbclient without Kerberos, X can't access directory N
anymore. All as it should be again.
After this the XP client has to log off, then log on, and then the permissions
I tried both "client use spnego" no & yes. Same result.
I reproduced this behaviour in two different networks.
Relogging the XP client twice also applies the changes to the permissions.
It's a winbindd issue.
Starting winbindd with -n (no caching) solves the problem.
This is of course bad for performance, but at least I've finally got a working
Sidenote: It is also very, VERY important that both A-records and PTR-records in
DNS are correct!
behavior is by design. Original bug report against 3.0.8pre1