Bug 1848 - Samba / ADS / changing groups / new permissions not obeyed
Status: RESOLVED INVALID
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Version: 3.0.8
Hardware: x86 Linux
Importance: P3 major
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Reported: 2004-09-29 10:03 UTC by Richard de Vroede
Modified: 2005-02-07 09:23 UTC
Description Richard de Vroede 2004-09-29 10:03:41 UTC
security = ADS

When I change a user's groups, the permissions aren't obeyed.

Example:
User X is in group A, B & C.
I have a directory N only accessible by group B.
I remove user X from group B on the ADS.
As I have set the winbind cache refresh very low, the change is seen with "id X"
very quickly. Great so far.

Problem is, somehow Samba still allows X to access directory N with smbclient -k
and with a Windows XP client. 

When I log in with smbclient without Kerberos, X can't access directory N
anymore. All as it should be again. 

After this the XP client has to log off, then log on, and then the permissions
are obeyed.

I tried both "client use spnego" no & yes. Same result.

I reproduced this behaviour in two different networks.
Comment 1 Richard de Vroede 2004-09-30 00:40:41 UTC
Relogging the XP client twice also applies the changes to the permissions.
Comment 2 Richard de Vroede 2004-09-30 04:51:30 UTC
It's a winbindd issue.

Starting winbindd with -n (no caching) solves the problem.
This is of course bad for performance, but at least I've finally got a working
setup ;)

Sidenote: It is also very, VERY important that both A-records and PTR-records in
DNS are correct!
Comment 3 Gerald (Jerry) Carter (dead mail address) 2005-02-07 09:23:59 UTC
Behavior is by design. Original bug report against 3.0.8pre1