The Samba-Bugzilla – Bug 8641
Winbind cache issue
Last modified: 2014-07-23 12:47:04 UTC
I have connected CentOS 6.0 (Samba version 3.5.4-68.el6_0.2) with Active Directory on Microsoft Windows Server 2008 (not R2, since I needed a 32-bit version). I have configured AD authentication with authconfig-tui. Only the CentosAdmins group can authorize, so I have inserted "auth requisite pam_succeed_if.so user ingroup CentosAdmins" in /etc/pam.d/password-auth.
Authentication works, but I have a weird problem with caching.
Example: if I remove a user from the CentosAdmins group in AD, he will still be able to log in to the CentOS machine (and "getent group CentosAdmins" will still show the user in that group), no matter whether I set the cache parameters (winbind cache time, idmap cache time, idmap negative cache time) to 1 or 100. Group membership on CentOS seems to update only when I try to log in with a non-existent user, and then the client pulls updates from AD. It seems to me that Winbind still looks in the cache even though it should update group membership from AD (because of the cache parameters).
If you need some logs, please specify which one I should attach.
This is because by default, when the user logs in with pam_winbind (authconfig-tui would have enabled this), the user's group information at the time of the authentication is cached in "netsamlogon_cache.tdb", and this cache is always consulted before a fresh LDAP lookup on the domain. This cache never expires, so the group information for that user will stay stale until they log in again.
Right now implementing the correct behavior is difficult because the obvious ways require changing default AD permissions or adding machine accounts to domain groups, and the current ways to get the information if that cache is empty are not always consistent (and don't handle domain forests well).
If pam_winbind comes before pam_succeed_if in your auth stack, then at least pam_winbind will cause the group membership to be updated so that the check for group membership fails later in the PAM stack, denying the logon.
Note that pam_winbind also supports its own option (require_membership_of) to only permit access to users who are members of a domain group, given by name or SID. See the manpage for pam_winbind.conf.
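The two remedies in comment #1 as an added, runnable example (not part of the bug thread and not Samba's own code). It writes three constructed authconfig-style auth stacks (the reporter's ordering, pam_winbind moved first but left "sufficient", and a working ordering) plus a constructed pam_winbind.conf, and checks each stack with a small awk function. The check also catches a caveat the comment does not spell out: if the pam_winbind line placed ahead of pam_succeed_if is "sufficient", a successful domain logon ends the auth stack there and the group check never runs at all, so the line must be "required" (or an equivalent bracketed control) and the trailing pam_deny has to go. The domain name EXAMPLE, the file names and the module arguments are assumptions, not the reporter's actual configuration.

```shell
#!/bin/sh
# Added example, not from the bug report or from Samba. Demonstrates the PAM
# ordering point from comment #1 and the require_membership_of alternative.
# All files below are constructed samples; the domain name EXAMPLE is assumed.

TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT

# Stack 1: the ordering the reporter describes. The group check runs before
# pam_winbind, so "user ingroup" sees whatever netsamlogon_cache.tdb still holds.
STALE_STACK="$TMPD/password-auth.stale"
cat > "$STALE_STACK" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so user ingroup CentosAdmins
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so
EOF

# Stack 2: pam_winbind moved first but still "sufficient". A successful domain
# logon finishes the stack right there, so pam_succeed_if is never consulted.
SHORTCIRCUIT_STACK="$TMPD/password-auth.shortcircuit"
cat > "$SHORTCIRCUIT_STACK" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_winbind.so use_first_pass
auth        requisite     pam_succeed_if.so user ingroup CentosAdmins
auth        required      pam_deny.so
EOF

# Stack 3: pam_winbind authenticates (refreshing the cache) as "required", so
# the stack continues into pam_succeed_if, which now sees fresh membership.
# pam_deny is replaced by pam_permit: a required pam_deny at the end would
# fail every domain logon that got this far.
FIXED_STACK="$TMPD/password-auth.fixed"
cat > "$FIXED_STACK" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_winbind.so use_first_pass
auth        requisite     pam_succeed_if.so user ingroup CentosAdmins
auth        required      pam_permit.so
EOF

# The alternative from comment #1: let pam_winbind enforce membership itself.
# DOMAIN\group form shown; a group SID is also accepted by pam_winbind.
WINBIND_CONF="$TMPD/pam_winbind.conf"
cat > "$WINBIND_CONF" <<'EOF'
[global]
    # only members of this domain group may authenticate via pam_winbind
    require_membership_of = EXAMPLE\CentosAdmins
EOF

# Return 0 when FILE's auth stack lets pam_winbind refresh the cache before
# pam_succeed_if reads it: both modules present, winbind first, and winbind
# not "sufficient" (which would end the stack before the check runs).
pam_auth_order_ok() {
    awk '
        /^[ \t]*#/ || NF == 0       { next }   # skip comments and blank lines
        $1 != "auth"                { next }   # only the auth stack matters
        { n++ }                                # position within the auth stack
        /pam_winbind\.so/    && !wb { wb = n; ctl = $2 }
        /pam_succeed_if\.so/ && !si { si = n }
        END {
            if (!wb || !si || si < wb || ctl == "sufficient") exit 1
            exit 0
        }' "$1"
}

# Print the configured require_membership_of value from FILE, or nothing if unset.
require_membership_of_value() {
    sed -n 's/^[[:space:]]*require_membership_of[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

for f in "$STALE_STACK" "$SHORTCIRCUIT_STACK" "$FIXED_STACK"; do
    if pam_auth_order_ok "$f"; then echo "ok:    $f"; else echo "stale: $f"; fi
done
echo "require_membership_of = $(require_membership_of_value "$WINBIND_CONF")"
```

Running it reports the first two stacks as stale and the third as ok. Stack 3 still lets local accounts in through pam_unix before the group check, which matches the reporter's intent of restricting domain users; if local users should be gated too, the same ordering rule applies to whichever module authenticates them.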
comment #1 explains it quite well. The current behaviour is what is to be expected. Group memberships will only be reliably updated when the user is being authenticated. Closing this as worksforme.
*** Bug 3996 has been marked as a duplicate of this bug. ***