Changes in Active Directory group are not reflected in permissions on SMB share

abratell (Cadet, joined Dec 28, 2016, 2 messages)

Hi,

I have a freshly installed TrueNAS 13.0 which I've joined to a local Active Directory. On this server I have created a dataset with ACL permissions, with an owner user/group in the Active Directory.

All permissions work fine but I've noticed a small issue. When I add or remove members from the Active Directory group, the changes are not reflected on the share. I.e. if I remove a user from the group the user still has the group permissions, and if I add a user to the group it will not have any group permissions.

However, if I restart the SMB service the changes become active. Also, if I run the following command the changes become active:

Code:
# midclt call idmap.clear_idmap_cache -job

I do think I have a good connection to the directory:

Code:
# wbinfo -i 'DOMAIN\theuser'         
DOMAIN\theuser:*:100001189:100000514::/home/DOMAIN/theuser:/bin/sh

# wbinfo -i 'DOMAIN\thegroup'
DOMAIN\thegroup:*:100066740:100066740::/home/DOMAIN/thegroup:/bin/sh

# getent passwd 'DOMAIN\theuser'                  
DOMAIN\theuser:*:100001189:100000514::/home/DOMAIN/theuser:/bin/sh

# getent group 'DOMAIN\thegroup'
DOMAIN\thegroup:x:100066740



And the nsswitch.conf looks properly configured

Code:
# cat /etc/nsswitch.conf       

#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD$
#

group: files winbind
hosts: files dns
networks: files
passwd: files winbind
shells: files
services: files
protocols: files
rpc: files
sudoers: files 

...as does smb4.conf

Code:
#cat /usr/local/etc/smb4.conf
#
# SMB.CONF(5)        The configuration file for the Samba suite 
# $FreeBSD$
#

[global]
        dns proxy = No
        aio max threads = 2
        max log size = 5120
        load printers = No
        printing = bsd
        disable spoolss = Yes
        dos filemode = Yes
        kernel change notify = No
        directory name cache size = 0
        server multi channel support = No
        nsupdate command = /usr/local/bin/samba-nsupdate -g
        unix charset = UTF-8
        log level = 1 auth_json_audit:3@/var/log/samba4/auth_audit.log
        obey pam restrictions = False
        enable web service discovery = True
        logging = file
        server min protocol = SMB2_02
        unix extensions = No
        restrict anonymous = 2
        server string = TrueNAS Server
        bind interfaces only = Yes
        netbios name = tn1
        netbios aliases = 
        server role = member server
        kerberos method = secrets and keytab
        workgroup = DOMAIN
        realm = <domain>
        security = ADS
        local master = No
        domain master = No
        preferred master = No
        winbind cache time = 7200
        winbind max domain connections = 10
        client ldap sasl wrapping = seal
        template shell = /bin/sh
        template homedir = /home/%D/%U
        ads dns update = Yes
        allow trusted domains = No
        idmap config AD: backend = rid
        idmap config AD: range = 100000001-200000000
        idmap config *: backend = tdb
        idmap config *: range = 90000001-100000000
        registry shares = yes
        include = registry


Is this an expected behaviour? I've fiddled with this a while now but I don't seem to come to any good solution. Any input or help would be appreciated.
 

sretalla (Powered by Neutrality, Moderator, joined Jan 1, 2016, 9,703 messages)

> if I remove a user from the group the user still have the group permissions and if I add a user to the group it will not have any group permissions.

Are you taking into account the Token behavior of Kerberos?

Once a user logs on, they are granted a User Token, which can then be used to get access to anything that the user's SID and any GROUP SIDs the user is a member of has rights to... the user doesn't perform a "logon" event when asking a file server to authorize access, it just presents the token and that's compared to the ACLs.

If the user is already logged in (therefore in possession of a token as above with all current groups) and then you remove that user from a group... the user session can continue and the token will remain valid for all groups in it, possibly for something like 8-24 hours. (that would seem to explain the first case)

Similarly, if a different user (not currently in the needed group) logs on and is granted a token (without that group SID in it), then there's no amount of adding them to that group you can do to help them in that session with that token. (explaining the second case).

In both cases, the simple solution is to log that user out and log in again to have a new token generated (with the "right" SIDs in it).
 

anodos (Sambassador, iXsystems, joined Mar 6, 2014, 9,554 messages)

Presuming that user group membership is correct when viewed by "id <username>", the unix token is generated during SMB share tree connect. It's not expected that unix tokens for existing sessions will auto-update when AD changes are made. The easiest way to make the change "visible" is to have the user log off and log back in to their client.
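The two replies above split the problem into two separate checks: first, does winbind/NSS on the file server already report the new membership (the poster's `midclt call idmap.clear_idmap_cache -job` or an SMB restart fixes that layer), and second, which SMB sessions were established before the change and therefore still carry the old token until the client reconnects. The script below is an added example for this thread, not TrueNAS or Samba code. It parses the output of `id` and `smbstatus -b` (output formats assumed from Samba 4.x; the embedded sample texts are constructed, not taken from the poster's system) and reports which of the two layers still needs attention.

```python
"""Check whether an AD group change is visible to winbind on the file server,
and list the SMB sessions that still carry a token from before the change.

Added example for this forum thread; not TrueNAS or Samba code.
Assumptions: the `id` and `smbstatus -b` output formats shown in the
constructed samples below.
"""
import re
import subprocess

# Constructed sample of `id 'DOMAIN\theuser'` taken after the user was added
# to DOMAIN\thegroup and winbind's cache was cleared.
SAMPLE_ID = (
    "uid=100001189(DOMAIN\\theuser) gid=100000514(DOMAIN\\domain users) "
    "groups=100000514(DOMAIN\\domain users),100066740(DOMAIN\\thegroup)"
)

# Constructed sample of `smbstatus -b` (brief listing): PID 4242 is a session
# for theuser that was established before the group change, so its token
# predates the new membership.
SAMPLE_SMBSTATUS = """\
Samba version 4.x
PID     Username        Group                Machine                              Protocol Version  Encryption  Signing
--------------------------------------------------------------------------------------------------------------------------
4242    DOMAIN\\theuser  DOMAIN\\domain users  192.0.2.10 (ipv4:192.0.2.10:49152)  SMB3_11           -           partial(AES-128-CMAC)
4243    DOMAIN\\other    DOMAIN\\domain users  192.0.2.11 (ipv4:192.0.2.11:49153)  SMB3_11           -           partial(AES-128-CMAC)
"""

ID_RE = re.compile(r"uid=(\d+)\(([^)]*)\)\s+gid=(\d+)\(([^)]*)\)\s+groups=(.*)$")
GROUP_RE = re.compile(r"(\d+)\(([^)]*)\)")


def parse_id(text):
    """Return (uid, primary gid, {gid: group name}) from id(1) output."""
    m = ID_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised id(1) output")
    groups = {int(gid): name for gid, name in GROUP_RE.findall(m.group(5))}
    return int(m.group(1)), int(m.group(3)), groups


def group_visible(id_text, group_name):
    """True when NSS/winbind currently list group_name for the user.

    If this is False after an AD change, the server-side cache is the problem
    (clear the idmap cache or restart SMB, as the thread describes).
    """
    _, _, groups = parse_id(id_text)
    return group_name.lower() in {name.lower() for name in groups.values()}


def sessions_for_user(smbstatus_text, username):
    """PIDs of established SMB sessions for username (case-insensitive).

    Each of these sessions keeps the token built at session setup / tree
    connect, so the group change is not effective for them until the client
    logs off and reconnects.
    """
    pids = []
    for line in smbstatus_text.splitlines():
        m = re.match(r"(\d+)\s+(\S+)", line)
        if m and m.group(2).lower() == username.lower():
            pids.append(int(m.group(1)))
    return pids


def assess(id_text, smbstatus_text, username, group_name):
    """Combine both checks into one report dict."""
    visible = group_visible(id_text, group_name)
    stale = sessions_for_user(smbstatus_text, username) if visible else []
    return {"group_visible_to_winbind": visible, "sessions_to_reconnect": stale}


def run_live(username, group_name):
    """Run the real commands on this host (needs id and smbstatus on PATH)."""
    id_text = subprocess.run(["id", username], capture_output=True,
                             text=True, check=True).stdout
    smb_text = subprocess.run(["smbstatus", "-b"], capture_output=True,
                              text=True, check=True).stdout
    return assess(id_text, smb_text, username, group_name)


if __name__ == "__main__":
    report = assess(SAMPLE_ID, SAMPLE_SMBSTATUS,
                    "DOMAIN\\theuser", "DOMAIN\\thegroup")
    if not report["group_visible_to_winbind"]:
        print("winbind does not yet see the group: clear the idmap cache")
    elif report["sessions_to_reconnect"]:
        print("group visible; sessions with pre-change tokens:",
              report["sessions_to_reconnect"])
    else:
        print("group visible and no open sessions for that user")
```

On the constructed sample the report says the group is visible to winbind but session PID 4242 still needs the client to disconnect and reconnect, which is exactly the second case sretalla describes. Running `run_live("DOMAIN\\theuser", "DOMAIN\\thegroup")` on the TrueNAS host performs the same check against the live `id` and `smbstatus -b` output.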
 

abratell (Cadet, joined Dec 28, 2016, 2 messages)

> Are you taking into account the Token behavior of Kerberos?
>
> Once a user logs on, they are granted a User Token, which can then be used to get access to anything that the user's SID and any GROUP SIDs the user is a member of has rights to... the user doesn't perform a "logon" event when asking a file server to authorize access, it just presents the token and that's compared to the ACLs.

> Presuming that correct user group membership when viewed by "id <username>", the unix token is generated during SMB share tree connect. It's not expected to automatically have unix tokens for existing sessions auto-update when AD changes are made. Easiest way to make the change "visible" is to have user log off and log back in to their client.

You are, of course, absolutely right. Thank you!
 