notpulllsar (Cadet, joined Sep 1, 2017, 5 messages)
My recently deployed FreeNAS 11.0-U2 is attached to Active Directory and is syncing users and groups, but very, very slowly.
After attaching to AD I created a dataset and shared it out over SMB. I created a new group in AD just for testing permissions and added myself to that group in AD. I changed the group permissions on the dataset in FreeNAS to the newly created group, but my user was unable to write to the share. I troubleshot this for a little while and then decided I would tackle it in the morning.
The next morning I tried to write to the share and it worked! Yay - now to test that it will disallow a user NOT in that group. I removed myself from that group in AD but was still able to write to the share for about 6 hours, then the user was no longer permitted.
To see what was going on with the cache I performed the following:
- wbinfo -n <username> (to get the SID of my AD account)
- wbinfo --user-domgroups <SID> (to get the AD groups' SIDs my account is a member of)
Just to clarify that this does not appear to be an issue with my domain controller -- when I removed the group from my account and ran: net user /domain <username> on my Windows laptop it returned all groups associated with my account and this particular group was not present in the results of that command.
Is there another cache file somewhere that is keeping this old group membership data around? Is there a config file directive that I can change to make it either 1. Not keep AD user and group cache (tried it in the GUI, didn't make a difference) or 2. make the cache update more frequently?
Thanks in advance for any assistance.
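A small shell check, added here as an example and not part of the original post, that parses the output of the two wbinfo commands the post uses and reports whether the test group's SID is still in the user's cached group list. The SIDs are constructed sample data and the function names are hypothetical; on a live system the heredoc values would be replaced by the real `wbinfo -n` and `wbinfo --user-domgroups` output.

```shell
#!/bin/sh
# Added example, not from the original post. Parses the two wbinfo outputs the
# post relies on and flags a stale winbind group cache for one user.
# The SIDs below are constructed sample values; in real use replace them with
# `wbinfo -n "$user"` and `wbinfo --user-domgroups "$sid"` output.

# `wbinfo -n <user>` prints "<SID> SID_USER (1)"; keep only the SID field.
sid_from_wbinfo_n() {
    awk 'NR==1 { print $1 }'
}

# `wbinfo --user-domgroups <SID>` prints one group SID per line.
# Returns 0 when the given group SID is present (membership still cached).
group_cached() {
    grep -qx "$1"
}

# Constructed sample output standing in for the live commands (hypothetical).
SAMPLE_WBINFO_N='S-1-5-21-1111111111-2222222222-3333333333-1105 SID_USER (1)'
SAMPLE_DOMGROUPS='S-1-5-21-1111111111-2222222222-3333333333-513
S-1-5-21-1111111111-2222222222-3333333333-1106'

# check_membership <wbinfo -n output> <domgroups output> <group RID>
# Exit status 1 means the cache still lists the user in the group (stale after
# the user was removed in AD); 0 means the group is absent from the cache.
check_membership() {
    sid=$(printf '%s\n' "$1" | sid_from_wbinfo_n)
    domain=${sid%-*}          # drop the user RID to get the domain SID
    if printf '%s\n' "$2" | group_cached "$domain-$3"; then
        echo "stale: $sid still cached as member of RID $3"
        return 1
    fi
    echo "ok: $sid is not a cached member of RID $3"
    return 0
}
```

Running `check_membership` with a group RID the user was removed from in AD and getting "stale" confirms that the stale entry lives in winbind's cache rather than on the domain controller.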