[Samba] Samba + LDAP: Changing user's group
Wes Deviers
wdevie at hrcsb.org
Wed Dec 2 11:09:24 MST 2009
I'm having this same problem, but it's new. Using 3.4.2 Debian packages,
recently upgraded. I never had any type of LDAP group caching problem until
the last 2 weeks. I added a user to an LDAP group as normal because they
needed access to a new share. Cleared the nscd caches as normal. The service
definition uses
    force group = +groupName
    valid users = @admins, @groupName
    write list = @admins, @groupName
All of the people previously in @groupName retain access to the share. The
person I just added cannot access it. getent, groups, etc. all return the
correct group membership. If I add the account explicitly to valid users &
write list, it works as soon as I do an smbd reload.
Did some behavior change or have we stumbled on a new bug?
Wes
On Monday 30 November 2009 07:29:33 am davefu wrote:
>
> Hi, thanks for answering.
>
> I have only 1 Samba server. When I mentioned changes on groups, I meant on
> LDAP server. LDAP is used on both system and samba environments. When
> changing groups on users, those changes are instant on the system
> environment, but not on Samba.
>
> - I create a new "Folder A", with full permissions for "Group A"
> - "User B" (belonging to group B), logs via SSH to the server, and can't
> access the "Folder A".
> - "User B" logs via Samba using his Windows desktop machine, and can't
> access the "Folder A" (previously configured inside a Samba Resource).
> - Now I add "User B" to "Group A" via LDAP. He belongs now to "Group A" and
> "Group B".
> - Getent group | grep "User B" shows correctly both groups on the user.
> - "User B" correctly accesses "Folder A", writes files, etc. via console, ssh,
> or any kind of regular system authentication (since system is using pam
> libraries, configured to use LDAP as backend).
> - "User B" still can't access "Folder A" in any way. Samba has cached "User
> B" credentials, and hasn't checked LDAP again for a while. The only option
> is to restart Samba, or wait randomly until Samba refreshes / syncs LDAP
> info about that user again.
>
> Hope this little story explains my problem better.
> Sorry for my English.
>
> Thanks!
>
>