Make permission changes apply instantly rather than requiring the user to disconnect from the share
A.Litvin at sam-solutions.com
Mon Apr 15 08:00:46 MDT 2013
Greetings to Samba community!
SaM Solutions is searching for a subcontractor who can solve our problem related to Samba.
In our software we are using Samba version 3.6.6 from current Debian testing (samba_3.6.6-5_amd64.deb). In most cases it works exactly like we expect, but we've got one problem with it.
Let me explain here, and I am sorry for the brief description. I can provide an interested person with more information directly.
Samba share set up.
Local users and groups are provided with permissions to a share (either via group membership or the users directly).
Two users are connected to a share:
- User A is not a member of any group (apart from "users", which is not granted any access on shares) and has explicitly assigned rw permissions on a share.
- User B is a member of "Group" group, and the group has rw permissions on a share.
Now, in case we deny access for User A - the user loses access immediately. In case we switch from rw to ro - the user can read, but cannot write anymore. The same when we change from ro to rw. All these changes are applied immediately and do not require session re-initialization (disconnect-connect). This is the desired behavior, and everything is OK.
In case User B is removed from "Group" group, the rw access persists until the user disconnects from the share, and then tries to connect again. The same if we move User B to a group with ro access or vice versa. The desired behavior is the same as in Case 1. I.e. changes in user's group membership should be immediately reflected in the access permissions without a need to disconnect and reconnect.
We have observed the desired behavior in some products available in the market and therefore consider it possible.
The one dealing with local users and groups only is implemented in QNAP NAS software (http://sourceforge.net/p/qosgpl/wiki/Home/).
Another NAS vendor - Synology - was able to extend this to reflect changes in AD group membership (http://sourceforge.net/projects/dsgpl/files/Synology%20NAS%20GPL%20Source/2636branch/).
We have tried to analyze their patches, but realized that with little knowledge of Samba codebase it will take much time for our team to get it working. This made us think of asking anyone from the community to implement the desired behavior for us.
Ideally we would like to mimic Synology behavior - when the permission changes apply instantly to a user account when the group membership is changed in AD as well as locally. But for the time being, and in case that's too difficult to implement or requires too much time, we'd agree to the one QNAP has - reflecting local group membership changes.
Surely we are going to pay for this job. We need this done as soon as possible, and don't expect it to be of much difficulty to a person with deep knowledge of Samba code as long as the patches are available, and the job is basically in analyzing and applying the necessary patch.
In case you are interested, please contact me any time. Preferably by email.
Thanks in advance.
E-mail: a.litvin at sam-solutions.com
Minsk office, Belarus (+03 GMT)
Value of Talent. Delivered.