[Samba] Samba+LDAP with real-time share permissions

simo idra at samba.org
Fri Aug 31 13:31:18 GMT 2007


On Fri, 2007-08-31 at 10:16 -0300, Steve Scanavarro wrote:
> Hello everyone!
> I'm using samba with LDAP, and everything is working fine.
> But I'm having problems when I change something in the permissions on the
> share, for example, I have a share called "daily".
> In this share, the permissions are set to the LDAP group called Daily, where
> "steve" is a member.
> Well, when I log in, the share maps ok, but what I want to do is, when I
> remove the user steve from the LDAP group, his access will be denied in
> "real-time" (when removed from the group, stop being able to see anything in
> the drive).
> 
> *BUT*, it's not working, the user still has the permissions in the drive
> 'til logout/login again.

This is by design, privileges are set at connection time and never
changed.

> My question is, what if the user logs out only on the weekends? In the
> meanwhile user 'steve' will still have access to the drive?
> In an experience here, he no longer has access only when I restart Samba,
> but when I do that, the other drives that are mapped stop working as well,
> and the user should logout/login again, and then the permissions are ok.
> (and it's not a good idea to restart samba every time I change a permission
> isn't it? :)
> 
> Thanks in advance for any help/ideas!

You can use smbstatus to find out the pid of the specific smbd serving
that user and then send this process a shutdown command using
smbcontrol; this will disconnect the user and force his workstation to
reconnect all drives and perform a new authentication.

I think another way could be to simply change the main directory
permissions. Instead of adding and removing users to the Daily group,
simply deny it access to the directory setting its permissions to ---
(no r,w or x). This may be more practical and does not require
disconnections, nor constant manipulation of user memberships.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: idra at samba.org
http://samba.org
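
The smbstatus/smbcontrol approach from the reply above, as an added example that is not part of the original message or of Samba itself. It assumes the Samba 3.x `smbstatus -p` layout, where session rows start with the PID followed by the username; the function names, the `DRY_RUN` and `SMBSTATUS_TEXT` variables and the sample output are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: end every smbd session owned by one user so that the next
# connection is authenticated again and picks up current group membership.

# Constructed sample of `smbstatus -p` output (Samba 3.x columns assumed).
SAMPLE_SMBSTATUS='
Samba version 3.0.25
PID     Username      Group         Machine
-------------------------------------------------------------------
 4312   steve         Daily         ws-steve     (192.168.10.21)
 4377   maria         Daily         ws-maria     (192.168.10.34)
 4401   steve         Daily         laptop-07    (192.168.10.58)
'

# pids_for_user USER: read `smbstatus -p` text on stdin and print the PID of
# each smbd serving USER. Only rows whose first field is numeric are session
# rows; the version line, header, separator and blank lines are skipped.
pids_for_user() {
    awk -v user="$1" '$1 ~ /^[0-9]+$/ && $2 == user { print $1 }' | sort -un
}

# kick_user USER: send "shutdown" to each smbd serving USER.
# DRY_RUN=1 (the default) prints the commands instead of running them.
# SMBSTATUS_TEXT, if set, replaces the live `smbstatus -p` call (for testing).
kick_user() {
    user=$1
    if [ -n "${SMBSTATUS_TEXT:-}" ]; then
        status=$SMBSTATUS_TEXT
    else
        status=$(smbstatus -p) || return 1
    fi
    pids=$(printf '%s\n' "$status" | pids_for_user "$user")
    [ -n "$pids" ] || { echo "no sessions for $user" >&2; return 1; }
    for pid in $pids; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "smbcontrol $pid shutdown"
        else
            smbcontrol "$pid" shutdown
        fi
    done
}
```

Run `kick_user steve` after removing the user from the LDAP group, and set `DRY_RUN=0` once the printed PIDs look right; the other users' smbd processes are left alone.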


