[Samba] Delay of group membership modifications

Henry Jensen hjensen at gmx.de
Wed Aug 5 09:15:10 MDT 2009


Hello,

We use Samba 3.2.5 on Debian Lenny with an LDAP backend (OpenLDAP 2.4.11).
Access to files and directories is granted via ACLs.

For example, we have a directory "projekt-my-test":

# getfacl projekt-my-test

# file: projekt-my-test/
# owner: root
# group: Domain\040Admins
user::rwx
group::rwx
group:projekt-my-test-rw:rwx
mask::rwx
other::---

So, I added a user to the group "projekt-my-test-rw" in the LDAP tree.
I could confirm with "getent group" that the user was now a member of the group.

But when the user tried to access the directory, access was denied.

When I checked with "net RPC GROUP MEMBERS projekt-my-test-rw", the user was not 
listed as a group member.

After I waited for about half an hour, the user suddenly could access the 
directory. And really, when I checked now with the net RPC GROUP MEMBERS,
the user was listed as a member.

I did some research on whether Samba does some caching of user and group information
from an LDAP server, but haven't found anything.

So I wanted to ask the experts on the list: What is causing this delay of about
30 minutes between a group membership modification in the LDAP database and its recognition by
Samba? And how can I prevent it, i.e. how can I force Samba to re-read/refresh group
information from LDAP (besides a restart of the service)?

Regards,

Henry






