[Samba] Samba + LDAP: Changing user's group

Wes Deviers wdevie at hrcsb.org
Wed Dec 2 11:09:24 MST 2009


I'm having this same problem, but it's new.  Using 3.4.2 Debian packages, 
recently upgraded.  I never had any type of LDAP group caching problem until 
the last 2 weeks.  I added a user to an LDAP group as normal because they 
needed access to a new share.  Cleared the nscd caches as normal.  The service 
definition uses

force group = +groupName
valid users = @admins, @groupName
write list = @admins, @groupName

All of the people previously in @groupName retain access to the share.  The 
person I just added cannot access it.  getent, groups, etc. all return the 
correct group membership.  If I add the account explicitly to valid users & 
write list, it works as soon as I do an smbd reload.

Did some behavior change or have we stumbled on a new bug?

Wes



On Monday 30 November 2009 07:29:33 am davefu wrote:
> 
> Hi, thanks for answering.
> 
> I have only 1 Samba server. When I mentioned changes on groups, I meant on
> LDAP server. LDAP is used on both system and samba environments. When
> changing groups on users, those changes are instant on the system
> environment, but not on Samba.
> 
> - I create a new "Folder A", with full permissions for "Group A"
> - "User B" (belonging to group B), logs via SSH to the server, and can't
> access the "Folder A".
> - "User B" logs via Samba using his Windows desktop machine, and can't
> access the "Folder A" (previously configured inside a Samba Resource).
> - Now I add "User B" to "Group A" via LDAP. He belongs now to "Group A" and
> "Group B".
> - Getent group | grep "User B" shows correctly both groups on the user.
> - "User B" correctly accesses "Folder A", writes files, etc. via console, ssh,
> or any kind of regular system authentication (since system is using pam
> libraries, configured to use LDAP as backend).
> - "User B" still can't access "Folder A" in any way. Samba has cached "User
> B" credentials, and hasn't checked LDAP again for a while. The only option
> is to restart Samba, or wait randomly until Samba refreshes / syncs LDAP
> info about that user again.
> 
> Hope this little story explains my problem better.
> Sorry for my English.
> 
> Thanks!
> 
> 

