[Samba] Samba + LDAP: Changing user's group

davefu davefury at gmail.com
Mon Nov 30 05:29:33 MST 2009

Hi, thanks for answering.

I have only 1 Samba server. When I mentioned changes on groups, I meant on
LDAP server. LDAP is used on both system and samba environments. When
changing groups on users, those changes are instant on the system
environment, but not on Samba.

- I create a new "Folder A", with full permissions for "Group A"
- "User B" (belonging to group B), logs via SSH to the server, and can't
access the "Folder A".
- "User B" logs via Samba using his Windows desktop machine, and can't
access the "Folder A" (previously configured inside a Samba Resource).
- Now I add "User B" to "Group A" via LDAP. He belongs now to "Group A" and
"Group B".
- Getent group | grep "User B" shows correctly both groups on the user.
- "User B" correctly accesses "Folder A", writes files, etc. via console, ssh,
or any kind of regular system authentication (since system is using pam
libraries, configured to use LDAP as backend).
- "User B" still can't access "Folder A" in any way. Samba has cached "User
B" credentials, and hasn't checked LDAP again for a while. The only option
is to restart Samba, or wait randomly until Samba refreshes / syncs LDAP
info about that user again.

Hope this little story explains my problem better.
Sorry for my English.



sato x wrote:
> On Thu, Nov 19, 2009 at 7:28 PM, davefu <davefury at gmail.com> wrote:
>> Hello fellas. I'm facing this problem today:
>> My Samba PDC is using LDAP as a backend, and it's working really good. The
>> problem comes when I change the groups on one of the users. System shows the
>> change correctly by using 'getent group' and if I log as that user the
>> behavior is correct when trying the new group permissions.
> OK.
>> Samba, however, doesn't seem to get those changes immediately (it syncs
>> hours later, totally random amount of time). I've tried disabling NSCD but
>> no luck. I've read somewhere that restarting Samba service forces Samba to
>> refresh the users credentials, but that's not possible to do every time a
>> user needs a change in his groups. I'm wondering if there is some way to
>> refresh Samba cached credentials.
> Do you mean that you have other samba server (as file server) running and
> uses LDAP as its backend? When you change the group(s), the changing doesn't
> affect this file server immediately? If this is the case, I used to reload
> nscd to refresh its cache, since start-stop or restart nscd brings no effect
> at all.
> Hope it can help - and pardon my language.