[Samba] smbldap-usermod timeout for Terminal Server

roland at roland-jarry.fr
Tue Jul 6 02:22:22 MDT 2010

When I modify a user account adding him to a customized group, there is a delay which can be up to 2 hours to take effect.
- the user account is already created with smbldap-useradd.
- the user account is modified later (with smbldap-usermod), adding him to a group which has the right "allow log on through terminal services properties" on the local security policy
The samba server acts as a PDC.

I've tried a lot of things to bypass the delay:
- restart of samba
- restart of openldap
- gpupdate /force on windows server
- modify the delay in GPO : group policy refresh interval for users and for computers
- purge of samba cache in /var/cache/samba
- purge of nscd cache in /var/cache nscd

If I give the right directly to the user on windows server, it takes effect immediately and I can log on to Terminal Server.

The error message I have when the policy hasn't taken effect yet is "to log on this remote computer, you must be granted the allow log on through terminal services right. By default, members of the Remote Desktop Users group have this right. If you are not a member of remote desktop users group or another group that has this right, or if the remote desktop user group does not have this right, you must be granted this right manually".

It seems that there is a cache for groups.

What service can be responsible for this delay? Terminal server, GPO, samba, ldap, some cache, ...?

Thank you for your help or advice
Roland JARRY
