[Samba] Changing group membership doesn't grant access when expected

Darren Campbell d.campbell at corfleet.com.au
Tue Sep 21 23:51:17 MDT 2010

Hi everyone,


Just trying to find a definitive answer on a problem I have been trying to
address for a few months now. I've sifted through the list archives and the
closest thing I could find was something about credential caching and it
didn't seem to work.


What we're trying to do seems simple / normal / common enough that I'm
surprised it doesn't just work.


We have a  "mgnt" share with some excel spreadsheets inside and we just want
to allow certain users access to the share to be able to
update/rename/delete/add files.


We also want to be able to allow new users access to the share.


Here's where we have been having some trouble. We were working off the
theory that we could create an OS group, change the owner of the shared
directory to a member of the OS group, change the group of the shared
directory to the OS group and then manage access by adding/removing users
from the OS group.


For example,


There's a unix group "mgmt_files". We add users to the group with "usermod
-a -G mgmt_files username".


Here's the folder permissions from "ls -ld":


ls -ld /srv/server/mgnt

drwxrwsr-x 7 kristie mgmt_files 4096 2010-08-09 15:07 /srv/server/mgnt



Now this mostly works fine except when we add a new user to the OS group
mgmt_files, the new users do not get write access to the folder pointed to
by the "mgnt" share (or /srv/server/mgnt) until the user logs off Winxp and
logs back in again, or we kill -15 the pid of the user's samba daemon.


Kill would work find except that the user might have other files open at the
time and it causes disruption/corruption with those files. This causes
Outlook to stop working as normal because we have the .pst files hosted on
the samba server.


What I was hoping for was that we could just add users to the OS group and
samba would seamlessly pickup/acknowledge the change and allow the new user


i.e. we add a new user say "john" to

mgmt_files membership: kristie,mike,joann,simonel 

and thus mgmt_files membership becomes: kristie,mike,joann,simonel,john


However, John has to log off and back on again to be able to update files in
the "mgnt" share.


I am hoping someone could point/lead me in the right direction with this or
at least let me know whether seamless access-control possible.


I've also checked "testparm -v" to see if there are any default options to
change that might help. I read somewhere about "change notify timeout".


We are using samba Version 3.0.28a. If the version is definitely an issue, I
could not find a bug report anywhere explaining what is going on. If someone
knows better, please let me know.


Here's the global section of our smb.cnf produced with "testparm -s" minus
the other irrelevant service defs.



        workgroup = XXXXXXX

        server string = XXXXXXXX

        add user script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s
/bin/false %u

        add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s
/bin/false %u

        logon script = logon.cmd

        logon path = \\%N\profiles\%U

        logon drive = H:

        logon home = \\home\%U\winprofile

        domain logons = Yes

        os level = 65

        domain master = Yes

        default service = netlogon



        path = /srv/server/mgnt

        read only = No

        force create mode = 0660

        force directory mode = 02775





Darren Campbell

This email contains confidential information intended only for the person named above. If you are not the intended recipient, any use, disclosure, copying or distribution of this transmission is prohibited. If you have received this message in error, please notify us immediately by return email and delete the original email and any attachments. Corporate Fleet Control provides no guarantee that this transmission is free of virus or that it has not been intercepted or altered.

More information about the samba mailing list