[Samba] LDAP authentication doesn't refresh

tony archibald tony at dutyfreestores.com.au
Sun Nov 27 18:48:18 MST 2011 

Hi - I have solved this or probably better put understand it better now.

the issues is that samba seems to open a service even when a user is denied
access to the shared directory represented by that service

So if user jtony who is not a member of group hamcity tries to access
/server/hamcity, jtony will be denied access.

But running >smbstatus shows that this service is now is connected, even
tho the user jtony cannot have access to it.


What then seems to be true is that while that service is open samba won't
recheck the users credentials for changes.


if you close the service

>./smbcontrol <pid> close-share hamcity


then smbd WILL ask for the users *nix credentials, when jtony tries to
connect again. If changes have taken place to group membership  then these
will be reflected in sambas response.


Thanks Tony





On 28 November 2011 11:19, tony archibald <tony at dutyfreestores.com.au>wrote:

> OS = RHEL 5
> samba version 3.4.15
> OpenLdap 2.3.43
>
>
> Hi I am struggling with this problem at the very end of deploying a
> samba/ldap solution (currently not doing an domain stuff) . It all seems to
> working except that when I modify a user by adding the user to a new group
> (unix group) this change is not reflected in samba shares. the opposite is
> also true.
>
>
> for example the directory listing is
> drwxrwx--- 2 root hamcity 4096 Nov 22 10:51 hamcity
>
> the share is defined in smb.conf
> as
> [hamcity]
> path = /export/hamcity
> users =  +hamcity
>
> I have a user jtony (initially not a member of the Group hamcity)
> I add jtony to the group hamcity with
> >smbldap-usermod -G +hamcity
> or using a the open source "LDAP Admin" tool
>
> at this point jtony cannot access the share \\server\hamcity
>
> but after I restart the smb service jtony now has access to
> \\server\hamcity.
>
> the big question I have is , "Is this behavior by design?" if not "how do
> I force samba to pick up changes in the LDAP directory without restarting
> the slapd service?"
>
> I hope some one can help, I have come so far with this and it hasn't been
> easy, id hate to have to give up on what seems like a great open source
> solution because of this one stumbling block.
> Hoping the issue is my ignorance
>
> regards Tony
>
>
>
>

More information about the samba mailing list