[Samba] smbldap-usermod timeout for Terminal Server

roland at roland-jarry.fr roland at roland-jarry.fr
Mon Jul 15 06:56:34 MDT 2013


Following up on this old post (Tue Jul 6 02:22:22 MDT 2010), here is the
solution I found:
- stop nscd: /etc/init.d/nscd stop
- restart samba: /etc/init.d/samba restart
- start nscd: /etc/init.d/nscd start
...in this order!

> Hello,
> When I modify a user account adding him to a customized group, there 
> is a delay which can be up to 2 hours to take effect.
> - the user account is already created with smbldap-useradd.
> - the user account is modified later (with smbldap-usermod), adding 
> him to a group which has the right "allow log on through terminal 
> services properties" on the local security policy
> The samba server acts as a PDC.

> I've tried a lot of things to bypass the delay:
> - restart of samba
> - restart of openldap
> - gpupdate /force on windows server
> - modify the delay in GPO : group policy refresh interval for users 
> and for computers
> - purge of samba cache in /var/cache/samba
> - purge of nscd cache in /var/cache nscd

> If I give the right directly to the user on windows server, it takes
> effect immediately and I can log on Terminal Server.

> The error message I have when the policy hasn't taken effect yet is
> "to log on this remote computer, you must be granted the allow log on 
> through terminal services right. By default, members of the Remote 
> Desktop Users group have this right. If you are not a member of remote 
> desktop users group or another group that has this right, or if the
> remote desktop user group does not have this right, you must be granted 
> this right manually".

> It seems that there is a cache for groups.

> What service can be responsible for this delay? Terminal server, GPO,
> samba, ldap, some cache,... ?

> Thank you for your help or advice
> ---
> Roland JARRY
