From: Gaiseric Vandal on 19 Nov 2009 09:40

There are various TDB that cache info (maybe under /var/samba/locks)

If you run "testparm -v" there may be some timeout or cache variables you could adjust.

Does it matter if you have mapped the unix group to a Windows group? In my environment we set up group mappings for the key groups (like Domain Administrators) but we have a lot of unix groups that we don't explicitly map to Windows groups.

-----Original Message-----
From: samba-bounces(a)lists.samba.org [mailto:samba-bounces(a)lists.samba.org] On Behalf Of davefu
Sent: Thursday, November 19, 2009 7:29 AM
To: samba(a)lists.samba.org
Subject: [Samba] Samba + LDAP: Changing user's group

Hello fellas. I'm facing this problem today:

My Samba PDC is using LDAP as a backend, and it's working really well. The problem comes when I change the groups on one of the users. System shows the change correctly by using 'getent group' and if I log in as that user the behavior is correct when trying the new group permissions.

Samba, however, doesn't seem to get those changes immediately (it syncs hours later, totally random amount of time). I've tried disabling NSCD but no luck. I've read somewhere that restarting Samba service forces Samba to refresh the user's credentials, but that's not possible to do every time a user needs a change in his groups. I'm wondering if there is some way to refresh Samba cached credentials.

Has anyone experienced this before?

P.S.: Where is Samba caching the users information/credentials/password/etc anyway?

--
View this message in context: http://old.nabble.com/Samba-%2B-LDAP%3A-Changing-user%27s-group-tp26421317p26421317.html
Sent from the Samba - General mailing list archive at Nabble.com.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

From: davefu on 20 Nov 2009 12:20

Thanks for the reply. Think I'll have a look at the smb.conf.

I'm not really sure about the answer to your question. For each domain, I have 2 "sambaGroupMapping" (domainUsersDOMAIN & domainAdminsDOMAIN both SSID ending in 513 and 512), and all the posix groups I want, to keep certain order between user groups, admin groups, etc. which will come in use when setting ACLs on the shared resources.

Thanks again.

Gaiseric Vandal wrote:
>
> There are various TDB that cache info (maybe under /var/samba/locks)
>
> If you run "testparm -v" there may be some timeout or cache variables you
> could adjust.
>
> Does it matter if you have mapped the unix group to a Windows group? In my
> environment we set up group mappings for the key groups (like Domain
> Administrators) but we have a lot of unix groups that we don't explicitly
> map to Windows groups.
>
> -----Original Message-----
> From: samba-bounces(a)lists.samba.org [mailto:samba-bounces(a)lists.samba.org]
> On Behalf Of davefu
> Sent: Thursday, November 19, 2009 7:29 AM
> To: samba(a)lists.samba.org
> Subject: [Samba] Samba + LDAP: Changing user's group
>
> Hello fellas. I'm facing this problem today:
>
> My Samba PDC is using LDAP as a backend, and it's working really well. The
> problem comes when I change the groups on one of the users. System shows
> the change correctly by using 'getent group' and if I log in as that user
> the behavior is correct when trying the new group permissions.
>
> Samba, however, doesn't seem to get those changes immediately (it syncs
> hours later, totally random amount of time). I've tried disabling NSCD but
> no luck. I've read somewhere that restarting Samba service forces Samba to
> refresh the user's credentials, but that's not possible to do every time a
> user needs a change in his groups. I'm wondering if there is some way to
> refresh Samba cached credentials.
>
> Has anyone experienced this before?
>
> P.S.: Where is Samba caching the users information/credentials/password/etc
> anyway?

From: sato x on 30 Nov 2009 07:10

On Thu, Nov 19, 2009 at 7:28 PM, davefu <davefury(a)gmail.com> wrote:

> Hello fellas. I'm facing this problem today:
>
> My Samba PDC is using LDAP as a backend, and it's working really well. The
> problem comes when I change the groups on one of the users. System shows
> the change correctly by using 'getent group' and if I log in as that user
> the behavior is correct when trying the new group permissions.

OK.

> Samba, however, doesn't seem to get those changes immediately (it syncs
> hours later, totally random amount of time). I've tried disabling NSCD but
> no luck. I've read somewhere that restarting Samba service forces Samba to
> refresh the user's credentials, but that's not possible to do every time a
> user needs a change in his groups. I'm wondering if there is some way to
> refresh Samba cached credentials.

Do you mean that you have another Samba server (as file server) running that uses LDAP as its backend? When you change the group(s), the change doesn't affect this file server immediately? If this is the case, I used to reload nscd to refresh its cache, since start-stop or restart of nscd has no effect at all.

Hope it can help - and pardon my language.

From: davefu on 1 Dec 2009 11:10

Hi, thanks for answering.

I have only 1 Samba server. When I mentioned changes on groups, I meant on the LDAP server. LDAP is used on both system and Samba environments. When changing groups on users, those changes are instant on the system environment, but not on Samba.

- I create a new "Folder A", with full permissions for "Group A"
- "User B" (belonging to group B), logs via SSH to the server, and can't access the "Folder A".
- "User B" logs via Samba using his Windows desktop machine, and can't access the "Folder A" (previously configured inside a Samba Resource).
- Now I add "User B" to "Group A" via LDAP. He belongs now to "Group A" and "Group B".
- Getent group | grep "User B" shows correctly both groups on the user.
- "User B" correctly accesses "Folder A", writes files, etc via console, ssh, or any kind of regular system authentication (since system is using pam libraries, configured to use LDAP as backend).
- "User B" still can't access "Folder A" in any way. Samba has cached "User B" credentials, and hasn't checked LDAP again for a while. The only option is to restart Samba, or wait randomly until Samba refreshes / syncs LDAP info about that user again.

Hope this little story explains my problem better.
Sorry for my English.

Thanks!

However, sato x wrote:
>
> On Thu, Nov 19, 2009 at 7:28 PM, davefu <davefury(a)gmail.com> wrote:
>
>> Hello fellas. I'm facing this problem today:
>>
>> My Samba PDC is using LDAP as a backend, and it's working really well. The
>> problem comes when I change the groups on one of the users. System shows
>> the change correctly by using 'getent group' and if I log in as that user
>> the behavior is correct when trying the new group permissions.
>
> OK.
>
>> Samba, however, doesn't seem to get those changes immediately (it syncs
>> hours later, totally random amount of time). I've tried disabling NSCD
>> but no luck. I've read somewhere that restarting Samba service forces
>> Samba to refresh the user's credentials, but that's not possible to do
>> every time a user needs a change in his groups. I'm wondering if there is
>> some way to refresh Samba cached credentials.
>
> Do you mean that you have another Samba server (as file server) running
> that uses LDAP as its backend? When you change the group(s), the change
> doesn't affect this file server immediately? If this is the case, I used
> to reload nscd to refresh its cache, since start-stop or restart of nscd
> has no effect at all.
>
> Hope it can help - and pardon my language.

From: Wes Deviers on 2 Dec 2009 13:50

I'm having this same problem, but it's new. Using 3.4.2 Debian packages, recently upgraded. I never had any type of LDAP group caching problem until the last 2 weeks.

I added a user to an LDAP group as normal because they needed access to a new share. Cleared the nscd caches as normal. The service definition uses

    force group = +groupName
    valid users = @admins, @groupName
    write list = @admins, @groupName

All of the people previously in @groupName retain access to the share. The person I just added cannot access it. getent, groups, etc all return the correct group membership. If I add the account explicitly to valid users & write list, it works as soon as I do an smbd reload.

Did some behavior change or have we stumbled on a new bug?

Wes

On Monday 30 November 2009 07:29:33 am davefu wrote:
>
> Hi, thanks for answering.
>
> I have only 1 Samba server. When I mentioned changes on groups, I meant on
> LDAP server. LDAP is used on both system and samba environments. When
> changing groups on users, those changes are instant on the system
> environment, but not on Samba.
>
> - I create a new "Folder A", with full permissions for "Group A"
> - "User B" (belonging to group B), logs via SSH to the server, and can't
>   access the "Folder A".
> - "User B" logs via Samba using his Windows desktop machine, and can't
>   access the "Folder A" (previously configured inside a Samba Resource).
> - Now I add "User B" to "Group A" via LDAP. He belongs now to "Group A" and
>   "Group B".
> - Getent group | grep "User B" shows correctly both groups on the user.
> - "User B" correctly access "Folder A", write files, etc via console, ssh,
>   or any kind of regular system authentication (since system is using pam
>   libraries, configured to use LDAP as backend).
> - "User B" still can't access "Folder A" in any way. Samba has cached "User
>   B" credentials, and haven't checked LDAP again for a while. The only
>   option is to restart Samba, or wait randomly until Samba refreshes / syncs
>   LDAP info about that user again.
>
> Hope this little story explains my problem better.
> Sorry for my english.
>
> Thanks!
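
Added example (not part of the thread and not Samba code): the reports above hinge on whether a newly added group member satisfies a share's "valid users" line. This shell helper expands such a value against "getent group" output to show what NSS says the answer should be, so it can be compared with what smbd actually allows. The group data, user names and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. GETENT_SAMPLE is constructed data in
# `getent group` format: name:passwd:gid:comma-separated members.
GETENT_SAMPLE='admins:*:1000:root,alice
groupName:*:1001:bob,carol
groupB:*:1002:userb'

# expand_valid_users "<valid users value>"
# Reads `getent group` lines on stdin and prints, one per line, the users
# that NSS says the value covers. "@name" and "+name" are looked up as UNIX
# groups (NIS netgroups and quoted names with spaces are not handled);
# anything else is taken as a plain user name. Users who hold a group only
# as their primary GID are not in field 4 and are therefore not listed.
expand_valid_users() {
    awk -F: -v spec="$1" '
        { members[$1] = $4 }
        END {
            n = split(spec, item, /[ \t,]+/)
            for (i = 1; i <= n; i++) {
                e = item[i]
                if (e == "") continue
                if (e ~ /^[@+]/) {
                    m = split(members[substr(e, 2)], u, ",")
                    for (j = 1; j <= m; j++) if (u[j] != "") print u[j]
                } else print e
            }
        }' | sort -u
}

# nss_allows <user> "<valid users value>"
# Exit status 0 if the group data on stdin admits the user, 1 otherwise.
nss_allows() {
    expand_valid_users "$2" | grep -Fqx -- "$1"
}

# Real use: getent group | nss_allows userb '@admins, @groupName'
```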