(Msg. 1) Posted: Thu Nov 19, 2009 10:25 am
Post subject: [Samba] Samba + LDAP: Changing user's group
Archived from groups: linux>samba
Hello fellas. I'm facing this problem today:
My Samba PDC is using LDAP as a backend, and it's working really well. The
problem comes when I change the groups on one of the users. System shows the
change correctly by using 'getent group' and if I log in as that user the
behavior is correct when trying the new group permissions.
Samba, however, doesn't seem to get those changes immediately (it syncs
hours later, totally random amount of time). I've tried disabling NSCD but
no luck. I've read somewhere that restarting Samba service forces Samba to
refresh the users' credentials, but that's not possible to do every time a user
needs a change in his groups. I'm wondering if there is some way to refresh
Samba cached credentials.
Has anyone experienced this before?
P.S.: Where is Samba caching the users' information/credentials/password/etc.
anyway?
(Msg. 2) Posted: Thu Nov 19, 2009 10:25 am
Post subject: Re: [Samba] Samba + LDAP: Changing user's group
There are various TDB that cache info (maybe under /var/samba/locks)
If you run "testparm -v" there may be some timeout or cache variables you
could adjust.
Does it matter if you have mapped the unix group to a Windows group? In my
environment we set up group mappings for the key groups (like Domain
Administrators) but we have a lot of unix groups that we don't explicitly
map to Windows groups.
-----Original Message-----
From: samba-bounces.TakeThisOut@lists.samba.org [mailto:samba-bounces@lists.samba.org]
On Behalf Of davefu
Sent: Thursday, November 19, 2009 7:29 AM
To: samba.TakeThisOut@lists.samba.org
Subject: [Samba] Samba + LDAP: Changing user's group
Hello fellas. I'm facing this problem today:
My Samba PDC is using LDAP as a backend, and it's working really well. The
problem comes when I change the groups on one of the users. System shows the
change correctly by using 'getent group' and if I log in as that user the
behavior is correct when trying the new group permissions.
Samba, however, doesn't seem to get those changes immediately (it syncs
hours later, totally random amount of time). I've tried disabling NSCD but
no luck. I've read somewhere that restarting Samba service forces Samba to
refresh the users' credentials, but that's not possible to do every time a user
needs a change in his groups. I'm wondering if there is some way to refresh
Samba cached credentials.
Has anyone experienced this before?
P.S.: Where is Samba caching the users' information/credentials/password/etc.
anyway?
(Msg. 3) Posted: Fri Nov 20, 2009 1:25 pm
Post subject: Re: [Samba] Samba + LDAP: Changing user's group
Thanks for the reply.
Think I'll have a look at the smb.conf.
I'm not really sure about the answer to your question. For each domain, I
have 2 "sambaGroupMapping" (domainUsersDOMAIN & domainAdminsDOMAIN both SSID
ending in 513 and 512), and all the posix groups I want, to keep certain
order between user groups, admin groups, etc. which will come in use when
setting ACLs on the shared resources.
Thanks again.
Gaiseric Vandal wrote:
>
> There are various TDB that cache info (maybe under /var/samba/locks)
>
> If you run "testparm -v" there may be some timeout or cache variables you
> could adjust.
>
> Does it matter if you have mapped the unix group to a Windows group? In my
> environment we set up group mappings for the key groups (like Domain
> Administrators) but we have a lot of unix groups that we don't explicitly
> map to Windows groups.
(Msg. 4) Posted: Mon Nov 30, 2009 8:25 am
Post subject: Re: [Samba] Samba + LDAP: Changing user's group
On Thu, Nov 19, 2009 at 7:28 PM, davefu <davefury.DeleteThis@gmail.com> wrote:
>
> Hello fellas. I'm facing this problem today:
>
> My Samba PDC is using LDAP as a backend, and it's working really well. The
> problem comes when I change the groups on one of the users. System shows the
> change correctly by using 'getent group' and if I log in as that user the
> behavior is correct when trying the new group permissions.
>
>
OK.
> Samba, however, doesn't seem to get those changes immediately (it syncs
> hours later, totally random amount of time). I've tried disabling NSCD but
> no luck. I've read somewhere that restarting Samba service forces Samba to
> refresh the users' credentials, but that's not possible to do every time a
> user needs a change in his groups. I'm wondering if there is some way to
> refresh Samba cached credentials.
>
>
Do you mean that you have another Samba server (as file server) running and
uses LDAP as its backend? When you change the group(s), the change doesn't
affect this file server immediately? If this is the case, I used to reload
nscd to refresh its cache, since start-stop or restart nscd brings no effect
at all.
Hope it can help - and pardon my language.
(Msg. 5) Posted: Mon Nov 30, 2009 9:25 am
Post subject: Re: [Samba] Serious grief with a Samba connection
OK, back at work
On the Sun box:
The suggested commands did not work as suggested, but I did find the proper options for this system
"smbd -V" says 2.2.8a
"testparm -x" says lots of stuff including "encrypt passwords = yes"
I will talk with the network guys about NTLM
----- sato x <garasi9 DeleteThis @gmail.com> wrote:
> On Wed, Nov 25, 2009 at 3:21 PM, Gaiseric Vandal <gaiseric.vandal DeleteThis @gmail.com> wrote:
>
> My guess is that they may have required NTLMv2 or something
> similar on the Win machines. If these machines are part of an Active
> Directory domain, it would be relatively easy for this to be done.
>
> http://www.dennek.com/2009/03/system-error-1240-the-account-is-not-authorized-to-login-from-this-station/
>
> You can use gpedit.msc on XP to check your security settings.
>
>
> "smbd -v" would tell you the samba version.
> "testparm -v | more " would let you check the various settings.
>
>
> Are you the sys admin for the solaris box?
>
>
>
> On 11/25/09 14:52, Dan White wrote:
>> The server is on a Sun box (uname says SunOS 5. I do not know what
>> version of samba is running
>>
>> For the last year and a half, I have made a daily connection from a
>> Windows XP box with the following command:
>>
>> net use G: \\server\volume /USER:userid password
>>
>> This makes a "G" network drive that serves the purpose.
>>
>> About a month ago, network folks upstream from us spewed a bunch of
>> policy updates that caused serious trouble. The worst being mine.
>>
>> Now, if I try the same command on an XP box, the command executes
>> successfully, the G-drive appears and then blinks to say
>> "Disconnected Network Drive"
>>
>> Because some of our team use them, I tried from a Windows 2000 box.
>> The same command responds with :
>>
>> System Error 1240 has occurred. The account is not authorized to log
>> in from this station"
>>
>> I checked the smb.conf file and found that the samba server is
>> configured for encrypted passwords. This error makes no sense.
>>
>> The local network folks are convinced this is a Unix problem.
>>
>> Any clues out there for this clueless one ?
>
(Msg. 6) Posted: Tue Dec 01, 2009 2:25 pm
Post subject: Re: [Samba] Samba + LDAP: Changing user's group
Hi, thanks for answering.
I have only 1 Samba server. When I mentioned changes on groups, I meant on
LDAP server. LDAP is used on both system and samba environments. When
changing groups on users, those changes are instant on the system
environment, but not on Samba.
- I create a new "Folder A", with full permissions for "Group A"
- "User B" (belonging to group B), logs via SSH to the server, and can't
access the "Folder A".
- "User B" logs via Samba using his Windows desktop machine, and can't
access the "Folder A" (previously configured inside a Samba Resource).
- Now I add "User B" to "Group A" via LDAP. He belongs now to "Group A" and
"Group B".
- Getent group | grep "User B" shows correctly both groups on the user.
- "User B" correctly accesses "Folder A", write files, etc via console, ssh,
or any kind of regular system authentication (since system is using pam
libraries, configured to use LDAP as backend).
- "User B" still can't access "Folder A" in any way. Samba has cached "User
B" credentials, and hasn't checked LDAP again for a while. The only option
is to restart Samba, or wait randomly until Samba refreshes / syncs LDAP
info about that user again.
Hope this little story explains my problem better.
Sorry for my English.
Thanks!
However,
sato x wrote:
>
> On Thu, Nov 19, 2009 at 7:28 PM, davefu <davefury.DeleteThis@gmail.com> wrote:
>
>>
>> Hello fellas. I'm facing this problem today:
>>
>> My Samba PDC is using LDAP as a backend, and it's working really well. The
>> problem comes when I change the groups on one of the users. System shows the
>> change correctly by using 'getent group' and if I log in as that user the
>> behavior is correct when trying the new group permissions.
>>
>>
> OK.
>
>
>> Samba, however, doesn't seem to get those changes immediately (it syncs
>> hours later, totally random amount of time). I've tried disabling NSCD but
>> no luck. I've read somewhere that restarting Samba service forces Samba to
>> refresh the users' credentials, but that's not possible to do every time a
>> user needs a change in his groups. I'm wondering if there is some way to
>> refresh Samba cached credentials.
>>
>>
> Do you mean that you have another Samba server (as file server) running and
> uses LDAP as its backend? When you change the group(s), the change doesn't
> affect this file server immediately? If this is the case, I used to reload
> nscd to refresh its cache, since start-stop or restart nscd brings no effect
> at all.
>
> Hope it can help - and pardon my language.
(Msg. 7) Posted: Wed Dec 02, 2009 2:25 pm
Post subject: Re: [Samba] Samba + LDAP: Changing user's group
I'm having this same problem, but it's new. Using 3.4.2 Debian packages,
recently upgraded. I never had any type of LDAP group caching problem until
the last 2 weeks. I added a user to an LDAP group as normal because they
needed access to a new share. Cleared the nscd caches as normal. The service
definition uses
force group = +groupName
valid users = @admins, @groupName
write list = @admins, @groupName
All of the people previously in @groupName retain access to the share. The
person I just added cannot access it. getent, groups, etc all return the
correct group membership. If I add the account explicitly to valid users &
write list, it works as soon as I do an smbd reload.
Did some behavior change or have we stumbled on a new bug?
Wes
On Monday 30 November 2009 07:29:33 am davefu wrote:
>
> Hi, thanks for answering.
>
> I have only 1 Samba server. When I mentioned changes on groups, I meant on
> LDAP server. LDAP is used on both system and samba environments. When
> changing groups on users, those changes are instant on the system
> environment, but not on Samba.
>
> - I create a new "Folder A", with full permissions for "Group A"
> - "User B" (belonging to group B), logs via SSH to the server, and can't
> access the "Folder A".
> - "User B" logs via Samba using his Windows desktop machine, and can't
> access the "Folder A" (previously configured inside a Samba Resource).
> - Now I add "User B" to "Group A" via LDAP. He belongs now to "Group A" and
> "Group B".
> - Getent group | grep "User B" shows correctly both groups on the user.
> - "User B" correctly accesses "Folder A", write files, etc via console, ssh,
> or any kind of regular system authentication (since system is using pam
> libraries, configured to use LDAP as backend).
> - "User B" still can't access "Folder A" in any way. Samba has cached "User
> B" credentials, and hasn't checked LDAP again for a while. The only option
> is to restart Samba, or wait randomly until Samba refreshes / syncs LDAP
> info about that user again.
>
> Hope this little story explains my problem better.
> Sorry for my English.
>
> Thanks!
>
>
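Added example, not part of the original posts and not Samba code: the share definition quoted in the message above, evaluated against NSS-style data to get the access one would expect once the directory change is visible. The users, gids, the share name `newshare` and all helper functions are constructed for illustration; `@` and `+` entries are treated as UNIX groups and no NIS netgroups are assumed.

```python
import configparser

# Constructed sample data in `getent passwd` / `getent group` format.
PASSWD = """\
alice:x:1001:2000::/home/alice:/bin/bash
bob:x:1002:2001::/home/bob:/bin/bash
carol:x:1003:2002::/home/carol:/bin/bash
"""
GROUP_BEFORE = """\
admins:x:2000:
groupName:x:2001:
staff:x:2002:
"""
GROUP_AFTER = GROUP_BEFORE.replace("groupName:x:2001:", "groupName:x:2001:carol")

# Share definition as posted in the thread; the section name is hypothetical.
SMB_CONF = """\
[newshare]
force group = +groupName
valid users = @admins, @groupName
write list = @admins, @groupName
"""


def groups_of(user, passwd_text, group_text):
    """All groups of a user: supplementary memberships plus the primary gid."""
    primary_gid = None
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] == user:
            primary_gid = fields[3]
    found = set()
    for line in group_text.splitlines():
        name, _, gid, members = (line.split(":") + [""] * 4)[:4]
        # `getent group | grep user` misses the primary group; check the gid too.
        if user in members.split(",") or gid == primary_gid:
            found.add(name)
    return found


def entry_matches(user, user_groups, entry):
    """One smb.conf user-list entry: a plain name, or an @/+ prefixed group."""
    name = entry.lstrip("@+&")
    prefix = entry[: len(entry) - len(name)]
    if not prefix:
        return entry == user
    # '&' alone means NIS netgroup only; none exist in this sample.
    return ("@" in prefix or "+" in prefix) and name in user_groups


def expected_access(user, share, passwd_text, group_text, conf_text=SMB_CONF):
    """Access the share definition should grant, judged from NSS data only."""
    conf = configparser.ConfigParser(interpolation=None)
    conf.read_string(conf_text)
    user_groups = groups_of(user, passwd_text, group_text)

    def listed(key):
        entries = conf[share].get(key, "").replace(",", " ").split()
        return entries, any(entry_matches(user, user_groups, e) for e in entries)

    valid_entries, in_valid = listed("valid users")
    _, in_write = listed("write list")
    connect = in_valid or not valid_entries  # empty list: no restriction
    return {"connect": connect, "in_write_list": connect and in_write}
```

Comparing this expected result with what smbd actually grants separates a directory or NSS problem from stale state inside Samba.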
(Msg. 8) Posted: Mon Dec 21, 2009 11:37 am
Post subject: Re: [Samba] Samba + LDAP: Changing user's group
Bump
Wes Deviers wrote:
>
> I'm having this same problem, but it's new. Using 3.4.2 Debian packages,
> recently upgraded. I never had any type of LDAP group caching problem until
> the last 2 weeks. I added a user to an LDAP group as normal because they
> needed access to a new share. Cleared the nscd caches as normal. The service
> definition uses
>
> force group = +groupName
> valid users = @admins, @groupName
> write list = @admins, @groupName
>
> All of the people previously in @groupName retain access to the share. The
> person I just added cannot access it. getent, groups, etc all return the
> correct group membership. If I add the account explicitly to valid users &
> write list, it works as soon as I do an smbd reload.
>
> Did some behavior change or have we stumbled on a new bug?
>
> Wes
>
>