Tobias Hachmer
2024-Jan-04 10:23 UTC
[Samba] Samba not get updated list of user group membership
Hello and a Happy New Year to all,

we have a Samba 3-Node CTDB Cluster running Standalone Samba with LDAP Backend.

Samba Version: 99:4.18.9-9debian11
OS: Debian 11

For quite some time, samba doesn't get the updated group list for a user. We add a user to an existing LDAP Group to grant access to an existing share. The passwd database gets updated via nslcd, but samba doesn't show all groups. Here's an example:

Samba Log when the new user added to the group wants to access the share:
---
Jan 04 11:09:12 smb-002 smbd[1269695]: [2024/01/04 11:09:12.924665, 0] ../../source3/smbd/smb2_service.c:117(chdir_current_service)
Jan 04 11:09:12 smb-002 smbd[1269695]: chdir_current_service: vfs_ChDir(/srv/samba/shares/EXAMPLE_SHARE) failed: Permission denied. Current token: uid=38923, gid=20000, 12 groups: 2086 2235 2241 2289 2332 2552 5505 5585 5619 5625 27 2117
---

If I run id with the uid number I get all groups, which are more than samba shows in the log:
---
~# id 38923
uid=38923(xxx) gid=20000(xxx) groups=27(xxx),2086(xxx),2117(xxx),2235(xxx),2241(xxx),2289(xxx),2332(xxx),2552(xxx),5505(xxx),5585(xxx),5587(xxx),5619(xxx),5625(xxx),20000(xxx)
---

The group id in question is "5587", which is shown by id but not in the samba log.

Our configuration is here: https://pastebin.com/NUQHLqrT

I have invalidated the nscd group table, restarted the CTDB Cluster, restarted nslcd ...

Any help really appreciated.

Thanks and regards
Tobias
Rowland Penny
2024-Jan-04 11:13 UTC
[Samba] Samba not get updated list of user group membership
On Thu, 4 Jan 2024 11:23:50 +0100 Tobias Hachmer via samba <samba at lists.samba.org> wrote:

> Hello and a Happy New Year to all,
>
> we have a Samba 3-Node CTDB Cluster running Standalone Samba with
> LDAP Backend.
>
> Samba Version: 99:4.18.9-9debian11
> OS: Debian 11
>
> For quite some time, samba doesn't get the updated group list for a
> user. We add a user to an existing LDAP Group to grant access to an
> existing share. The passwd database gets updated via nslcd, but samba
> doesn't show all groups. Here's an example:
>
> Samba Log when the new user added to the group wants to access the
> share:
> ---
> Jan 04 11:09:12 smb-002 smbd[1269695]: [2024/01/04 11:09:12.924665,
> 0] ../../source3/smbd/smb2_service.c:117(chdir_current_service)
> Jan 04 11:09:12 smb-002 smbd[1269695]: chdir_current_service:
> vfs_ChDir(/srv/samba/shares/EXAMPLE_SHARE) failed: Permission denied.
> Current token: uid=38923, gid=20000, 12 groups: 2086 2235 2241 2289
> 2332 2552 5505 5585 5619 5625 27 2117
> ---
>
> If I run id with the uid number I get all groups, which are more than
> samba shows in the log:
> ---
> ~# id 38923
> uid=38923(xxx) gid=20000(xxx)
> groups=27(xxx),2086(xxx),2117(xxx),2235(xxx),2241(xxx),2289(xxx),2332(xxx),2552(xxx),5505(xxx),5585(xxx),5587(xxx),5619(xxx),5625(xxx),20000(xxx)
> ---
>
> The group id in question is "5587", which is shown by id but not in
> the samba log.
>
> Our configuration is here: https://pastebin.com/NUQHLqrT
>
> I have invalidated the nscd group table, restarted the CTDB Cluster,
> restarted nslcd ...
>
> Any help really appreciated.
>
> Thanks and regards
> Tobias

Not an expert on CTDB by any means, but running Samba in the way you are is the next thing to running an NT4-style domain and will probably require SMBv1, which is turned off by default. You may also need to run winbind to get group membership.

Rowland
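
Added example, not part of the original thread and not Samba project code: a small Python helper that diffs the group list in an smbd "Current token" log line against `id` output for the same uid, so a stale token can be spotted without comparing the numbers by eye. The function names are hypothetical; the sample input is the log line and `id` output quoted in the first message.

```python
import re

# Sample input taken from the first message in this thread.
SMBD_LOG = ("chdir_current_service: vfs_ChDir(/srv/samba/shares/EXAMPLE_SHARE) "
            "failed: Permission denied. Current token: uid=38923, gid=20000, "
            "12 groups: 2086 2235 2241 2289 2332 2552 5505 5585 5619 5625 27 2117")
ID_OUTPUT = ("uid=38923(xxx) gid=20000(xxx) groups=27(xxx),2086(xxx),2117(xxx),"
             "2235(xxx),2241(xxx),2289(xxx),2332(xxx),2552(xxx),5505(xxx),"
             "5585(xxx),5587(xxx),5619(xxx),5625(xxx),20000(xxx)")

TOKEN_RE = re.compile(
    r"Current token: uid=(\d+), gid=(\d+), (\d+) groups:((?:\s+\d+)*)")
ID_RE = re.compile(
    r"uid=(\d+)(?:\([^)]*\))?\s+gid=(\d+)(?:\([^)]*\))?\s+groups=(.*)")

def parse_token(text):
    """Return (uid, gid, supplementary gids) from an smbd token log line."""
    m = TOKEN_RE.search(text)
    if not m:
        raise ValueError("no 'Current token' entry found")
    gids = [int(g) for g in m[4].split()]
    if len(gids) != int(m[3]):
        raise ValueError("token truncated: %s groups declared, %d parsed"
                         % (m[3], len(gids)))
    return int(m[1]), int(m[2]), set(gids)

def parse_id(text):
    """Return (uid, gid, gids) from the output of id(1)."""
    m = ID_RE.search(text)
    if not m:
        raise ValueError("not id(1) output")
    # Each entry is "gid(name)"; take the number at the start of each entry.
    gids = {int(g) for g in re.findall(r"(?:^|,)(\d+)", m[3])}
    return int(m[1]), int(m[2]), gids

def compare(log_text, id_text):
    """Return (gids NSS reports but the token lacks, gids only in the token)."""
    t_uid, t_gid, t_groups = parse_token(log_text)
    i_uid, i_gid, i_groups = parse_id(id_text)
    if t_uid != i_uid:
        raise ValueError("uid mismatch: token %d vs id %d" % (t_uid, i_uid))
    token_all = t_groups | {t_gid}   # primary gid counts as membership
    nss_all = i_groups | {i_gid}
    return sorted(nss_all - token_all), sorted(token_all - nss_all)

if __name__ == "__main__":
    missing, extra = compare(SMBD_LOG, ID_OUTPUT)
    print("in NSS but not in smbd token:", missing)
    print("in smbd token but not in NSS:", extra)
```
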