Manuel Graumann
2006-Dec-14 15:40 UTC
[Samba] Problem with LDAP groups and associated file permissions
Hi folks!

Our smb with LDAP PDC now seems to be nearly completed. Just now we found out something very mysterious. We organized some directories to be used by specific domain groups. If we put a user into a group the user is allowed to access the associated share. So far this works pretty nice.

If we remove the user from the domain group the user seems to keep all his rights he got from his group membership we removed - even after logging off and on again and restarting smb and nmb. This seems to me a very strange behaviour. Any ideas where we have to look?

Client OS: XP Pro SP 2
Server: openSuse 10.1 64 bit, Samba 3.0.22-13.18, openldap2 2.3.19-18.10, smbldap-tools 0.9.1-11

Any hint would be nice.

Regards

Manuel
Michael Coburn
2006-Dec-14 16:01 UTC
[Samba] Problem with LDAP groups and associated file permissions
Have you confirmed that those group memberships have been truly revoked in LDAP? Does OpenLDAP need to be reloaded/restarted? Is the client actually contacting LDAP after you logged them out to find out its new group memberships?

--
Michael Coburn
Cleber P. de Souza
2006-Dec-14 16:21 UTC
[Samba] Problem with LDAP groups and associated file permissions
Are you using some cache service such as nscd? If so, try disabling it, and afterwards lower the cache time to a more accurate value for your environment.

--
Cleber P. de Souza
Matt Skerritt
2006-Dec-15 01:16 UTC
[Samba] Problem with LDAP groups and associated file permissions
Check the file permissions on the folder and files in question. If the folder is set up with world execute permissions, anybody can change into it - and any files created by the user in question will probably be owned by them - and so they'll still have access if they can change into the containing directory. At least, that'd be the first thing I would look at.

Also try running commands like "groups <user>" to make sure that your unix backend agrees that they are no longer in the group.

--
Matt Skerritt
matt.skerritt@agrav.net
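The checks suggested in this thread (what the unix backend reports for the group, whether the share directory is traversable by "other", and which files the user owns), collected into one script as an added example that is not part of any poster's message. The function names and the sample user, group and path are hypothetical.

```shell
#!/bin/sh
# Added diagnostic sketch; function names are hypothetical, sample names are constructed.

# Succeeds if USER appears in the member field of a group(5) line
# ("name:passwd:gid:member1,member2"), e.g. the output of `getent group NAME`.
listed_in_group() {
    user=$1; line=$2
    members=${line##*:}              # text after the last colon
    case ",$members," in
        *",$user,"*) return 0 ;;     # exact match only: "alice" does not match "alice2"
        *) return 1 ;;
    esac
}

# Succeeds if DIR grants execute (traverse) to "other", so a non-member can cd into it.
world_can_enter() {
    mode=$(ls -ld "$1" | cut -c10)   # 10th character of the mode string: other-execute
    [ "$mode" = "x" ] || [ "$mode" = "t" ]
}

# Counts entries under DIR owned by USER (name or numeric uid). Owners keep access
# through the owner bits regardless of group membership.
count_owned_by() {
    find "$2" -user "$1" | wc -l | tr -d ' '
}

# Report for one user, group and share directory. getent goes through NSS,
# so it shows what the server (including any nscd cache) currently believes.
audit_share() {
    user=$1; group=$2; dir=$3
    if listed_in_group "$user" "$(getent group "$group")"; then
        echo "NSS still lists $user in $group (stale cache or LDAP entry unchanged)"
    else
        echo "NSS no longer lists $user in $group"
    fi
    world_can_enter "$dir" && echo "$dir is traversable by 'other'"
    echo "$(count_owned_by "$user" "$dir") entries under $dir are owned by $user"
}

# Usage (constructed names): audit_share alice projectx /srv/shares/projectx
```

The member list of a group line does not include users whose primary group is that group, so also compare `id -g <user>` against the group's gid.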