Steve Scanavarro
2007-Aug-31 13:17 UTC
[Samba] Samba+LDAP with real-time share permissions
Hello everyone!

I'm using Samba with LDAP, and everything is working fine. But I'm having problems when I change something in the permissions on the share. For example, I have a share called "daily". In this share, the permissions are set to the LDAP group called Daily, where "steve" is a member.

Well, when I log in, the share maps OK, but what I want is that, when I remove the user steve from the LDAP group, his access is denied in "real-time" (when removed from the group, he stops being able to see anything in the drive).

*BUT*, it's not working, the user still has the permissions in the drive 'til logout/login again.

My question is, what if the user logs out only on the weekends? In the meanwhile, will user 'steve' still have access to the drive?

In an experience here, he no longer has access only when I restart Samba, but when I do that, the other drives that are mapped stop working as well, and the user has to log out and log in again, and then the permissions are OK. (And it's not a good idea to restart Samba every time I change a permission, is it? :)

Thanks in advance for any help/ideas!

Best,
Steve
On Fri, 2007-08-31 at 10:16 -0300, Steve Scanavarro wrote:
> Hello everyone!
> I'm using samba with LDAP, and everything is working fine.
> But I'm having problems when I change something in the permissions on the
> share, for example, I have a share called "daily".
> In this share, the permissions are set to the LDAP group called Daily, where
> "steve" is a member.
> Well, when I log in, the share maps ok, but what I want to do is, when I
> remove the user steve from the LDAP group, his access will be denied in
> "real-time" (when remove from the group, stop been able to see anything in
> the drive).
>
> *BUT*, it's not working, the user still have the permissions in the drive
> 'til logout/login again.

This is by design; privileges are set at connection time and never changed.

> My question is, what if the user logout only in the weekends? In the
> meanwhile user 'steve' will still have access to the drive?
> In an experience here, he no longer has access only when I restart Samba,
> but when I do that, the other drives that are mapped stop working as well,
> and the user should logout/login again, and then the permissions are ok.
> (and it's not a good idea to restart samba everytime I change a permission
> isn't it? :)
>
> Thanks in advance for any help/ideas!

You can use smbstatus to find out the pid of the specific smbd serving that user and then send this process a shutdown command using smbcontrol. This will disconnect the user and force his workstation to reconnect all drives and perform a new authentication.

I think another way could be to simply change the main directory permissions. Instead of adding and removing users to the Daily group, simply deny it access to the directory by setting its permissions to --- (no r, w or x). This may be more practical and does not require disconnections, nor constant manipulation of user memberships.

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer
email: idra@samba.org
http://samba.org
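
The smbstatus/smbcontrol approach described in the reply above, as an added example that is not part of the original thread or of Samba itself. The `smbstatus -b` sample is constructed and its column layout is an assumption (it varies between Samba versions, with PID and Username as the first two columns); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: end only one user's smbd session(s) after a group change,
# instead of restarting Samba for everybody.

# Constructed sample of `smbstatus -b` output (layout assumed, see lead-in).
SAMPLE_STATUS='
Samba version 3.0.25
PID     Username      Group         Machine
-------------------------------------------------------------------
 4321   steve         Daily         ws01         (192.168.1.10)
 4388   maria         Daily         ws02         (192.168.1.11)
 4410   steve         Daily         ws07         (192.168.1.17)
'

# Read `smbstatus -b` output on stdin; print the smbd PIDs serving user $1.
pids_for_user() {
    awk -v u="$1" '
        /^-+$/ { in_table = 1; next }   # session rows follow the dashed rule
        in_table && $1 ~ /^[0-9]+$/ && $2 == u { print $1 }
    ' | sort -un                        # one line per smbd process
}

# Read PIDs on stdin. With DRY_RUN=1 (the default) only print the command;
# with DRY_RUN=0 send the shutdown message to each smbd.
shutdown_pids() {
    while read -r pid; do
        case "$pid" in ''|*[!0-9]*) continue ;; esac   # numeric PIDs only
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "smbcontrol $pid shutdown"
        else
            smbcontrol "$pid" shutdown
        fi
    done
}

# On a live server, as root: DRY_RUN=0 disconnect_user steve
disconnect_user() {
    smbstatus -b | pids_for_user "$1" | shutdown_pids
}

# Demonstration on the constructed sample; nothing is signalled.
printf '%s\n' "$SAMPLE_STATUS" | pids_for_user steve | shutdown_pids
```

Run it after the LDAP group change has been made, so that the client's automatic reconnect authenticates against the updated membership.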