Hello fellas. I'm facing this problem today:

My Samba PDC is using LDAP as a backend, and it's working really good. The problem comes when I change the groups on one of the users. System shows the change correctly by using 'getent group' and if I log in as that user the behavior is correct when trying the new group permissions.

Samba, however, doesn't seem to get those changes immediately (it syncs hours later, totally random amount of time). I've tried disabling NSCD but no luck. I've read somewhere that restarting the Samba service forces Samba to refresh the users' credentials, but that's not possible to do every time a user needs a change in his groups. I'm wondering if there is some way to refresh Samba cached credentials.

Has anyone experienced this before?

P.S.: Where is Samba caching the users' information/credentials/password/etc. anyway?

--
View this message in context: http://old.nabble.com/Samba-%2B-LDAP%3A-Changing-user%27s-group-tp26421317p26421317.html
Sent from the Samba - General mailing list archive at Nabble.com.
There are various TDBs that cache info (maybe under /var/samba/locks).

If you run "testparm -v" there may be some timeout or cache variables you could adjust.

Does it matter if you have mapped the unix group to a Windows group? In my environment we set up group mappings for the key groups (like Domain Administrators) but we have a lot of unix groups that we don't explicitly map to Windows groups.

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of davefu
Sent: Thursday, November 19, 2009 7:29 AM
To: samba at lists.samba.org
Subject: [Samba] Samba + LDAP: Changing user's group
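The "testparm -v" suggestion in the reply above, as an added example that is not part of the original thread: a filter that pulls the cache- and timeout-related settings out of a testparm-style dump so they can be reviewed per section. The sample dump and its values are constructed; which parameters actually appear depends on the installed Samba version.

```shell
#!/bin/sh
# Added example (not from the thread): list cache/timeout settings
# found in a "testparm -v" style dump read from stdin.
# Output format: section<TAB>parameter<TAB>value
cache_params() {
    awk '
        # Section headers look like [global] or [sharename]
        /^[ \t]*\[.*\][ \t]*$/ {
            section = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", section)
            next
        }
        # Parameter lines look like "name = value"
        /=/ {
            name = $0
            sub(/[ \t]*=.*/, "", name)
            sub(/^[ \t]+/, "", name)
            value = $0
            sub(/^[^=]*=[ \t]*/, "", value)
            sub(/[ \t]+$/, "", value)
            if (tolower(name) ~ /cache|timeout/)
                printf "%s\t%s\t%s\n", section, name, value
        }
    '
}

# Constructed sample input; values are illustrative only.
sample_dump() {
    cat <<'EOF'
[global]
    workgroup = EXAMPLE
    passdb backend = ldapsam:ldap://localhost
    lock directory = /var/samba/locks
    ldap timeout = 15
    name cache timeout = 660
    winbind cache time = 300
    idmap cache time = 604800
    getwd cache = Yes

[homes]
    read only = No
EOF
}

# On a live server, feed it the real dump instead:
#   testparm -sv 2>/dev/null | cache_params
sample_dump | cache_params
```
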
On Thu, Nov 19, 2009 at 7:28 PM, davefu <davefury at gmail.com> wrote:

>
> Hello fellas. I'm facing this problem today:
>
> My Samba PDC is using LDAP as a backend, and it's working really good. The
> problem comes when I change the groups on one of the users. System shows the
> change correctly by using 'getent group' and if I log in as that user the
> behavior is correct when trying the new group permissions.
>

OK.

> Samba, however, doesn't seem to get those changes immediately (it syncs
> hours later, totally random amount of time). I've tried disabling NSCD but
> no luck. I've read somewhere that restarting the Samba service forces Samba to
> refresh the users' credentials, but that's not possible to do every time a user
> needs a change in his groups. I'm wondering if there is some way to refresh
> Samba cached credentials.
>

Do you mean that you have another Samba server (as file server) running that uses LDAP as its backend? When you change the group(s), the change doesn't affect this file server immediately? If this is the case, I used to reload nscd to refresh its cache, since a start-stop or restart of nscd has no effect at all.

Hope it can help - and pardon my language.
OK, back at work.

On the Sun box:
The suggested commands did not work as suggested, but I did find the proper options for this system.

"smbd -V" says 2.2.8a
"testparm -x" says lots of stuff including "encrypt passwords = yes"

I will talk with the network guys about NTLM.

----- sato x <garasi9 at gmail.com> wrote:
> On Wed, Nov 25, 2009 at 3:21 PM, Gaiseric Vandal <gaiseric.vandal at gmail.com> wrote:
>
> My guess is that they may have required NTLMv2 or something
> similar on the Win machines. If these machines are part of an Active
> Directory domain, it would be relatively easy for this to be done.
>
> http://www.dennek.com/2009/03/system-error-1240-the-account-is-not-authorized-to-login-from-this-station/
>
> You can use gpedit.msc on XP to check your security settings.
>
> "smbd -v" would tell you the samba version.
> "testparm -v | more " would let you check the various settings.
>
> Are you the sys admin for the solaris box?
>
> On 11/25/09 14:52, Dan White wrote:
>> The server is on a Sun box (uname says SunOS 5.8). I do not know what
>> version of samba is running.
>>
>> For the last year and a half, I have made a daily connection from a
>> Windows XP box with the following command:
>>
>> net use G: \\server\volume /USER:userid password
>>
>> This makes a "G" network drive that serves the purpose.
>>
>> About a month ago, network folks upstream from us spewed a bunch of
>> policy updates that caused serious trouble. The worst being mine.
>>
>> Now, if I try the same command on an XP box, the command executes
>> successfully, the G-drive appears and then blinks to say
>> "Disconnected Network Drive"
>>
>> Because some of our team use them, I tried from a Windows 2000 box.
>> The same command responds with:
>>
>> "System Error 1240 has occurred. The account is not authorized to log
>> in from this station"
>>
>> I checked the smb.conf file and found that the samba server is
>> configured for encrypted passwords. This error makes no sense.
>>
>> The local network folks are convinced this is a Unix problem.
>>
>> Any clues out there for this clueless one?
On Mon, Nov 30, 2009 at 01:26:34PM +0000, Dan White wrote:
> OK, back at work
>
> On the Sun box:
> The suggested commands did not work as suggested, but I did find the proper options for this system
>
> "smbd -V" says 2.2.8a
> "testparm -x" says lots of stuff including "encrypt passwords = yes"
>
> I will talk with the network guys about NTLM

You should also talk with your Solaris people about a newer Samba version :-)

Volker
----- Volker Lendecke <Volker.Lendecke at SerNet.DE> wrote:
> On Mon, Nov 30, 2009 at 01:26:34PM +0000, Dan White wrote:
> > OK, back at work
> >
> > On the Sun box:
> > The suggested commands did not work as suggested, but I did find the proper options for this system
> >
> > "smbd -V" says 2.2.8a
> > "testparm -x" says lots of stuff including "encrypt passwords = yes"
> >
> > I will talk with the network guys about NTLM
>
> You should also talk with your Solaris people about a newer
> Samba version :-)
>
> Volker

Yes, but this setup DID work up until a month ago. It would be nice to get it working again with a minimum of change because it is part of a development environment.

"Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us."
Bill Watterson (Calvin & Hobbes)