Darren Campbell
2010-Sep-22 05:51 UTC
[Samba] Changing group membership doesn't grant access when expected
Hi everyone,

Just trying to find a definitive answer on a problem I have been trying to address for a few months now. I've sifted through the list archives and the closest thing I could find was something about credential caching and it didn't seem to work.

What we're trying to do seems simple / normal / common enough that I'm surprised it doesn't just work.

We have a "mgnt" share with some Excel spreadsheets inside and we just want to allow certain users access to the share to be able to update/rename/delete/add files.

We also want to be able to allow new users access to the share.

Here's where we have been having some trouble. We were working off the theory that we could create an OS group, change the owner of the shared directory to a member of the OS group, change the group of the shared directory to the OS group and then manage access by adding/removing users from the OS group.

For example,

There's a unix group "mgmt_files". We add users to the group with "usermod -a -G mgmt_files username".

Here's the folder permissions from "ls -ld":

    ls -ld /srv/server/mgnt
    drwxrwsr-x 7 kristie mgmt_files 4096 2010-08-09 15:07 /srv/server/mgnt

Now this mostly works fine except when we add a new user to the OS group mgmt_files, the new users do not get write access to the folder pointed to by the "mgnt" share (or /srv/server/mgnt) until the user logs off Winxp and logs back in again, or we kill -15 the pid of the user's samba daemon.

Kill would work fine except that the user might have other files open at the time and it causes disruption/corruption with those files. This causes Outlook to stop working as normal because we have the .pst files hosted on the samba server.

What I was hoping for was that we could just add users to the OS group and samba would seamlessly pickup/acknowledge the change and allow the new user access.

i.e. we add a new user say "john" to

    mgmt_files membership: kristie,mike,joann,simonel

and thus mgmt_files membership becomes:

    kristie,mike,joann,simonel,john

However, John has to log off and back on again to be able to update files in the "mgnt" share.

I am hoping someone could point/lead me in the right direction with this or at least let me know whether seamless access-control is possible.

I've also checked "testparm -v" to see if there are any default options to change that might help. I read somewhere about "change notify timeout".

We are using samba Version 3.0.28a. If the version is definitely an issue, I could not find a bug report anywhere explaining what is going on. If someone knows better, please let me know.

Here's the global section of our smb.cnf produced with "testparm -s" minus the other irrelevant service defs.

    [global]
        workgroup = XXXXXXX
        server string = XXXXXXXX
        add user script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false %u
        add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false %u
        logon script = logon.cmd
        logon path = \\%N\profiles\%U
        logon drive = H:
        logon home = \\home\%U\winprofile
        domain logons = Yes
        os level = 65
        domain master = Yes
        default service = netlogon

    [mgnt]
        path = /srv/server/mgnt
        read only = No
        force create mode = 0660
        force directory mode = 02775

Regards,
Darren Campbell
Rodolfo Barbosa
2010-Sep-22 18:20 UTC
[Samba] RES: Changing group membership doesn't grant access when expected
Campbell,

Here we have the same issue. I have searched for a solution for two years and we didn't find any solution.

Now, joining in on your thread, I would like to ask the folks on the list about another problem that I have: after starting to use samba 3.2.5 (on a Debian GNU/Linux with ldap password backend) the group permission doesn't work on Windows machines.

We have created a group called "RH" and we gave full read/write permission to this group on a Windows file server folder and on a Linux file server folder. On the Linux server the members of the "RH" group can read and write files but on the Windows server they can't.

Does anyone have a solution or a workaround for this issue?

Thanks

--
Rodolfo Barbosa
Lunar Consultoria
barbosa.rodolfo at lunarconsultoria.com.br
CEL: +55 (35) 9132-0764