Linux – Samba with ldapsam backend

linuxnetwork-sharesamba

I got problem with Samba server with LDAP authentication backend, Samba acts as PDC, but it is not important in this case. Problem is following:

On LDAP server I have two groups per share: read only (name), read write (name-rw)

Every share has setup:

[share]
valid users = @name
read users = @name
write users = @name-rw
force group = name

Problem is simple: When I add existing user into group, Samba throws following errors into log:

user 'username' (from session setup) not permitted to access this share (share)

Sometimes there were problems with unix group membership, but this resolved logout and login on client computer.

To fix this I have to do restart of Samba but that is not possible during the day and share is in such cases required as soon as possible. Especially now the problem persist and I was forced to append user to valid users because of this issue.

Tried to google, but failed, thank you very much for any possible help.

Best Answer

Have you tried just reloading Samba? Debian: /etc/init.d/samba reload or any: pkill -SIGHUP smbd, it won't drop any connection but will force samba to reload config.

Group membership is cached too by nscd, to reload its cache do:

nscd -i group

You may want to reaload shadow and passwd too... Restarting nscd won't make it forget cached entries.

Related Solutions

Linux – Samba PDC share slow with LDAP backend

Finally after months of look everywhere I read this article http://www.linuxtopia.org/online_books/network_administration_guides/samba_reference_guide/24_locking_08.html

and started to play with oplock values. The Windows application did a lot of read write operations, each time changing permissions, when disabling the oplocks things started to going better.

Linux – Samba share for user groups with Ubuntu. A user can’t access files created by other users

I had to give up using ACLs via NFS. The mask is not working properly.

I use inotify now instead, with a little script launched at startup:

#!/bin/bash

# Directory name as argument. You MUST set it also down there before using it!

LOGFILE="/tmp/inotify-log.tmp"

inotifywait -mrq -e attrib,moved_to,create --format %w%f "$1" | while read FILE ; do
    # Ignore root FIXME you have to put here all possible root arguments
    if [ -d "$FILE" ] && [ $FILE == "/export/proyectos" ] || [ $FILE == "/export/proyectos/" ] ; then
        continue;
    fi
    # Get new permissions
    PERMISOS=$(stat -c %a "$FILE")
    if [ -d "$FILE" ] ; then
        if [ $PERMISOS -ne 2771 ] ; then
            NUEVOSPERMISOS=2771

        else
            NUEVOSPERMISOS=0
        fi
    else
        # Get permissions
        if [ ${#PERMISOS} -eq 3 ] ; then
            PERMISOS_ADICIONALES=0
            PERMISOS_USUARIO=${PERMISOS:0:1}
            PERMISOS_GRUPO=${PERMISOS:1:1}
            PERMISOS_OTROS=${PERMISOS:2:1}
        else
            PERMISOS_ADICIONALES=${PERMISOS:0:1}
            PERMISOS_USUARIO=${PERMISOS:1:1}
            PERMISOS_GRUPO=${PERMISOS:2:1}
            PERMISOS_OTROS=${PERMISOS:3:1}
        fi

        # Check permissions
        if [ $PERMISOS_USUARIO -ne $PERMISOS_GRUPO ] || [ 0 -ne $PERMISOS_OTROS ] ; then
            NUEVOSPERMISOS=${PERMISOS_ADICIONALES}${PERMISOS_USUARIO}${PERMISOS_USUARIO}0
        else
            NUEVOSPERMISOS=0
        fi

    fi

    # Set permissions
    if [ $NUEVOSPERMISOS -ne 0 ] ; then
        chmod $NUEVOSPERMISOS "$FILE"
                # Debug output
                OUTPUT="$(date) : $FILE ($PERMISOS -> $NUEVOSPERMISOS)"
                echo $OUTPUT >> $LOGFILE
    fi

done

The permissions are fixed now by this script, instead of fall back into ACLs via NFS.

Best Answer

Related Solutions

Linux – Samba PDC share slow with LDAP backend

Linux – Samba share for user groups with Ubuntu. A user can’t access files created by other users

Related Topic