The Samba-Bugzilla – Bug 3423
Changing group users don't refresh until restart
Last modified: 2006-01-20 08:55:09 UTC
I have this:
GroupA: with User1 as member
GroupB: with User2 as member
ShareA: GroupA write, GroupB read
ShareB: GroupB write, GroupA read
Then I change to this:
GroupA: with User2 as member
GroupB: with User1 as member
and the changes aren't reflected in "reality" until I restart Samba.
I forgot, I'm using LDAP as the database backend; here is the relevant part of my smb.conf file:
workgroup = IPLANTEST
netbios name = PDCIPLANTEST
server string = IplanTest Samba3 & OpenLDAP PDC Server
interfaces = eth0, lo
bind interfaces only = Yes
passdb backend = ldapsam:ldap://localhost
enable privileges = yes
username map = /etc/samba/smbusers
log level = 3
syslog = 0
log file = /var/log/samba/%m.log
max log size = 1024
smb ports = 139
name resolve order = host wins bcast lmhosts
time server = yes
printing = cups
printcap name = CUPS
show add printer wizard = No
add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"
add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"
add machine script = /opt/IDEALX/sbin/smbldap-useradd -w "%u"
logon script = scripts\logon.bat
printcap cache time = 3
# ----| Disabled Roaming profiles |---- #
logon path =
logon drive = X:
logon home =
domain logons = Yes
domain master = Yes
preferred master = Yes
wins support = Yes
ldap suffix = dc=iplantest,dc=com,dc=ar
ldap machine suffix = ou=People
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Administrator,dc=iplantest,dc=com,dc=ar
idmap backend = ldap:ldap://localhost
idmap uid = 10000-20000
idmap gid = 10000-20000
map acl inherit = Yes
Manipulated group membership is reflected in your token after you log off and log on again, correct?
Yes, but not always, but I cannot tell every single user that asks me for access to a share to restart their session.
This is just the way Windows works. If you want groups re-evaluated you must log on again. This is not a bug.
OK! Thanks for your time.