Samba doesn't refresh group membership to grant user access

Hi,
I'm looking to manage my Samba share through groups; this way I just have to add or remove a user from the proper group to grant access.
The problem is Samba doesn't refresh group membership when it's launched, so if I add a user to the authorized group, they can't access the share, and if I remove a user from the authorized group, the user still has access.
I have to restart the service to get samba refreshing permission.
As you can imagine, it's not usable at all as it stops the connections to all users.
I'm using FreeBSD 14.0 p2 and samba 4.16.11
Here is my smb4.conf file:
Code:
[global]
        server string = FBSD 14 server
        workgroup = WORKGROUP
        log file = /var/log/samba4/smb.log
        max log size = 50
        load printers = No
        disable netbios = Yes
        map to guest = Bad User
        security = USER
        server role = standalone server
        invalid users = nobody root
        read raw=yes
        write raw=yes
        strict sync = no
        sync always = no
        map acl inherit = yes
        server multi channel support = no

[share1]
    comment = Files Samba Network Share
    path = /hddpool1/share1
    valid users = @share1
    browsable = Yes
    inherit acls = Yes
    read only = No
    vfs objects = zfsacl
    nfs4:acedup = merge
    nfs4:mode = special
    nfs4:chown = yes

As I never used samba before, I'm not familiar with all available options, so maybe I misconfigured something.
Does anyone have any idea how to solve this situation?

Many thanks in advance
 
The problem is Samba doesn't refresh group membership when it's launched, so if I add a user to the authorized group, they can't access the share, and if I remove a user from the authorized group, the user still has access.
If you modified the user's membership, that user has to log off and back in again for the changes to apply.
 
Oh, ok, thanks. I'm coming from OmniOS and got into the habit of modifying the permissions (ACLs) on the fly while the user is connected, without any problem.
It's especially useful when granting access to a new share to a user while he is connected to another share.
Is there a way to achieve this somehow and avoid a logoff/login?
 
Changing the ACL is something else entirely. You were talking about adding/removing group membership from user accounts? Those changes only apply when the user logs in.
 
I'm searching for a similar way of granting share access through ACLs, like I used to do with OmniOS.
What I've done is create a rw group and a ro group ACL for each share, as it's all my users need. Then I add each user to the proper group to grant them access.
This way I can instantaneously modify a user's access on a specific share, without any impact on other shares he has mounted nor on the other users.
As I'm still using the ZFS filesystem, I wanted to replicate this behavior on FreeBSD, so I created the proper group access ACLs on my share using setfacl and then just wanted to add my users to each group.

Maybe there is another way to achieve this?
 
I'm still trying to find a way to get Samba to refresh access when a permission is modified, even when only using the valid users parameter in the smb4.conf file.
It bugs me that removing a user's rights, be it directly in the "valid users" list or in the local group declared in this list (using pw groupmod group_name -d user_name), doesn't remove the share access if the user is logged in.
Does anyone have a solution for this?
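
An added example, not from any poster in this thread and not Samba's own tooling: because membership changes only apply at login, an administrator can list the sessions whose user is no longer in the group behind "valid users" and deal with only those, instead of restarting the service. The function name, the sample group line and the sample `smbstatus -b` output are constructed, and the column layout (PID first, username second) is an assumption about that output.

```shell
#!/bin/sh
# Added example: find SMB sessions that predate a group removal.

# Constructed sample data: bob was removed from share1 but is still connected.
SAMPLE_GROUP='share1:*:1001:alice,carol'
SAMPLE_STATUS='Samba version 4.16.11
PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing
----------------------------------------------------------------------------------------------------
2101    alice        alice        192.0.2.10 (ipv4:192.0.2.10:51234)        SMB3_11           -                    partial(AES-128-CMAC)
2202    bob          bob          192.0.2.11 (ipv4:192.0.2.11:49822)        SMB3_11           -                    partial(AES-128-CMAC)'

# stale_sessions GROUP_LINE
#   GROUP_LINE: one line in group(5) format (name:passwd:gid:member,member).
#   stdin:      session listing in the assumed `smbstatus -b` layout.
#   stdout:     "PID USER" for every session whose user is not a listed member.
# Caveats: users who have the group only as their primary group do not appear
# in the member field, and the listing is per session, not per share.
stale_sessions() {
    members=$(printf '%s\n' "$1" | cut -d: -f4)
    awk -v list="$members" '
        BEGIN {
            n = split(list, m, ",")
            for (i = 1; i <= n; i++) ok[m[i]] = 1
        }
        # Session rows start with a numeric PID; header lines do not.
        $1 ~ /^[0-9]+$/ && !($2 in ok) { print $1, $2 }
    '
}

# Demo on the constructed data; prints "2202 bob".
printf '%s\n' "$SAMPLE_STATUS" | stale_sessions "$SAMPLE_GROUP"
```

On a live FreeBSD host the same function would be fed with `smbstatus -b | stale_sessions "$(pw groupshow share1)"`; the sessions it reports are the ones that still have to log in again before the removal takes effect.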
 