Eric Altman
2018-Aug-02 17:11 UTC
[Samba] Can't write to a samba share mounted as an AD user
If I’m not confused though, I believe pisymbol CAN get a mount. It’s just that the mount has read-only access despite the file ownership and modes being set to give full read-write?

-E

> On Aug 2, 2018, at 8:56 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> On Thu, 2 Aug 2018 11:17:47 -0400
> pisymbol <pisymbol at gmail.com> wrote:
>
>> On Thu, Aug 2, 2018 at 11:11 AM, Rowland Penny via samba <
>> samba at lists.samba.org> wrote:
>>
>>> On Thu, 2 Aug 2018 11:02:45 -0400
>>> pisymbol <pisymbol at gmail.com> wrote:
>>>
>>>> Whoops! Replying to all!
>>>>
>>>> On Thu, Aug 2, 2018 at 10:55 AM, Rowland Penny via samba <
>>>> samba at lists.samba.org> wrote:
>>>>
>>>>> On Thu, 2 Aug 2018 10:43:26 -0400
>>>>> pisymbol via samba <samba at lists.samba.org> wrote:
>>>>>
>>>>>> Full disclosure: This is an exported share on a QNAP NAS
>>>>>> device.
>>>>>
>>>>> Even fuller disclosure ;-)
>>>>> You haven't given us enough info
>>>>
>>>> I can facilitate though.
>>>>
>>>>> What version of Samba is the QNAP NAS using ?
>>>>
>>>> 4.4.16
>>>>
>>>>> What is in smb.conf ?
>>>>
>>>> A lot of stuff as you can imagine.
>>>
>>> Yes and it will remain imaginary until you post it
>>
>> [admin@outerdrive ~]# cat /etc/config/smb.conf
>> [global]
>> realm = ACME.COM
>> passdb backend = smbpasswd
>> workgroup = ACME
>> security = ADS #### NOTE: I had to change this to ADS to get this toaster oven to join AD
>> server string
>> encrypt passwords = Yes
>> username level = 0
>> map to guest = Bad User
>> null passwords = yes
>> max log size = 10
>> socket options = TCP_NODELAY SO_KEEPALIVE
>> os level = 20
>> preferred master = no
>> dns proxy = No
>> smb passwd file = /etc/config/smbpasswd
>> username map = /etc/config/smbusers
>> guest account = guest
>> directory mask = 0777
>> create mask = 0777
>> oplocks = yes
>> locking = yes
>> disable spoolss = no
>> load printers = yes
>> veto files = /.AppleDB/.AppleDouble/.AppleDesktop/:2eDS_Store/Network Trash Folder/Temporary Items/TheVolumeSettingsFolder/.@__thumb/.@__desc/:2e*/.@__qini/.Qsync/.@upload_cache/.qsync/.qsync_sn/.@qsys/.streams/.digest/
>> delete veto files = yes
>> map archive = no
>> map system = no
>> map hidden = no
>> map read only = no
>> deadtime = 10
>> server role = auto
>> use sendfile = yes
>> unix extensions = no
>> store dos attributes = yes
>> client ntlmv2 auth = yes
>> dos filetime resolution = no
>> follow symlinks = yes
>> wide links = yes
>> force unknown acl user = yes
>> template homedir = /share/homes/DOMAIN=%D/%U
>> inherit acls = yes
>> domain logons = no
>> min receivefile size = 256
>> case sensitive = auto
>> domain master = auto
>> local master = no
>> enhance acl v1 = yes
>> remove everyone = yes
>> conn log = no
>> kernel oplocks = no
>> min protocol = LANMAN1
>> smb2 leases = yes
>> durable handles = yes
>> kernel share modes = no
>> posix locking = no
>> lock directory = /share/CACHEDEV1_DATA/.samba/lock
>> state directory = /share/CACHEDEV1_DATA/.samba/state
>> cache directory = /share/CACHEDEV1_DATA/.samba/cache
>> printcap cache time = 0
>> acl allow execute always = yes
>> server signing = disabled
>> aio read size = 1
>> aio write size = 0
>> streams_depot:delete_lost = yes
>> streams_depot:check_valid = no
>> fruit:nfs_aces = no
>> fruit:veto_appledouble = no
>> winbind expand groups = 1
>> pid directory = /var/lock
>> printcap name = /etc/printcap
>> printing = cups
>> show add printer wizard = no
>> host msdfs = yes
>> winbind enum groups = Yes
>> winbind enum users = Yes
>> wins support = no
>> name resolve order = host bcast
>> max protocol = SMB2_10
>> vfs objects = shadow_copy2 acl_xattr catia fruit qnap_macea streams_depot aio_pthread
>>
>> [Multimedia]
>> comment = System default share
>> path = /share/CACHEDEV1_DATA/Multimedia
>> browsable = yes
>> oplocks = yes
>> ftp write only = no
>> recycle bin = yes
>> recycle bin administrators only = no
>> qbox = no
>> public = yes
>> invalid users = "guest"
>> read list = @"everyone"
>> write list = "admin"
>> valid users = "root",@"everyone","admin"
>> inherit permissions = yes
>> shadow:snapdir = /share/CACHEDEV1_DATA/_.share/Multimedia/.snapshot
>> shadow:basedir = /share/CACHEDEV1_DATA/Multimedia
>> shadow:sort = desc
>> shadow:format = @GMT-%Y.%m.%d-%H:%M:%S
>> smb encrypt = disabled
>> strict allocate = yes
>> streams_depot:check_valid = yes
>> mangled names = yes
>>
>> [Download]
>> comment = System default share
>> path = /share/CACHEDEV1_DATA/Download
>> browsable = yes
>> oplocks = yes
>> ftp write only = no
>> recycle bin = yes
>> recycle bin administrators only = no
>> qbox = no
>> public = yes
>> invalid users = "guest"
>> read list
>> write list = "admin"
>> valid users = "root","admin"
>> inherit permissions = yes
>> shadow:snapdir = /share/CACHEDEV1_DATA/_.share/Download/.snapshot
>> shadow:basedir = /share/CACHEDEV1_DATA/Download
>> shadow:sort = desc
>> shadow:format = @GMT-%Y.%m.%d-%H:%M:%S
>> smb encrypt = disabled
>> strict allocate = yes
>> streams_depot:check_valid = yes
>> mangled names = yes
>>
>> [Web]
>> comment = System default share
>> path = /share/CACHEDEV1_DATA/Web
>> browsable = yes
>> oplocks = yes
>> ftp write only = no
>> recycle bin = yes
>> recycle bin administrators only = no
>> qbox = no
>> public = yes
>> invalid users = "guest"
>> read list
>> write list = "admin"
>> valid users = "root","admin"
>> inherit permissions = yes
>> shadow:snapdir = /share/CACHEDEV1_DATA/_.share/Web/.snapshot
>> shadow:basedir = /share/CACHEDEV1_DATA/Web
>> shadow:sort = desc
>> shadow:format = @GMT-%Y.%m.%d-%H:%M:%S
>> smb encrypt = disabled
>> strict allocate = yes
>> streams_depot:check_valid = yes
>> mangled names = yes
>>
>> [Public]
>> comment = System default share
>> path = /share/CACHEDEV1_DATA/Public
>> browsable = yes
>> oplocks = yes
>> ftp write only = no
>> recycle bin = yes
>> recycle bin administrators only = yes
>> qbox = no
>> public = yes
>> invalid users = "guest"
>> read list = @"everyone"
>> write list = "admin",@"ACME\Users"
>> valid users = "root",@"everyone","admin",@"ACME\Users"
>> inherit permissions = yes
>> shadow:snapdir = /share/CACHEDEV1_DATA/_.share/Public/.snapshot
>> shadow:basedir = /share/CACHEDEV1_DATA/Public
>> shadow:sort = desc
>> shadow:format = @GMT-%Y.%m.%d-%H:%M:%S
>> smb encrypt = disabled
>> strict allocate = yes
>> streams_depot:check_valid = yes
>> mangled names = yes
>>
>> [homes]
>> comment = System default share
>> path = /share/CACHEDEV1_DATA/homes
>> browsable = yes
>> oplocks = yes
>> ftp write only = no
>> recycle bin = yes
>> recycle bin administrators only = no
>> qbox = no
>> public = yes
>> invalid users
>> read list
>> write list = "admin"
>> valid users = "root","admin"
>> inherit permissions = yes
>> shadow:snapdir = /share/CACHEDEV1_DATA/_.share/homes/.snapshot
>> shadow:basedir = /share/CACHEDEV1_DATA/homes
>> shadow:sort = desc
>> shadow:format = @GMT-%Y.%m.%d-%H:%M:%S
>> smb encrypt = disabled
>> mangled names = yes
>>
>> [printers]
>> use client driver = yes
>> writable = no
>> browsable = no
>> printable = yes
>> guest ok = yes
>> path = /var/spool/smb
>>
>> [home]
>> comment = Home
>> path = %H
>> browsable = yes
>> oplocks = yes
>> ftp write only = no
>> inherit permissions = yes
>> invalid users = guest
>> writable = yes
>> read list = "%u"
>> write list = "%u"
>> valid users = "%u"
>> root preexec = /sbin/create_home -u '%q'
>> shadow:snapdir = /share/CACHEDEV1_DATA/homes/../_.share/homes/.snapshot
>> shadow:basedir = %H
>> shadow:sort = desc
>> shadow:format = @GMT-%Y.%m.%d-%H:%M:%S
>
> Was this NAS a 'standalone server' at some point ?
>
> It certainly looks like it to me, two things point that way, one you
> are using the deprecated 'smbpasswd' 'passdb backend' and the other is
> that you have no authentication lines in smb.conf. Without
> authentication, the only user who could connect, would be the guest
> user, but you have explicitly denied this with 'invalid users =
> "guest"'
>
> Rowland
pisymbol
2018-Aug-02 17:16 UTC
[Samba] Can't write to a samba share mounted as an AD user
On Thu, Aug 2, 2018 at 1:11 PM, Eric Altman via samba <samba at lists.samba.org> wrote:

> It’s just that the mount has read-only access despite the file ownership
> and modes being set to give full read-write?

That is almost correct (I can create empty files via touch), which has me baffled.

-aps (Alex)
Eric Altman
2018-Aug-02 17:38 UTC
[Samba] Can't write to a samba share mounted as an AD user
Are the default ACLs set on the share in question? 'getfacl .' in the root of the share. Sounds like files are being created by a user with the proper permissions but then are being assigned permissions as part of the creation process that denies write access.

Also, I don’t know what qnap_macea does exactly… the ‘ea’ strikes me as obviously handling extended attributes. I’m used to stacking ‘vfs_fruit’ into ‘vfs_streams_xattr’ instead. I’ve also found streams_depot to be incredibly buggy with permissions in the past. Can you check to see that the ‘shareroot/.streams’ exists and has not been over-written with the same permissions as the smb users for the share?

I’m sure there is more. That is a very complex smb.conf.

-E

> On Aug 2, 2018, at 10:16 AM, pisymbol <pisymbol at gmail.com> wrote:
>
> On Thu, Aug 2, 2018 at 1:11 PM, Eric Altman via samba <samba at lists.samba.org> wrote:
>
>> It’s just that the mount has read-only access despite the file ownership and modes being set to give full read-write?
>
> That is almost correct (I can create empty files via touch), which has me baffled.
>
> -aps (Alex)
Rowland Penny
2018-Aug-02 17:55 UTC
[Samba] Can't write to a samba share mounted as an AD user
On Thu, 2 Aug 2018 13:16:26 -0400
pisymbol via samba <samba at lists.samba.org> wrote:

> On Thu, Aug 2, 2018 at 1:11 PM, Eric Altman via samba
> <samba at lists.samba.org> wrote:
>
>> It’s just that the mount has read-only access despite the file
>> ownership and modes being set to give full read-write?
>
> That is almost correct (I can create empty files via touch), which has
> me baffled.
>
> -aps (Alex)

You do not have any lines like this in your smb.conf:

winbind nss info = rfc2307
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config SAMDOM : backend = rid
idmap config SAMDOM : schema_mode = rfc2307
idmap config SAMDOM : range = 10000-999999

So, unless you are using sssd (and if you are, this is the wrong place to ask for help), you do not have any way to authenticate your AD users on the NAS. Yes, you may be able to read files on the NAS, but you will not be able to write to them. This is because Samba has no idea who your users are and 'guest' access is turned off.

You also shouldn't have a NAS administrator, you should only have a Domain Administrator.

I think what you are trying to say is that you have purchased this NAS and most of the [global] part of the smb.conf is what it came with. If this is true, then QNAP, are you listening? Your standard smb.conf is rubbish. It contains deprecated settings (smbpasswd), default lines and lines that do not need to be there; it is as if they just took the output of 'man smb.conf', removed most of the text, just leaving the parameters, threw away some of the parameters and set others to defaults or things they shouldn't be set to.

I think (and I could be wrong, but I don't think so) it was meant to be a 'standalone server', but you now want it to be a Unix domain member. If so, you need to make a lot of changes to your smb.conf.

Rowland
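Rowland's point is that `security = ADS` on its own does not make a domain member: without `idmap config` lines for the domain, winbind has nothing with which to map ACME users to Unix ids, and the `smbpasswd` passdb backend only knows local users. The script below is an added example written for this page, not code from the thread, from QNAP or from the Samba project. It parses the `[global]` section of an smb.conf, flags the gaps Rowland lists, and also flags two hardening settings visible in the posted config (`min protocol = LANMAN1`, `server signing = disabled`). It runs the same checks over an abbreviated copy of the posted `[global]` and over a corrected `[global]`; the `rid` backend, the two idmap ranges and the other corrected values are assumptions chosen for illustration.

```python
"""Lint the [global] section of an smb.conf for the AD-member mistakes
discussed in this thread: security = ADS with no idmap configuration for
the domain, the deprecated smbpasswd backend, SMB1 dialects allowed and
SMB signing disabled.  Added example; not the poster's or QNAP's code."""
import re

# Constructed, abbreviated copy of the [global] posted earlier in the thread.
POSTED_GLOBAL = """\
[global]
realm = ACME.COM
passdb backend = smbpasswd
workgroup = ACME
security = ADS
min protocol = LANMAN1
max protocol = SMB2_10
server signing = disabled
"""

# Assumed corrected [global] for a Unix domain member of ACME (illustrative
# values, not the poster's configuration).  The '*' range is for BUILTIN and
# well-known SIDs and must not overlap the domain range.
CORRECTED_GLOBAL = """\
[global]
realm = ACME.COM
workgroup = ACME
security = ADS
server role = member server
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config ACME : backend = rid
idmap config ACME : range = 10000-999999
server min protocol = SMB2_02
server signing = mandatory
map to guest = Never
"""

SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}


def parse_global(text):
    """Return the [global] section as {normalized key: value}.

    Keys are lower-cased, whitespace collapsed and spaces around ':' removed,
    so 'idmap config ACME : backend' and 'idmap config acme:backend' are one
    key, as they are for Samba.  Share sections are skipped."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue  # bare 'read list' style lines carry no value
        key, value = line.split("=", 1)
        key = re.sub(r"\s*:\s*", ":", " ".join(key.lower().split()))
        params[key] = value.strip()
    return params


def parse_range(value):
    """'10000-999999' -> (10000, 999999)."""
    low, high = value.split("-", 1)
    return int(low), int(high)


def lint_ad_member(params):
    """Return a list of findings; an empty list means none of the checked problems is present."""
    findings = []
    if params.get("security", "").lower() != "ads":
        return findings  # not an AD member, so the checks below do not apply
    domain = params.get("workgroup", "").lower()
    if not domain:
        findings.append("security = ADS but no workgroup (short domain name) is set")
    if params.get("passdb backend", "").lower().startswith("smbpasswd"):
        findings.append("passdb backend = smbpasswd is deprecated and holds local users, "
                        "not the AD users winbind is supposed to map")
    domain_range = params.get(f"idmap config {domain}:range")
    if domain and f"idmap config {domain}:backend" not in params:
        findings.append(f"no 'idmap config {domain.upper()} : backend' line: winbind cannot "
                        "map AD users to Unix ids, so they get guest (or no) access")
    elif domain and not domain_range:
        findings.append(f"'idmap config {domain.upper()} : range' is missing")
    star_range = params.get("idmap config *:range")
    if star_range and domain_range:
        low1, high1 = parse_range(star_range)
        low2, high2 = parse_range(domain_range)
        if low1 <= high2 and low2 <= high1:
            findings.append("the '*' and domain idmap ranges overlap, so one uid can map to two SIDs")
    min_proto = (params.get("server min protocol") or params.get("min protocol") or "").upper()
    if min_proto in SMB1_DIALECTS:
        findings.append(f"min protocol = {min_proto} admits SMB1 clients; set server min protocol = SMB2_02")
    if params.get("server signing", "").lower() == "disabled":
        findings.append("server signing = disabled leaves SMB sessions unsigned and tamperable in transit")
    return findings


if __name__ == "__main__":
    for name, text in (("posted", POSTED_GLOBAL), ("corrected", CORRECTED_GLOBAL)):
        print(f"{name}:")
        for finding in lint_ad_member(parse_global(text)) or ["no findings"]:
            print("  -", finding)
```

Run with `python3` and it prints four findings for the posted `[global]` and none for the corrected one. The `rid` backend is used for ACME because it derives each uid arithmetically from the account's RID and needs no rfc2307 attributes in AD, so no `schema_mode` line is required; the `*` range for BUILTIN and well-known SIDs is kept below the domain range so that no uid can belong to two SIDs.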