Ian Coetzee
2019-Apr-10 07:04 UTC
[Samba] chown: changing ownership of 'test': Invalid argument
Hi All,

I have a very weird issue on one of my servers. I think I might just be missing something quite obviously... I will post the config files at the bottom

I have a brand new Debian server running as an LXC container

> root@ho-vpn-ctx-ac01:~# lsb_release -a
> No LSB modules are available.
> Distributor ID: Debian
> Description: Debian GNU/Linux 9.8 (stretch)
> Release: 9.8
> Codename: stretch
> root@ho-vpn-ctx-ac01:~# uname -a
> Linux ho-vpn-ctx-ac01 4.15.18-12-pve #1 SMP PVE 4.15.18-35 (Wed, 13 Mar 2019 08:24:42 +0100) x86_64 GNU/Linux
> root@ho-vpn-ctx-ac01:~#

I am running said server as a domain member using the latest packages in Louis' 4.9 branch

> root@ho-vpn-ctx-ac01:~# net -V
> Version 4.9.6-Debian
> root@ho-vpn-ctx-ac01:~# net ads testjoin
> Join is OK

The join seems to be good, nsswitch is working

> root@ho-vpn-ctx-ac01:~# wbinfo -i ianc
> ianc:*:3201407:3200513::/home/JEOFFICE/ianc:/bin/bash
> root@ho-vpn-ctx-ac01:~# getent passwd ianc
> ianc:*:3201407:3200513::/home/JEOFFICE/ianc:/bin/bash

Yet when I try to change the ownership of a file to a domain user, it fails with "Invalid argument"

> root@ho-vpn-ctx-ac01:~# chown -v ianc test
> chown: changing ownership of 'test': Invalid argument
> failed to change ownership of 'test' from root to ianc
> root@ho-vpn-ctx-ac01:~# chown -v jeadmin test
> changed ownership of 'test' from root to jeadmin
> root@ho-vpn-ctx-ac01:~# getent passwd jeadmin
> jeadmin:x:1000:27::/home/jeadmin:/bin/bash

It works however when changing to a local user. So it looks like the issue might be in samba. This is the first time I have had this problem after quite a few other servers (a mix between CentOS, Debian and Ubuntu) has already been joined to the domain using the exact same smb.conf.

On a side note, I am also unable to log into the server using domain credentials, which I am currently attributing to the same cause.

Can you guys maybe point me in the right direction where I might start to troubleshoot further?

Kind regards
Ian

Configs:

root@ho-vpn-ctx-ac01:~# cat /etc/samba/smb.conf
[global]
workgroup = JEOFFICE
realm = JEOFFICE.JACKLIN.CO.ZA
security = ADS
template homedir = /home/%D/%U
template shell = /bin/bash
kerberos method = secrets only
winbind use default domain = true
# winbind offline logon = true
winbind enum groups = true

netbios name = ho-vpn-ctx-ac01

log file = /var/log/samba/%m.log
log level = 1

# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use an read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 70001-80000
idmap config JEOFFICE : backend = rid
idmap config JEOFFICE : range = 3200000-3300000

winbind nss info = template

root@ho-vpn-ctx-ac01:~# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat winbind
group: compat winbind
shadow: compat
gshadow: files

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis
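A check of the idmap settings and getent output posted in the message above, added here as an example and not part of the original thread: it parses the `idmap config` lines, verifies that no two ranges overlap, and maps each UID/GID back to its domain and RID using the idmap_rid formula ID = RID - BASE_RID + LOW_RANGE_ID. The function names are hypothetical and base_rid is assumed to be the default 0.

```python
import re

# idmap-related [global] lines as posted in the smb.conf above.
SMB_CONF = """\
[global]
workgroup = JEOFFICE
security = ADS
idmap config * : backend = tdb
idmap config * : range = 70001-80000
idmap config JEOFFICE : backend = rid
idmap config JEOFFICE : range = 3200000-3300000
"""

# passwd entries as returned by getent in the message above.
PASSWD_LINES = [
    "ianc:*:3201407:3200513::/home/JEOFFICE/ianc:/bin/bash",
    "jeadmin:x:1000:27::/home/jeadmin:/bin/bash",
]

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(conf_text):
    """Return {domain: {"backend": str, "range": (low, high)}} from smb.conf text."""
    domains = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # commented-out parameter
        match = IDMAP_RE.match(line)
        if not match:
            continue
        domain, key, value = match.group(1), match.group(2).lower(), match.group(3)
        entry = domains.setdefault(domain, {})
        if key == "range":
            low, high = (int(part) for part in value.split("-", 1))
            if low > high:
                raise ValueError(f"inverted idmap range for {domain}: {value}")
            entry["range"] = (low, high)
        else:
            entry["backend"] = value.lower()
    return domains


def overlapping(domains):
    """Return pairs of domains whose ID ranges intersect (should be empty)."""
    items = sorted((d, e["range"]) for d, e in domains.items() if "range" in e)
    pairs = []
    for i, (d1, (low1, high1)) in enumerate(items):
        for d2, (low2, high2) in items[i + 1:]:
            if low1 <= high2 and low2 <= high1:
                pairs.append((d1, d2))
    return pairs


def owner_of(domains, unix_id):
    """Return the idmap domain whose range contains unix_id, or None if local."""
    for domain, entry in domains.items():
        id_range = entry.get("range")
        if id_range and id_range[0] <= unix_id <= id_range[1]:
            return domain
    return None


def rid_from_id(domains, domain, unix_id, base_rid=0):
    """Invert idmap_rid (ID = RID - BASE_RID + LOW_RANGE_ID); None for other backends."""
    entry = domains[domain]
    if entry.get("backend") != "rid":
        return None
    low, _high = entry["range"]
    return unix_id - low + base_rid


def classify(passwd_line, domains):
    """Map the uid and gid of one passwd entry to (domain, RID)."""
    name, _pw, uid, gid = passwd_line.split(":")[:4]
    result = {"user": name}
    for label, value in (("uid", int(uid)), ("gid", int(gid))):
        domain = owner_of(domains, value)
        result[label + "_domain"] = domain
        result[label + "_rid"] = (
            rid_from_id(domains, domain, value) if domain else None
        )
    return result


if __name__ == "__main__":
    conf = parse_idmap(SMB_CONF)
    print("overlapping ranges:", overlapping(conf) or "none")
    for entry in PASSWD_LINES:
        print(classify(entry, conf))
```

For the values in the thread this places ianc's UID and GID inside the JEOFFICE rid range (RID 513 is the well-known Domain Users group) and jeadmin outside every idmap range, i.e. a local account.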
L.P.H. van Belle
2019-Apr-10 07:37 UTC
[Samba] chown: changing ownership of 'test': Invalid argument
Hai Ian,

Can you run my setup debugger..
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
Anonymize where needed and post output.

Because when I run this, it works fine.

chown -v username test-own.txt
changed ownership of 'test-own.txt' from root to username

And yes, this user only exists in AD.

Check if attr and acl are installed also.

And if the smb.conf below is complete then you're missing:

# For ACL support on member servers with shares
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

The difference between you and me, in smb.conf as far as I can tell now.

Me backend AD. You RID.
Me
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
winbind refresh tickets = yes

You ( only secrets )

I've just tested these versions because today my vpn needed the upgrades of samba also.
I've tested and upgraded from 4.8.9 up to 4.8.11, 4.9.6 and 4.10.2

It still might be a bug, but I need more info.

Greetz,

Louis
Rowland Penny
2019-Apr-10 07:58 UTC
[Samba] chown: changing ownership of 'test': Invalid argument
On Wed, 10 Apr 2019 09:04:06 +0200
Ian Coetzee via samba <samba at lists.samba.org> wrote:

> Hi All,
>
> I have a very weird issue on one of my servers. I think I might just
> be missing something quite obviously... I will post the config files
> at the bottom
>
> I have a brand new Debian server running as an LXC container
> I am running said server as a domain member using the latest packages
> in Louis' 4.9 branch
>
> The join seems to be good, nsswitch is working
>
> > root@ho-vpn-ctx-ac01:~# wbinfo -i ianc
> > ianc:*:3201407:3200513::/home/JEOFFICE/ianc:/bin/bash
> > root@ho-vpn-ctx-ac01:~# getent passwd ianc
> > ianc:*:3201407:3200513::/home/JEOFFICE/ianc:/bin/bash
>
> Yet when I try to change the ownership of a file to a domain user, it
> fails with "Invalid argument"
>
> > root@ho-vpn-ctx-ac01:~# chown -v ianc test
> > chown: changing ownership of 'test': Invalid argument
> > failed to change ownership of 'test' from root to ianc

This is very strange, the 'getent' command above shows that the OS knows who 'ianc' is, so why can file ownership not be changed?

> > root@ho-vpn-ctx-ac01:~# chown -v jeadmin test
> > changed ownership of 'test' from root to jeadmin
> > root@ho-vpn-ctx-ac01:~# getent passwd jeadmin
> > jeadmin:x:1000:27::/home/jeadmin:/bin/bash
>
> It works however when changing to a local user. So it looks like the
> issue might be in samba. This is the first time I have had this
> problem after quite a few other servers (a mix between CentOS, Debian
> and Ubuntu) has already been joined to the domain using the exact
> same smb.conf.
>
> On a side note, I am also unable to log into the server using domain
> credentials, which I am currently attributing to the same cause.

Possibly, but it could just be down to you not having this line in /etc/pam.d/common-session

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

Without that line, the user's homedir will not get created and the login will fail.

> root@ho-vpn-ctx-ac01:~# cat /etc/samba/smb.conf
> [global]
> workgroup = JEOFFICE
> realm = JEOFFICE.JACKLIN.CO.ZA
> security = ADS
> template shell = /bin/bash
> winbind use default domain = true
> log file = /var/log/samba/%m.log
> log level = 1
> idmap config * : backend = tdb
> idmap config * : range = 70001-80000
> idmap config JEOFFICE : backend = rid
> idmap config JEOFFICE : range = 3200000-3300000

If you notice, I have shortened your smb.conf, it is effectively the same as what you have now, I have just removed the default lines.

There are numerous lines I would add, but they do not really have anything to do with your problem.

A last thought, do you have any users in AD that also occur in /etc/passwd?

Rowland
Ian Coetzee
2019-Apr-10 08:17 UTC
[Samba] chown: changing ownership of 'test': Invalid argument
Hi Louis,

Thank you. I will add those lines and test. Will revert shortly

As requested. The output:

root@ho-vpn-ctx-ac01:~# cat /tmp/samba-debug-info.txt

> Collected config --- 2019-04-10-08:12 -----------
>
> Hostname: ho-vpn-ctx-ac01
> DNS Domain: jeoffice.jacklin.co.za
> FQDN: ho-vpn-ctx-ac01.jeoffice.jacklin.co.za
> ipaddress: 10.10.18.50 10.10.11.50
>
> -----------
>
> Samba is running as a Unix domain member
>
> -----------
> Checking file: /etc/os-release
>
> PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
> NAME="Debian GNU/Linux"
> VERSION_ID="9"
> VERSION="9 (stretch)"
> ID=debian
> HOME_URL="https://www.debian.org/"
> SUPPORT_URL="https://www.debian.org/support"
> BUG_REPORT_URL="https://bugs.debian.org/"
>
> -----------
>
> This computer is running Debian 9.8 x86_64
>
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
> 44: native0@if45: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
>     link/ether 00:c1:2a:15:5c:fe brd ff:ff:ff:ff:ff:ff link-netnsid 0
>     inet 10.10.18.50/24 brd 10.10.18.255 scope global native0
>     inet6 fe80::2c1:2aff:fe15:5cfe/64 scope link
> 46: dmz0@if47: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
>     link/ether 00:c1:b1:ea:6c:fe brd ff:ff:ff:ff:ff:ff link-netnsid 0
>     inet 10.10.11.50/24 brd 10.10.11.255 scope global dmz0
>     inet6 fe80::2c1:b1ff:feea:6cfe/64 scope link
>
> -----------
> Checking file: /etc/hosts
>
> 127.0.0.1 localhost
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> # --- BEGIN PVE ---
> 10.10.18.50 ho-vpn-ctx-ac01.jeoffice.jacklin.co.za ho-vpn-ctx-ac01
> # --- END PVE ---
>
> -----------
>
> Checking file: /etc/resolv.conf
>
> # --- BEGIN PVE ---
> search jeoffice.jacklin.co.za
> nameserver 10.10.10.4
> # --- END PVE ---
>
> -----------
>
> Checking file: /etc/krb5.conf
>
> [libdefaults]
>     default_realm = JEOFFICE.JACKLIN.CO.ZA
>
> # The following krb5.conf variables are only for MIT Kerberos.
>     kdc_timesync = 1
>     ccache_type = 4
>     forwardable = true
>     proxiable = true
>
> # The following encryption type specification will be used by MIT Kerberos
> # if uncommented. In general, the defaults in the MIT Kerberos code are
> # correct and overriding these specifications only serves to disable new
> # encryption types as they are added, creating interoperability problems.
> #
> # The only time when you might need to uncomment these lines and change
> # the enctypes is if you have local software that will break on ticket
> # caches containing ticket encryption types it doesn't know about (such as
> # old versions of Sun Java).
>
> # default_tgs_enctypes = des3-hmac-sha1
> # default_tkt_enctypes = des3-hmac-sha1
> # permitted_enctypes = des3-hmac-sha1
>
> # The following libdefaults parameters are only for Heimdal Kerberos.
>     fcc-mit-ticketflags = true
>
> [realms]
>     ATHENA.MIT.EDU = {
>         kdc = kerberos.mit.edu
>         kdc = kerberos-1.mit.edu
>         kdc = kerberos-2.mit.edu:88
>         admin_server = kerberos.mit.edu
>         default_domain = mit.edu
>     }
>     ZONE.MIT.EDU = {
>         kdc = casio.mit.edu
>         kdc = seiko.mit.edu
>         admin_server = casio.mit.edu
>     }
>     CSAIL.MIT.EDU = {
>         admin_server = kerberos.csail.mit.edu
>         default_domain = csail.mit.edu
>     }
>     IHTFP.ORG = {
>         kdc = kerberos.ihtfp.org
>         admin_server = kerberos.ihtfp.org
>     }
>     1TS.ORG = {
>         kdc = kerberos.1ts.org
>         admin_server = kerberos.1ts.org
>     }
>     ANDREW.CMU.EDU = {
>         admin_server = kerberos.andrew.cmu.edu
>         default_domain = andrew.cmu.edu
>     }
>     CS.CMU.EDU = {
>         kdc = kerberos-1.srv.cs.cmu.edu
>         kdc = kerberos-2.srv.cs.cmu.edu
>         kdc = kerberos-3.srv.cs.cmu.edu
>         admin_server = kerberos.cs.cmu.edu
>     }
>     DEMENTIA.ORG = {
>         kdc = kerberos.dementix.org
>         kdc = kerberos2.dementix.org
>         admin_server = kerberos.dementix.org
>     }
>     stanford.edu = {
>         kdc = krb5auth1.stanford.edu
>         kdc = krb5auth2.stanford.edu
>         kdc = krb5auth3.stanford.edu
>         master_kdc = krb5auth1.stanford.edu
>         admin_server = krb5-admin.stanford.edu
>         default_domain = stanford.edu
>     }
>     UTORONTO.CA = {
>         kdc = kerberos1.utoronto.ca
>         kdc = kerberos2.utoronto.ca
>         kdc = kerberos3.utoronto.ca
>         admin_server = kerberos1.utoronto.ca
>         default_domain = utoronto.ca
>     }
>
> [domain_realm]
>     .mit.edu = ATHENA.MIT.EDU
>     mit.edu = ATHENA.MIT.EDU
>     .media.mit.edu = MEDIA-LAB.MIT.EDU
>     media.mit.edu = MEDIA-LAB.MIT.EDU
>     .csail.mit.edu = CSAIL.MIT.EDU
>     csail.mit.edu = CSAIL.MIT.EDU
>     .whoi.edu = ATHENA.MIT.EDU
>     whoi.edu = ATHENA.MIT.EDU
>     .stanford.edu = stanford.edu
>     .slac.stanford.edu = SLAC.STANFORD.EDU
>     .toronto.edu = UTORONTO.CA
>     .utoronto.ca = UTORONTO.CA
>
> -----------
>
> Checking file: /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: compat winbind
> group: compat winbind
> shadow: compat
> gshadow: files
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
> -----------
>
> Checking file: /etc/samba/smb.conf
>
> [global]
> workgroup = JEOFFICE
> realm = JEOFFICE.JACKLIN.CO.ZA
> security = ADS
> template homedir = /home/%D/%U
> template shell = /bin/bash
> kerberos method = secrets only
> winbind use default domain = true
> # winbind offline logon = true
> winbind enum groups = true
>
> netbios name = ho-vpn-ctx-ac01
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> # Default ID mapping configuration for local BUILTIN accounts
> # and groups on a domain member. The default (*) domain:
> # - must not overlap with any domain ID mapping configuration!
> # - must use an read-write-enabled back end, such as tdb.
> idmap config * : backend = tdb
> idmap config * : range = 70001-80000
> idmap config JEOFFICE : backend = rid
> idmap config JEOFFICE : range = 3200000-3300000
>
> winbind nss info = template
>
> -----------
>
> Running as Unix domain member and no user.map detected.
>
> -----------
>
> Installed packages:
> ii acl 2.2.52-3+b1 amd64 Access control list utilities
> ii attr 1:2.4.47-2+b2 amd64 Utilities for manipulating filesystem extended attributes
> ii krb5-config 2.6 all Configuration files for Kerberos Version 5
> ii krb5-locales 1.15-1+deb9u1 all internationalization support for MIT Kerberos
> ii krb5-user 1.15-1+deb9u1 amd64 basic programs to authenticate using MIT Kerberos
> ii libacl1:amd64 2.2.52-3+b1 amd64 Access control list shared library
> ii libacl1-dev 2.2.52-3+b1 amd64 Access control list static libraries and headers
> ii libattr1:amd64 1:2.4.47-2+b2 amd64 Extended attribute shared library
> ii libattr1-dev:amd64 1:2.4.47-2+b2 amd64 Extended attribute static libraries and headers
> ii libgssapi-krb5-2:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii libkrb5-3:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries
> ii libkrb5support0:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries - Support library
> ii libnss-winbind:amd64 2:4.9.6+nmu-1.0debian1 amd64 Samba nameservice integration plugins
> ii libpam-winbind:amd64 2:4.9.6+nmu-1.0debian1 amd64 Windows domain authentication integration plugin
> ii libwbclient0:amd64 2:4.9.6+nmu-1.0debian1 amd64 Samba winbind client library
> ii python-samba 2:4.9.6+nmu-1.0debian1 amd64 Python bindings for Samba
> ii samba 2:4.9.6+nmu-1.0debian1 amd64 SMB/CIFS file, print, and login server for Unix
> ii samba-common 2:4.9.6+nmu-1.0debian1 all common files used by both the Samba server and client
> ii samba-common-bin 2:4.9.6+nmu-1.0debian1 amd64 Samba common files used by both the server and the client
> ii samba-dsdb-modules:amd64 2:4.9.6+nmu-1.0debian1 amd64 Samba Directory Services Database
> ii samba-libs:amd64 2:4.9.6+nmu-1.0debian1 amd64 Samba core libraries
> ii samba-vfs-modules:amd64 2:4.9.6+nmu-1.0debian1 amd64 Samba Virtual FileSystem plugins
> ii winbind 2:4.9.6+nmu-1.0debian1 amd64 service to resolve user and group information from Windows NT servers
>
> -----------
Ian Coetzee
2019-Apr-10 08:25 UTC
[Samba] chown: changing ownership of 'test': Invalid argument
Hi Rowland,

Please see my replies inline.

On Wed, 10 Apr 2019 at 09:58, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Wed, 10 Apr 2019 09:04:06 +0200
> Ian Coetzee via samba <samba at lists.samba.org> wrote:
>
> > Hi All,
> >
> > I have a very weird issue on one of my servers. I think I might just
> > be missing something quite obviously... I will post the config files
> > at the bottom
> >
> > I have a brand new Debian server running as an LXC container
> > I am running said server as a domain member using the latest packages
> > in Louis' 4.9 branch
> >
> > The join seems to be good, nsswitch is working
> >
> > > root@ho-vpn-ctx-ac01:~# wbinfo -i ianc
> > > ianc:*:3201407:3200513::/home/JEOFFICE/ianc:/bin/bash
> > > root@ho-vpn-ctx-ac01:~# getent passwd ianc
> > > ianc:*:3201407:3200513::/home/JEOFFICE/ianc:/bin/bash
> >
> > Yet when I try to change the ownership of a file to a domain user, it
> > fails with "Invalid argument"
> >
> > > root@ho-vpn-ctx-ac01:~# chown -v ianc test
> > > chown: changing ownership of 'test': Invalid argument
> > > failed to change ownership of 'test' from root to ianc
>
> This is very strange, the 'getent' command above shows that the OS
> knows who 'ianc' is, so why can file ownership not be changed ?

My thoughts exactly

> > > root@ho-vpn-ctx-ac01:~# chown -v jeadmin test
> > > changed ownership of 'test' from root to jeadmin
> > > root@ho-vpn-ctx-ac01:~# getent passwd jeadmin
> > > jeadmin:x:1000:27::/home/jeadmin:/bin/bash
> >
> > It works however when changing to a local user. So it looks like the
> > issue might be in samba. This is the first time I have had this
> > problem after quite a few other servers (a mix between CentOS, Debian
> > and Ubuntu) has already been joined to the domain using the exact
> > same smb.conf.
> >
> > On a side note, I am also unable to log into the server using domain
> > credentials, which I am currently attributing to the same cause.
>
> Possibly, but it could just be down to you not having this line
> in /etc/pam.d/common-session
>
> session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

I normally add this line through pam-auth-update and a custom file under /usr/share/pam-configs/

root@ho-vpn-ctx-ac01:~# cat /usr/share/pam-configs/mkhomedir

> Name: Create home directory on login
> Default: no
> Priority: 0
> Session-Type: Additional
> Session-Interactive-Only: yes
> Session:
>     optional pam_mkhomedir.so skel=/etc/skel/ umask=0022

> Without that line, the users homedir will not get created and the login
> will fail.

This has bitten me more than once already :)

> > root@ho-vpn-ctx-ac01:~# cat /etc/samba/smb.conf
> > [global]
> > workgroup = JEOFFICE
> > realm = JEOFFICE.JACKLIN.CO.ZA
> > security = ADS
> > template shell = /bin/bash
> > winbind use default domain = true
> > log file = /var/log/samba/%m.log
> > log level = 1
> > idmap config * : backend = tdb
> > idmap config * : range = 70001-80000
> > idmap config JEOFFICE : backend = rid
> > idmap config JEOFFICE : range = 3200000-3300000
>
> If you notice, I have shorted your smb.conf, it is effectively the same
> as what you have now, I have just removed the default lines.

Thanks. I will update my smb.conf template accordingly.

> There are numerous lines I would add, but they do not really have
> anything to do with your problem.
>
> A last thought, do you have any users in AD that also occur
> in /etc/passwd ?

The only user I have is the jeadmin user which is the domain admin as well as a local admin user. Should I try renaming the local user?

> Rowland
L.P.H. van Belle
2019-Apr-10 09:10 UTC
[Samba] chown: changing ownership of 'test': Invalid argument
Ok i've comment in between de debug logs. Check my comments and add the needed info. Van: Ian Coetzee [mailto:samba at iancoetzee.za.net] Verzonden: woensdag 10 april 2019 10:17 Aan: L.P.H. van Belle CC: samba at lists.samba.org Onderwerp: Re: [Samba] chown: changing ownership of 'test': Invalid argument Hi Louis, Thank you. I will add those line and test. Will revert shortly As requested. The output: root at ho-vpn-ctx-ac01:~# cat /tmp/samba-debug-info.txt Collected config --- 2019-04-10-08:12 ----------- Hostname: ho-vpn-ctx-ac01 DNS Domain: jeoffice.jacklin.co.za FQDN: ho-vpn-ctx-ac01.jeoffice.jacklin.co.za ipaddress: 10.10.18.50 10.10.11.50 Ok 2 ipadresses, and the primary is .10.50 ? for sure? #To MySelf, add routing checks in debugger. ----------- Samba is running as a Unix domain member ----------- Checking file: /etc/os-release PRETTY_NAME="Debian GNU/Linux 9 (stretch)" NAME="Debian GNU/Linux" VERSION_ID="9" VERSION="9 (stretch)" ID=debian HOME_URL="https://www.debian.org/" SUPPORT_URL="https://www.debian.org/support" BUG_REPORT_URL="https://bugs.debian.org/" ----------- This computer is running Debian 9.8 x86_64 ----------- running command : ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet MailScanner warning: numerical links are often malicious: 127.0.0.1/8 scope host lo inet6 ::1/128 scope host 44: native0 at if45: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 link/ether 00:c1:2a:15:5c:fe brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet MailScanner warning: numerical links are often malicious: 10.10.18.50/24 brd 10.10.18.255 scope global native0 inet6 fe80::2c1:2aff:fe15:5cfe/64 scope link 46: dmz0 at if47: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 link/ether 00:c1:b1:ea:6c:fe brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet MailScanner warning: numerical links are often 
malicious: 10.10.11.50/24 brd 10.10.11.255 scope global dmz0 inet6 fe80::2c1:b1ff:feea:6cfe/64 scope link ----------- Checking file: /etc/hosts 127.0.0.1 localhost ::1 localhost ip6-localhost ip6-loopback ff02::1 ip6-allnodes ff02::2 ip6-allrouters # --- BEGIN PVE --- 10.10.18.50 ho-vpn-ctx-ac01.jeoffice.jacklin.co.za ho-vpn-ctx-ac01 # --- END PVE --- Here run, to and check both PTR records. dig -x 10.10.18.50 dig -x 10.10.11.50 Then check both A records with there FQDN #To Self, add A/PTR check when multiple ips are detected on hostname -I ----------- Checking file: /etc/resolv.conf # --- BEGIN PVE --- search jeoffice.jacklin.co.za nameserver 10.10.10.4 # --- END PVE --- To make sure, the 10.10.10.4 is your DC? or is this a DNS proxy. #To Self, add PTR check on nameserver ip, add domain check of this is a DC. ----------- Checking file: /etc/krb5.conf [libdefaults] default_realm = JEOFFICE.JACKLIN.CO.ZA # The following krb5.conf variables are only for MIT Kerberos. kdc_timesync = 1 ccache_type = 4 forwardable = true proxiable = true # The following encryption type specification will be used by MIT Kerberos # if uncommented. In general, the defaults in the MIT Kerberos code are # correct and overriding these specifications only serves to disable new # encryption types as they are added, creating interoperability problems. # # The only time when you might need to uncomment these lines and change # the enctypes is if you have local software that will break on ticket # caches containing ticket encryption types it doesn't know about (such as # old versions of Sun Java). # default_tgs_enctypes = des3-hmac-sha1 # default_tkt_enctypes = des3-hmac-sha1 # permitted_enctypes = des3-hmac-sha1 # The following libdefaults parameters are only for Heimdal Kerberos. 
    fcc-mit-ticketflags = true

[realms]
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu
        kdc = kerberos-1.mit.edu
        kdc = kerberos-2.mit.edu:88
        admin_server = kerberos.mit.edu
        default_domain = mit.edu
    }
    ZONE.MIT.EDU = {
        kdc = casio.mit.edu
        kdc = seiko.mit.edu
        admin_server = casio.mit.edu
    }
    CSAIL.MIT.EDU = {
        admin_server = kerberos.csail.mit.edu
        default_domain = csail.mit.edu
    }
    IHTFP.ORG = {
        kdc = kerberos.ihtfp.org
        admin_server = kerberos.ihtfp.org
    }
    1TS.ORG = {
        kdc = kerberos.1ts.org
        admin_server = kerberos.1ts.org
    }
    ANDREW.CMU.EDU = {
        admin_server = kerberos.andrew.cmu.edu
        default_domain = andrew.cmu.edu
    }
    CS.CMU.EDU = {
        kdc = kerberos-1.srv.cs.cmu.edu
        kdc = kerberos-2.srv.cs.cmu.edu
        kdc = kerberos-3.srv.cs.cmu.edu
        admin_server = kerberos.cs.cmu.edu
    }
    DEMENTIA.ORG = {
        kdc = kerberos.dementix.org
        kdc = kerberos2.dementix.org
        admin_server = kerberos.dementix.org
    }
    stanford.edu = {
        kdc = krb5auth1.stanford.edu
        kdc = krb5auth2.stanford.edu
        kdc = krb5auth3.stanford.edu
        master_kdc = krb5auth1.stanford.edu
        admin_server = krb5-admin.stanford.edu
        default_domain = stanford.edu
    }
    UTORONTO.CA = {
        kdc = kerberos1.utoronto.ca
        kdc = kerberos2.utoronto.ca
        kdc = kerberos3.utoronto.ca
        admin_server = kerberos1.utoronto.ca
        default_domain = utoronto.ca
    }

[domain_realm]
    .mit.edu = ATHENA.MIT.EDU
    mit.edu = ATHENA.MIT.EDU
    .media.mit.edu = MEDIA-LAB.MIT.EDU
    media.mit.edu = MEDIA-LAB.MIT.EDU
    .csail.mit.edu = CSAIL.MIT.EDU
    csail.mit.edu = CSAIL.MIT.EDU
    .whoi.edu = ATHENA.MIT.EDU
    whoi.edu = ATHENA.MIT.EDU
    .stanford.edu = stanford.edu
    .slac.stanford.edu = SLAC.STANFORD.EDU
    .toronto.edu = UTORONTO.CA
    .utoronto.ca = UTORONTO.CA

-----------
Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat winbind
group: compat winbind

#to Self, Buster changes compat to file.
shadow: compat
gshadow: files

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

-----------
Checking file: /etc/samba/smb.conf

[global]
workgroup = JEOFFICE
realm = JEOFFICE.JACKLIN.CO.ZA
security = ADS
template homedir = /home/%D/%U
template shell = /bin/bash
kerberos method = secrets only
winbind use default domain = true
# winbind offline logon = true
winbind enum groups = true

You can set the enum users and groups = false.
Handy for testing, yes, but it slows down your server.

netbios name = ho-vpn-ctx-ac01

log file = /var/log/samba/%m.log
log level = 1

# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use an read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 70001-80000
idmap config JEOFFICE : backend = rid
idmap config JEOFFICE : range = 3200000-3300000

winbind nss info = template

-----------
Running as Unix domain member and no user.map detected.
-----------
Installed packages:
ii acl 2.2.52-3+b1 amd64 Access control list utilities
ii attr 1:2.4.47-2+b2 amd64 Utilities for manipulating filesystem extended attributes
ii krb5-config 2.6 all Configuration files for Kerberos Version 5
ii krb5-locales 1.15-1+deb9u1 all internationalization support for MIT Kerberos
ii krb5-user 1.15-1+deb9u1 amd64 basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.52-3+b1 amd64 Access control list shared library
ii libacl1-dev 2.2.52-3+b1 amd64 Access control list static libraries and headers
ii libattr1:amd64 1:2.4.47-2+b2 amd64 Extended attribute shared library
ii libattr1-dev:amd64 1:2.4.47-2+b2 amd64 Extended attribute static libraries and headers
ii libgssapi-krb5-2:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries - Support library
ii libnss-winbind:amd64 2:4.9.6+nmu-1.0debian1 amd64 Samba nameservice integration plugins
ii libpam-winbind:amd64 2:4.9.6+nmu-1.0debian1 amd64 Windows domain authentication integration plugin
ii libwbclient0:amd64 2:4.9.6+nmu-1.0debian1 amd64 Samba winbind client library
ii python-samba 2:4.9.6+nmu-1.0debian1 amd64 Python bindings for Samba
ii samba 2:4.9.6+nmu-1.0debian1 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.9.6+nmu-1.0debian1 all common files used by both the Samba server and client
ii samba-common-bin 2:4.9.6+nmu-1.0debian1 amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.9.6+nmu-1.0debian1 amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.9.6+nmu-1.0debian1 amd64 Samba core libraries
ii samba-vfs-modules:amd64 2:4.9.6+nmu-1.0debian1 amd64 Samba Virtual FileSystem plugins
ii winbind 2:4.9.6+nmu-1.0debian1 amd64 service to resolve user and group information from Windows NT servers

#To Self, working on now: change/fix some detection on packages.
# in case of an auth-only setup (no smbd)
-----------

That looks fine, except smb.conf: you're only using the server for authentication, no shares?
Then we can reduce the install a bit.
For example, my "auth only" VPN server only had this installed for Samba.
Here I log in with SSO on an NFSv4 (kerberized) mounted home dir, and this is all I use (NFS packages not shown).

Installed packages:
ii acl 2.2.52-3+b1 amd64 Access control list utilities
ii krb5-config 2.6 all Configuration files for Kerberos Version 5
ii krb5-locales 1.15-1+deb9u1 all internationalization support for MIT Kerberos
ii krb5-user 1.15-1+deb9u1 amd64 basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.52-3+b1 amd64 Access control list shared library
ii libattr1:amd64 1:2.4.47-2+b2 amd64 Extended attribute shared library
ii libgssapi-krb5-2:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries - Support library
ii libpam-krb5:amd64 4.7-4 amd64 PAM module for MIT Kerberos
ii nfs4-acl-tools 0.3.3-3 amd64 Commandline and GUI ACL utilities for the NFSv4 client
ii python3-xattr 0.9.1-1 amd64 module for manipulating filesystem extended attributes - Python 3
ii xattr 0.9.1-1 amd64 tool for manipulating filesystem extended attributes
ii libnss-winbind:amd64 2:4.10.2+nmu-1debian1 amd64 Samba nameservice integration plugins
ii libwbclient0:amd64 2:4.10.2+nmu-1debian1 amd64 Samba winbind client library
ii winbind 2:4.10.2+nmu-1debian1 amd64 service to resolve user and group information from Windows NT servers

On Wed, 10 Apr 2019 at 09:37, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:

Hai Ian,

Can you run my setup debugger..
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
Anonymize where needed and post output.
Because when I run this, it works fine.

chown -v username test-own.txt
changed ownership of 'test-own.txt' from root to username

And yes, this user only exists in AD.

Check if attr and acl are installed also.
And if the smb.conf below is complete then you're missing:

# For ACL support on member servers with shares
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

The difference between you and me in smb.conf, as far as I can tell now:
Me: backend AD.
You: RID.

Me:
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
winbind refresh tickets = yes
You (only secrets)

I've just tested these versions because today my VPN needed the upgrades of Samba also.
I've tested and upgraded from 4.8.9 up to 4.8.11, 4.9.6 and 4.10.2.

It still might be a bug, but I need more info.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ian Coetzee via samba
> Sent: Wednesday 10 April 2019 9:04
> To: Samba List
> Subject: [Samba] chown: changing ownership of 'test': Invalid argument
>
> Hi All,
>
> I have a very weird issue on one of my servers. I think I might just be
> missing something quite obviously... I will post the config files at the
> bottom
>
> I have a brand new Debian server running as an LXC container
>
> > root@ho-vpn-ctx-ac01:~# lsb_release -a
> > No LSB modules are available.
> > Distributor ID: Debian
> > Description: Debian GNU/Linux 9.8 (stretch)
> > Release: 9.8
> > Codename: stretch
> > root@ho-vpn-ctx-ac01:~# uname -a
> > Linux ho-vpn-ctx-ac01 4.15.18-12-pve #1 SMP PVE 4.15.18-35 (Wed, 13 Mar 2019 08:24:42 +0100) x86_64 GNU/Linux
> > root@ho-vpn-ctx-ac01:~#
>
> I am running said server as a domain member using the latest packages in
> Louis' 4.9 branch
>
> > root@ho-vpn-ctx-ac01:~# net -V
> > Version 4.9.6-Debian
> > root@ho-vpn-ctx-ac01:~# net ads testjoin
> > Join is OK
>
> The join seems to be good, nsswitch is working
>
> > root@ho-vpn-ctx-ac01:~# wbinfo -i ianc
> > ianc:*:3201407:3200513::/home/JEOFFICE/ianc:/bin/bash
> > root@ho-vpn-ctx-ac01:~# getent passwd ianc
> > ianc:*:3201407:3200513::/home/JEOFFICE/ianc:/bin/bash
>
> Yet when I try to change the ownership of a file to a domain user, it
> fails with "Invalid argument"
>
> > root@ho-vpn-ctx-ac01:~# chown -v ianc test
> > chown: changing ownership of 'test': Invalid argument
> > failed to change ownership of 'test' from root to ianc
> > root@ho-vpn-ctx-ac01:~# chown -v jeadmin test
> > changed ownership of 'test' from root to jeadmin
> > root@ho-vpn-ctx-ac01:~# getent passwd jeadmin
> > jeadmin:x:1000:27::/home/jeadmin:/bin/bash
>
> It works however when changing to a local user. So it looks like the issue
> might be in samba. This is the first time I have had this problem after
> quite a few other servers (a mix between CentOS, Debian and Ubuntu) has
> already been joined to the domain using the exact same smb.conf.
>
> On a side note, I am also unable to log into the server using domain
> credentials, which I am currently attributing to the same cause.
>
> Can you guys maybe point me in the right direction where I might start to
> troubleshoot further?
>
> Kind regards
> Ian
>
> Configs:
>
> root@ho-vpn-ctx-ac01:~# cat /etc/samba/smb.conf
> [global]
> workgroup = JEOFFICE
> realm = JEOFFICE.JACKLIN.CO.ZA
> security = ADS
> template homedir = /home/%D/%U
> template shell = /bin/bash
> kerberos method = secrets only
> winbind use default domain = true
> # winbind offline logon = true
> winbind enum groups = true
>
> netbios name = ho-vpn-ctx-ac01
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> # Default ID mapping configuration for local BUILTIN accounts
> # and groups on a domain member. The default (*) domain:
> # - must not overlap with any domain ID mapping configuration!
> # - must use an read-write-enabled back end, such as tdb.
> idmap config * : backend = tdb
> idmap config * : range = 70001-80000
> idmap config JEOFFICE : backend = rid
> idmap config JEOFFICE : range = 3200000-3300000
>
> winbind nss info = template
> root@ho-vpn-ctx-ac01:~# cat /etc/nsswitch.conf
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: compat winbind
> group: compat winbind
> shadow: compat
> gshadow: files
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
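An added example, not part of the thread and not Samba or debug-collector code: a consistency check for the ID-mapping side of the setup posted above. It parses the idmap config lines of the smb.conf, checks that the default (*) range does not overlap the domain range, and places the UID/GID returned by getent passwd into a range, deriving the RID for the rid backend (ID = RID - base_rid + range low). The function names are hypothetical; the smb.conf excerpt and the two passwd lines are copied from the posts.

```python
import re

# [global] lines copied from the smb.conf posted in this thread.
SMB_CONF = """\
[global]
workgroup = JEOFFICE
realm = JEOFFICE.JACKLIN.CO.ZA
security = ADS
idmap config * : backend = tdb
idmap config * : range = 70001-80000
idmap config JEOFFICE : backend = rid
idmap config JEOFFICE : range = 3200000-3300000
"""

# getent passwd lines copied from the original post.
PASSWD_LINES = [
    "ianc:*:3201407:3200513::/home/JEOFFICE/ianc:/bin/bash",
    "jeadmin:x:1000:27::/home/jeadmin:/bin/bash",
]

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$", re.IGNORECASE
)


def parse_idmap(conf_text):
    """Collect 'idmap config DOMAIN : option = value' lines per domain."""
    domains = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # smb.conf comment line
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain, option, value = m.group(1), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(domain, {"base_rid": 0})
        if option == "backend":
            entry["backend"] = value.lower()
        elif option == "base_rid":
            entry["base_rid"] = int(value)
        elif option == "range":
            low, high = (int(part) for part in value.split("-", 1))
            if low > high:
                raise ValueError(f"idmap range for {domain} is reversed: {value}")
            entry["low"], entry["high"] = low, high
    return domains


def find_overlaps(domains):
    """Return pairs of domain names whose ID ranges intersect."""
    names = sorted(n for n, e in domains.items() if "low" in e)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if domains[a]["low"] <= domains[b]["high"]
        and domains[b]["low"] <= domains[a]["high"]
    ]


def classify_id(domains, unix_id):
    """Return (domain, backend, rid) for a UID/GID, or None if no range holds it.

    rid is only derived for the rid backend: RID = ID - range low + base_rid.
    """
    for name, entry in domains.items():
        if "low" in entry and entry["low"] <= unix_id <= entry["high"]:
            rid = None
            if entry.get("backend") == "rid":
                rid = unix_id - entry["low"] + entry["base_rid"]
            return name, entry.get("backend"), rid
    return None


def check_passwd_line(domains, passwd_line):
    """Classify the UID and primary GID of one passwd(5) line."""
    fields = passwd_line.strip().split(":")
    if len(fields) != 7:
        raise ValueError(f"not a passwd line: {passwd_line!r}")
    return {
        "user": fields[0],
        "uid": classify_id(domains, int(fields[2])),
        "gid": classify_id(domains, int(fields[3])),
    }


if __name__ == "__main__":
    idmap = parse_idmap(SMB_CONF)
    print("overlapping ranges:", find_overlaps(idmap) or "none")
    for line in PASSWD_LINES:
        print(check_passwd_line(idmap, line))
```

For ianc both IDs land in the JEOFFICE rid range (RID 1407 for the user, RID 513 for the primary group), while jeadmin falls in no winbind range because it is a local account.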
L.P.H. van Belle
2019-Apr-10 09:12 UTC
[Samba] chown: changing ownership of 'test': Invalid argument
I forgot, post also:
cat /etc/idmapd.conf
(I'm adding it in the debug-collector atm)

There might be a miss in detecting the Domain or Local-Realm.
I suggest, add this:
Domain = jeoffice.jacklin.co.za
Local-Realm = JEOFFICE.JACKLIN.CO.ZA

See if that helps.

Greetz,

Louis