Ian Coetzee
2019-Apr-10 07:04 UTC
[Samba] chown: changing ownership of 'test': Invalid argument
Hi All, I have a very weird issue on one of my servers. I think I might just be missing something quite obviously... I will post the config files at the bottom I have a brand new Debian server running as an LXC container> root at ho-vpn-ctx-ac01:~# lsb_release -a > No LSB modules are available. > Distributor ID: Debian > Description: Debian GNU/Linux 9.8 (stretch) > Release: 9.8 > Codename: stretch > root at ho-vpn-ctx-ac01:~# uname -a > Linux ho-vpn-ctx-ac01 4.15.18-12-pve #1 SMP PVE 4.15.18-35 (Wed, 13 Mar > 2019 08:24:42 +0100) x86_64 GNU/Linux > root at ho-vpn-ctx-ac01:~# >I am running said server as a domain member using the latest packages in Louis' 4.9 branch> root at ho-vpn-ctx-ac01:~# net -V > Version 4.9.6-Debian > root at ho-vpn-ctx-ac01:~# net ads testjoin > Join is OK >The join seems to be good, nsswitch is working> root at ho-vpn-ctx-ac01:~# wbinfo -i ianc > ianc:*:3201407:3200513::/home/JEOFFICE/ianc:/bin/bash > root at ho-vpn-ctx-ac01:~# getent passwd ianc > ianc:*:3201407:3200513::/home/JEOFFICE/ianc:/bin/bash >Yet when I try to change the ownership of a file to a domain user, it fails with "Invalid argument"> root at ho-vpn-ctx-ac01:~# chown -v ianc test > chown: changing ownership of 'test': Invalid argument > failed to change ownership of 'test' from root to ianc > root at ho-vpn-ctx-ac01:~# chown -v jeadmin test > changed ownership of 'test' from root to jeadmin > root at ho-vpn-ctx-ac01:~# getent passwd jeadmin > jeadmin:x:1000:27::/home/jeadmin:/bin/bash >It works however when changing to a local user. So it looks like the issue might be in samba. This is the first time I have had this problem after quite a few other servers (a mix between CentOS, Debian and Ubuntu) has already been joined to the domain using the exact same smb.conf. On a side note, I am also unable to log into the server using domain credentials, which I am currently attributing to the same cause. Can you guys maybe point me in the right direction where I might start to troubleshoot further? Kind regards Ian Configs: root at ho-vpn-ctx-ac01:~# cat /etc/samba/smb.conf [global] workgroup = JEOFFICE realm = JEOFFICE.JACKLIN.CO.ZA security = ADS template homedir = /home/%D/%U template shell = /bin/bash kerberos method = secrets only winbind use default domain = true # winbind offline logon = true winbind enum groups = true netbios name = ho-vpn-ctx-ac01 log file = /var/log/samba/%m.log log level = 1 # Default ID mapping configuration for local BUILTIN accounts # and groups on a domain member. The default (*) domain: # - must not overlap with any domain ID mapping configuration! # - must use an read-write-enabled back end, such as tdb. idmap config * : backend = tdb idmap config * : range = 70001-80000 idmap config JEOFFICE : backend = rid idmap config JEOFFICE : range = 3200000-3300000 winbind nss info = template root at ho-vpn-ctx-ac01:~# cat /etc/nsswitch.conf # /etc/nsswitch.conf # # Example configuration of GNU Name Service Switch functionality. # If you have the `glibc-doc-reference' and `info' packages installed, try: # `info libc "Name Service Switch"' for information about this file. passwd: compat winbind group: compat winbind shadow: compat gshadow: files hosts: files dns networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: nis
L.P.H. van Belle
2019-Apr-10 07:37 UTC
[Samba] chown: changing ownership of 'test': Invalid argument
Hai Ian, Can you run my setup debugger.. https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh Anonimize where needed and post output. Because when i run this, it works fine. chown -v username test-own.txt changed ownership of 'test-own.txt' from root to username And yes, this user only exist in AD. Check if attr and acl are installed also. And if the smb.conf below is complete then your missing: # For ACL support on member servers with shares vfs objects = acl_xattr map acl inherit = Yes store dos attributes = Yes The difference between you and me, in smb.conf as far i can tell now. Me backend AD. You RID. Me kerberos method = secrets and keytab dedicated keytab file = /etc/krb5.keytab winbind refresh tickets = yes You ( only secrets ) I've just tested these versions because today my vpn needed the upgrades of samba also. I've tested and upgraded from 4.8.9 upto 4.8.11, 4.9.6 and 4.10.2 It still might be a bug, but i need more info. Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens Ian > Coetzee via samba > Verzonden: woensdag 10 april 2019 9:04 > Aan: Samba List > Onderwerp: [Samba] chown: changing ownership of 'test': > Invalid argument > > Hi All, > > I have a very weird issue on one of my servers. I think I > might just be > missing something quite obviously... I will post the config > files at the > bottom > > I have a brand new Debian server running as an LXC container > > > root at ho-vpn-ctx-ac01:~# lsb_release -a > > No LSB modules are available. > > Distributor ID: Debian > > Description: Debian GNU/Linux 9.8 (stretch) > > Release: 9.8 > > Codename: stretch > > root at ho-vpn-ctx-ac01:~# uname -a > > Linux ho-vpn-ctx-ac01 4.15.18-12-pve #1 SMP PVE 4.15.18-35 > (Wed, 13 Mar > > 2019 08:24:42 +0100) x86_64 GNU/Linux > > root at ho-vpn-ctx-ac01:~# > > > > I am running said server as a domain member using the latest > packages in > Louis' 4.9 branch > > > root at ho-vpn-ctx-ac01:~# net -V > > Version 4.9.6-Debian > > root at ho-vpn-ctx-ac01:~# net ads testjoin > > Join is OK > > > > The join seems to be good, nsswitch is working > > > root at ho-vpn-ctx-ac01:~# wbinfo -i ianc > > ianc:*:3201407:3200513::/home/JEOFFICE/ianc:/bin/bash > > root at ho-vpn-ctx-ac01:~# getent passwd ianc > > ianc:*:3201407:3200513::/home/JEOFFICE/ianc:/bin/bash > > > > Yet when I try to change the ownership of a file to a domain user, it > fails with "Invalid argument" > > > root at ho-vpn-ctx-ac01:~# chown -v ianc test > > chown: changing ownership of 'test': Invalid argument > > failed to change ownership of 'test' from root to ianc > > root at ho-vpn-ctx-ac01:~# chown -v jeadmin test > > changed ownership of 'test' from root to jeadmin > > root at ho-vpn-ctx-ac01:~# getent passwd jeadmin > > jeadmin:x:1000:27::/home/jeadmin:/bin/bash > > > > It works however when changing to a local user. So it looks > like the issue > might be in samba. This is the first time I have had this > problem after > quite a few other servers (a mix between CentOS, Debian and > Ubuntu) has > already been joined to the domain using the exact same smb.conf. > > On a side note, I am also unable to log into the server using domain > credentials, which I am currently attributing to the same cause. > > Can you guys maybe point me in the right direction where I > might start to > troubleshoot further? > > Kind regards > Ian > > Configs: > > root at ho-vpn-ctx-ac01:~# cat /etc/samba/smb.conf > [global] > workgroup = JEOFFICE > realm = JEOFFICE.JACKLIN.CO.ZA > security = ADS > template homedir = /home/%D/%U > template shell = /bin/bash > kerberos method = secrets only > winbind use default domain = true > # winbind offline logon = true > winbind enum groups = true > > netbios name = ho-vpn-ctx-ac01 > > log file = /var/log/samba/%m.log > log level = 1 > > # Default ID mapping configuration for local BUILTIN accounts > # and groups on a domain member. The default (*) domain: > # - must not overlap with any domain ID mapping configuration! > # - must use an read-write-enabled back end, such as tdb. > idmap config * : backend = tdb > idmap config * : range = 70001-80000 > idmap config JEOFFICE : backend = rid > idmap config JEOFFICE : range = 3200000-3300000 > > winbind nss info = template > root at ho-vpn-ctx-ac01:~# cat /etc/nsswitch.conf > # /etc/nsswitch.conf > # > # Example configuration of GNU Name Service Switch functionality. > # If you have the `glibc-doc-reference' and `info' packages > installed, try: > # `info libc "Name Service Switch"' for information about this file. > > passwd: compat winbind > group: compat winbind > shadow: compat > gshadow: files > > hosts: files dns > networks: files > > protocols: db files > services: db files > ethers: db files > rpc: db files > > netgroup: nis > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > >
Rowland Penny
2019-Apr-10 07:58 UTC
[Samba] chown: changing ownership of 'test': Invalid argument
On Wed, 10 Apr 2019 09:04:06 +0200 Ian Coetzee via samba <samba at lists.samba.org> wrote:> Hi All, > > I have a very weird issue on one of my servers. I think I might just > be missing something quite obviously... I will post the config files > at the bottom > > I have a brand new Debian server running as an LXC container > I am running said server as a domain member using the latest packages > in Louis' 4.9 branch > > The join seems to be good, nsswitch is working > > > root at ho-vpn-ctx-ac01:~# wbinfo -i ianc > > ianc:*:3201407:3200513::/home/JEOFFICE/ianc:/bin/bash > > root at ho-vpn-ctx-ac01:~# getent passwd ianc > > ianc:*:3201407:3200513::/home/JEOFFICE/ianc:/bin/bash > > > > Yet when I try to change the ownership of a file to a domain user, it > fails with "Invalid argument" > > > root at ho-vpn-ctx-ac01:~# chown -v ianc test > > chown: changing ownership of 'test': Invalid argument > > failed to change ownership of 'test' from root to iancThis is very strange, the 'getent' command above shows that the OS knows who 'ianc' is, so why can file ownership not be changed ?> > root at ho-vpn-ctx-ac01:~# chown -v jeadmin test > > changed ownership of 'test' from root to jeadmin > > root at ho-vpn-ctx-ac01:~# getent passwd jeadmin > > jeadmin:x:1000:27::/home/jeadmin:/bin/bash > > > > It works however when changing to a local user. So it looks like the > issue might be in samba. This is the first time I have had this > problem after quite a few other servers (a mix between CentOS, Debian > and Ubuntu) has already been joined to the domain using the exact > same smb.conf. > > On a side note, I am also unable to log into the server using domain > credentials, which I am currently attributing to the same cause.Possibly, but it could just be down to you not having this line in /etc/pam.d/common-session session required pam_mkhomedir.so skel=/etc/skel/ umask=0022 Without that line, the users homedir will not get created and the login will fail.> > root at ho-vpn-ctx-ac01:~# cat /etc/samba/smb.conf > [global] > workgroup = JEOFFICE > realm = JEOFFICE.JACKLIN.CO.ZA > security = ADS > template shell = /bin/bash > winbind use default domain = true > log file = /var/log/samba/%m.log > log level = 1 > idmap config * : backend = tdb > idmap config * : range = 70001-80000 > idmap config JEOFFICE : backend = rid > idmap config JEOFFICE : range = 3200000-3300000 >If you notice, I have shorted your smb.conf, it is effectively the same as what you have now, I have just removed the default lines. There are numerous lines I would add, but they do not really have anything to do with your problem. A last thought, do you have any users in AD that also occur in /etc/passwd ? Rowland
Ian Coetzee
2019-Apr-10 08:17 UTC
[Samba] chown: changing ownership of 'test': Invalid argument
Hi Louis, Thank you. I will add those line and test. Will revert shortly As requested. The output: root at ho-vpn-ctx-ac01:~# cat /tmp/samba-debug-info.txt> Collected config --- 2019-04-10-08:12 ----------- > > Hostname: ho-vpn-ctx-ac01 > DNS Domain: jeoffice.jacklin.co.za > FQDN: ho-vpn-ctx-ac01.jeoffice.jacklin.co.za > ipaddress: 10.10.18.50 10.10.11.50 > > ----------- > > Samba is running as a Unix domain member > > ----------- > Checking file: /etc/os-release > > PRETTY_NAME="Debian GNU/Linux 9 (stretch)" > NAME="Debian GNU/Linux" > VERSION_ID="9" > VERSION="9 (stretch)" > ID=debian > HOME_URL="https://www.debian.org/" > SUPPORT_URL="https://www.debian.org/support" > BUG_REPORT_URL="https://bugs.debian.org/" > > ----------- > > > This computer is running Debian 9.8 x86_64 > > ----------- > running command : ip a > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group > default qlen 1000 > link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 > inet 127.0.0.1/8 scope host lo > inet6 ::1/128 scope host > 44: native0 at if45: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc > noqueue state UP group default qlen 1000 > link/ether 00:c1:2a:15:5c:fe brd ff:ff:ff:ff:ff:ff link-netnsid 0 > inet 10.10.18.50/24 brd 10.10.18.255 scope global native0 > inet6 fe80::2c1:2aff:fe15:5cfe/64 scope link > 46: dmz0 at if47: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue > state UP group default qlen 1000 > link/ether 00:c1:b1:ea:6c:fe brd ff:ff:ff:ff:ff:ff link-netnsid 0 > inet 10.10.11.50/24 brd 10.10.11.255 scope global dmz0 > inet6 fe80::2c1:b1ff:feea:6cfe/64 scope link > > ----------- > Checking file: /etc/hosts > > 127.0.0.1 localhost > ::1 localhost ip6-localhost ip6-loopback > ff02::1 ip6-allnodes > ff02::2 ip6-allrouters > # --- BEGIN PVE --- > 10.10.18.50 ho-vpn-ctx-ac01.jeoffice.jacklin.co.za ho-vpn-ctx-ac01 > # --- END PVE --- > > ----------- > > Checking file: /etc/resolv.conf > > # --- BEGIN PVE --- > search jeoffice.jacklin.co.za > nameserver 10.10.10.4 > # --- END PVE --- > > ----------- > > Checking file: /etc/krb5.conf > > [libdefaults] > default_realm = JEOFFICE.JACKLIN.CO.ZA > > # The following krb5.conf variables are only for MIT Kerberos. > kdc_timesync = 1 > ccache_type = 4 > forwardable = true > proxiable = true > > # The following encryption type specification will be used by MIT Kerberos > # if uncommented. In general, the defaults in the MIT Kerberos code are > # correct and overriding these specifications only serves to disable new > # encryption types as they are added, creating interoperability problems. > # > # The only time when you might need to uncomment these lines and change > # the enctypes is if you have local software that will break on ticket > # caches containing ticket encryption types it doesn't know about (such as > # old versions of Sun Java). > > # default_tgs_enctypes = des3-hmac-sha1 > # default_tkt_enctypes = des3-hmac-sha1 > # permitted_enctypes = des3-hmac-sha1 > > # The following libdefaults parameters are only for Heimdal Kerberos. > fcc-mit-ticketflags = true > > [realms] > ATHENA.MIT.EDU = { > kdc = kerberos.mit.edu > kdc = kerberos-1.mit.edu > kdc = kerberos-2.mit.edu:88 > admin_server = kerberos.mit.edu > default_domain = mit.edu > } > ZONE.MIT.EDU = { > kdc = casio.mit.edu > kdc = seiko.mit.edu > admin_server = casio.mit.edu > } > CSAIL.MIT.EDU = { > admin_server = kerberos.csail.mit.edu > default_domain = csail.mit.edu > } > IHTFP.ORG = { > kdc = kerberos.ihtfp.org > admin_server = kerberos.ihtfp.org > } > 1TS.ORG = { > kdc = kerberos.1ts.org > admin_server = kerberos.1ts.org > } > ANDREW.CMU.EDU = { > admin_server = kerberos.andrew.cmu.edu > default_domain = andrew.cmu.edu > } > CS.CMU.EDU = { > kdc = kerberos-1.srv.cs.cmu.edu > kdc = kerberos-2.srv.cs.cmu.edu > kdc = kerberos-3.srv.cs.cmu.edu > admin_server = kerberos.cs.cmu.edu > } > DEMENTIA.ORG = { > kdc = kerberos.dementix.org > kdc = kerberos2.dementix.org > admin_server = kerberos.dementix.org > } > stanford.edu = { > kdc = krb5auth1.stanford.edu > kdc = krb5auth2.stanford.edu > kdc = krb5auth3.stanford.edu > master_kdc = krb5auth1.stanford.edu > admin_server = krb5-admin.stanford.edu > default_domain = stanford.edu > } > UTORONTO.CA = { > kdc = kerberos1.utoronto.ca > kdc = kerberos2.utoronto.ca > kdc = kerberos3.utoronto.ca > admin_server = kerberos1.utoronto.ca > default_domain = utoronto.ca > } > > [domain_realm] > .mit.edu = ATHENA.MIT.EDU > mit.edu = ATHENA.MIT.EDU > .media.mit.edu = MEDIA-LAB.MIT.EDU > media.mit.edu = MEDIA-LAB.MIT.EDU > .csail.mit.edu = CSAIL.MIT.EDU > csail.mit.edu = CSAIL.MIT.EDU > .whoi.edu = ATHENA.MIT.EDU > whoi.edu = ATHENA.MIT.EDU > .stanford.edu = stanford.edu > .slac.stanford.edu = SLAC.STANFORD.EDU > .toronto.edu = UTORONTO.CA > .utoronto.ca = UTORONTO.CA > > ----------- > > Checking file: /etc/nsswitch.conf > > # /etc/nsswitch.conf > # > # Example configuration of GNU Name Service Switch functionality. > # If you have the `glibc-doc-reference' and `info' packages installed, try: > # `info libc "Name Service Switch"' for information about this file. > > passwd: compat winbind > group: compat winbind > shadow: compat > gshadow: files > > hosts: files dns > networks: files > > protocols: db files > services: db files > ethers: db files > rpc: db files > > netgroup: nis > > ----------- > > Checking file: /etc/samba/smb.conf > > [global] > workgroup = JEOFFICE > realm = JEOFFICE.JACKLIN.CO.ZA > security = ADS > template homedir = /home/%D/%U > template shell = /bin/bash > kerberos method = secrets only > winbind use default domain = true > # winbind offline logon = true > winbind enum groups = true > > netbios name = ho-vpn-ctx-ac01 > > log file = /var/log/samba/%m.log > log level = 1 > > # Default ID mapping configuration for local BUILTIN accounts > # and groups on a domain member. The default (*) domain: > # - must not overlap with any domain ID mapping configuration! > # - must use an read-write-enabled back end, such as tdb. > idmap config * : backend = tdb > idmap config * : range = 70001-80000 > idmap config JEOFFICE : backend = rid > idmap config JEOFFICE : range = 3200000-3300000 > > winbind nss info = template > > ----------- > > Running as Unix domain member and no user.map detected. > > ----------- > > Installed packages: > ii acl 2.2.52-3+b1 > amd64 Access control list utilities > ii attr 1:2.4.47-2+b2 > amd64 Utilities for manipulating filesystem extended attributes > ii krb5-config 2.6 > all Configuration files for Kerberos Version 5 > ii krb5-locales 1.15-1+deb9u1 > all internationalization support for MIT Kerberos > ii krb5-user 1.15-1+deb9u1 > amd64 basic programs to authenticate using MIT Kerberos > ii libacl1:amd64 2.2.52-3+b1 > amd64 Access control list shared library > ii libacl1-dev 2.2.52-3+b1 > amd64 Access control list static libraries and headers > ii libattr1:amd64 1:2.4.47-2+b2 > amd64 Extended attribute shared library > ii libattr1-dev:amd64 1:2.4.47-2+b2 > amd64 Extended attribute static libraries and headers > ii libgssapi-krb5-2:amd64 1.15-1+deb9u1 > amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism > ii libkrb5-3:amd64 1.15-1+deb9u1 > amd64 MIT Kerberos runtime libraries > ii libkrb5support0:amd64 1.15-1+deb9u1 > amd64 MIT Kerberos runtime libraries - Support library > ii libnss-winbind:amd64 2:4.9.6+nmu-1.0debian1 > amd64 Samba nameservice integration plugins > ii libpam-winbind:amd64 2:4.9.6+nmu-1.0debian1 > amd64 Windows domain authentication integration plugin > ii libwbclient0:amd64 2:4.9.6+nmu-1.0debian1 > amd64 Samba winbind client library > ii python-samba 2:4.9.6+nmu-1.0debian1 > amd64 Python bindings for Samba > ii samba 2:4.9.6+nmu-1.0debian1 > amd64 SMB/CIFS file, print, and login server for Unix > ii samba-common 2:4.9.6+nmu-1.0debian1 > all common files used by both the Samba server and client > ii samba-common-bin 2:4.9.6+nmu-1.0debian1 > amd64 Samba common files used by both the server and the client > ii samba-dsdb-modules:amd64 2:4.9.6+nmu-1.0debian1 > amd64 Samba Directory Services Database > ii samba-libs:amd64 2:4.9.6+nmu-1.0debian1 > amd64 Samba core libraries > ii samba-vfs-modules:amd64 2:4.9.6+nmu-1.0debian1 > amd64 Samba Virtual FileSystem plugins > ii winbind 2:4.9.6+nmu-1.0debian1 > amd64 service to resolve user and group information from Windows NT > servers > > ----------- >On Wed, 10 Apr 2019 at 09:37, L.P.H. van Belle via samba < samba at lists.samba.org> wrote:> Hai Ian, > > Can you run my setup debugger.. > > > https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh > Anonimize where needed and post output. > > Because when i run this, it works fine. > chown -v username test-own.txt > changed ownership of 'test-own.txt' from root to username > And yes, this user only exist in AD. > > Check if attr and acl are installed also. > > And if the smb.conf below is complete then your missing: > # For ACL support on member servers with shares > vfs objects = acl_xattr > map acl inherit = Yes > store dos attributes = Yes > > > The difference between you and me, in smb.conf as far i can tell now. > > Me backend AD. You RID. > Me > kerberos method = secrets and keytab > dedicated keytab file = /etc/krb5.keytab > winbind refresh tickets = yes > > You ( only secrets ) > > I've just tested these versions because today my vpn needed the upgrades > of samba also. > I've tested and upgraded from 4.8.9 upto 4.8.11, 4.9.6 and 4.10.2 > > It still might be a bug, but i need more info. > > > Greetz, > > Louis > > > > -----Oorspronkelijk bericht----- > > Van: samba [mailto:samba-bounces at lists.samba.org] Namens Ian > > Coetzee via samba > > Verzonden: woensdag 10 april 2019 9:04 > > Aan: Samba List > > Onderwerp: [Samba] chown: changing ownership of 'test': > > Invalid argument > > > > Hi All, > > > > I have a very weird issue on one of my servers. I think I > > might just be > > missing something quite obviously... I will post the config > > files at the > > bottom > > > > I have a brand new Debian server running as an LXC container > > > > > root at ho-vpn-ctx-ac01:~# lsb_release -a > > > No LSB modules are available. > > > Distributor ID: Debian > > > Description: Debian GNU/Linux 9.8 (stretch) > > > Release: 9.8 > > > Codename: stretch > > > root at ho-vpn-ctx-ac01:~# uname -a > > > Linux ho-vpn-ctx-ac01 4.15.18-12-pve #1 SMP PVE 4.15.18-35 > > (Wed, 13 Mar > > > 2019 08:24:42 +0100) x86_64 GNU/Linux > > > root at ho-vpn-ctx-ac01:~# > > > > > > > I am running said server as a domain member using the latest > > packages in > > Louis' 4.9 branch > > > > > root at ho-vpn-ctx-ac01:~# net -V > > > Version 4.9.6-Debian > > > root at ho-vpn-ctx-ac01:~# net ads testjoin > > > Join is OK > > > > > > > The join seems to be good, nsswitch is working > > > > > root at ho-vpn-ctx-ac01:~# wbinfo -i ianc > > > ianc:*:3201407:3200513::/home/JEOFFICE/ianc:/bin/bash > > > root at ho-vpn-ctx-ac01:~# getent passwd ianc > > > ianc:*:3201407:3200513::/home/JEOFFICE/ianc:/bin/bash > > > > > > > Yet when I try to change the ownership of a file to a domain user, it > > fails with "Invalid argument" > > > > > root at ho-vpn-ctx-ac01:~# chown -v ianc test > > > chown: changing ownership of 'test': Invalid argument > > > failed to change ownership of 'test' from root to ianc > > > root at ho-vpn-ctx-ac01:~# chown -v jeadmin test > > > changed ownership of 'test' from root to jeadmin > > > root at ho-vpn-ctx-ac01:~# getent passwd jeadmin > > > jeadmin:x:1000:27::/home/jeadmin:/bin/bash > > > > > > > It works however when changing to a local user. So it looks > > like the issue > > might be in samba. This is the first time I have had this > > problem after > > quite a few other servers (a mix between CentOS, Debian and > > Ubuntu) has > > already been joined to the domain using the exact same smb.conf. > > > > On a side note, I am also unable to log into the server using domain > > credentials, which I am currently attributing to the same cause. > > > > Can you guys maybe point me in the right direction where I > > might start to > > troubleshoot further? > > > > Kind regards > > Ian > > > > Configs: > > > > root at ho-vpn-ctx-ac01:~# cat /etc/samba/smb.conf > > [global] > > workgroup = JEOFFICE > > realm = JEOFFICE.JACKLIN.CO.ZA > > security = ADS > > template homedir = /home/%D/%U > > template shell = /bin/bash > > kerberos method = secrets only > > winbind use default domain = true > > # winbind offline logon = true > > winbind enum groups = true > > > > netbios name = ho-vpn-ctx-ac01 > > > > log file = /var/log/samba/%m.log > > log level = 1 > > > > # Default ID mapping configuration for local BUILTIN accounts > > # and groups on a domain member. The default (*) domain: > > # - must not overlap with any domain ID mapping configuration! > > # - must use an read-write-enabled back end, such as tdb. > > idmap config * : backend = tdb > > idmap config * : range = 70001-80000 > > idmap config JEOFFICE : backend = rid > > idmap config JEOFFICE : range = 3200000-3300000 > > > > winbind nss info = template > > root at ho-vpn-ctx-ac01:~# cat /etc/nsswitch.conf > > # /etc/nsswitch.conf > > # > > # Example configuration of GNU Name Service Switch functionality. > > # If you have the `glibc-doc-reference' and `info' packages > > installed, try: > > # `info libc "Name Service Switch"' for information about this file. > > > > passwd: compat winbind > > group: compat winbind > > shadow: compat > > gshadow: files > > > > hosts: files dns > > networks: files > > > > protocols: db files > > services: db files > > ethers: db files > > rpc: db files > > > > netgroup: nis > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba > > > > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Ian Coetzee
2019-Apr-10 08:25 UTC
[Samba] chown: changing ownership of 'test': Invalid argument
Hi Rowland, Please see my replies inline. On Wed, 10 Apr 2019 at 09:58, Rowland Penny via samba <samba at lists.samba.org> wrote:> On Wed, 10 Apr 2019 09:04:06 +0200 > Ian Coetzee via samba <samba at lists.samba.org> wrote: > > > Hi All, > > > > I have a very weird issue on one of my servers. I think I might just > > be missing something quite obviously... I will post the config files > > at the bottom > > > > I have a brand new Debian server running as an LXC container > > I am running said server as a domain member using the latest packages > > in Louis' 4.9 branch > > > > The join seems to be good, nsswitch is working > > > > > root at ho-vpn-ctx-ac01:~# wbinfo -i ianc > > > ianc:*:3201407:3200513::/home/JEOFFICE/ianc:/bin/bash > > > root at ho-vpn-ctx-ac01:~# getent passwd ianc > > > ianc:*:3201407:3200513::/home/JEOFFICE/ianc:/bin/bash > > > > > > > Yet when I try to change the ownership of a file to a domain user, it > > fails with "Invalid argument" > > > > > root at ho-vpn-ctx-ac01:~# chown -v ianc test > > > chown: changing ownership of 'test': Invalid argument > > > failed to change ownership of 'test' from root to ianc > > This is very strange, the 'getent' command above shows that the OS > knows who 'ianc' is, so why can file ownership not be changed ? >My thoughts exactly> > > root at ho-vpn-ctx-ac01:~# chown -v jeadmin test > > > changed ownership of 'test' from root to jeadmin > > > root at ho-vpn-ctx-ac01:~# getent passwd jeadmin > > > jeadmin:x:1000:27::/home/jeadmin:/bin/bash > > > > > > > It works however when changing to a local user. So it looks like the > > issue might be in samba. This is the first time I have had this > > problem after quite a few other servers (a mix between CentOS, Debian > > and Ubuntu) has already been joined to the domain using the exact > > same smb.conf. > > > > On a side note, I am also unable to log into the server using domain > > credentials, which I am currently attributing to the same cause. > > Possibly, but it could just be down to you not having this line > in /etc/pam.d/common-session >> session required pam_mkhomedir.so skel=/etc/skel/ umask=0022 >I normally add this line through pam-auth-update and a custom file under /usr/share/pam-configs/ root at ho-vpn-ctx-ac01:~# cat /usr/share/pam-configs/mkhomedir> Name: Create home directory on login > Default: no > Priority: 0 > Session-Type: Additional > Session-Interactive-Only: yes > Session: > optional pam_mkhomedir.so skel=/etc/skel/ umask=0022> Without that line, the users homedir will not get created and the login > will fail. >This has bitten me more than once already :)> > > > > root at ho-vpn-ctx-ac01:~# cat /etc/samba/smb.conf > > [global] > > workgroup = JEOFFICE > > realm = JEOFFICE.JACKLIN.CO.ZA > > security = ADS > > template shell = /bin/bash > > winbind use default domain = true > > log file = /var/log/samba/%m.log > > log level = 1 > > idmap config * : backend = tdb > > idmap config * : range = 70001-80000 > > idmap config JEOFFICE : backend = rid > > idmap config JEOFFICE : range = 3200000-3300000 > > > > If you notice, I have shorted your smb.conf, it is effectively the same > as what you have now, I have just removed the default lines. >Thanks. I will update my smb.conf template accordingly.> > There are numerous lines I would add, but they do not really have > anything to do with your problem. > > A last thought, do you have any users in AD that also occur > in /etc/passwd ? >The only user I have is the jeadmin user which is the domain admin as well as a local admin user. Should I try renaming the local user?> > Rowland > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
L.P.H. van Belle
2019-Apr-10 09:10 UTC
[Samba] chown: changing ownership of 'test': Invalid argument
Ok i've comment in between de debug logs. Check my comments and add the needed info. Van: Ian Coetzee [mailto:samba at iancoetzee.za.net] Verzonden: woensdag 10 april 2019 10:17 Aan: L.P.H. van Belle CC: samba at lists.samba.org Onderwerp: Re: [Samba] chown: changing ownership of 'test': Invalid argument Hi Louis, Thank you. I will add those line and test. Will revert shortly As requested. The output: root at ho-vpn-ctx-ac01:~# cat /tmp/samba-debug-info.txt Collected config --- 2019-04-10-08:12 ----------- Hostname: ho-vpn-ctx-ac01 DNS Domain: jeoffice.jacklin.co.za FQDN: ho-vpn-ctx-ac01.jeoffice.jacklin.co.za ipaddress: 10.10.18.50 10.10.11.50 Ok 2 ipadresses, and the primary is .10.50 ? for sure? #To MySelf, add routing checks in debugger. ----------- Samba is running as a Unix domain member ----------- Checking file: /etc/os-release PRETTY_NAME="Debian GNU/Linux 9 (stretch)" NAME="Debian GNU/Linux" VERSION_ID="9" VERSION="9 (stretch)" ID=debian HOME_URL="https://www.debian.org/" SUPPORT_URL="https://www.debian.org/support" BUG_REPORT_URL="https://bugs.debian.org/" ----------- This computer is running Debian 9.8 x86_64 ----------- running command : ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet MailScanner warning: numerical links are often malicious: 127.0.0.1/8 scope host lo inet6 ::1/128 scope host 44: native0 at if45: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 link/ether 00:c1:2a:15:5c:fe brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet MailScanner warning: numerical links are often malicious: 10.10.18.50/24 brd 10.10.18.255 scope global native0 inet6 fe80::2c1:2aff:fe15:5cfe/64 scope link 46: dmz0 at if47: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 link/ether 00:c1:b1:ea:6c:fe brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet MailScanner warning: numerical links are often malicious: 10.10.11.50/24 brd 10.10.11.255 scope global dmz0 inet6 fe80::2c1:b1ff:feea:6cfe/64 scope link ----------- Checking file: /etc/hosts 127.0.0.1 localhost ::1 localhost ip6-localhost ip6-loopback ff02::1 ip6-allnodes ff02::2 ip6-allrouters # --- BEGIN PVE --- 10.10.18.50 ho-vpn-ctx-ac01.jeoffice.jacklin.co.za ho-vpn-ctx-ac01 # --- END PVE --- Here run, to and check both PTR records. dig -x 10.10.18.50 dig -x 10.10.11.50 Then check both A records with there FQDN #To Self, add A/PTR check when multiple ips are detected on hostname -I ----------- Checking file: /etc/resolv.conf # --- BEGIN PVE --- search jeoffice.jacklin.co.za nameserver 10.10.10.4 # --- END PVE --- To make sure, the 10.10.10.4 is your DC? or is this a DNS proxy. #To Self, add PTR check on nameserver ip, add domain check of this is a DC. ----------- Checking file: /etc/krb5.conf [libdefaults] default_realm = JEOFFICE.JACKLIN.CO.ZA # The following krb5.conf variables are only for MIT Kerberos. kdc_timesync = 1 ccache_type = 4 forwardable = true proxiable = true # The following encryption type specification will be used by MIT Kerberos # if uncommented. In general, the defaults in the MIT Kerberos code are # correct and overriding these specifications only serves to disable new # encryption types as they are added, creating interoperability problems. # # The only time when you might need to uncomment these lines and change # the enctypes is if you have local software that will break on ticket # caches containing ticket encryption types it doesn't know about (such as # old versions of Sun Java). # default_tgs_enctypes = des3-hmac-sha1 # default_tkt_enctypes = des3-hmac-sha1 # permitted_enctypes = des3-hmac-sha1 # The following libdefaults parameters are only for Heimdal Kerberos. fcc-mit-ticketflags = true [realms] ATHENA.MIT.EDU = { kdc = kerberos.mit.edu kdc = kerberos-1.mit.edu kdc = kerberos-2.mit.edu:88 admin_server = kerberos.mit.edu default_domain = mit.edu } ZONE.MIT.EDU = { kdc = casio.mit.edu kdc = seiko.mit.edu admin_server = casio.mit.edu } CSAIL.MIT.EDU = { admin_server = kerberos.csail.mit.edu default_domain = csail.mit.edu } IHTFP.ORG = { kdc = kerberos.ihtfp.org admin_server = kerberos.ihtfp.org } 1TS.ORG = { kdc = kerberos.1ts.org admin_server = kerberos.1ts.org } ANDREW.CMU.EDU = { admin_server = kerberos.andrew.cmu.edu default_domain = andrew.cmu.edu } CS.CMU.EDU = { kdc = kerberos-1.srv.cs.cmu.edu kdc = kerberos-2.srv.cs.cmu.edu kdc = kerberos-3.srv.cs.cmu.edu admin_server = kerberos.cs.cmu.edu } DEMENTIA.ORG = { kdc = kerberos.dementix.org kdc = kerberos2.dementix.org admin_server = kerberos.dementix.org } stanford.edu = { kdc = krb5auth1.stanford.edu kdc = krb5auth2.stanford.edu kdc = krb5auth3.stanford.edu master_kdc = krb5auth1.stanford.edu admin_server = krb5-admin.stanford.edu default_domain = stanford.edu } UTORONTO.CA = { kdc = kerberos1.utoronto.ca kdc = kerberos2.utoronto.ca kdc = kerberos3.utoronto.ca admin_server = kerberos1.utoronto.ca default_domain = utoronto.ca } [domain_realm] .mit.edu = ATHENA.MIT.EDU mit.edu = ATHENA.MIT.EDU .media.mit.edu = MEDIA-LAB.MIT.EDU media.mit.edu = MEDIA-LAB.MIT.EDU .csail.mit.edu = CSAIL.MIT.EDU csail.mit.edu = CSAIL.MIT.EDU .whoi.edu = ATHENA.MIT.EDU whoi.edu = ATHENA.MIT.EDU .stanford.edu = stanford.edu .slac.stanford.edu = SLAC.STANFORD.EDU .toronto.edu = UTORONTO.CA .utoronto.ca = UTORONTO.CA ----------- Checking file: /etc/nsswitch.conf # /etc/nsswitch.conf # # Example configuration of GNU Name Service Switch functionality. # If you have the `glibc-doc-reference' and `info' packages installed, try: # `info libc "Name Service Switch"' for information about this file. passwd: compat winbind group: compat winbind #to Self, Buster changes compat to file. shadow: compat gshadow: files hosts: files dns networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: nis ----------- Checking file: /etc/samba/smb.conf [global] workgroup = JEOFFICE realm = JEOFFICE.JACKLIN.CO.ZA security = ADS template homedir = /home/%D/%U template shell = /bin/bash kerberos method = secrets only winbind use default domain = true # winbind offline logon = true winbind enum groups = true You can set the enu user and group = false. handy for testing yes, but it slows down your server. netbios name = ho-vpn-ctx-ac01 log file = /var/log/samba/%m.log log level = 1 # Default ID mapping configuration for local BUILTIN accounts # and groups on a domain member. The default (*) domain: # - must not overlap with any domain ID mapping configuration! # - must use an read-write-enabled back end, such as tdb. idmap config * : backend = tdb idmap config * : range = 70001-80000 idmap config JEOFFICE : backend = rid idmap config JEOFFICE : range = 3200000-3300000 winbind nss info = template ----------- Running as Unix domain member and no user.map detected. ----------- Installed packages: ii acl 2.2.52-3+b1 amd64 Access control list utilities ii attr 1:2.4.47-2+b2 amd64 Utilities for manipulating filesystem extended attributes ii krb5-config 2.6 all Configuration files for Kerberos Version 5 ii krb5-locales 1.15-1+deb9u1 all internationalization support for MIT Kerberos ii krb5-user 1.15-1+deb9u1 amd64 basic programs to authenticate using MIT Kerberos ii libacl1:amd64 2.2.52-3+b1 amd64 Access control list shared library ii libacl1-dev 2.2.52-3+b1 amd64 Access control list static libraries and headers ii libattr1:amd64 1:2.4.47-2+b2 amd64 Extended attribute shared library ii libattr1-dev:amd64 1:2.4.47-2+b2 amd64 Extended attribute static libraries and headers ii libgssapi-krb5-2:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism ii libkrb5-3:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries ii libkrb5support0:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries - Support library ii libnss-winbind:amd64 2:4.9.6+nmu-1.0debian1 amd64 Samba nameservice integration plugins ii libpam-winbind:amd64 2:4.9.6+nmu-1.0debian1 amd64 Windows domain authentication integration plugin ii libwbclient0:amd64 2:4.9.6+nmu-1.0debian1 amd64 Samba winbind client library ii python-samba 2:4.9.6+nmu-1.0debian1 amd64 Python bindings for Samba ii samba 2:4.9.6+nmu-1.0debian1 amd64 SMB/CIFS file, print, and login server for Unix ii samba-common 2:4.9.6+nmu-1.0debian1 all common files used by both the Samba server and client ii samba-common-bin 2:4.9.6+nmu-1.0debian1 amd64 Samba common files used by both the server and the client ii samba-dsdb-modules:amd64 2:4.9.6+nmu-1.0debian1 amd64 Samba Directory Services Database ii samba-libs:amd64 2:4.9.6+nmu-1.0debian1 amd64 Samba core libraries ii samba-vfs-modules:amd64 2:4.9.6+nmu-1.0debian1 amd64 Samba Virtual FileSystem plugins ii winbind 2:4.9.6+nmu-1.0debian1 amd64 service to resolve user and group information from Windows NT servers #To Self, Workin on now, change/fix some detecton on packages. # in case of a auth-only setup, (no smbd ) ----------- that looks fine, execpt, smb.conf, your only using the server for authentication, no shares? then we can reduce the install a bit. for example, my "auth only" vpn server only had this installed for samba. Here i login with SSO on a NFSv4 (kerberized) mounted home dir and all i use ( not shown the nfs packages ) Installed packages: ii acl 2.2.52-3+b1 amd64 Access control list utilities ii krb5-config 2.6 all Configuration files for Kerberos Version 5 ii krb5-locales 1.15-1+deb9u1 all internationalization support for MIT Kerberos ii krb5-user 1.15-1+deb9u1 amd64 basic programs to authenticate using MIT Kerberos ii libacl1:amd64 2.2.52-3+b1 amd64 Access control list shared library ii libattr1:amd64 1:2.4.47-2+b2 amd64 Extended attribute shared library ii libgssapi-krb5-2:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism ii libkrb5-3:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries ii libkrb5support0:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries - Support library ii libpam-krb5:amd64 4.7-4 amd64 PAM module for MIT Kerberos ii nfs4-acl-tools 0.3.3-3 amd64 Commandline and GUI ACL utilities for the NFSv4 client ii python3-xattr 0.9.1-1 amd64 module for manipulating filesystem extended attributes - Python 3 ii xattr 0.9.1-1 amd64 tool for manipulating filesystem extended attributes ii libnss-winbind:amd64 2:4.10.2+nmu-1debian1 amd64 Samba nameservice integration plugins ii libwbclient0:amd64 2:4.10.2+nmu-1debian1 amd64 Samba winbind client library ii winbind 2:4.10.2+nmu-1debian1 amd64 service to resolve user and group information from Windows NT servers On Wed, 10 Apr 2019 at 09:37, L.P.H. van Belle via samba <samba at lists.samba.org> wrote: Hai Ian, Can you run my setup debugger.. https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh Anonimize where needed and post output. Because when i run this, it works fine. chown -v username test-own.txt changed ownership of 'test-own.txt' from root to username And yes, this user only exist in AD. Check if attr and acl are installed also. And if the smb.conf below is complete then your missing: # For ACL support on member servers with shares vfs objects = acl_xattr map acl inherit = Yes store dos attributes = Yes The difference between you and me, in smb.conf as far i can tell now. Me backend AD. You RID. Me kerberos method = secrets and keytab dedicated keytab file = /etc/krb5.keytab winbind refresh tickets = yes You ( only secrets ) I've just tested these versions because today my vpn needed the upgrades of samba also. I've tested and upgraded from 4.8.9 upto 4.8.11, 4.9.6 and 4.10.2 It still might be a bug, but i need more info. Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens Ian > Coetzee via samba > Verzonden: woensdag 10 april 2019 9:04 > Aan: Samba List > Onderwerp: [Samba] chown: changing ownership of 'test': > Invalid argument > > Hi All, > > I have a very weird issue on one of my servers. I think I > might just be > missing something quite obviously... I will post the config > files at the > bottom > > I have a brand new Debian server running as an LXC container > > > root at ho-vpn-ctx-ac01:~# lsb_release -a > > No LSB modules are available. > > Distributor ID: Debian > > Description: Debian GNU/Linux 9.8 (stretch) > > Release: 9.8 > > Codename: stretch > > root at ho-vpn-ctx-ac01:~# uname -a > > Linux ho-vpn-ctx-ac01 4.15.18-12-pve #1 SMP PVE 4.15.18-35 > (Wed, 13 Mar > > 2019 08:24:42 +0100) x86_64 GNU/Linux > > root at ho-vpn-ctx-ac01:~# > > > > I am running said server as a domain member using the latest > packages in > Louis' 4.9 branch > > > root at ho-vpn-ctx-ac01:~# net -V > > Version 4.9.6-Debian > > root at ho-vpn-ctx-ac01:~# net ads testjoin > > Join is OK > > > > The join seems to be good, nsswitch is working > > > root at ho-vpn-ctx-ac01:~# wbinfo -i ianc > > ianc:*:3201407:3200513::/home/JEOFFICE/ianc:/bin/bash > > root at ho-vpn-ctx-ac01:~# getent passwd ianc > > ianc:*:3201407:3200513::/home/JEOFFICE/ianc:/bin/bash > > > > Yet when I try to change the ownership of a file to a domain user, it > fails with "Invalid argument" > > > root at ho-vpn-ctx-ac01:~# chown -v ianc test > > chown: changing ownership of 'test': Invalid argument > > failed to change ownership of 'test' from root to ianc > > root at ho-vpn-ctx-ac01:~# chown -v jeadmin test > > changed ownership of 'test' from root to jeadmin > > root at ho-vpn-ctx-ac01:~# getent passwd jeadmin > > jeadmin:x:1000:27::/home/jeadmin:/bin/bash > > > > It works however when changing to a local user. So it looks > like the issue > might be in samba. This is the first time I have had this > problem after > quite a few other servers (a mix between CentOS, Debian and > Ubuntu) has > already been joined to the domain using the exact same smb.conf. > > On a side note, I am also unable to log into the server using domain > credentials, which I am currently attributing to the same cause. > > Can you guys maybe point me in the right direction where I > might start to > troubleshoot further? > > Kind regards > Ian > > Configs: > > root at ho-vpn-ctx-ac01:~# cat /etc/samba/smb.conf > [global] > workgroup = JEOFFICE > realm = JEOFFICE.JACKLIN.CO.ZA > security = ADS > template homedir = /home/%D/%U > template shell = /bin/bash > kerberos method = secrets only > winbind use default domain = true > # winbind offline logon = true > winbind enum groups = true > > netbios name = ho-vpn-ctx-ac01 > > log file = /var/log/samba/%m.log > log level = 1 > > # Default ID mapping configuration for local BUILTIN accounts > # and groups on a domain member. The default (*) domain: > # - must not overlap with any domain ID mapping configuration! > # - must use an read-write-enabled back end, such as tdb. > idmap config * : backend = tdb > idmap config * : range = 70001-80000 > idmap config JEOFFICE : backend = rid > idmap config JEOFFICE : range = 3200000-3300000 > > winbind nss info = template > root at ho-vpn-ctx-ac01:~# cat /etc/nsswitch.conf > # /etc/nsswitch.conf > # > # Example configuration of GNU Name Service Switch functionality. > # If you have the `glibc-doc-reference' and `info' packages > installed, try: > # `info libc "Name Service Switch"' for information about this file. > > passwd: compat winbind > group: compat winbind > shadow: compat > gshadow: files > > hosts: files dns > networks: files > > protocols: db files > services: db files > ethers: db files > rpc: db files > > netgroup: nis > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > >-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
L.P.H. van Belle
2019-Apr-10 09:12 UTC
[Samba] chown: changing ownership of 'test': Invalid argument
I forgot, post also: cat /etc/idmapd.conf ( im adding it in the debug-collector atm ) There might be a mis in detecting the Domain or Local-Realm. I suggest, add this : Domain = jeoffice.jacklin.co.za Local-Realm = JEOFFICE.JACKLIN.CO.ZA see if that helps. Greetz, Louis Van: Ian Coetzee [mailto:samba at iancoetzee.za.net] Verzonden: woensdag 10 april 2019 10:17 Aan: L.P.H. van Belle CC: samba at lists.samba.org Onderwerp: Re: [Samba] chown: changing ownership of 'test': Invalid argument Hi Louis, Thank you. I will add those line and test. Will revert shortly As requested. The output: root at ho-vpn-ctx-ac01:~# cat /tmp/samba-debug-info.txt Collected config --- 2019-04-10-08:12 ----------- Hostname: ho-vpn-ctx-ac01 DNS Domain: jeoffice.jacklin.co.za FQDN: ho-vpn-ctx-ac01.jeoffice.jacklin.co.za ipaddress: 10.10.18.50 10.10.11.50 ----------- Samba is running as a Unix domain member ----------- Checking file: /etc/os-release PRETTY_NAME="Debian GNU/Linux 9 (stretch)" NAME="Debian GNU/Linux" VERSION_ID="9" VERSION="9 (stretch)" ID=debian HOME_URL="https://www.debian.org/" SUPPORT_URL="https://www.debian.org/support" BUG_REPORT_URL="https://bugs.debian.org/" ----------- This computer is running Debian 9.8 x86_64 ----------- running command : ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet MailScanner warning: numerical links are often malicious: 127.0.0.1/8 scope host lo inet6 ::1/128 scope host 44: native0 at if45: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 link/ether 00:c1:2a:15:5c:fe brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet MailScanner warning: numerical links are often malicious: 10.10.18.50/24 brd 10.10.18.255 scope global native0 inet6 fe80::2c1:2aff:fe15:5cfe/64 scope link 46: dmz0 at if47: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 link/ether 00:c1:b1:ea:6c:fe brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet MailScanner warning: numerical links are often malicious: 10.10.11.50/24 brd 10.10.11.255 scope global dmz0 inet6 fe80::2c1:b1ff:feea:6cfe/64 scope link ----------- Checking file: /etc/hosts 127.0.0.1 localhost ::1 localhost ip6-localhost ip6-loopback ff02::1 ip6-allnodes ff02::2 ip6-allrouters # --- BEGIN PVE --- 10.10.18.50 ho-vpn-ctx-ac01.jeoffice.jacklin.co.za ho-vpn-ctx-ac01 # --- END PVE --- ----------- Checking file: /etc/resolv.conf # --- BEGIN PVE --- search jeoffice.jacklin.co.za nameserver 10.10.10.4 # --- END PVE --- ----------- Checking file: /etc/krb5.conf [libdefaults] default_realm = JEOFFICE.JACKLIN.CO.ZA # The following krb5.conf variables are only for MIT Kerberos. kdc_timesync = 1 ccache_type = 4 forwardable = true proxiable = true # The following encryption type specification will be used by MIT Kerberos # if uncommented. In general, the defaults in the MIT Kerberos code are # correct and overriding these specifications only serves to disable new # encryption types as they are added, creating interoperability problems. # # The only time when you might need to uncomment these lines and change # the enctypes is if you have local software that will break on ticket # caches containing ticket encryption types it doesn't know about (such as # old versions of Sun Java). # default_tgs_enctypes = des3-hmac-sha1 # default_tkt_enctypes = des3-hmac-sha1 # permitted_enctypes = des3-hmac-sha1 # The following libdefaults parameters are only for Heimdal Kerberos. fcc-mit-ticketflags = true [realms] ATHENA.MIT.EDU = { kdc = kerberos.mit.edu kdc = kerberos-1.mit.edu kdc = kerberos-2.mit.edu:88 admin_server = kerberos.mit.edu default_domain = mit.edu } ZONE.MIT.EDU = { kdc = casio.mit.edu kdc = seiko.mit.edu admin_server = casio.mit.edu } CSAIL.MIT.EDU = { admin_server = kerberos.csail.mit.edu default_domain = csail.mit.edu } IHTFP.ORG = { kdc = kerberos.ihtfp.org admin_server = kerberos.ihtfp.org } 1TS.ORG = { kdc = kerberos.1ts.org admin_server = kerberos.1ts.org } ANDREW.CMU.EDU = { admin_server = kerberos.andrew.cmu.edu default_domain = andrew.cmu.edu } CS.CMU.EDU = { kdc = kerberos-1.srv.cs.cmu.edu kdc = kerberos-2.srv.cs.cmu.edu kdc = kerberos-3.srv.cs.cmu.edu admin_server = kerberos.cs.cmu.edu } DEMENTIA.ORG = { kdc = kerberos.dementix.org kdc = kerberos2.dementix.org admin_server = kerberos.dementix.org } stanford.edu = { kdc = krb5auth1.stanford.edu kdc = krb5auth2.stanford.edu kdc = krb5auth3.stanford.edu master_kdc = krb5auth1.stanford.edu admin_server = krb5-admin.stanford.edu default_domain = stanford.edu } UTORONTO.CA = { kdc = kerberos1.utoronto.ca kdc = kerberos2.utoronto.ca kdc = kerberos3.utoronto.ca admin_server = kerberos1.utoronto.ca default_domain = utoronto.ca } [domain_realm] .mit.edu = ATHENA.MIT.EDU mit.edu = ATHENA.MIT.EDU .media.mit.edu = MEDIA-LAB.MIT.EDU media.mit.edu = MEDIA-LAB.MIT.EDU .csail.mit.edu = CSAIL.MIT.EDU csail.mit.edu = CSAIL.MIT.EDU .whoi.edu = ATHENA.MIT.EDU whoi.edu = ATHENA.MIT.EDU .stanford.edu = stanford.edu .slac.stanford.edu = SLAC.STANFORD.EDU .toronto.edu = UTORONTO.CA .utoronto.ca = UTORONTO.CA ----------- Checking file: /etc/nsswitch.conf # /etc/nsswitch.conf # # Example configuration of GNU Name Service Switch functionality. # If you have the `glibc-doc-reference' and `info' packages installed, try: # `info libc "Name Service Switch"' for information about this file. passwd: compat winbind group: compat winbind shadow: compat gshadow: files hosts: files dns networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: nis ----------- Checking file: /etc/samba/smb.conf [global] workgroup = JEOFFICE realm = JEOFFICE.JACKLIN.CO.ZA security = ADS template homedir = /home/%D/%U template shell = /bin/bash kerberos method = secrets only winbind use default domain = true # winbind offline logon = true winbind enum groups = true netbios name = ho-vpn-ctx-ac01 log file = /var/log/samba/%m.log log level = 1 # Default ID mapping configuration for local BUILTIN accounts # and groups on a domain member. The default (*) domain: # - must not overlap with any domain ID mapping configuration! # - must use an read-write-enabled back end, such as tdb. idmap config * : backend = tdb idmap config * : range = 70001-80000 idmap config JEOFFICE : backend = rid idmap config JEOFFICE : range = 3200000-3300000 winbind nss info = template ----------- Running as Unix domain member and no user.map detected. ----------- Installed packages: ii acl 2.2.52-3+b1 amd64 Access control list utilities ii attr 1:2.4.47-2+b2 amd64 Utilities for manipulating filesystem extended attributes ii krb5-config 2.6 all Configuration files for Kerberos Version 5 ii krb5-locales 1.15-1+deb9u1 all internationalization support for MIT Kerberos ii krb5-user 1.15-1+deb9u1 amd64 basic programs to authenticate using MIT Kerberos ii libacl1:amd64 2.2.52-3+b1 amd64 Access control list shared library ii libacl1-dev 2.2.52-3+b1 amd64 Access control list static libraries and headers ii libattr1:amd64 1:2.4.47-2+b2 amd64 Extended attribute shared library ii libattr1-dev:amd64 1:2.4.47-2+b2 amd64 Extended attribute static libraries and headers ii libgssapi-krb5-2:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism ii libkrb5-3:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries ii libkrb5support0:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries - Support library ii libnss-winbind:amd64 2:4.9.6+nmu-1.0debian1 amd64 Samba nameservice integration plugins ii libpam-winbind:amd64 2:4.9.6+nmu-1.0debian1 amd64 Windows domain authentication integration plugin ii libwbclient0:amd64 2:4.9.6+nmu-1.0debian1 amd64 Samba winbind client library ii python-samba 2:4.9.6+nmu-1.0debian1 amd64 Python bindings for Samba ii samba 2:4.9.6+nmu-1.0debian1 amd64 SMB/CIFS file, print, and login server for Unix ii samba-common 2:4.9.6+nmu-1.0debian1 all common files used by both the Samba server and client ii samba-common-bin 2:4.9.6+nmu-1.0debian1 amd64 Samba common files used by both the server and the client ii samba-dsdb-modules:amd64 2:4.9.6+nmu-1.0debian1 amd64 Samba Directory Services Database ii samba-libs:amd64 2:4.9.6+nmu-1.0debian1 amd64 Samba core libraries ii samba-vfs-modules:amd64 2:4.9.6+nmu-1.0debian1 amd64 Samba Virtual FileSystem plugins ii winbind 2:4.9.6+nmu-1.0debian1 amd64 service to resolve user and group information from Windows NT servers ----------- On Wed, 10 Apr 2019 at 09:37, L.P.H. van Belle via samba <samba at lists.samba.org> wrote: Hai Ian, Can you run my setup debugger.. https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh Anonimize where needed and post output. Because when i run this, it works fine. chown -v username test-own.txt changed ownership of 'test-own.txt' from root to username And yes, this user only exist in AD. Check if attr and acl are installed also. And if the smb.conf below is complete then your missing: # For ACL support on member servers with shares vfs objects = acl_xattr map acl inherit = Yes store dos attributes = Yes The difference between you and me, in smb.conf as far i can tell now. Me backend AD. You RID. Me kerberos method = secrets and keytab dedicated keytab file = /etc/krb5.keytab winbind refresh tickets = yes You ( only secrets ) I've just tested these versions because today my vpn needed the upgrades of samba also. I've tested and upgraded from 4.8.9 upto 4.8.11, 4.9.6 and 4.10.2 It still might be a bug, but i need more info. Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens Ian > Coetzee via samba > Verzonden: woensdag 10 april 2019 9:04 > Aan: Samba List > Onderwerp: [Samba] chown: changing ownership of 'test': > Invalid argument > > Hi All, > > I have a very weird issue on one of my servers. I think I > might just be > missing something quite obviously... I will post the config > files at the > bottom > > I have a brand new Debian server running as an LXC container > > > root at ho-vpn-ctx-ac01:~# lsb_release -a > > No LSB modules are available. > > Distributor ID: Debian > > Description: Debian GNU/Linux 9.8 (stretch) > > Release: 9.8 > > Codename: stretch > > root at ho-vpn-ctx-ac01:~# uname -a > > Linux ho-vpn-ctx-ac01 4.15.18-12-pve #1 SMP PVE 4.15.18-35 > (Wed, 13 Mar > > 2019 08:24:42 +0100) x86_64 GNU/Linux > > root at ho-vpn-ctx-ac01:~# > > > > I am running said server as a domain member using the latest > packages in > Louis' 4.9 branch > > > root at ho-vpn-ctx-ac01:~# net -V > > Version 4.9.6-Debian > > root at ho-vpn-ctx-ac01:~# net ads testjoin > > Join is OK > > > > The join seems to be good, nsswitch is working > > > root at ho-vpn-ctx-ac01:~# wbinfo -i ianc > > ianc:*:3201407:3200513::/home/JEOFFICE/ianc:/bin/bash > > root at ho-vpn-ctx-ac01:~# getent passwd ianc > > ianc:*:3201407:3200513::/home/JEOFFICE/ianc:/bin/bash > > > > Yet when I try to change the ownership of a file to a domain user, it > fails with "Invalid argument" > > > root at ho-vpn-ctx-ac01:~# chown -v ianc test > > chown: changing ownership of 'test': Invalid argument > > failed to change ownership of 'test' from root to ianc > > root at ho-vpn-ctx-ac01:~# chown -v jeadmin test > > changed ownership of 'test' from root to jeadmin > > root at ho-vpn-ctx-ac01:~# getent passwd jeadmin > > jeadmin:x:1000:27::/home/jeadmin:/bin/bash > > > > It works however when changing to a local user. So it looks > like the issue > might be in samba. This is the first time I have had this > problem after > quite a few other servers (a mix between CentOS, Debian and > Ubuntu) has > already been joined to the domain using the exact same smb.conf. > > On a side note, I am also unable to log into the server using domain > credentials, which I am currently attributing to the same cause. > > Can you guys maybe point me in the right direction where I > might start to > troubleshoot further? > > Kind regards > Ian > > Configs: > > root at ho-vpn-ctx-ac01:~# cat /etc/samba/smb.conf > [global] > workgroup = JEOFFICE > realm = JEOFFICE.JACKLIN.CO.ZA > security = ADS > template homedir = /home/%D/%U > template shell = /bin/bash > kerberos method = secrets only > winbind use default domain = true > # winbind offline logon = true > winbind enum groups = true > > netbios name = ho-vpn-ctx-ac01 > > log file = /var/log/samba/%m.log > log level = 1 > > # Default ID mapping configuration for local BUILTIN accounts > # and groups on a domain member. The default (*) domain: > # - must not overlap with any domain ID mapping configuration! > # - must use an read-write-enabled back end, such as tdb. > idmap config * : backend = tdb > idmap config * : range = 70001-80000 > idmap config JEOFFICE : backend = rid > idmap config JEOFFICE : range = 3200000-3300000 > > winbind nss info = template > root at ho-vpn-ctx-ac01:~# cat /etc/nsswitch.conf > # /etc/nsswitch.conf > # > # Example configuration of GNU Name Service Switch functionality. > # If you have the `glibc-doc-reference' and `info' packages > installed, try: > # `info libc "Name Service Switch"' for information about this file. > > passwd: compat winbind > group: compat winbind > shadow: compat > gshadow: files > > hosts: files dns > networks: files > > protocols: db files > services: db files > ethers: db files > rpc: db files > > netgroup: nis > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > >-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Maybe Matching Threads
- chown: changing ownership of 'test': Invalid argument
- chown: changing ownership of 'test': Invalid argument
- chown: changing ownership of 'test': Invalid argument
- chown: changing ownership of 'test': Invalid argument
- chown: changing ownership of 'test': Invalid argument