samba - Jan 2023 - Files suddenly go readonly

Hi,

Running samba 4.10.16 on CentOS7. It's a fileserver but with a split
personality. For everything UNIX authentication is NIS (I know ;-) but for
samba we authenticate to AD and all users have the same uidNumber &
gidNumber as they do in NIS. This has been working fine but now I have some
users who suddenly lose write access to their files, sometimes. One user
has 2 workstations (1 works always, the other exhibits this issue so maybe
a patch on the workstation?). When this happens IF I give their files group
write permission they are good again. Does this ring a bell? I have a level
10 debug of an ACCESS_DENIED test but nothing in there looks obviously
wrong until the ACCESS_DENIED so I can't see why.

Tried to rebuild a newer samba version but CentOS seems to not like it.

Any thoughts?
Thanks,
Greg

-- 


Greg Dickie
just a guy
514-983-5400

On 18/01/2023 16:38, Greg Dickie via samba wrote:
> Hi,
> 
> Running samba 4.10.16 on CentOS7. It's a fileserver but with a split
> personality. For everything UNIX authentication is NIS (I know ;-) but for
> samba we authenticate to AD and all users have the same uidNumber &
> gidNumber as they do in NIS. 
The problem is, you shouldn't have any local users if you are running 
the computer as a domain member, Samba should be 'mapping' the AD users 
to Unix users.

Is it possible to see your smb.conf used on the Unix machines ?

This has been working fine but now I have some
> users who suddenly lose write access to their files, sometimes. One user
> has 2 workstations (1 works always, the other exhibits this issue so maybe
> a patch on the workstation?). When this happens IF I give their files group
> write permission they are good again. Does this ring a bell? I have a level
> 10 debug of an ACCESS_DENIED test but nothing in there looks obviously
> wrong until the ACCESS_DENIED so I can't see why.
Are they supposed to have 'user' permissions or just 'group' 
permissions, also are you using extended ACL's ?
> 
> Tried to rebuild a newer samba version but CentOS seems to not like it.
I noticed :-D
> 
> Any thoughts?
What on ? Life, the universe and everything ? If so the answer is '42'

Rowland

On 18.01.2023 17:38, Greg Dickie via samba wrote:
> Hi,
>
> Running samba 4.10.16 on CentOS7. It's a fileserver but with a split
> personality. For everything UNIX authentication is NIS (I know ;-) but for
> samba we authenticate to AD and all users have the same uidNumber &
> gidNumber as they do in NIS. This has been working fine but now I have some
> users who suddenly lose write access to their files, sometimes. One user
> has 2 workstations (1 works always, the other exhibits this issue so maybe
> a patch on the workstation?). When this happens IF I give their files group
> write permission they are good again. Does this ring a bell? I have a level
> 10 debug of an ACCESS_DENIED test but nothing in there looks obviously
> wrong until the ACCESS_DENIED so I can't see why.
>
> Tried to rebuild a newer samba version but CentOS seems to not like it.
>
> Any thoughts?
> Thanks,
> Greg
>
Hi Greg,

I had the same problem with a CentOS 7.9 box, same Samba version, just 
until a few days ago. I set up a new server with Debian Bookworm (OK 
Rowland, I know, it's not released yet), and Samba 4.17.4. Those 
problems are gone after migrating to the new server. Rowland pointed out 
some unnecessary lines in my smb.conf, for which I'm most grateful.

I'm using the rid backend in the old server, and the rid backend with 
the same ID ranges in the new server. I transferred most of the data 
files to the new server with rsync a couple of days ago. I made some 
minor adjustments with RSAT to the share permissions according to the 
current documentation and Rowland's suggestions, and that was really 
all. Everything is up and running without any problems at all. The 
coming weekend I'm going to move the user profiles to the new server.

In my case, the old server was really past EOL, which gave me an 
excellent opportunity to make the switch.

I have had several servers based on CentOS (still have a couple old 
ones), but the direction the RedHat world is going, is just deviating 
too much from mainstream Linux. About 4 years ago, I started to migrate 
servers to Debian, or install new ones for different purposes. IMHO 
Debian is middle ground between ultra conservatism (RedHat previously, 
now quirkiness), and bleeding edge (Archlinux). I have also tried to 
upgrade Samba in the CentOS boxes on several occasions (building from 
sources), but it's not worth the trouble. The amount of work is just too 
much. It doesn't make sense.

I hope this information can shed some light on your problems, and the 
background for a sensible remedy.

Best regards,

Peter