Kees van Vloten
2024-Mar-28 19:10 UTC
[Samba] Linux Mint 21.3 client AD joined OK but no usb working
On 28-03-2024 19:53, Rowland Penny via samba wrote:
> On Thu, 28 Mar 2024 19:04:44 +0100
> Kees van Vloten via samba <samba at lists.samba.org> wrote:
>
>> On 28-03-2024 18:53, Rowland Penny via samba wrote:
>>> On Thu, 28 Mar 2024 11:33:16 +0000
>>> Rowland Penny via samba <samba at lists.samba.org> wrote:
>>>
>>>> On Wed, 27 Mar 2024 18:13:16 +0000
>>>> Rowland Penny via samba <samba at lists.samba.org> wrote:
>>>>> Now thinking about apparmor, could this be stopping writing to the
>>>>> drive ?
>>>>>
>>>> No, I removed apparmor and rebooted, no different.
>>>>
>>>> Tried to format the drive, but it seems to have gone read only, so
>>>> used another drive and formatted that.
>>>>
>>>> When I insert the USB drive, it gets mounted on
>>>> /media/rowland/usbdrive1
>>>>
>>>> Checking the permissions on the path shows this:
>>>>
>>>> rowland at devstation:~$ ls -ld /media/
>>>> drwxr-xr-x 4 root root 4096 Mar 27 17:15 /media/
>>>>
>>>> Anyone can traverse /media
>>>>
>>>> rowland at devstation:~$ ls -ld /media/rowland/
>>>> drwxr-x---+ 3 root root 4096 Mar 28 09:36 /media/rowland/
>>>>
>>>> There is an EA, so check that:
>>>>
>>>> rowland at devstation:~$ getfacl /media/rowland/
>>>> getfacl: Removing leading '/' from absolute path names
>>>> # file: media/rowland/
>>>> # owner: root
>>>> # group: root
>>>> user::rwx
>>>> user:rowland:r-x
>>>> group::---
>>>> mask::r-x
>>>> other::---
>>>>
>>>> Only 'root', members of the 'root' group and 'rowland' can traverse
>>>> /media/rowland
>>>>
>>>> rowland at devstation:~$ ls -ld /media/rowland/usbdrive1/
>>>> drwxr-xr-x 3 root root 4096 Mar 28 09:32 /media/rowland/usbdrive1/
>>>>
>>>> So 'rowland' can traverse to the 'usbdrive1' directory, but only
>>>> 'root' can write to it.
>>>>
>>>> WHY ??????????
>>>>
>>>> It mounts the drive in a directory named after the user, it allows
>>>> the user to get to the drive, but then denies the user the ability
>>>> to write to the drive.
>>>>
>>>> Off to find out just what 'mounts' the drive and how.
>>>>
>>>> Rowland
>>>>
>>> It seems that it is udev and udisks2 that automatically mount the
>>> USB drive after it is plugged into a USB port.
>>> The problem is, as I stated earlier, whilst it is mounted under a
>>> directory with the user's name, it is mounted rwx for root and r-x
>>> for the user (others), which, if you think about it, is probably
>>> correct for a removable drive. Whilst the user may have one ID on a
>>> computer, they may have another ID on a different computer.
>>> The only cure I can find is to change the owner of the USB drive's
>>> directory, e.g. chown rowland /media/rowland/usbdrive1
>>>
>>> Rowland
>> I did not read the whole thread back, so perhaps this is long
>> obvious...
>>
>> If the user is a domain-user and the same id-mapping is used
>> everywhere, it should get the same UID/GID everywhere...
> Well yes, but udev & udisks2 are written from the point of view of a
> Linux computer where a user or group may not get the same IDs on
> different computers.
>
> I found this:
>
> https://wiki.archlinux.org/title/Udev#Allowing_regular_users_to_use_devices
>
> Which seems to say that you can make it work for user writing, but it
> sounds like it works on a device by device basis.
>
> I haven't given up on this yet, there must be a way for domain users to
> write to a USB drive without manual intervention.
>
> Rowland

A local daemon will use /etc/nsswitch.conf to look up UIDs and Winbind can supply them.

In addition I make (domain) users a member of these local groups:

audio,video,dialout,cdrom,floppy,lpadmin,plugdev,bluetooth,netdev,pulse-access,users

Some users also want to be a member of local groups like: libvirt, kvm, docker, vboxusers

You can do this with: usermod -a -G <group> <domain-user>. This mechanism works much better than pam_group (which does not work for this purpose).

I do this when a domain-user logs in and the reverse when (s)he logs off, with a script triggered by pam-session; a copy is already in the list archive somewhere.

- Kees.
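Kees' pam-session script itself is not in this thread (he points to the list archive). As an added illustration that is not his code, this is a pam_exec session hook doing what he describes: on open_session it appends a domain user to the local groups he lists, on close_session it removes them again. The PAM configuration line, the script path and the constructed group/passwd files used for checking are assumptions.

```sh
#!/bin/sh
# Added example, not the script from the list archive. Assumed PAM line:
#   session optional pam_exec.so /usr/local/sbin/domain-local-groups.sh
# pam_exec exports PAM_USER and PAM_TYPE (open_session / close_session).

# The local groups Kees grants to domain users in the thread.
LOCAL_GROUPS="audio,video,dialout,cdrom,floppy,lpadmin,plugdev,bluetooth,netdev,pulse-access,users"

# Print the comma list of groups from $1 that exist in group file $2
# (default /etc/group), so usermod never fails on a group this distro lacks.
existing_groups() {
    _want=$1; _file=${2:-/etc/group}; _out=""
    for _g in $(printf '%s' "$_want" | tr ',' ' '); do
        if cut -d: -f1 "$_file" | grep -qxF -- "$_g"; then
            _out="${_out:+$_out,}$_g"
        fi
    done
    printf '%s\n' "$_out"
}

# A domain user is one that NSS (winbind via /etc/nsswitch.conf) resolves
# but that has no entry in the local passwd file $2 (default /etc/passwd).
is_domain_user() {
    _user=$1; _file=${2:-/etc/passwd}
    if cut -d: -f1 "$_file" | grep -qxF -- "$_user"; then
        return 1    # local account: leave its group membership alone
    fi
    getent passwd "$_user" >/dev/null 2>&1
}

# Add on open_session, remove on close_session; other PAM types are ignored.
handle_session() {
    is_domain_user "$PAM_USER" || return 0
    _groups=$(existing_groups "$LOCAL_GROUPS")
    case "$PAM_TYPE" in
        open_session)
            usermod -a -G "$_groups" "$PAM_USER" ;;
        close_session)
            for _g in $(printf '%s' "$_groups" | tr ',' ' '); do
                gpasswd -d "$PAM_USER" "$_g" >/dev/null 2>&1 || true
            done ;;
    esac
}

# Act only when invoked by pam_exec (PAM_TYPE set); sourcing the file does nothing.
case "${PAM_TYPE:-}" in
    open_session|close_session) handle_session ;;
esac
```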
Rowland Penny
2024-Mar-28 19:25 UTC
[Samba] Linux Mint 21.3 client AD joined OK but no usb working
On Thu, 28 Mar 2024 20:10:32 +0100
Kees van Vloten via samba <samba at lists.samba.org> wrote:

> A local daemon will use /etc/nsswitch.conf to look up UIDs and Winbind
> can supply them.
>
> In addition I make (domain) users a member of these local groups:
>
> audio,video,dialout,cdrom,floppy,lpadmin,plugdev,bluetooth,netdev,pulse-access,users
>
> Some users also want to be a member of local groups like: libvirt, kvm,
> docker, vboxusers
>
> You can do this with: usermod -a -G <group> <domain-user>. This
> mechanism works much better than pam_group (which does not work for
> this purpose).

It worked for myself:

SAMDOM\rowland at rpidc1:~ $ groups
domain users dialout cdrom floppy audio video plugdev scanner BUILTIN\administrators BUILTIN\users domain admins denied rodc password replication group rowland testgroup

It just didn't help with the problem.

> I do this when a domain-user logs in and the reverse when (s)he logs
> off, with a script triggered by pam-session; a copy is already in the
> list archive somewhere.

Perhaps running a script when a USB drive is inserted might be the way forward, but I haven't given up on either udev or udisks2 being able to set the correct ownership.

Rowland

> - Kees.