Rowland Penny
2024-Jun-17 18:18 UTC
[Samba] Random permission denied and path not found errors
On Mon, 17 Jun 2024 19:47:04 +0200 Tamas Papp via samba <samba at lists.samba.org> wrote:

>
> On 6/17/24 16:15, Rowland Penny via samba wrote:
> > Are your incus containers privileged ?
>
> Yes.
>
> > I should also point out that, from the Samba point of view, 4.15.13
> > is EOL.
>
>
> I can upgrade samba (ubuntu), but would only do if there is any
> relevant change/fix/improvement. The release notes are quite long and
> in many cases I am unsure about the meaning of the content.
>
> Ubuntu 24.04 includes 4.19.5+dfsg-4ubuntu9.

There have been numerous fixes since 4.15.x, using the most recent version of Samba possible is always a good idea.

>
> > No idea because I haven't a clue how you are running Samba, for all
> > I know, you could be running sssd on a Samba fileserver.
> >
> > Might be an idea if you post the output of 'testparm -s'
>
>
> Good point, I missed adding the configuration.
>
> The windows server is a AD DC and samba is AD member:
>
>
> # Global parameters
> [global]
>     kerberos method = secrets and keytab
>     log file = /var/log/samba/log.%m
>     logging = file
>     map to guest = Bad User
>     max log size = 1000
>     obey pam restrictions = Yes
>     pam password change = Yes
>     panic action = /usr/share/samba/panic-action %d
>     passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>     passwd program = /usr/bin/passwd %u
>     realm = SPECTRALSTUDIOS.LOCAL
>     security = ADS
>     server role = standalone server
>     server string = %h server (Samba, Ubuntu)
>     template homedir = /home/%U@%D
>     template shell = /bin/bash
>     unix password sync = Yes
>     usershare allow guests = Yes
>     winbind offline logon = Yes
>     winbind refresh tickets = Yes
>     workgroup = SPECTRALSTUDIOS
>     idmap config * : range = 10000-999999
>     idmap config spectralstudios : backend = rid
>     idmap config spectralstudios : range = 2000000-2999999
>     idmap config * : backend = tdb
>
> [HUNY_asset]
>     comment = HUNY/asset
>     create mask = 0664
>     directory mask = 02775
>     force create mode = 0664
>     force directory mode = 02775
>     path = /data/Projects/HUNY/asset
>     read only = No
>     valid users = "@spectralstudios\domain users"
>
>
> There are more shares but the configuration is the same.

Hmm, did you take the standard Ubuntu smb.conf and then add to it ?
I ask this because you have numerous lines that do not really have a place in Unix domain member smb.conf

I would definitely remove these lines:

    obey pam restrictions = Yes
    pam password change = Yes
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    passwd program = /usr/bin/passwd %u
    server role = standalone server
    unix password sync = Yes

Unless you have 'guest ok = yes' or 'public = yes' set in a share (if so why ?) then I would remove this line:

    map to guest = Bad User

Also if you are not going to be using usershares, I would remove this line:

    usershare allow guests = Yes

Turning to your share, add these lines to 'global':

    vfs objects = acl_xattr
    map acl inherit = Yes

then make your share look like this:

[HUNY_asset]
    comment = HUNY/asset
    read only = No

Then read this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Rowland
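
The cleanup described in the message above, as an added example that is not part of the original thread or of Samba itself: a Python check that reads 'testparm -s' style output and lists the [global] lines the reply says to remove, applying its 'map to guest' condition. The function names and the sample input are constructed; parameters are matched by name only, not by value.

```python
import re

# Parameters the reply above says to remove from a domain member's [global].
REMOVE = {"obey pam restrictions", "pam password change", "passwd chat",
          "passwd program", "server role", "unix password sync"}

def parse_testparm(text):
    """Parse `testparm -s` style output into {section: {param: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Normalise case and runs of whitespace in the parameter name.
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def review_member_conf(text):
    """Return sorted (param, reason) findings for the [global] section."""
    conf = parse_testparm(text)
    glob = conf.get("global", {})
    shares = [s for name, s in conf.items() if name != "global"]
    findings = [(p, "no place on a domain member") for p in REMOVE if p in glob]
    # 'map to guest' only matters if some share has guest ok / public = yes.
    guest = any(s.get(k, "").lower() == "yes"
                for s in shares for k in ("guest ok", "public"))
    if "map to guest" in glob and not guest:
        findings.append(("map to guest", "no share allows guest access"))
    if "usershare allow guests" in glob:
        findings.append(("usershare allow guests", "drop unless usershares are used"))
    return sorted(findings)

# Constructed sample, shortened from the configuration posted in the thread.
SAMPLE = """\
[global]
    security = ADS
    server role = standalone server
    map to guest = Bad User
    unix password sync = Yes
    usershare allow guests = Yes
[HUNY_asset]
    path = /data/Projects/HUNY/asset
    read only = No
"""

if __name__ == "__main__":
    for param, reason in review_member_conf(SAMPLE):
        print(f"{param}: {reason}")
```
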
Tamas Papp
2024-Jun-17 20:46 UTC
[Samba] Random permission denied and path not found errors
On 6/17/24 20:18, Rowland Penny via samba wrote:

> There have been numerous fixes since 4.15.x , using the most recent
> version of Samba possible is always a good idea.

As usual, my concern with new releases is that even though some fixes are included in general, with new features new bugs are added too. Of course, if nobody comes up with a specific idea or suggestion, I will give it a try.

Is there anybody on the list who is familiar with a similar use case: a VFX workload backend or a storage server with a (relatively) large number of files and parallel clients (read and write) and about 1-4 Gb/s traffic load? I have never maintained a Samba server in such an environment before and I have never met a similar issue before. I would like to make sure whether Samba is suitable to serve a specific workload like this.

> Hmm, did you take the standard Ubuntu smb.conf and then add to it ?

Yes, I did.

> I ask this because you have numerous lines that do not really have a
> place in Unix domain member smb.conf
>
> I would definitely remove these lines:
>
>     obey pam restrictions = Yes
>     pam password change = Yes
>     passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>     passwd program = /usr/bin/passwd %u
>     server role = standalone server
>     unix password sync = Yes
>
> Unless you have 'guest ok = yes' or 'public = yes' set in a share (if
> so why ?) then I would remove this line:
>
>     map to guest = Bad User
>
> Also if you are not going to be using usershares, I would remove this
> line:
>
>     usershare allow guests = Yes

To my understanding, the above settings are unrelated to my problem. Correct me if I'm wrong.

> Turning to your share, add these lines to 'global':
>
> vfs objects = acl_xattr
> map acl inherit = Yes
>
> then make your share look like this:
>
> [HUNY_asset]
>     comment = HUNY/asset
>     read only = No

According to the man page:

read only (S)
    An inverted synonym is writeable.

Does it make any difference compared to 'writeable = yes'?

> Then read this:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Since my FS backend is ZFS, my guess is that it should be vfs_zfsacl. But actually I don't really want to complicate the rights. I would like to use the standard posix mode right management. Is my assumption correct that in such a case I don't need the above ACL settings?

Currently, my problem is solely related to the random permission denied and path not found errors which regularly come and go, so I don't think it's really a rights problem.

Thanks,
t
Tamás Papp
2024-Jun-22 09:34 UTC
[Samba] Random permission denied and path not found errors
I have upgraded one of the servers to 4.20 from MJT's repository, however it's not the main one and has way lower traffic load. I have also removed the entries that you suggested.

Besides these changes, I started wondering about two other workarounds.

1. Is it possible to add and authenticate a local user when the samba server is an AD member? I would add a local user and render machines would map the share with that user.
2. Is there any option to cache AD users better? My assumption is that the user id or gid does not resolve properly and that's the root cause.

Could you advise, please?

On June 17, 2024 20:20:49 Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Mon, 17 Jun 2024 19:47:04 +0200
> Tamas Papp via samba <samba at lists.samba.org> wrote:
>
>>
>> On 6/17/24 16:15, Rowland Penny via samba wrote:
>>> Are your incus containers privileged ?
>>
>> Yes.
>>
>>> I should also point out that, from the Samba point of view, 4.15.13
>>> is EOL.
>>
>>
>> I can upgrade samba (ubuntu), but would only do if there is any
>> relevant change/fix/improvement. The release notes are quite long and
>> in many cases I am unsure about the meaning of the content.
>>
>> Ubuntu 24.04 includes 4.19.5+dfsg-4ubuntu9.
>
> There have been numerous fixes since 4.15.x , using the most recent
> version of Samba possible is always a good idea.
>
>>
>>> No idea because I haven't a clue how you are running Samba, for all
>>> I know, you could be running sssd on a Samba fileserver.
>>>
>>> Might be an idea if you post the output of 'testparm -s'
>>
>>
>> Good point, I missed adding the configuration.
>>
>> The windows server is a AD DC and samba is AD member:
>>
>>
>> # Global parameters
>> [global]
>>     kerberos method = secrets and keytab
>>     log file = /var/log/samba/log.%m
>>     logging = file
>>     map to guest = Bad User
>>     max log size = 1000
>>     obey pam restrictions = Yes
>>     pam password change = Yes
>>     panic action = /usr/share/samba/panic-action %d
>>     passwd chat = *Enter\snew\s*\spassword:* %n\n
>> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>     passwd program = /usr/bin/passwd %u
>>     realm = SPECTRALSTUDIOS.LOCAL
>>     security = ADS
>>     server role = standalone server
>>     server string = %h server (Samba, Ubuntu)
>>     template homedir = /home/%U@%D
>>     template shell = /bin/bash
>>     unix password sync = Yes
>>     usershare allow guests = Yes
>>     winbind offline logon = Yes
>>     winbind refresh tickets = Yes
>>     workgroup = SPECTRALSTUDIOS
>>     idmap config * : range = 10000-999999
>>     idmap config spectralstudios : backend = rid
>>     idmap config spectralstudios : range = 2000000-2999999
>>     idmap config * : backend = tdb
>>
>> [HUNY_asset]
>>     comment = HUNY/asset
>>     create mask = 0664
>>     directory mask = 02775
>>     force create mode = 0664
>>     force directory mode = 02775
>>     path = /data/Projects/HUNY/asset
>>     read only = No
>>     valid users = "@spectralstudios\domain users"
>>
>>
>> There are more shares but the configuration is the same.
>
> Hmm, did you take the standard Ubuntu smb.conf and then add to it ?
> I ask this because you have numerous lines that do not really have a
> place in Unix domain member smb.conf
>
> I would definitely remove these lines:
>
>     obey pam restrictions = Yes
>     pam password change = Yes
>     passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:*
> %n\n *password\supdated\ssuccessfully* .
>     passwd program = /usr/bin/passwd %u
>     server role = standalone server
>     unix password sync = Yes
>
> Unless you have 'guest ok = yes' or 'public = yes' set in a share (if
> so why ?) then I would remove this line:
>
>     map to guest = Bad User
>
> Also if you are not going to be using usershares, I would remove this
> line:
>
>     usershare allow guests = Yes
>
> Turning to your share, add these lines to 'global':
>
> vfs objects = acl_xattr
> map acl inherit = Yes
>
> then make your share look like this:
>
> [HUNY_asset]
>     comment = HUNY/asset
>     read only = No
>
> Then read this:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba