samba - Nov 2016 - Clients can't write to group-writable files - plea for help

> From my understanding you seem to have Mac and Windows clients and are
> using the Samba machine as a fileserver. If the windows machines are
> joined to a domain, then you will probably be better off joining the
> Samba machine to the domain, this way you will not need the user map. 
>
> It might help if you could explain your setup, if it is different
> from the above and a copy of your smb.conf would help as well.
>
> Rowland
>   
>
>
Didn't even consider that as a possibility (I saw the words "member
server" that implied to be that the server was already joined. TBH I now
have no idea what the OP's setup is...

Alex
--
This message is intended only for the addressee and may contain
confidential information. Unless you are that person, you may not
disclose its contents or use it in any way and are requested to delete
the message along with any attachments and notify us immediately.
This email is not intended to, nor should it be taken to, constitute advice.
The information provided is correct to our knowledge & belief and must not
be used as a substitute for obtaining tax, regulatory, investment, legal or
any other appropriate advice.

"Transact" is operated by Integrated Financial Arrangements Ltd.
29 Clement's Lane, London EC4N 7AE. Tel: (020) 7608 4900 Fax: (020) 7608
5300.
(Registered office: as above; Registered in England and Wales under
number: 3727592). Authorised and regulated by the Financial Conduct
Authority (entered on the Financial Services Register; no. 190856).

On 11/17/16 2:53 PM, Alex Crow via samba wrote:
>
>> From my understanding you seem to have Mac and Windows clients and are
>> using the Samba machine as a fileserver. If the windows machines are
>> joined to a domain, then you will probably be better off joining the
>> Samba machine to the domain, this way you will not need the user map.
>>
>> It might help if you could explain your setup, if it is different
>> from the above and a copy of your smb.conf would help as well.
>>
>> Rowland
Sorry - I should have posted this from the beginning.

    http://www.cv.nrao.edu/~jmalone/smb.conf

The samba server is joined to our AD domain. testjoin reports that the 
join is okay and authentication is working properly. The samba server is 
*also* joined to our NIS domain from which it gets the unix users.

Usernames match between unix and AD. All accounts have uidNumber and 
gidNumber set correctly in AD (although it wasn't always like this; only 
recently did I implement this with a nightly script that copies the id 
numbers into AD).

The smb.conf I posted is the one which exhibits the problem with 
group-writable files. By commenting the username map and uncommenting 
the username map script, the problem goes away. The mapusers.sh script 
just echos $1. The usermap.cfg map file is empty. I've also tried 
removing that config line entirely - problem remains.

The share I used for testing is:

[www.nrao.edu]
         comment = www.nrao.edu Web Content
         path = /home/www.nrao.edu
         public = no
         writable = yes
         browsable = yes
         create mask = 664
         directory mask = 2775



Level 10 debug log is here, in its entirety this time:


    http://www.cv.nrao.edu/~jmalone/log.agrajag


It's a Mac client running 10.11.something.

-Josh

-- 
--------------------------------------------------------
        Joshua Malone       Systems Administrator
      (jmalone at nrao.edu)    NRAO Charlottesville
         434-296-0263           www.nrao.edu
	434-249-5699 (mobile)
--------------------------------------------------------

On Fri, 18 Nov 2016 09:13:44 -0500
Josh Malone via samba <samba at lists.samba.org> wrote:
> On 11/17/16 2:53 PM, Alex Crow via samba wrote:
> >
> >> From my understanding you seem to have Mac and Windows clients and
> >> are using the Samba machine as a fileserver. If the windows
> >> machines are joined to a domain, then you will probably be better
> >> off joining the Samba machine to the domain, this way you will not
> >> need the user map.
> >>
> >> It might help if you could explain your setup, if it is different
> >> from the above and a copy of your smb.conf would help as well.
> >>
> >> Rowland
> 
> Sorry - I should have posted this from the beginning.
> 
>     http://www.cv.nrao.edu/~jmalone/smb.conf
> 
> The samba server is joined to our AD domain. testjoin reports that
> the join is okay and authentication is working properly. The samba
> server is *also* joined to our NIS domain from which it gets the unix
> users.
> 
> Usernames match between unix and AD. All accounts have uidNumber and 
> gidNumber set correctly in AD (although it wasn't always like this;
> only recently did I implement this with a nightly script that copies
> the id numbers into AD).
> 
> The smb.conf I posted is the one which exhibits the problem with 
> group-writable files. By commenting the username map and uncommenting 
> the username map script, the problem goes away. The mapusers.sh
> script just echos $1. The usermap.cfg map file is empty. I've also
> tried removing that config line entirely - problem remains.
> 
> The share I used for testing is:
> 
> [www.nrao.edu]
>          comment = www.nrao.edu Web Content
>          path = /home/www.nrao.edu
>          public = no
>          writable = yes
>          browsable = yes
>          create mask = 664
>          directory mask = 2775
> 
> 
> 
> Level 10 debug log is here, in its entirety this time:
> 
> 
>     http://www.cv.nrao.edu/~jmalone/log.agrajag
> 
> 
> It's a Mac client running 10.11.something.
> 
> -Josh
> 
OK, can I suggest you stop using either a usermap or a userscript. Try
setting up your domain member correctly see here:

https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

and here:

https://wiki.samba.org/index.php/Idmap_config_ad

As you have Mac clients, it might be a good idea to use vfs_fruit, try
reading 'man vfs_fruit'

Setup correctly, you wont have windows, Mac and Unix users, you will
just have AD users.

Rowland