Rowland Penny
2016-Nov-18 14:53 UTC
[Samba] Clients can't write to group-writable files - plea for help
On Fri, 18 Nov 2016 09:13:44 -0500 Josh Malone via samba <samba at lists.samba.org> wrote:

> On 11/17/16 2:53 PM, Alex Crow via samba wrote:
> >
> >> From my understanding you seem to have Mac and Windows clients and
> >> are using the Samba machine as a fileserver. If the windows
> >> machines are joined to a domain, then you will probably be better
> >> off joining the Samba machine to the domain, this way you will not
> >> need the user map.
> >>
> >> It might help if you could explain your setup, if it is different
> >> from the above and a copy of your smb.conf would help as well.
> >>
> >> Rowland
>
> Sorry - I should have posted this from the beginning.
>
> http://www.cv.nrao.edu/~jmalone/smb.conf
>
> The samba server is joined to our AD domain. testjoin reports that
> the join is okay and authentication is working properly. The samba
> server is *also* joined to our NIS domain from which it gets the unix
> users.
>
> Usernames match between unix and AD. All accounts have uidNumber and
> gidNumber set correctly in AD (although it wasn't always like this;
> only recently did I implement this with a nightly script that copies
> the id numbers into AD).
>
> The smb.conf I posted is the one which exhibits the problem with
> group-writable files. By commenting the username map and uncommenting
> the username map script, the problem goes away. The mapusers.sh
> script just echoes $1. The usermap.cfg map file is empty. I've also
> tried removing that config line entirely - problem remains.
>
> The share I used for testing is:
>
> [www.nrao.edu]
>     comment = www.nrao.edu Web Content
>     path = /home/www.nrao.edu
>     public = no
>     writable = yes
>     browsable = yes
>     create mask = 664
>     directory mask = 2775
>
>
>
> Level 10 debug log is here, in its entirety this time:
>
>
> http://www.cv.nrao.edu/~jmalone/log.agrajag
>
>
> It's a Mac client running 10.11.something.
>
> -Josh
>

OK, can I suggest you stop using either a usermap or a userscript. Try setting up your domain member correctly, see here:

https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

and here:

https://wiki.samba.org/index.php/Idmap_config_ad

As you have Mac clients, it might be a good idea to use vfs_fruit, try reading 'man vfs_fruit'

Set up correctly, you won't have Windows, Mac and Unix users, you will just have AD users.

Rowland
Josh Malone
2016-Nov-18 15:11 UTC
[Samba] Clients can't write to group-writable files - plea for help
On 11/18/16 9:53 AM, Rowland Penny via samba wrote:

>
> OK, can I suggest you stop using either a usermap or a userscript. Try
> setting up your domain member correctly see here:

With no usermap file or script, the behavior is the same: can't write to files you should be able to based on group membership.

>
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>
> and here:
>
> https://wiki.samba.org/index.php/Idmap_config_ad

I thought my setup was almost that, with the exception of getting unix users from NIS instead of winbindd. Would that not work?

> As you have Mac clients, it might be a good idea to use vfs_fruit, try
> reading 'man vfs_fruit'

I'm not sure this will get us anything, particularly since Mac users have to share files with Linux users in almost all of our workflows.

> Setup correctly, you won't have windows, Mac and Unix users, you will
> just have AD users.

Well - that might just be my complication then: We have separate directories for Windows and Unix. They both contain the same users and have the same uid/gid numbers, but there are two directories.

>
> Rowland
>

Thanks again,

-Josh

--
--------------------------------------------------------
Joshua Malone             Systems Administrator
(jmalone at nrao.edu)     NRAO Charlottesville
434-296-0263              www.nrao.edu
434-249-5699 (mobile)
--------------------------------------------------------
Rowland Penny
2016-Nov-18 15:56 UTC
[Samba] Clients can't write to group-writable files - plea for help
On Fri, 18 Nov 2016 10:11:54 -0500 Josh Malone via samba <samba at lists.samba.org> wrote:

> On 11/18/16 9:53 AM, Rowland Penny via samba wrote:
> >
> > OK, can I suggest you stop using either a usermap or a userscript.
> > Try setting up your domain member correctly see here:
>
> With no usermap file or script, the behavior is the same: can't write
> to files you should be able to based on group membership.
>
> >
> > https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
> >
> > and here:
> >
> > https://wiki.samba.org/index.php/Idmap_config_ad
>
> I thought my setup was almost that, with the exception of getting
> unix users from NIS instead of winbindd. Would that not work?
>
>
> > As you have Mac clients, it might be a good idea to use vfs_fruit,
> > try reading 'man vfs_fruit'
>
> I'm not sure this will get us anything, particularly since Mac users
> have to share files with Linux users in almost all of our workflows.
>
>
> > Setup correctly, you won't have windows, Mac and Unix users, you will
> > just have AD users.
>
> Well - that might just be my complication then: We have separate
> directories for Windows and Unix. They both contain the same users
> and have the same uid/gid numbers, but there are two directories.
>
> >
> > Rowland
> >
>
> Thanks again,
>
> -Josh
>

OK, you have Windows users stored in AD, these use SID-RIDs, but by adding uidNumber attributes to the Windows users, they become Unix users as well, there is no need to have two directories. You would end up with one user with one password being available on Windows and Unix.

At the moment, you seem to have users stored in multiple places, with, I take it, the same (or possibly even worse, different) password(s) stored in multiple places.

What goes for users also goes for groups, groups and group members stored in AD and used everywhere.

Rowland
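
As an added illustration (not part of the original thread and not the smb.conf anyone posted), a minimal domain-member [global] section of the kind the two linked wiki pages describe: uidNumber/gidNumber are read from AD and no username map is used. EXAMPLE, EXAMPLE.COM and both ID ranges are placeholder assumptions, and the fragment assumes Unix accounts on the server are resolved through winbind rather than NIS.

```ini
[global]
    # Domain member joined to AD (placeholder realm and NetBIOS domain name)
    security = ads
    realm = EXAMPLE.COM
    workgroup = EXAMPLE

    # Default mapping for BUILTIN and local accounts only.
    # This range must not overlap the AD range below.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # AD domain: take uidNumber/gidNumber from the RFC 2307 attributes
    # already stored in AD. The range (an assumption here) must cover
    # every uidNumber and gidNumber in use; accounts and groups whose
    # IDs fall outside it, or that lack the attributes, are not mapped.
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : schema_mode = rfc2307
    idmap config EXAMPLE : range = 10000-999999

    # Deliberately absent: "username map" and "username map script".
    # With names and IDs coming from one directory there is nothing
    # left to translate between a Windows user and a Unix user.
```

After a change like this, `testparm` checks the file for syntax errors, and `id <user>` on the server should list the group that owns the group-writable files.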