Paul R. Ganci
2018-Mar-01 04:00 UTC
[Samba] User permissions of profile/home directory lost
Hi All,

I run a small domain for my home that consists just of two user accounts... one for my wife and one for me. I just have a single DC and the home and profile shares are located on the DC. For years this setup has served just fine giving me access to both linux and windows with a unified authentication and file server base.

However, on Monday around 12 noon MST my wife lost permissions to her home and profile directories on both our Windows 7 Pro and CentOS 6&7 systems. If I logged into the DC and did 'getent passwd' her account showed up correctly. A 'ls -lat' command showed that the directory/files were owned properly by my wife's account. A getfacl showed that the ACLs were exactly like my own account which functioned properly. There was absolutely no reason for her to be denied permission to her directories or the files contained therein. And the permission issue was present even on the DC.

After struggling with this problem for the past 48 hours I decided to do a 'chown -R' on her profile and home directories, even though I thought this was silly since other linux commands indicated everything was set up correctly. Much to my surprise the 'chown -R' command fixed the problem.

I am at a loss as to what could have possibly occurred to make the DC believe that my wife's account was not the owner of her home and profile directory and the files contained in those directories. It seems even stranger that on the DC, linux indicated that my wife's account owned the files but yet would not grant permission even though the ownership and ACLs were correct.

Everything is well now, albeit for how long I don't know. I would be extremely grateful for any thoughts on what might have occurred and how to avoid this issue in the future.

My wife's email was lost for ~48 hours because a bounce occurred due to the inability of dovecot to write to her account's maildir. Needless to say my wife was not happy, and an unhappy wife ... well, let's just say I would like to avoid that in the future.

Thank you for any insights.

-- 
Paul (ganci at nurdog.com)
Cell: (303)257-5208
Rowland Penny
2018-Mar-01 08:02 UTC
[Samba] User permissions of profile/home directory lost
On Wed, 28 Feb 2018 21:00:24 -0700
"Paul R. Ganci via samba" <samba at lists.samba.org> wrote:

> Hi All,
>
> I run a small domain for my home that consists just of two user
> accounts... one for my wife and one for me. I just have a single DC
> and the home and profile shares are located on the DC. For years this
> setup has served just fine giving me access to both linux and windows
> with a unified authentication and file server base.
>
> However, on Monday around 12 noon MST my wife lost permissions to her
> home and profile directories on both our Windows 7 Pro and CentOS 6&7
> systems. If I logged into the DC and did 'getent passwd' her account
> showed up correctly. A 'ls -lat' command showed that the
> directory/files were owned properly by my wife's account. A getfacl
> showed that the ACLs were exactly like my own account which
> functioned properly. There was absolutely no reason for her to be
> denied permission to her directories or the files contained therein.
> And the permission issue was present even on the DC.
>
> After struggling with this problem for the past 48 hours I decided to
> do a 'chown -R' on her profile and home directories, even though I
> thought this was silly since other linux commands indicated
> everything was set up correctly. Much to my surprise the 'chown -R'
> command fixed the problem.
>
> I am at a loss as to what could have possibly occurred to make the DC
> believe that my wife's account was not the owner of her home and
> profile directory and the files contained in those directories. It
> seems even stranger that on the DC, linux indicated that my wife's
> account owned the files but yet would not grant permission even
> though the ownership and ACLs were correct.
>
> Everything is well now, albeit for how long I don't know. I would be
> extremely grateful for any thoughts on what might have occurred and
> how to avoid this issue in the future.
>
> My wife's email was lost for
> ~48 hours because a bounce occurred due to the inability of dovecot
> to write to her account's maildir. Needless to say my wife was not
> happy, and an unhappy wife ... well, let's just say I would like to
> avoid that in the future.
>
> Thank you for any insights.

Is this a PDC (NT4-style domain) or an AD DC ?

Either way, I have never heard of anything like this happening before,
perhaps it might help if you post your smb.conf.

Rowland
Paul R. Ganci
2018-Mar-02 03:08 UTC
[Samba] User permissions of profile/home directory lost
On 03/01/2018 01:02 AM, Rowland Penny wrote:
> Is this a PDC (NT4-style domain) or an AD DC ?
> Either way, I have never heard of anything like this happening before,
> perhaps it might help if you post your smb.conf.

Hi Rowland,

Whatever is occurring has happened again today. I had to "chown -R" my wife's home/Profile directories and files. Very strange, and it makes me wonder if she doesn't have some kind of malware on her laptop. I am checking that now.

In any case let me answer your questions. The DC is an AD DC. I originally set it up with an early 4.0 version of Samba. Over time I haven't really done anything to the configuration. However, there were a few things necessary as the behavior of Samba ADs changed with new versions. Before I show the smb.conf file several historical things should be noted.

1.) I originally used a RID back-end. However, I was persuaded on a 10/22/2013 thread to switch to an AD back-end. I did that but kept the RID-generated UID/GID. You had mentioned in another thread that was confusing, but I never changed to saner UIDs/GIDs because everything worked as it was.

2.) There is a long "server services" line that at one point you had questioned in an early thread when winbind on the DC behavior changed. You pointed out what I had was equivalent to something simpler; I couldn't find the thread, but it was around the time I updated from 4.1.18 to 4.2.2.

3.) I have the winbind enum groups/users set to yes purposely. I have so few users there is no penalty really. It is nice to have getent enumerate all the users and groups for debug reasons. That is usually one of the first things I do after an upgrade.

4.) The original set up is what I could find on the web back in the fall of 2013 when I set up the domain. Everything has worked relatively flawlessly until this week (2/25/2018), so that is nearly 5 years without doing much maintenance except Samba updates.

Presently the AD DC runs on a Dell 2950iii with CentOS 6.9, the Sernet packages version 4.7.5-10. I am not sure, but I think this problem occurred with an update from a 4.7.4 version. I was thinking of downgrading to see if the problem disappears.

Here is a sanitized version of the smb.conf on the AD DC and some other linux stuff on the DC:

[global]
        server string = Active Directory Server
        workgroup = MYDOM
        realm = MYDOM.NURDOG.COM
        netbios name = NIKITA
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        bind interfaces only = yes
        interfaces = br0 lo
        encrypt passwords = true
        kerberos method = secrets and keytab
        winbind use default domain = yes
        winbind offline logon = false
        winbind enum groups = yes
        winbind enum users = yes
        # winbind separator = +
        winbind nss info = rfc2307
        map untrusted to domain = no
        template homedir = /home/%U
        template shell = /bin/bash
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /var/lib/samba/sysvol/mydom.nurdog.com/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[Profiles]
        path = /home/Profiles/
        read only = No

[home]
        path = /home
        read only = No

The two users have these IDs as determined by getent:

MYDOM\mywife:*:3001108:3000513::/home/mywife_home:/bin/bash
MYDOM\me:*:3001107:3000513::/home/my_home:/bin/bash

Home directories:

drwx------+ 43 MYDOM\mywife MYDOM\domain users 4096 Feb 28 23:02 mywife_home
drwx------+ 80 MYDOM\me MYHOME\domain users 20480 Feb 28 08:21 my_home

Profile directories:

drwxrwx---+ 17 MYDOM\mywife MYDOMdomain users 4096 Mar 1 17:19 mywife.V2
drwxrwx---+ 20 MYDOM\me MYDOM\domain users 4096 Feb 28 20:15 me.V2

Everything looks just like I show when the problem occurs. There will be a permission denied error once the problem occurs even though everything looks good. It only happens to my wife's account. She is on a Windows 7 Professional laptop for most of the day. I am always on linux and have not experienced any problems. The issue affects both the Windows and linux accounts. It really is like mywife's file ownership is lost even though linux says everything is good. And when the problem occurs, authentication still works. It is possible to logon to the DC with mywife's account but access to the home directory is denied. Very strange problem indeed.

Thank you for your help.

-- 
Paul (ganci at nurdog.com)
Cell: (303)257-5208
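A diagnostic check for the symptom described in this thread (an added example, not posted by anyone in the thread and not Samba's own tooling): 'ls -l' resolves the numeric owner of a file to a name through NSS/winbind, so it can print the expected account name even when the numeric uid on disk no longer equals the uid that 'getent passwd' currently returns for that account, which is exactly the situation a recursive chown would silently repair. The script below compares the raw numbers instead. It assumes GNU coreutils 'stat -c %u' (present on CentOS) and embeds a constructed passwd line modelled on the getent output above; the account and path names are placeholders.

```shell
#!/bin/sh
# Added example: compare the numeric uid that 'getent passwd' returns for an
# account with the numeric owner uid recorded on a path. Name-based tools
# ('ls -l', 'getfacl') hide a mismatch because they translate uid -> name.

# Extract the numeric uid (third field) from a passwd-style line
# of the form  name:x:uid:gid:gecos:home:shell
passwd_uid() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Extract the numeric primary gid (fourth field) from a passwd-style line.
passwd_gid() {
    printf '%s\n' "$1" | cut -d: -f4
}

# Compare the account's current uid with the owner uid stored on disk.
# Prints a verdict; returns 0 on match, 1 on mismatch.
check_owner() {
    account_uid="$1"
    owner_uid="$2"
    if [ "$account_uid" = "$owner_uid" ]; then
        echo "OK: on-disk owner uid $owner_uid matches account uid $account_uid"
        return 0
    fi
    echo "MISMATCH: on-disk owner uid $owner_uid, but the account now maps to uid $account_uid"
    return 1
}

# Live check on a DC: look the account up through NSS (winbind) and compare
# against the raw owner uid of the path. Returns 2 if the account is unknown.
# Usage: check_path 'MYDOM\mywife' /home/mywife_home
check_path() {
    user="$1"
    path="$2"
    line=$(getent passwd "$user") || { echo "no passwd entry for $user"; return 2; }
    check_owner "$(passwd_uid "$line")" "$(stat -c %u "$path")"
}

# Constructed sample passwd line modelled on the thread's getent output
# (not taken from a live system).
SAMPLE_PASSWD='MYDOM\mywife:*:3001108:3000513::/home/mywife_home:/bin/bash'

# Run the live check only when an account and a path are supplied on the
# command line; otherwise this file just defines the functions above.
if [ "$#" -eq 2 ]; then
    check_path "$1" "$2"
fi
```

Run it on the DC as `sh check_owner.sh 'MYDOM\mywife' /home/mywife_home` while the permission denied condition is present; a MISMATCH verdict points at the idmap (the uid winbind hands out for the account has changed) rather than at the filesystem ACLs, and `getfacl` output can then be read with the numeric ids in mind. Extending the same comparison to the gid with `passwd_gid` and `stat -c %g` covers the "domain users" group shown in the listings.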