Paul R. Ganci
2018-Mar-02 03:08 UTC
[Samba] User permissions of profile/home directory lost
On 03/01/2018 01:02 AM, Rowland Penny wrote:
> Is this a PDC (NT4-style domain) or an AD DC ?
> Either way, I have never heard of anything like this happening before,
> perhaps it might help if you post your smb.conf.

Hi Rowland,

Whatever is occurring has happened again today. I had to "chown -R" my wife's home/Profile directories and files. Very strange and makes me wonder if she doesn't have some kind of malware on her laptop. I am checking that now.

In any case let me answer your questions. The DC is an AD DC. I originally set it up with an early 4.0 version of Samba. Over time I haven't really done anything to the configuration. However, there were a few things necessary as the behavior of Samba ADs changed with new versions. Before I show the smb.conf file several historical things should be noted.

1.) I originally used a RID back-end. However, I was persuaded on a 10/22/2013 thread to switch to an AD back-end. I did that but kept the RID generated UID/GID. You had mentioned in another thread that was confusing but I never changed to saner UIDs/GIDs because everything worked as it was.

2.) There is a long "server services" line that at one point you had questioned in an early thread when winbind on the DC behavior changed. You pointed out what I had was equivalent to something simpler, albeit I couldn't find the thread, but it was around the time I updated from 4.1.18 to 4.2.2.

3.) I have the winbind enum groups/users set to yes purposely. I have so few users there is no penalty really. It is nice to have getent enumerate all the users and groups for debug reasons. That is usually one of the first things I do after an upgrade.

4.) The original set up is what I could find on the web back in the fall of 2013 when I set up the domain. Everything has worked relatively flawlessly until this week (2/25/2018) so that is nearly 5 years without doing much maintenance except Samba updates.
Presently the AD DC runs on a Dell 2950iii with Centos 6.9, the Sernet packages version 4.7.5-10. I am not sure but I think this problem occurred with an update from a 4.7.4 version. I was thinking of downgrading to see if the problem disappears.

Here is a sanitized version of the smb.conf on the AD DC and some other linux stuff on the DC

[global]
        server string = Active Directory Server
        workgroup = MYDOM
        realm = MYDOM.NURDOG.COM
        netbios name = NIKITA
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        bind interfaces only = yes
        interfaces = br0 lo
        encrypt passwords = true
        kerberos method = secrets and keytab
        winbind use default domain = yes
        winbind offline logon = false
        winbind enum groups = yes
        winbind enum users = yes
        # winbind separator = +
        winbind nss info = rfc2307
        map untrusted to domain = no
        template homedir = /home/%U
        template shell = /bin/bash
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /var/lib/samba/sysvol/mydom.nurdog.com/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[Profiles]
        path = /home/Profiles/
        read only = No

[home]
        path = /home
        read only = No

The two users have these IDs as determined by getent:

MYDOM\mywife:*:3001108:3000513::/home/mywife_home:/bin/bash
MYDOM\me:*:3001107:3000513::/home/my_home:/bin/bash

Home directories:

drwx------+ 43 MYDOM\mywife MYDOM\domain users   4096 Feb 28 23:02 mywife_home
drwx------+ 80 MYDOM\me     MYHOME\domain users 20480 Feb 28 08:21 my_home

Profile directories:

drwxrwx---+ 17 MYDOM\mywife MYDOM\domain users 4096 Mar  1 17:19 mywife.V2
drwxrwx---+ 20 MYDOM\me     MYDOM\domain users 4096 Feb 28 20:15 me.V2

Everything looks just like I show when the problem occurs. There will be a permission denied error once the problem occurs even though everything looks good. It only happens to my wife's account. She is on a Windows 7 Professional laptop for most of the day.
I am always on linux and have not experienced any problems. The issue affects both the Windows and linux accounts. It really is like mywife's file ownership is lost even though linux says everything is good. And when the problem occurs, authentication still works. It is possible to logon to the DC with mywife's account but access to the home directory is denied. Very strange problem indeed.

Thank you for your help.

--
Paul (ganci at nurdog.com)
Cell: (303)257-5208
Rowland Penny
2018-Mar-02 09:23 UTC
[Samba] User permissions of profile/home directory lost
On Thu, 1 Mar 2018 20:08:29 -0700
"Paul R. Ganci via samba" <samba at lists.samba.org> wrote:

> Hi Rowland,
>
> Whatever is occurring has happened again today. I had to "chown -R"
> my wife's home/Profile directories and files. Very strange and makes
> me wonder if she doesn't have some kind of malware on her laptop. I
> am checking that now.
>
> In any case let me answer your questions. The DC is an AD DC. I
> originally set it up with an early 4.0 version of Samba. Over time I
> haven't really done anything to the configuration. However, there
> were a few things necessary as the behavior of Samba ADs changed with
> new versions. Before I show the smb.conf file several historical
> things should be noted.
>
> 1.) I originally used a RID back-end. However, I was persuaded on a
> 10/22/2013 thread to switch to an AD back-end. I did that but kept
> the RID generated UID/GID. You had mentioned in another thread that
> was confusing but I never changed to saner UIDs/GIDs because
> everything worked as it was.

As you are running Samba as a DC, you only have two choices of backend and RID isn't one of them ;-)

By default a DC uses xidNumber attributes stored in idmap.ldb, these numbers start at '3000000', you can override these by giving your users a uidNumber and these will be used instead. If you do not have any other Unix machines, there is no point in overriding the xidNumber attributes.

> 2.) There is a long "server services" line that at one point you had
> questioned in an early thread when winbind on the DC behavior
> changed. You pointed out what I had was equivalent to something
> simpler albeit I couldn't find the thread but it was around the time
> I updated from 4.1.18 to 4.2.2.

You only need the long 'server services' line if you want to turn off one (or more) of the servers (in your case, dns), you could also replace your line with 'server services = -dns', it means the same thing.

I think your reference to winbind goes back to when the 'winbind' part of the 'samba' daemon was replaced by the separate 'winbindd' daemon.

> 3.) I have the winbind enum groups/users set to yes purposely. I have
> so few users there is no penalty really. It is nice to have getent
> enumerate all the users and groups for debug reasons. That is usually
> one of the first things I do after an upgrade.

At least you understand that just because 'wbinfo -u' shows users, it doesn't mean the OS knows who they are.

> 4.) The original set up is what I could find on the web back in the
> fall of 2013 when I setup the domain. Everything has worked
> relatively flawlessly until this week (2/25/2018) so that is nearly 5
> years without doing much maintenance except Samba updates.

Yes, the smb.conf on a DC hasn't changed much ;-)

> Presently the AD DC runs on a Dell 2950iii with Centos 6.9, the
> Sernet packages version 4.7.5-10. I am not sure but I think this
> problem occurred with an update from a 4.7.4 version. I was thinking
> of downgrading to see if the problem disappears.
>
> Here is a sanitized version of the smb.conf on the AD DC and some
> other linux stuff on the DC
>
> [global]
>         server string = Active Directory Server
>         workgroup = MYDOM
>         realm = MYDOM.NURDOG.COM
>         netbios name = NIKITA
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>                 drepl, winbindd, ntp_signd, kcc, dnsupdate
>         bind interfaces only = yes
>         interfaces = br0 lo
>         encrypt passwords = true
>         kerberos method = secrets and keytab
>         winbind use default domain = yes
>         winbind offline logon = false
>         winbind enum groups = yes
>         winbind enum users = yes
>         # winbind separator = +
>         winbind nss info = rfc2307
>         map untrusted to domain = no
>         template homedir = /home/%U
>         template shell = /bin/bash
>         idmap_ldb:use rfc2307 = yes
>

There are a couple of default settings, but you have 'map untrusted to domain = no', this was the default until 4.7.0, but this changed to 'auto', it might be an idea to read 'man smb.conf'

> The two users have these IDs as determined by getent:
> MYDOM\mywife:*:3001108:3000513::/home/mywife_home:/bin/bash
> MYDOM\me:*:3001107:3000513::/home/my_home:/bin/bash

Ah, I think I see where your 'RID' backend comes from, you have added the user's RID to '3000000' and then added this as a uidNumber attribute to AD.

There is nothing really wrong with your set up, I think you may be doing the right thing by examining the windows client.

Rowland
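A defender-side check that follows from Paul's listings and Rowland's explanation of the xidNumber/uidNumber mapping: when a directory is "permission denied" although ls shows the right owner name, compare the numeric uid winbind/NSS currently resolves for the user with the numeric uid that actually owns the directory, because ls translates the owner uid back to a name through the same mapping and so cannot reveal a shifted mapping. This is an added example, not a script from the thread or from Samba; it assumes a Linux host with glibc getent and GNU stat, and the user and directory names are the thread's own.

```shell
#!/bin/sh
# Added example: compare the uid the OS resolves for a domain user with the
# uid owning that user's home or profile directory. A mismatch explains
# "permission denied" even though ls shows the expected owner name.

# Pure check: prints a verdict and returns 0 (match) or 1 (mismatch).
# $1 = user name, $2 = uid from getent, $3 = uid owning the directory
judge_owner() {
  if [ "$2" = "$3" ]; then
    printf 'OK  %s: passwd uid %s owns the directory\n' "$1" "$2"
    return 0
  fi
  printf 'BAD %s: passwd uid %s but directory is owned by uid %s\n' "$1" "$2" "$3"
  return 1
}

# Gather the two uids for a real user and directory, then judge them.
# Domain users only resolve if winbind is in nsswitch.conf, as on the DC.
# Returns 2 when the user or directory cannot be looked up at all.
check_home_owner() {
  user=$1
  dir=$2
  uid=$(getent passwd "$user" | cut -d: -f3)
  [ -n "$uid" ] || { printf 'no passwd entry for %s\n' "$user"; return 2; }
  owner=$(stat -c %u "$dir") || return 2
  # A trailing '+' in the mode column (as in the thread's listings) means a
  # POSIX ACL also applies; inspect it with getfacl if the uids match but
  # access is still denied.
  if [ "$(ls -ld "$dir" | cut -c11)" = "+" ]; then
    printf 'note: %s carries a POSIX ACL (see: getfacl %s)\n' "$dir" "$dir"
  fi
  judge_owner "$user" "$uid" "$owner"
}

# Example usage on the DC, with the names from the thread:
#   check_home_owner mywife /home/mywife_home
#   check_home_owner mywife /home/Profiles/mywife.V2
```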
Paul R. Ganci
2018-Mar-02 14:27 UTC
[Samba] User permissions of profile/home directory lost
On 03/02/2018 02:23 AM, Rowland Penny via samba wrote:
> Ah, I think I see where your 'RID' backend comes from, you have added
> the users RID to '3000000' and then added this as a uidNumber attribute
> to AD.
>
> There is nothing really wrong with your set up, I think you may be
> doing the right thing by examining the windows client.

Thanks Rowland.

I think you pretty much went over everything again that was discussed on another thread many years ago. That was approximately the time that winbind and winbindd came as you point out. I was going to change the uidNumber and gidNumber attributes then but you came to the same conclusion as now. I just left it since everything worked okay, albeit it is kind of a weird and confusing situation. I was just learning then.

FWIW I had my wife log out of the Win 7 box and everything is good so far. I did a scan on the server side on her directories and found several suspicious things I am removing. However, I did not see a smoking gun. Next step is to scan the Win box. I think the problem is something that is happening from there specific to her account.

Finally I am going to be upgrading to Windows 10 Pro for other reasons. That will give me a chance to wipe the disk. I am also migrating the DC to a CentOS 7 OS. At that time I will clean up all this uid/gid stuff. I think I am just going to start from scratch rather than try to salvage anything. The hard part will be vetting my wife's email... and even harder, getting her to practice safe internet browsing.

Again thanks for your time.

--
Paul (ganci at nurdog.com)
Cell: (303)257-5208