samba - Aug 2018 - Can't write to a samba share mounted as an AD user

Whoops! Replying to all!

On Thu, Aug 2, 2018 at 10:55 AM, Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Thu, 2 Aug 2018 10:43:26 -0400
> pisymbol via samba <samba at lists.samba.org> wrote:
>
> > Full disclosure: This is an exported share on a QNAP NAS device.
>
> Even fuller disclosure ;-)
> You haven't given us enough info
>
I can facilitate though.

> What version of Samba is the QNAP NAS using ?
>
4.4.16

What is in smb.conf ?
>
A lot of stuff as you can imagine. But for this share:
[Public]
comment = System default share
path = /share/CACHEDEV1_DATA/Public
browsable = yes
oplocks = yes
ftp write only = no
recycle bin = yes
recycle bin administrators only = yes
qbox = no
public = yes
invalid users = "guest"
read list = @"everyone"
write list = "admin",@"ACME\Users"
valid users =
"root",@"everyone","admin",@"Acme\Users"
inherit permissions = yes
shadow:snapdir = /share/CACHEDEV1_DATA/_.share/Public/.snapshot
shadow:basedir = /share/CACHEDEV1_DATA/Public
shadow:sort = desc
shadow:format = @GMT-%Y.%m.%d-%H:%M:%S
smb encrypt = disabled
strict allocate = yes
streams_depot:check_valid = yes
mangled names = yes
admin users admin only 

> Is it part of a domain ?
>
Yes. Let's call it ACME.

I am mounting with my login ACME\alex via:

sudo mount -ousername=alex,domain=acme.com,vers=2.1 //
outerdrive.acme.com/Public /mnt

Linux client is latest 7.5 CentOS.

-aps

On Thu, 2 Aug 2018 11:02:45 -0400
pisymbol <pisymbol at gmail.com> wrote:
> Whoops! Replying to all!
> 
> On Thu, Aug 2, 2018 at 10:55 AM, Rowland Penny via samba <
> samba at lists.samba.org> wrote:
> 
> > On Thu, 2 Aug 2018 10:43:26 -0400
> > pisymbol via samba <samba at lists.samba.org> wrote:
> >
> > > Full disclosure: This is an exported share on a QNAP NAS device.
> >
> > Even fuller disclosure ;-)
> > You haven't given us enough info
> >
> 
> I can facilitate though.
> 
> 
> > What version of Samba is the QNAP NAS using ?
> >
> 
> 4.4.16
> 
> What is in smb.conf ?
> >
> 
> A lot of stuff as you can imagine.
Yes and it will remain imaginary until you post it

Rowland

On Thu, Aug 2, 2018 at 11:11 AM, Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Thu, 2 Aug 2018 11:02:45 -0400
> pisymbol <pisymbol at gmail.com> wrote:
>
> > Whoops! Replying to all!
> >
> > On Thu, Aug 2, 2018 at 10:55 AM, Rowland Penny via samba <
> > samba at lists.samba.org> wrote:
> >
> > > On Thu, 2 Aug 2018 10:43:26 -0400
> > > pisymbol via samba <samba at lists.samba.org> wrote:
> > >
> > > > Full disclosure: This is an exported share on a QNAP NAS
device.
> > >
> > > Even fuller disclosure ;-)
> > > You haven't given us enough info
> > >
> >
> > I can facilitate though.
> >
> >
> > > What version of Samba is the QNAP NAS using ?
> > >
> >
> > 4.4.16
> >
> > What is in smb.conf ?
> > >
> >
> > A lot of stuff as you can imagine.
>
> Yes and it will remain imaginary until you post it
>
[admin at outerdrive ~]# cat /etc/config/smb.conf
[global]
realm = ACME.COM
passdb backend = smbpasswd
workgroup = ACME
security = ADS       #### NOTE: I had to change this to ADS to get this
toaster oven to join AD
server string encrypt passwords = Yes
username level = 0
map to guest = Bad User
null passwords = yes
max log size = 10
socket options = TCP_NODELAY SO_KEEPALIVE
os level = 20
preferred master = no
dns proxy = No
smb passwd file=/etc/config/smbpasswd
username map = /etc/config/smbusers
guest account = guest
directory mask = 0777
create mask = 0777
oplocks = yes
locking = yes
disable spoolss = no
load printers = yes
veto files = /.AppleDB/.AppleDouble/.AppleDesktop/:2eDS_Store/Network Trash
Folder/Temporary
Items/TheVolumeSettingsFolder/. at __thumb/. at __desc/:2e*/. at __qini/.Qsync/.
at upload_cache/.qsync/.qsync_sn/. at qsys/.streams/.digest/
delete veto files = yes
map archive = no
map system = no
map hidden = no
map read only = no
deadtime = 10
server role = auto
use sendfile = yes
unix extensions = no
store dos attributes = yes
client ntlmv2 auth = yes
dos filetime resolution = no
follow symlinks = yes
wide links = yes
force unknown acl user = yes
template homedir = /share/homes/DOMAIN=%D/%U
inherit acls = yes
domain logons = no
min receivefile size = 256
case sensitive = auto
domain master = auto
local master = no
enhance acl v1 = yes
remove everyone = yes
conn log = no
kernel oplocks = no
min protocol = LANMAN1
smb2 leases = yes
durable handles = yes
kernel share modes = no
posix locking = no
lock directory = /share/CACHEDEV1_DATA/.samba/lock
state directory = /share/CACHEDEV1_DATA/.samba/state
cache directory = /share/CACHEDEV1_DATA/.samba/cache
printcap cache time = 0
acl allow execute always = yes
server signing = disabled
aio read size = 1
aio write size = 0
streams_depot:delete_lost = yes
streams_depot:check_valid = no
fruit:nfs_aces = no
fruit:veto_appledouble = no
winbind expand groups = 1
pid directory = /var/lock
printcap name = /etc/printcap
printing = cups
show add printer wizard = no
host msdfs = yes
winbind enum groups = Yes
winbind enum users = Yes
wins support = no
name resolve order = host bcast
max protocol = SMB2_10
vfs objects =  shadow_copy2 acl_xattr catia fruit qnap_macea streams_depot
aio_pthread

[Multimedia]
comment = System default share
path = /share/CACHEDEV1_DATA/Multimedia
browsable = yes
oplocks = yes
ftp write only = no
recycle bin = yes
recycle bin administrators only = no
qbox = no
public = yes
invalid users = "guest"
read list = @"everyone"
write list = "admin"
valid users = "root",@"everyone","admin"
inherit permissions = yes
shadow:snapdir = /share/CACHEDEV1_DATA/_.share/Multimedia/.snapshot
shadow:basedir = /share/CACHEDEV1_DATA/Multimedia
shadow:sort = desc
shadow:format = @GMT-%Y.%m.%d-%H:%M:%S
smb encrypt = disabled
strict allocate = yes
streams_depot:check_valid = yes
mangled names = yes

[Download]
comment = System default share
path = /share/CACHEDEV1_DATA/Download
browsable = yes
oplocks = yes
ftp write only = no
recycle bin = yes
recycle bin administrators only = no
qbox = no
public = yes
invalid users = "guest"
read list write list = "admin"
valid users = "root","admin"
inherit permissions = yes
shadow:snapdir = /share/CACHEDEV1_DATA/_.share/Download/.snapshot
shadow:basedir = /share/CACHEDEV1_DATA/Download
shadow:sort = desc
shadow:format = @GMT-%Y.%m.%d-%H:%M:%S
smb encrypt = disabled
strict allocate = yes
streams_depot:check_valid = yes
mangled names = yes

[Web]
comment = System default share
path = /share/CACHEDEV1_DATA/Web
browsable = yes
oplocks = yes
ftp write only = no
recycle bin = yes
recycle bin administrators only = no
qbox = no
public = yes
invalid users = "guest"
read list write list = "admin"
valid users = "root","admin"
inherit permissions = yes
shadow:snapdir = /share/CACHEDEV1_DATA/_.share/Web/.snapshot
shadow:basedir = /share/CACHEDEV1_DATA/Web
shadow:sort = desc
shadow:format = @GMT-%Y.%m.%d-%H:%M:%S
smb encrypt = disabled
strict allocate = yes
streams_depot:check_valid = yes
mangled names = yes

[Public]
comment = System default share
path = /share/CACHEDEV1_DATA/Public
browsable = yes
oplocks = yes
ftp write only = no
recycle bin = yes
recycle bin administrators only = yes
qbox = no
public = yes
invalid users = "guest"
read list = @"everyone"
write list = "admin",@"ACME\Users"
valid users =
"root",@"everyone","admin",@"ACME\Users"
inherit permissions = yes
shadow:snapdir = /share/CACHEDEV1_DATA/_.share/Public/.snapshot
shadow:basedir = /share/CACHEDEV1_DATA/Public
shadow:sort = desc
shadow:format = @GMT-%Y.%m.%d-%H:%M:%S
smb encrypt = disabled
strict allocate = yes
streams_depot:check_valid = yes
mangled names = yes

[homes]
comment = System default share
path = /share/CACHEDEV1_DATA/homes
browsable = yes
oplocks = yes
ftp write only = no
recycle bin = yes
recycle bin administrators only = no
qbox = no
public = yes
invalid users read list write list = "admin"
valid users = "root","admin"
inherit permissions = yes
shadow:snapdir = /share/CACHEDEV1_DATA/_.share/homes/.snapshot
shadow:basedir = /share/CACHEDEV1_DATA/homes
shadow:sort = desc
shadow:format = @GMT-%Y.%m.%d-%H:%M:%S
smb encrypt = disabled
mangled names = yes

[printers]
use client driver = yes
writable = no
browsable = no
printable = yes
guest ok = yes
path = /var/spool/smb

[home]
comment = Home
path = %H
browsable = yes
oplocks = yes
ftp write only = no
inherit permissions = yes
invalid users = guest
writable = yes
read list = "%u"
write list = "%u"
valid users = "%u"
root preexec = /sbin/create_home -u '%q'
shadow:snapdir = /share/CACHEDEV1_DATA/homes/../_.share/homes/.snapshot
shadow:basedir = %H
shadow:sort = desc
shadow:format = @GMT-%Y.%m.%d-%H:%M:%S