Rowland Penny
2018-Aug-02 17:55 UTC
[Samba] Can't write to a samba share mounted as an AD user
On Thu, 2 Aug 2018 13:16:26 -0400
pisymbol via samba <samba at lists.samba.org> wrote:

> On Thu, Aug 2, 2018 at 1:11 PM, Eric Altman via samba
> <samba at lists.samba.org> wrote:
>
> > It's just that the mount has read-only access despite the file
> > ownership and modes being set to give full read-write?
>
> That is almost correct (I can create empty files via touch) which has
> me baffled.
>
> -aps (Alex)

You do not have any lines like this in your smb.conf:

winbind nss info = rfc2307
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config SAMDOM : backend = rid
idmap config SAMDOM : schema_mode = rfc2307
idmap config SAMDOM : range = 10000-999999

So, unless you are using sssd (and if you are, this is the wrong place to ask for help), you do not have any way to authenticate your AD users on the NAS. Yes, you may be able to read files on the NAS, but you will not be able to write to them, this is because Samba has no idea who your users are and 'guest' access is turned off.

You also shouldn't have a NAS administrator, you should only have a Domain Administrator.

I think what you are trying to say is that, you have purchased this NAS and most of the [global] part of the smb.conf is what it came with, if this is true, then QNAP are you listening, your standard smb.conf is rubbish. It contains deprecated settings (smbpasswd), default lines and lines that do not need to be there, it is as if they just took the output of 'man smbconf', removed most of the text, just leaving the parameters, threw away some of the parameters and set others to defaults or things they shouldn't be set to.

I think (and I could be wrong, but I don't think so) it was meant to be a 'standalone server', but you now want it to be a Unix domain member, if so, you need to make a lot of changes to your smb.conf.

Rowland
On Thu, Aug 2, 2018 at 1:55 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Thu, 2 Aug 2018 13:16:26 -0400
> pisymbol via samba <samba at lists.samba.org> wrote
>
> > -aps (Alex)
>
> You do not have any lines like this in your smb.conf:
>
> winbind nss info = rfc2307
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config SAMDOM : backend = rid
> idmap config SAMDOM : schema_mode = rfc2307
> idmap config SAMDOM : range = 10000-999999

I guess I will do some more reading.

> So, unless you are using sssd (and if you are, this is the wrong place
> to ask for help), you do not have any way to authenticate your AD users on
> the NAS. Yes, you may be able to read files on the NAS, but you will not
> be able to write to them, this is because Samba has no idea who your
> users are and 'guest' access is turned off.

Unless QNAP has their own utility similar to sssd, I can absolutely *mount* a share AND *login* into the NAS device using my AD credentials. That is fact.

The mount command I printed above is the exact line I'm using and I specify "user=" and "domain=" options parameters.

> You also shouldn't have a NAS administrator, you should only have a
> Domain Administrator.

Honestly, you should have both IMO. This is even true in the Windows world and a lot of filers (NetApp for instance creates its own domain so the administrator account is technically NETAPP/admin or something of that ilk).

> I think what you are trying to say is that, you have purchased this NAS
> and most of the [global] part of the smb.conf is what it came with, if
> this is true, then QNAP are you listening, your standard smb.conf is
> rubbish. It contains deprecated settings (smbpasswd), default lines and
> lines that do not need to be there, it is as if they just took the
> output of 'man smbconf', removed most of the text, just leaving the
> parameters, threw away some of the parameters and set others to
> defaults or things they shouldn't be set to.

Well it's a bit more complicated than that. They have an AD wizard you go through that joins the NAS device to your domain (that worked after a change on my end).

> I think (and I could be wrong, but I don't think so) it was meant to
> be a 'standalone server', but you now want it to be a Unix domain
> member, if so, you need to make a lot of changes to your smb.conf.

Not according to their extensive doc. These filers are supposed to work as bona fide CIFS file servers connected to AD (and are heavy users of samba).

Anyway, Rowland, don't get upset at me. I did actually Google A LOT before asking all of the above.

So it seems that to get samba to know who is mounting what I need to add a few lines to tell it about my domain.

-aps
On Thu, Aug 2, 2018 at 1:55 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Thu, 2 Aug 2018 13:16:26 -0400
> pisymbol via samba <samba at lists.samba.org> wrote:
>
> > On Thu, Aug 2, 2018 at 1:11 PM, Eric Altman via samba
> > <samba at lists.samba.org> wrote:
> >
> > > It's just that the mount has read-only access despite the file
> > > ownership and modes being set to give full read-write?
> >
> > That is almost correct (I can create empty files via touch) which has
> > me baffled.
> >
> > -aps (Alex)
>
> You do not have any lines like this in your smb.conf:
>
> winbind nss info = rfc2307
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config SAMDOM : backend = rid
> idmap config SAMDOM : schema_mode = rfc2307
> idmap config SAMDOM : range = 10000-999999

I added these lines (changed SAMDOM accordingly).

That helped but didn't fix the problem. But I do see users and domains.

[admin at outerdrive Public]# getfacl .
# file: .
# owner: admin
# group: administrators
user::rwx
user:admin:rwx
user:guest:---
group::rwx
group:everyone:r-x
group:SAMDOM\domain\040users\040changed:rwx
group:SAMDOM\users:rwx
mask::rwx
other::rwx
default:user::rwx
default:user:admin:rwx
default:user:guest:---
default:group::rwx
default:group:everyone:r-x
default:group:SAMDOM\domain\040users\040changed:rwx
default:group:SAMDOM\users:rwx
default:mask::rwx
default:other::---

The 'domain users changed' is a real thing and no I am not responsible for it.

I am mounting as a user who is in both 'SAMDOM\users' and 'SAMDOM\domain users changed' etc using SMB 2.1.

But I still can't write a darn file....

-aps
On Thu, Aug 2, 2018 at 2:46 PM, pisymbol <pisymbol at gmail.com> wrote:

> On Thu, Aug 2, 2018 at 1:55 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> > On Thu, 2 Aug 2018 13:16:26 -0400
> > pisymbol via samba <samba at lists.samba.org> wrote:
> >
> > > On Thu, Aug 2, 2018 at 1:11 PM, Eric Altman via samba
> > > <samba at lists.samba.org> wrote:
> > >
> > > > It's just that the mount has read-only access despite the file
> > > > ownership and modes being set to give full read-write?
> > >
> > > That is almost correct (I can create empty files via touch) which has
> > > me baffled.
> > >
> > > -aps (Alex)
> >
> > You do not have any lines like this in your smb.conf:
> >
> > winbind nss info = rfc2307
> > idmap config *:backend = tdb
> > idmap config *:range = 2000-9999
> > idmap config SAMDOM : backend = rid
> > idmap config SAMDOM : schema_mode = rfc2307
> > idmap config SAMDOM : range = 10000-999999
>
> I added these lines (changed SAMDOM accordingly).
>
> That helped but didn't fix the problem. But I do see users and domains.
>
> [admin at outerdrive Public]# getfacl .
> # file: .
> # owner: admin
> # group: administrators
> user::rwx
> user:admin:rwx
> user:guest:---
> group::rwx
> group:everyone:r-x
> group:SAMDOM\domain\040users\040changed:rwx
> group:SAMDOM\users:rwx
> mask::rwx
> other::rwx
> default:user::rwx
> default:user:admin:rwx
> default:user:guest:---
> default:group::rwx
> default:group:everyone:r-x
> default:group:SAMDOM\domain\040users\040changed:rwx
> default:group:SAMDOM\users:rwx
> default:mask::rwx
> default:other::---
>
> The 'domain users changed' is a real thing and no I am not responsible for
> it.
>
> I am mounting as a user who is in both 'SAMDOM\users' and 'SAMDOM\domain
> users changed' etc using SMB 2.1.
>
> But I still can't write a darn file....

Eureka! Sorry about that. The above did indeed fix it. I had the uid/gid set to 0 on mount. If I mount it now as my uid/gid I can write files to it. Happy Day!

Thank you Rowland and Eric. I really do appreciate it. I completely forgot about 'idmap' and now I feel kinda dumb. Wow, this was way more a pain in the butt than it should have been given the QNAP is an "appliance."

-aps
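The fix in this thread came down to the idmap lines Rowland listed being absent from [global]. The checker below is an added illustration, not code from the thread or from Samba (testparm is the real tool for validating smb.conf): it parses a constructed [global] fragment, with SAMDOM standing in for the real domain name, and reports a missing backend or range for the default '*' domain or the AD domain, an overlapping pair of ranges, or a missing 'winbind nss info'.

```python
import re

# Constructed sample [global] (not from the thread): the idmap lines Rowland
# listed, with SAMDOM standing in for the real domain name.
FIXED_CONF = """
[global]
    workgroup = SAMDOM
    winbind nss info = rfc2307
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
"""

SECTION_RE = re.compile(r"^\s*\[(.+?)\]\s*$")
# 'idmap config DOMAIN : option = value'; spaces around the colon are optional
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.*?)\s*$", re.I)
PARAM_RE = re.compile(r"^\s*([^=;#]+?)\s*=\s*(.*?)\s*$")

def parse_global(conf):
    """Return (params, idmap) from [global]; idmap maps domain -> {option: value}."""
    params, idmap, section = {}, {}, None
    for line in conf.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
        elif section != "global" or line.strip().startswith(("#", ";")):
            continue  # other sections and comments do not matter here
        elif (m := IDMAP_RE.match(line)):
            idmap.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
        elif (m := PARAM_RE.match(line)):
            params[m.group(1).lower()] = m.group(2)
    return params, idmap

def check_idmap(params, idmap, domain):
    """List what a Unix domain member's idmap setup is missing; [] means OK."""
    findings = []
    for dom in ("*", domain):
        for opt in ("backend", "range"):
            if opt not in idmap.get(dom, {}):
                findings.append(f"no idmap {opt} for '{dom}'")
    if not findings:  # both ranges present: they must not overlap
        lo1, hi1 = (int(x) for x in idmap["*"]["range"].split("-"))
        lo2, hi2 = (int(x) for x in idmap[domain]["range"].split("-"))
        if lo1 <= hi2 and lo2 <= hi1:
            findings.append("default and domain idmap ranges overlap")
    if "winbind nss info" not in params:
        findings.append("winbind nss info is not set")
    return findings
```

Running check_idmap on a [global] that only sets workgroup, as the NAS shipped, reports every missing line; on the fixed fragment it returns an empty list.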
Rowland Penny
2018-Aug-02 19:02 UTC
[Samba] Can't write to a samba share mounted as an AD user
On Thu, 2 Aug 2018 14:28:30 -0400
pisymbol <pisymbol at gmail.com> wrote:

> On Thu, Aug 2, 2018 at 1:55 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> > On Thu, 2 Aug 2018 13:16:26 -0400
> > pisymbol via samba <samba at lists.samba.org> wrote
> >
> > > -aps (Alex)
> >
> > You do not have any lines like this in your smb.conf:
> >
> > winbind nss info = rfc2307
> > idmap config *:backend = tdb
> > idmap config *:range = 2000-9999
> > idmap config SAMDOM : backend = rid
> > idmap config SAMDOM : schema_mode = rfc2307
> > idmap config SAMDOM : range = 10000-999999
>
> I guess I will do some more reading.

Try this for a start:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

> > So, unless you are using sssd (and if you are, this is the wrong
> > place to ask for help), you do not have any way to authenticate your AD
> > users on the NAS. Yes, you may be able to read files on the NAS,
> > but you will not be able to write to them, this is because Samba
> > has no idea who your users are and 'guest' access is turned off.
>
> Unless QNAP has their own utility similar to sssd, I can absolutely
> *mount* a share AND *login* into the NAS device using my AD
> credentials. That is fact.

Yes, but you are using sudo and sudo = 'root' and you have 'username map = /etc/config/smbusers' in smb.conf and this is probably mapping Administrator to root.

> The mount command I printed above is the exact line I'm using and I
> specify "user=" and "domain=" options parameters.
>
> > You also shouldn't have a NAS administrator, you should only have a
> > Domain Administrator.
>
> Honestly, you should have both IMO. This is even true in the Windows
> world and a lot of filers (NetApp for instance creates its own
> domain so the administrator account is technically NETAPP/admin or
> something of that ilk).

Yes, you do have a local Administrator and a DOMAIN\Administrator on Windows, but you only use one at once.
You (as I said above) map the DOMAIN\Administrator to the 'root' user on a Unix domain member.

> > I think what you are trying to say is that, you have purchased this
> > NAS and most of the [global] part of the smb.conf is what it came
> > with, if this is true, then QNAP are you listening, your standard
> > smb.conf is rubbish. It contains deprecated settings (smbpasswd),
> > default lines and lines that do not need to be there, it is as if
> > they just took the output of 'man smbconf', removed most of the
> > text, just leaving the parameters, threw away some of the
> > parameters and set others to defaults or things they shouldn't be
> > set to.
>
> Well it's a bit more complicated than that. They have an AD wizard
> you go through that joins the NAS device to your domain (that worked
> after a change on my end).

That sort of makes it worse ;-), why complicate something that is so easy to do from the command line. When I say complicate, I mean adding all those totally un-required lines and not actually adding really required lines.

> > I think (and I could be wrong, but I don't think so) it was meant to
> > be a 'standalone server', but you now want it to be a Unix domain
> > member, if so, you need to make a lot of changes to your smb.conf.
>
> Not according to their extensive doc. These filers are supposed to
> work as bona fide CIFS file servers connected to AD (and are heavy
> users of samba).

Another way to describe a CIFS file server is a standalone server, another name is 'Windows home'

> Anyway, Rowland, don't get upset at me. I did actually Google A LOT
> before asking all of the above.

No, I am not getting angry at you, I am just getting upset at your QNAP thing.

> So it seems that to get samba to know who is mounting what I need to
> add a few lines to tell it about my domain.

You need to sort out the way over the top smb.conf, for instance, do you have any Apple machines ? If not, then all the references to fruit can be removed.

Rowland

> -aps
Rowland Penny
2018-Aug-02 19:06 UTC
[Samba] Can't write to a samba share mounted as an AD user
On Thu, 2 Aug 2018 14:46:56 -0400
pisymbol <pisymbol at gmail.com> wrote:

> On Thu, Aug 2, 2018 at 1:55 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> > On Thu, 2 Aug 2018 13:16:26 -0400
> > pisymbol via samba <samba at lists.samba.org> wrote:
> >
> > > On Thu, Aug 2, 2018 at 1:11 PM, Eric Altman via samba
> > > <samba at lists.samba.org> wrote:
> > >
> > > > It's just that the mount has read-only access despite the file
> > > > ownership and modes being set to give full read-write?
> > >
> > > That is almost correct (I can create empty files via touch) which
> > > has me baffled.
> > >
> > > -aps (Alex)
> >
> > You do not have any lines like this in your smb.conf:
> >
> > winbind nss info = rfc2307
> > idmap config *:backend = tdb
> > idmap config *:range = 2000-9999
> > idmap config SAMDOM : backend = rid
> > idmap config SAMDOM : schema_mode = rfc2307
> > idmap config SAMDOM : range = 10000-999999
>
> I added these lines (changed SAMDOM accordingly).
>
> That helped but didn't fix the problem. But I do see users and
> domains.
>
> [admin at outerdrive Public]# getfacl .
> # file: .
> # owner: admin
> # group: administrators
> user::rwx
> user:admin:rwx
> user:guest:---
> group::rwx
> group:everyone:r-x
> group:SAMDOM\domain\040users\040changed:rwx
> group:SAMDOM\users:rwx
> mask::rwx
> other::rwx
> default:user::rwx
> default:user:admin:rwx
> default:user:guest:---
> default:group::rwx
> default:group:everyone:r-x
> default:group:SAMDOM\domain\040users\040changed:rwx
> default:group:SAMDOM\users:rwx
> default:mask::rwx
> default:other::---
>
> The 'domain users changed' is a real thing and no I am not
> responsible for it.
>
> I am mounting as a user who is in both 'SAMDOM\users' and
> 'SAMDOM\domain users changed' etc using SMB 2.1.
>
> But I still can't write a darn file....
>
> -aps

You did change 'SAMDOM' for whatever 'ACME' really is ?

Rowland