L.P.H. van Belle
2019-Apr-10 09:12 UTC
[Samba] chown: changing ownership of 'test': Invalid argument
I forgot, post also:

cat /etc/idmapd.conf
( I'm adding it in the debug-collector atm )

There might be a mis in detecting the Domain or Local-Realm.
I suggest, add this :

Domain = jeoffice.jacklin.co.za
Local-Realm = JEOFFICE.JACKLIN.CO.ZA

see if that helps.

Greetz,

Louis

From: Ian Coetzee [mailto:samba at iancoetzee.za.net]
Sent: Wednesday 10 April 2019 10:17
To: L.P.H. van Belle
CC: samba at lists.samba.org
Subject: Re: [Samba] chown: changing ownership of 'test': Invalid argument

Hi Louis,

Thank you. I will add those lines and test. Will revert shortly

As requested. The output:

root@ho-vpn-ctx-ac01:~# cat /tmp/samba-debug-info.txt
Collected config --- 2019-04-10-08:12 -----------

Hostname: ho-vpn-ctx-ac01
DNS Domain: jeoffice.jacklin.co.za
FQDN: ho-vpn-ctx-ac01.jeoffice.jacklin.co.za
ipaddress: 10.10.18.50 10.10.11.50

-----------

Samba is running as a Unix domain member

-----------
Checking file: /etc/os-release

PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

-----------

This computer is running Debian 9.8 x86_64

-----------
running command : ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
44: native0@if45: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:c1:2a:15:5c:fe brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.10.18.50/24 brd 10.10.18.255 scope global native0
    inet6 fe80::2c1:2aff:fe15:5cfe/64 scope link
46: dmz0@if47: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:c1:b1:ea:6c:fe brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.10.11.50/24 brd 10.10.11.255 scope global dmz0
    inet6 fe80::2c1:b1ff:feea:6cfe/64 scope link

-----------
Checking file: /etc/hosts

127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
# --- BEGIN PVE ---
10.10.18.50 ho-vpn-ctx-ac01.jeoffice.jacklin.co.za ho-vpn-ctx-ac01
# --- END PVE ---

-----------
Checking file: /etc/resolv.conf

# --- BEGIN PVE ---
search jeoffice.jacklin.co.za
nameserver 10.10.10.4
# --- END PVE ---

-----------
Checking file: /etc/krb5.conf

[libdefaults]
    default_realm = JEOFFICE.JACKLIN.CO.ZA

# The following krb5.conf variables are only for MIT Kerberos.
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
    fcc-mit-ticketflags = true

[realms]
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu
        kdc = kerberos-1.mit.edu
        kdc = kerberos-2.mit.edu:88
        admin_server = kerberos.mit.edu
        default_domain = mit.edu
    }
    ZONE.MIT.EDU = {
        kdc = casio.mit.edu
        kdc = seiko.mit.edu
        admin_server = casio.mit.edu
    }
    CSAIL.MIT.EDU = {
        admin_server = kerberos.csail.mit.edu
        default_domain = csail.mit.edu
    }
    IHTFP.ORG = {
        kdc = kerberos.ihtfp.org
        admin_server = kerberos.ihtfp.org
    }
    1TS.ORG = {
        kdc = kerberos.1ts.org
        admin_server = kerberos.1ts.org
    }
    ANDREW.CMU.EDU = {
        admin_server = kerberos.andrew.cmu.edu
        default_domain = andrew.cmu.edu
    }
    CS.CMU.EDU = {
        kdc = kerberos-1.srv.cs.cmu.edu
        kdc = kerberos-2.srv.cs.cmu.edu
        kdc = kerberos-3.srv.cs.cmu.edu
        admin_server = kerberos.cs.cmu.edu
    }
    DEMENTIA.ORG = {
        kdc = kerberos.dementix.org
        kdc = kerberos2.dementix.org
        admin_server = kerberos.dementix.org
    }
    stanford.edu = {
        kdc = krb5auth1.stanford.edu
        kdc = krb5auth2.stanford.edu
        kdc = krb5auth3.stanford.edu
        master_kdc = krb5auth1.stanford.edu
        admin_server = krb5-admin.stanford.edu
        default_domain = stanford.edu
    }
    UTORONTO.CA = {
        kdc = kerberos1.utoronto.ca
        kdc = kerberos2.utoronto.ca
        kdc = kerberos3.utoronto.ca
        admin_server = kerberos1.utoronto.ca
        default_domain = utoronto.ca
    }

[domain_realm]
    .mit.edu = ATHENA.MIT.EDU
    mit.edu = ATHENA.MIT.EDU
    .media.mit.edu = MEDIA-LAB.MIT.EDU
    media.mit.edu = MEDIA-LAB.MIT.EDU
    .csail.mit.edu = CSAIL.MIT.EDU
    csail.mit.edu = CSAIL.MIT.EDU
    .whoi.edu = ATHENA.MIT.EDU
    whoi.edu = ATHENA.MIT.EDU
    .stanford.edu = stanford.edu
    .slac.stanford.edu = SLAC.STANFORD.EDU
    .toronto.edu = UTORONTO.CA
    .utoronto.ca = UTORONTO.CA

-----------
Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat winbind
group: compat winbind
shadow: compat
gshadow: files

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

-----------
Checking file: /etc/samba/smb.conf

[global]
    workgroup = JEOFFICE
    realm = JEOFFICE.JACKLIN.CO.ZA
    security = ADS
    template homedir = /home/%D/%U
    template shell = /bin/bash
    kerberos method = secrets only
    winbind use default domain = true
    # winbind offline logon = true
    winbind enum groups = true

    netbios name = ho-vpn-ctx-ac01

    log file = /var/log/samba/%m.log
    log level = 1

    # Default ID mapping configuration for local BUILTIN accounts
    # and groups on a domain member. The default (*) domain:
    # - must not overlap with any domain ID mapping configuration!
    # - must use an read-write-enabled back end, such as tdb.
    idmap config * : backend = tdb
    idmap config * : range = 70001-80000
    idmap config JEOFFICE : backend = rid
    idmap config JEOFFICE : range = 3200000-3300000

    winbind nss info = template

-----------

Running as Unix domain member and no user.map detected.

-----------
Installed packages:

ii acl 2.2.52-3+b1 amd64 Access control list utilities
ii attr 1:2.4.47-2+b2 amd64 Utilities for manipulating filesystem extended attributes
ii krb5-config 2.6 all Configuration files for Kerberos Version 5
ii krb5-locales 1.15-1+deb9u1 all internationalization support for MIT Kerberos
ii krb5-user 1.15-1+deb9u1 amd64 basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.52-3+b1 amd64 Access control list shared library
ii libacl1-dev 2.2.52-3+b1 amd64 Access control list static libraries and headers
ii libattr1:amd64 1:2.4.47-2+b2 amd64 Extended attribute shared library
ii libattr1-dev:amd64 1:2.4.47-2+b2 amd64 Extended attribute static libraries and headers
ii libgssapi-krb5-2:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries - Support library
ii libnss-winbind:amd64 2:4.9.6+nmu-1.0debian1 amd64 Samba nameservice integration plugins
ii libpam-winbind:amd64 2:4.9.6+nmu-1.0debian1 amd64 Windows domain authentication integration plugin
ii libwbclient0:amd64 2:4.9.6+nmu-1.0debian1 amd64 Samba winbind client library
ii python-samba 2:4.9.6+nmu-1.0debian1 amd64 Python bindings for Samba
ii samba 2:4.9.6+nmu-1.0debian1 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.9.6+nmu-1.0debian1 all common files used by both the Samba server and client
ii samba-common-bin 2:4.9.6+nmu-1.0debian1 amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.9.6+nmu-1.0debian1 amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.9.6+nmu-1.0debian1 amd64 Samba core libraries
ii samba-vfs-modules:amd64 2:4.9.6+nmu-1.0debian1 amd64 Samba Virtual FileSystem plugins
ii winbind 2:4.9.6+nmu-1.0debian1 amd64 service to resolve user and group information from Windows NT servers

-----------

On Wed, 10 Apr 2019 at 09:37, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:

Hai Ian,

Can you run my setup debugger..
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh

Anonymize where needed and post output.

Because when I run this, it works fine.

chown -v username test-own.txt
changed ownership of 'test-own.txt' from root to username

And yes, this user only exists in AD.

Check if attr and acl are installed also.

And if the smb.conf below is complete then you're missing:

    # For ACL support on member servers with shares
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

The difference between you and me, in smb.conf as far I can tell now.
Me backend AD. You RID.
Me
    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab
    winbind refresh tickets = yes
You ( only secrets )

I've just tested these versions because today my vpn needed the upgrades of samba also.
I've tested and upgraded from 4.8.9 up to 4.8.11, 4.9.6 and 4.10.2

It still might be a bug, but I need more info.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ian Coetzee via samba
> Sent: Wednesday 10 April 2019 9:04
> To: Samba List
> Subject: [Samba] chown: changing ownership of 'test': Invalid argument
>
> Hi All,
>
> I have a very weird issue on one of my servers. I think I might just be
> missing something quite obviously... I will post the config files at the
> bottom
>
> I have a brand new Debian server running as an LXC container
>
> > root@ho-vpn-ctx-ac01:~# lsb_release -a
> > No LSB modules are available.
> > Distributor ID: Debian
> > Description: Debian GNU/Linux 9.8 (stretch)
> > Release: 9.8
> > Codename: stretch
> > root@ho-vpn-ctx-ac01:~# uname -a
> > Linux ho-vpn-ctx-ac01 4.15.18-12-pve #1 SMP PVE 4.15.18-35 (Wed, 13 Mar
> > 2019 08:24:42 +0100) x86_64 GNU/Linux
> > root@ho-vpn-ctx-ac01:~#
>
> I am running said server as a domain member using the latest packages in
> Louis' 4.9 branch
>
> > root@ho-vpn-ctx-ac01:~# net -V
> > Version 4.9.6-Debian
> > root@ho-vpn-ctx-ac01:~# net ads testjoin
> > Join is OK
>
> The join seems to be good, nsswitch is working
>
> > root@ho-vpn-ctx-ac01:~# wbinfo -i ianc
> > ianc:*:3201407:3200513::/home/JEOFFICE/ianc:/bin/bash
> > root@ho-vpn-ctx-ac01:~# getent passwd ianc
> > ianc:*:3201407:3200513::/home/JEOFFICE/ianc:/bin/bash
>
> Yet when I try to change the ownership of a file to a domain user, it
> fails with "Invalid argument"
>
> > root@ho-vpn-ctx-ac01:~# chown -v ianc test
> > chown: changing ownership of 'test': Invalid argument
> > failed to change ownership of 'test' from root to ianc
> > root@ho-vpn-ctx-ac01:~# chown -v jeadmin test
> > changed ownership of 'test' from root to jeadmin
> > root@ho-vpn-ctx-ac01:~# getent passwd jeadmin
> > jeadmin:x:1000:27::/home/jeadmin:/bin/bash
>
> It works however when changing to a local user. So it looks like the issue
> might be in samba. This is the first time I have had this problem after
> quite a few other servers (a mix between CentOS, Debian and Ubuntu) have
> already been joined to the domain using the exact same smb.conf.
>
> On a side note, I am also unable to log into the server using domain
> credentials, which I am currently attributing to the same cause.
>
> Can you guys maybe point me in the right direction where I might start to
> troubleshoot further?
>
> Kind regards
> Ian
>
> Configs:
>
> root@ho-vpn-ctx-ac01:~# cat /etc/samba/smb.conf
> [global]
>     workgroup = JEOFFICE
>     realm = JEOFFICE.JACKLIN.CO.ZA
>     security = ADS
>     template homedir = /home/%D/%U
>     template shell = /bin/bash
>     kerberos method = secrets only
>     winbind use default domain = true
>     # winbind offline logon = true
>     winbind enum groups = true
>
>     netbios name = ho-vpn-ctx-ac01
>
>     log file = /var/log/samba/%m.log
>     log level = 1
>
>     # Default ID mapping configuration for local BUILTIN accounts
>     # and groups on a domain member. The default (*) domain:
>     # - must not overlap with any domain ID mapping configuration!
>     # - must use an read-write-enabled back end, such as tdb.
>     idmap config * : backend = tdb
>     idmap config * : range = 70001-80000
>     idmap config JEOFFICE : backend = rid
>     idmap config JEOFFICE : range = 3200000-3300000
>
>     winbind nss info = template
> root@ho-vpn-ctx-ac01:~# cat /etc/nsswitch.conf
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: compat winbind
> group: compat winbind
> shadow: compat
> gshadow: files
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
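An offline sanity check of the ID mapping posted above, added here as an example (it is not from the thread or from the debug-collector script): it parses the `idmap config` lines, confirms the default (*) range does not overlap the domain range, and shows which range the UID and GID returned by wbinfo/getent fall into. It assumes the rid backend runs with its default base_rid of 0; all function names are hypothetical.

```python
import re
from itertools import combinations

# Constructed sample: idmap lines copied from the smb.conf posted in this thread.
SMB_CONF = """\
[global]
    workgroup = JEOFFICE
    idmap config * : backend = tdb
    idmap config * : range = 70001-80000
    idmap config JEOFFICE : backend = rid
    idmap config JEOFFICE : range = 3200000-3300000
"""
# The passwd entry that wbinfo -i / getent returned for the domain user.
PASSWD_LINE = "ianc:*:3201407:3200513::/home/JEOFFICE/ianc:/bin/bash"

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {"backend": str, "range": (low, high)}}."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)  # lines commented out with # or ; never match
        if not m:
            continue
        domain, key, value = m.group(1), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(domain, {})
        if key == "range":
            low, high = (int(part) for part in value.split("-", 1))
            entry["range"] = (low, high)
        else:
            entry["backend"] = value.lower()
    return domains

def overlapping(domains):
    """Return every pair of domains whose ID ranges intersect."""
    ranged = [(name, d["range"]) for name, d in domains.items() if "range" in d]
    return [(a, b) for (a, ra), (b, rb) in combinations(ranged, 2)
            if ra[0] <= rb[1] and rb[0] <= ra[1]]

def domain_for(domains, xid):
    """Return the idmap domain whose range contains xid, or None."""
    for name, d in domains.items():
        low, high = d.get("range", (1, 0))
        if low <= xid <= high:
            return name
    return None

def check_entry(conf_text, passwd_line, base_rid=0):
    """Summarise where a passwd entry's UID and GID land in the idmap config."""
    domains = parse_idmap(conf_text)
    uid, gid = (int(field) for field in passwd_line.split(":")[2:4])
    report = {"overlaps": overlapping(domains)}
    for label, xid in (("uid", uid), ("gid", gid)):
        dom = domain_for(domains, xid)
        rid = None
        if dom and domains[dom].get("backend") == "rid":
            # rid backend: ID = RID - base_rid + low end of range (assumed base_rid)
            rid = xid - domains[dom]["range"][0] + base_rid
        report[label] = {"id": xid, "domain": dom, "rid": rid}
    return report
```

For the posted values the ranges do not overlap and both IDs resolve inside the JEOFFICE range (RID 1407 for the user, RID 513, the well-known Domain Users group, for the GID), which matches the "nsswitch is working" observation in the original report.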
Rowland Penny
2019-Apr-10 09:30 UTC
[Samba] chown: changing ownership of 'test': Invalid argument
On Wed, 10 Apr 2019 11:12:30 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> I forgot, post also:
>
> cat /etc/idmapd.conf
> ( I'm adding it in the debug-collector atm )
>
> There might be a mis in detecting the Domain or Local-Realm.
> I suggest, add this :
>
> Domain = jeoffice.jacklin.co.za
> Local-Realm = JEOFFICE.JACKLIN.CO.ZA

Louis, I have seen you mention idmapd.conf before in relation to
Samba, why ?

From my understanding 'idmapd.conf' is for NFS.

Rowland
L.P.H. van Belle
2019-Apr-10 09:38 UTC
[Samba] chown: changing ownership of 'test': Invalid argument
Hai Rowland,

> From my understanding 'idmapd.conf' is for NFS.

Yes, you are correct, that's for NFS.

I asked because I noticed that his setup is an auth only setup, ( no
shares ). And on my vpn server ( auth only ), with nfs, yes, the
detection of the dns domain and realm needed a bit of help. Due to
dns resolving I needed to set ( a non default setup ).

He might also be using CIFS or NFS or none of these,..
As you,... Ah... I see now, pointed out to with the mk_homedir.
So probably no NFS then.

But on servers with, or multiple interfaces and/or ipnumbers, and
with NFS used, setting the showed values helps. Or you need a really
good setup with your dns/resolving.

Greetz,

Louis

> -----Original message-----
> From: Rowland Penny [mailto:rpenny at samba.org]
> Sent: Wednesday 10 April 2019 11:31
> To: L.P.H. van Belle
> CC: samba at lists.samba.org
> Subject: Re: [Samba] chown: changing ownership of 'test': Invalid argument
>
> On Wed, 10 Apr 2019 11:12:30 +0200
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
> > I forgot, post also:
> >
> > cat /etc/idmapd.conf
> > ( I'm adding it in the debug-collector atm )
> >
> > There might be a mis in detecting the Domain or Local-Realm.
> > I suggest, add this :
> >
> > Domain = jeoffice.jacklin.co.za
> > Local-Realm = JEOFFICE.JACKLIN.CO.ZA
>
> Louis, I have seen you mention idmapd.conf before in relation to
> Samba, why ?
>
> From my understanding 'idmapd.conf' is for NFS.
>
> Rowland
Rowland Penny
2019-Apr-10 09:51 UTC
[Samba] chown: changing ownership of 'test': Invalid argument
On Wed, 10 Apr 2019 11:38:04 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hai Rowland,
>
> > From my understanding 'idmapd.conf' is for NFS.
> Yes, you are correct, that's for NFS.
>
> I asked because I noticed that his setup is an auth only setup, ( no
> shares ). And on my vpn server ( auth only ), with nfs, yes, the
> detection of the dns domain and realm needed a bit of help. Due to
> dns resolving I needed to set ( a non default setup ).
>
> He might also be using CIFS or NFS or none of these,..
> As you,... Ah... I see now, pointed out to with the mk_homedir.
> So probably no NFS then.
>
> But on servers with, or multiple interfaces and/or ipnumbers, and
> with NFS used, setting the showed values helps. Or you need a really
> good setup with your dns/resolving.
>

That explains it better, perhaps if you are adding it to the script,
then it should be conditional on NFS being used.

Rowland
L.P.H. van Belle
2019-Apr-10 09:56 UTC
[Samba] chown: changing ownership of 'test': Invalid argument
Yes, I'm working on it already.

> -----Original message-----
> From: Rowland Penny [mailto:rpenny at samba.org]
> Sent: Wednesday 10 April 2019 11:51
> To: samba at lists.samba.org
> CC: L.P.H. van Belle
> Subject: Re: [Samba] chown: changing ownership of 'test': Invalid argument
>
> On Wed, 10 Apr 2019 11:38:04 +0200
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
> > Hai Rowland,
> >
> > > From my understanding 'idmapd.conf' is for NFS.
> > Yes, you are correct, that's for NFS.
> >
> > I asked because I noticed that his setup is an auth only setup, ( no
> > shares ). And on my vpn server ( auth only ), with nfs, yes, the
> > detection of the dns domain and realm needed a bit of help. Due to
> > dns resolving I needed to set ( a non default setup ).
> >
> > He might also be using CIFS or NFS or none of these,..
> > As you,... Ah... I see now, pointed out to with the mk_homedir.
> > So probably no NFS then.
> >
> > But on servers with, or multiple interfaces and/or ipnumbers, and
> > with NFS used, setting the showed values helps. Or you need a really
> > good setup with your dns/resolving.
> >
>
> That explains it better, perhaps if you are adding it to the script,
> then it should be conditional on NFS being used.
>
> Rowland