samba - Apr 2019 - chown: changing ownership of 'test': Invalid argument

Hi Rowland,

Please see my replies inline.

On Wed, 10 Apr 2019 at 09:58, Rowland Penny via samba <samba at
lists.samba.org>
wrote:
> On Wed, 10 Apr 2019 09:04:06 +0200
> Ian Coetzee via samba <samba at lists.samba.org> wrote:
>
> > Hi All,
> >
> > I have a very weird issue on one of my servers. I think I might just
> > be missing something quite obviously... I will post the config files
> > at the bottom
> >
> > I have a brand new Debian server running as an LXC container
> > I am running said server as a domain member using the latest packages
> > in Louis' 4.9 branch
> >
> > The join seems to be good, nsswitch is working
> >
> > > root at ho-vpn-ctx-ac01:~# wbinfo -i ianc
> > > ianc:*:3201407:3200513::/home/JEOFFICE/ianc:/bin/bash
> > > root at ho-vpn-ctx-ac01:~# getent passwd ianc
> > > ianc:*:3201407:3200513::/home/JEOFFICE/ianc:/bin/bash
> > >
> >
> >  Yet when I try to change the ownership of a file to a domain user, it
> > fails with "Invalid argument"
> >
> > > root at ho-vpn-ctx-ac01:~# chown -v ianc test
> > > chown: changing ownership of 'test': Invalid argument
> > > failed to change ownership of 'test' from root to ianc
>
> This is very strange, the 'getent' command above shows that the OS
> knows who 'ianc' is, so why can file ownership not be changed ?
>
My thoughts exactly

> > > root at ho-vpn-ctx-ac01:~# chown -v jeadmin test
> > > changed ownership of 'test' from root to jeadmin
> > > root at ho-vpn-ctx-ac01:~# getent passwd jeadmin
> > > jeadmin:x:1000:27::/home/jeadmin:/bin/bash
> > >
> >
> > It works however when changing to a local user. So it looks like the
> > issue might be in samba. This is the first time I have had this
> > problem after quite a few other servers (a mix between CentOS, Debian
> > and Ubuntu) has already been joined to the domain using the exact
> > same smb.conf.
> >
> > On a side note, I am also unable to log into the server using domain
> > credentials, which I am currently attributing to the same cause.
>
> Possibly, but it could just be down to you not having this line
> in /etc/pam.d/common-session
>
> session    required   pam_mkhomedir.so skel=/etc/skel/ umask=0022
>
I normally add this line through pam-auth-update and a custom file under
/usr/share/pam-configs/

root at ho-vpn-ctx-ac01:~# cat
/usr/share/pam-configs/mkhomedir
> Name: Create home directory on login
> Default: no
> Priority: 0
> Session-Type: Additional
> Session-Interactive-Only: yes
> Session:
>     optional            pam_mkhomedir.so skel=/etc/skel/ umask=0022

> Without that line, the users homedir will not get created and the login
> will fail.
>
This has bitten me more than once already :)

>
> >
> > root at ho-vpn-ctx-ac01:~# cat /etc/samba/smb.conf
> > [global]
> >    workgroup = JEOFFICE
> >    realm = JEOFFICE.JACKLIN.CO.ZA
> >    security = ADS
> >    template shell = /bin/bash
> >    winbind use default domain = true
> >    log file = /var/log/samba/%m.log
> >    log level = 1
> >    idmap config * : backend = tdb
> >    idmap config * : range = 70001-80000
> >    idmap config JEOFFICE : backend = rid
> >    idmap config JEOFFICE : range = 3200000-3300000
> >
>
> If you notice, I have shorted your smb.conf, it is effectively the same
> as what you have now, I have just removed the default lines.
>
Thanks. I will update my smb.conf template accordingly.

>
> There are numerous lines I would add, but they do not really have
> anything to do with your problem.
>
> A last thought, do you have any users in AD that also occur
> in /etc/passwd ?
>
The only user I have is the jeadmin user which is the domain admin as well
as a local admin user.

Should I try renaming the local user?

>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

On Wed, 10 Apr 2019 10:25:25 +0200
Ian Coetzee <samba at iancoetzee.za.net> wrote:
> Hi Rowland,
> 
> Please see my replies inline.
> >
> > Possibly, but it could just be down to you not having this line
> > in /etc/pam.d/common-session
> >  
> 
> > session    required   pam_mkhomedir.so skel=/etc/skel/ umask=0022
> >  
> 
> I normally add this line through pam-auth-update and a custom file
> under /usr/share/pam-configs/
> 
> root at ho-vpn-ctx-ac01:~# cat /usr/share/pam-configs/mkhomedir
> > Name: Create home directory on login
> > Default: no
> > Priority: 0
> > Session-Type: Additional
> > Session-Interactive-Only: yes
> > Session:
> >     optional            pam_mkhomedir.so skel=/etc/skel/
> > umask=0022  
I take it from that, you already have it ;-) 
> The only user I have is the jeadmin user which is the domain admin as
> well as a local admin user.
ER, no, that would be 'Administrator', is 'jeadmin' a member of
'Administrators', 'Domain Admins' or some other such
administration
group ?
> 
> Should I try renaming the local user?
Either that or delete the user from AD or /etc/passwd, you cannot have
the same user in both. The user in /etc/password will normally be used
on the Unix OS before the AD user and will be the opposite way around
on Windows.

Try adding this line to smb.conf:

winbind enum users = yes, restart or reload Samba, then run 'getent
passwd', this should return all users, local and domain.

Once you are sure that all domain users are being returned, remove the
line.

Rowland

Ho Roland,

Replies inline

On Wed, 10 Apr 2019 at 11:03, Rowland Penny <rpenny at samba.org> wrote:
> On Wed, 10 Apr 2019 10:25:25 +0200
> Ian Coetzee <samba at iancoetzee.za.net> wrote:
>
> > Hi Rowland,
> >
> > Please see my replies inline.
> > >
> > > Possibly, but it could just be down to you not having this line
> > > in /etc/pam.d/common-session
> > >
> >
> > > session    required   pam_mkhomedir.so skel=/etc/skel/ umask=0022
> > >
> >
> > I normally add this line through pam-auth-update and a custom file
> > under /usr/share/pam-configs/
> >
> > root at ho-vpn-ctx-ac01:~# cat /usr/share/pam-configs/mkhomedir
> > > Name: Create home directory on login
> > > Default: no
> > > Priority: 0
> > > Session-Type: Additional
> > > Session-Interactive-Only: yes
> > > Session:
> > >     optional            pam_mkhomedir.so skel=/etc/skel/
> > > umask=0022
>
> I take it from that, you already have it ;-)
>
That would be correct ;-)

>
> > The only user I have is the jeadmin user which is the domain admin as
> > well as a local admin user.
>
> ER, no, that would be 'Administrator', is 'jeadmin' a
member of
> 'Administrators', 'Domain Admins' or some other such
administration
> group ?
>
We have a group policy that renames Administrator to jeadmin

>
> >
> > Should I try renaming the local user?
>
> Either that or delete the user from AD or /etc/passwd, you cannot have
> the same user in both. The user in /etc/password will normally be used
> on the Unix OS

Which is the intended course of action, so I can ssh into the servers with
the jeadmin account in case the domain is offline (debian ssh denies root
logins)

I will quickly drop the user and see if it makes a difference

> before the AD user and will be the opposite way around
> on Windows.
>
Yup. and using .\jeadmin to log in as a local user

>
> Try adding this line to smb.conf:
>
> winbind enum users = yes, restart or reload Samba, then run 'getent
> passwd', this should return all users, local and domain.
>
Oooh I sense a server overload ;-) (Lots of users in the AD)

I have done a winbind enum groups = yes as and a getent group returned
everything I expected (co-incidentally I first noticed this issue on a
chgrp sysadmin $folder command)

>
> Once you are sure that all domain users are being returned, remove the
> line.
>
I am quite confident that nss and winbind are talking to each other quite
nicely.

>
> Rowland
>
>