Ian Coetzee
2019-Apr-10 09:41 UTC
[Samba] chown: changing ownership of 'test': Invalid argument
Hi Rowland,

Replies inline

On Wed, 10 Apr 2019 at 11:03, Rowland Penny <rpenny at samba.org> wrote:

> On Wed, 10 Apr 2019 10:25:25 +0200
> Ian Coetzee <samba at iancoetzee.za.net> wrote:
>
> > Hi Rowland,
> >
> > Please see my replies inline.
> >
> > > Possibly, but it could just be down to you not having this line
> > > in /etc/pam.d/common-session
> > >
> > > session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
> > >
> >
> > I normally add this line through pam-auth-update and a custom file
> > under /usr/share/pam-configs/
> >
> > root at ho-vpn-ctx-ac01:~# cat /usr/share/pam-configs/mkhomedir
> > > Name: Create home directory on login
> > > Default: no
> > > Priority: 0
> > > Session-Type: Additional
> > > Session-Interactive-Only: yes
> > > Session:
> > > optional pam_mkhomedir.so skel=/etc/skel/
> > > umask=0022
>
> I take it from that, you already have it ;-)
>

That would be correct ;-)

> > The only user I have is the jeadmin user which is the domain admin as
> > well as a local admin user.
>
> ER, no, that would be 'Administrator', is 'jeadmin' a member of
> 'Administrators', 'Domain Admins' or some other such administration
> group ?
>

We have a group policy that renames Administrator to jeadmin

> > Should I try renaming the local user?
>
> Either that or delete the user from AD or /etc/passwd, you cannot have
> the same user in both. The user in /etc/passwd will normally be used
> on the Unix OS

Which is the intended course of action, so I can ssh into the servers with the jeadmin account in case the domain is offline (debian ssh denies root logins)

I will quickly drop the user and see if it makes a difference

> before the AD user and will be the opposite way around
> on Windows.
>

Yup. and using .\jeadmin to log in as a local user

> Try adding this line to smb.conf:
>
> winbind enum users = yes, restart or reload Samba, then run 'getent
> passwd', this should return all users, local and domain.
>

Oooh I sense a server overload ;-) (Lots of users in the AD)

I have done a winbind enum groups = yes as well, and a getent group returned everything I expected (coincidentally I first noticed this issue on a chgrp sysadmin $folder command)

> Once you are sure that all domain users are being returned, remove the
> line.
>

I am quite confident that nss and winbind are talking to each other quite nicely.

> Rowland
Rowland Penny
2019-Apr-10 10:00 UTC
[Samba] chown: changing ownership of 'test': Invalid argument
On Wed, 10 Apr 2019 11:41:52 +0200
Ian Coetzee <samba at iancoetzee.za.net> wrote:

> Hi Rowland,
>
> Replies inline
>
> > > The only user I have is the jeadmin user which is the domain
> > > admin as well as a local admin user.
> >
> > ER, no, that would be 'Administrator', is 'jeadmin' a member of
> > 'Administrators', 'Domain Admins' or some other such administration
> > group ?
> >
>
> We have a group policy that renames Administrator to jeadmin

OK, then wherever you see 'Administrator' on the Samba wiki etc, replace it with 'jeadmin'

> > > Should I try renaming the local user?
> >
> > Either that or delete the user from AD or /etc/passwd, you cannot
> > have the same user in both. The user in /etc/passwd will normally
> > be used on the Unix OS
>
> Which is the intended course of action, so I can ssh into the servers
> with the jeadmin account in case the domain is offline (debian ssh
> denies root logins)

Ever heard of sudo ?
Log in as a normal user and then run everything with sudo, or become root with 'su -'

> I will quickly drop the user and see if it makes a difference
>
> > before the AD user and will be the opposite way around
> > on Windows.
> >
>
> Yup. and using .\jeadmin to log in as a local user
>
> > Try adding this line to smb.conf:
> >
> > winbind enum users = yes, restart or reload Samba, then run 'getent
> > passwd', this should return all users, local and domain.
> >
>
> Oooh I sense a server overload ;-) (Lots of users in the AD)

I did say remove it after the test, I just wondered if getent was working correctly.

> I am quite confident that nss and winbind are talking to each other
> quite nicely.

Then why isn't it working ?

Last things to try, start raising the Samba loglevel and see if anything pops out and check if Apparmor is stopping the chown.

Rowland
Ian Coetzee
2019-Apr-10 10:13 UTC
[Samba] chown: changing ownership of 'test': Invalid argument
Hi Rowland

On Wed, 10 Apr 2019 at 12:00, Rowland Penny <rpenny at samba.org> wrote:

> On Wed, 10 Apr 2019 11:41:52 +0200
> Ian Coetzee <samba at iancoetzee.za.net> wrote:
>
> > Hi Rowland,
> >
> > Replies inline
> >
> > > > The only user I have is the jeadmin user which is the domain
> > > > admin as well as a local admin user.
> > >
> > > ER, no, that would be 'Administrator', is 'jeadmin' a member of
> > > 'Administrators', 'Domain Admins' or some other such administration
> > > group ?
> > >
> >
> > We have a group policy that renames Administrator to jeadmin
>
> OK, then wherever you see 'Administrator' on the Samba wiki etc,
> replace it with 'jeadmin'
>

Yup. I also normally log into the AD as myself which is part of the Domain Admins group

> > > > Should I try renaming the local user?
> > >
> > > Either that or delete the user from AD or /etc/passwd, you cannot
> > > have the same user in both. The user in /etc/passwd will normally
> > > be used on the Unix OS
> >
> > Which is the intended course of action, so I can ssh into the servers
> > with the jeadmin account in case the domain is offline (debian ssh
> > denies root logins)
>
> Ever heard of sudo ?
> Log in as a normal user and then run everything with sudo, or become
> root with 'su -'
>

Yup, most definitely, use sudo everywhere.

> > I will quickly drop the user and see if it makes a difference
> >
> > > before the AD user and will be the opposite way around
> > > on Windows.
> > >
> >
> > Yup. and using .\jeadmin to log in as a local user
> >
> > > Try adding this line to smb.conf:
> > >
> > > winbind enum users = yes, restart or reload Samba, then run 'getent
> > > passwd', this should return all users, local and domain.
> > >
> >
> > Oooh I sense a server overload ;-) (Lots of users in the AD)
>
> I did say remove it after the test, I just wondered if getent was
> working correctly.
>

Yes, yes you did.

> > I am quite confident that nss and winbind are talking to each other
> > quite nicely.
>
> Then why isn't it working ?
>

This is the question leaving me perplexed as well

> Last things to try, start raising the Samba loglevel and see if
> anything pops out and check if Apparmor is stopping the chown.
>

I bumped the loglevel up to 10. What I can glean from the log is:

[2019/04/10 10:09:48.041065, 1, pid=15234, effective(0, 0), real(0, 0), class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug)
  wbint_LookupSid: struct wbint_LookupSid
    in: struct wbint_LookupSid
      sid : *
        sid : <RED>-1407
[2019/04/10 10:09:48.041888, 10, pid=15234, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:4803(wcache_store_ndr)
  could not fetch seqnum for domain JEOFFICE
[2019/04/10 10:09:48.041954, 1, pid=15234, effective(0, 0), real(0, 0), class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug)
  wbint_LookupSid: struct wbint_LookupSid
    out: struct wbint_LookupSid
      type : *
        type : SID_NAME_USER (1)
      domain : *
        domain : *
          domain : 'JEOFFICE'
      name : *
        name : *
          name : 'ianc'
      result : NT_STATUS_OK
[2019/04/10 10:09:48.042076, 1, pid=15234, effective(0, 0), real(0, 0), class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug)
  wbint_GetNssInfo: struct wbint_GetNssInfo
    in: struct wbint_GetNssInfo
      info : *
        info: struct wbint_userinfo
          domain_name : *
            domain_name : 'JEOFFICE'
          acct_name : *
            acct_name : 'ianc'
          full_name : NULL
          homedir : *
            homedir : '/home/%D/%U'
          shell : *
            shell : '/bin/bash'
          uid : 0x000000000030d97f (3201407)
          primary_gid : 0x00000000ffffffff (4294967295)
          primary_group_name : NULL
          user_sid : <RED>-1407
          group_sid : <RED>-513
[2019/04/10 10:09:48.043212, 1, pid=15234, effective(0, 0), real(0, 0), class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug)
  wbint_GetNssInfo: struct wbint_GetNssInfo
    out: struct wbint_GetNssInfo
      info : *
        info: struct wbint_userinfo
          domain_name : *
            domain_name : 'JEOFFICE'
          acct_name : *
            acct_name : 'ianc'
          full_name : NULL
          homedir : *
            homedir : '/home/%D/%U'
          shell : *
            shell : '/bin/bash'
          uid : 0x000000000030d97f (3201407)
          primary_gid : 0x00000000ffffffff (4294967295)
          primary_group_name : NULL
          user_sid : <RED>-1407
          group_sid : <RED>-513
      result : NT_STATUS_REQUEST_NOT_ACCEPTED

Is this last "NT_STATUS_REQUEST_NOT_ACCEPTED" maybe the problem?

I will quickly glance at apparmor

> Rowland
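
A level-10 winbindd dump like the one in the last message is easier to triage once each NDR call is reduced to its function, direction and result. The Python below is an added example, not part of the thread and not Samba code: parse_calls and findings are hypothetical names, SAMPLE is a constructed re-layout of two entries from the posted log, and treating 0xffffffff as an unset id is an assumption.

```python
import re

# Constructed sample: two entries from the post, as header line + indented body.
SAMPLE = """\
[2019/04/10 10:09:48.041954,  1, pid=15234, effective(0, 0), real(0, 0), class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug)
  wbint_LookupSid: struct wbint_LookupSid
    out: struct wbint_LookupSid
        name : 'ianc'
      result : NT_STATUS_OK
[2019/04/10 10:09:48.043212,  1, pid=15234, effective(0, 0), real(0, 0), class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug)
  wbint_GetNssInfo: struct wbint_GetNssInfo
    out: struct wbint_GetNssInfo
      info : *
        info: struct wbint_userinfo
          uid : 0x000000000030d97f (3201407)
          primary_gid : 0x00000000ffffffff (4294967295)
      result : NT_STATUS_REQUEST_NOT_ACCEPTED
"""

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*\d+, pid=(?P<pid>\d+),")
STRUCT = re.compile(r"^\s*(\w+): struct (\w+)\s*$")
FIELD = re.compile(r"^\s*(\w+)\s*: (?!\*\s*$)(.+?)\s*$")  # skips "name : *" pointer markers
UNSET_ID = 0xFFFFFFFF  # (gid_t)-1 on Linux; treated here as "no id" (assumption)

def parse_calls(text):
    """One dict per NDR dump: ts, pid, fn, dir ('in'/'out') and leaf fields."""
    calls = []
    for line in text.splitlines():
        if (m := HEADER.match(line)):
            calls.append({"ts": m["ts"], "pid": int(m["pid"]), "fields": {}})
        elif calls and (m := STRUCT.match(line)):
            if m[1] == m[2]:              # "wbint_X: struct wbint_X" names the call
                calls[-1]["fn"] = m[1]
            elif m[1] in ("in", "out"):   # request or reply
                calls[-1]["dir"] = m[1]
        elif calls and (m := FIELD.match(line)):
            calls[-1]["fields"][m[1]] = m[2]
    return [c for c in calls if "fn" in c]  # drop non-NDR log entries

def findings(calls):
    """Flag replies that failed or that still carry an unset uid/gid."""
    out = []
    for c in (c for c in calls if c.get("dir") == "out"):
        f = c["fields"]
        if f.get("result", "NT_STATUS_OK") != "NT_STATUS_OK":
            out.append((c["ts"], c["fn"], "result", f["result"]))
        out += [(c["ts"], c["fn"], k, "unset") for k in ("uid", "primary_gid")
                if k in f and int(f[k].split()[0], 16) == UNSET_ID]
    return out
```

Run findings(parse_calls(open(path).read())) over a real log file to list only the replies worth reading in full; the output narrows where to look and does not by itself identify the cause of the chown failure.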