Hi,

We migrated to AD account in a Ubuntu 16.04 (Samba 4.3.11) and came across issues
with user shares. Some of the users were able to access the shares and some were
not.

The server in question has both AD and File and we followed the samba wiki to
enable the Windows ACL.

To migrate, we ran the following:
samba-tool domain classicupgrade --dbdir=/var/lib/samba.PDC/dbdir
--realm=lin.GROUP --dns-backend=BIND9_DLZ /etc/samba.PDC/smb.PDC.conf
--use-ntvfs

We had to use the ntvfs as we got the "Your filesystem or build does not support
posix ACLs, which s3fs requires. Try the mounting the filesystem with the
'acl' option."

The smbd -b | grep HAVE_LIBACL gave HAVE_LIBACL
A user with the issue has the following
uid=1091(chel) gid=1091(cheryl)
groups=1091(cheryl),1002(domainusers),1004(lin),1009(workshop),1017(deptfin),1057(skillsdb),1058(incidentdb),1059(hrdb),1079(deptlegal),1086(depteng),1109(deptivolve),1117(deptsop),1119(deptjelldb),1169(depttraining),1170(deptshms),100(users),3000002(lin\ocetest)
The bit at the end, ocetest is not even a group, it is a user
One of the shares is the netlogon; getfacl gives
# file: var/lib/samba/sysvol/lin.group/scripts/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
The other one is a file share
# file: zones/827be14a-ffda-60f5-f7f9-b260c6cab739/data/main/
# owner: root
# group: lin
user::rwx
group::r-x
other::r-x
The home drive has
# file: zones/827be14a-ffda-60f5-f7f9-b260c6cab739/data/home/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
When we use the following smb.conf file the user is not even able to see any
shares
# Global parameters
[global]
workgroup = lin
realm = lin.GROUP
netbios name = DOZER5
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
log file = /var/log/samba/log.%m
log level = 4
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
acl allow execute always = True
server services = -dns
allow dns updates = nonsecure
idmap config * : backend = tdb
idmap config * : range = 4000-7999
idmap config lin:backend = ad
idmap config lin:schema_mode = rfc2307
idmap config lin:range = 10000-999999
full_audit:priority = notice
full_audit:facility = local5
full_audit:success = mkdir rmdir read pread write pwrite rename unlink
full_audit:failure = none
full_audit:prefix = %u|%I|%S
[netlogon]
path = /var/lib/samba/sysvol/lin.group/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
But when we use the default smb.conf file (i.e. created by AD), the users can see
the sysvol but not access it:
# Global parameters
[global]
workgroup = lin
realm = lin.GROUP
netbios name = DOZER5
server role = active directory domain controller
server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate, smb
dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6,
backupkey, dnsserver, winreg, srvsvc
idmap_ldb:use rfc2307 = yes
posix:eadb = /var/lib/samba/private/eadb.tdb
[netlogon]
path = /var/lib/samba/sysvol/lin.group/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
Any assistance will be greatly appreciated.
Regards,
Praveen Ghimire
On Thu, 11 Apr 2019 12:05:13 +0000 Praveen Ghimire via samba <samba at lists.samba.org> wrote:

> Hi,
>
> We migrated to AD account in a Ubuntu 16.04 (Samba 4.3.11) and came
> across issues with user shares. Some of the users were able to access
> the shares and some were not.

Can I suggest you migrate again, this time to Ubuntu 18.04, this will get
you a supported (by Samba) version.

> The server in question has both AD and File and we followed the samba
> wiki to enable the Windows ACL
>
> To migrate, we ran the following
> samba-tool domain classicupgrade --dbdir=/var/lib/samba.PDC/dbdir
> --realm=lin.GROUP --dns-backend=BIND9_DLZ /etc/samba.PDC/smb.PDC.conf
> --use-ntvfs
>
> We had to use the ntvfs as we got the "Your filesystem or build does
> not support posix ACLs, which s3fs requires. Try the mounting the
> filesystem with the 'acl' option."

Which filesystem are you using? Most support ACLs by default; have you
installed the acl & xattr packages? Whatever your problem is, you need to
fix it; ntvfs is now only used in testing and isn't built by default,
this happened at Samba 4.5.0.

> The smbd -b | grep HAVE_LIBACL gave HAVE_LIBACL
>
> A user with the issue has the following
> uid=1091(chel) gid=1091(cheryl)
> groups=1091(cheryl),1002(domainusers),1004(lin),1009(workshop),1017(deptfin),1057(skillsdb),1058(incidentdb),1059(hrdb),1079(deptlegal),1086(depteng),1109(deptivolve),1117(deptsop),1119(deptjelldb),1169(depttraining),1170(deptshms),100(users),3000002(lin\ocetest)
> The bit at the end, ocetest is not even a group, it is a user

I bet it is a group as well ;-)

> winbind enum users = yes
> winbind enum groups = yes

Whilst you can use the above two lines on any Samba server, you should
only use them for testing purposes.

> winbind nss info = rfc2307
> idmap config * : backend = tdb
> idmap config * : range = 4000-7999
> idmap config lin:backend = ad
> idmap config lin:schema_mode = rfc2307
> idmap config lin:range = 10000-999999

You need to remove the above lines, they are only used on a Unix domain
member.

Rowland
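As an added example (not code from the thread, and not a Samba tool), the following POSIX shell script applies Rowland's advice mechanically: when an smb.conf declares "server role = active directory domain controller", it flags the [global] keys his reply says belong only on a Unix domain member (winbind nss info and every idmap config line) or only in testing (winbind enum users/groups). It assumes a plain "key = value" smb.conf and flags only the key names taken from his reply; the two sample files are constructed from the configs quoted in this thread.

```shell
#!/bin/sh
# Added example: lint an smb.conf for domain-member settings on a DC.
# Assumes a plain "key = value" smb.conf with [section] headers.

# Print the [global] "server role" of an smb.conf, lowercased, or "unknown".
smbconf_role() {
    awk -F'=' '
        /^[[:space:]]*\[/ { s = $0; sub(/^[[:space:]]*\[/, "", s); i = index(s, "]")
                            sect = tolower(substr(s, 1, i - 1)); gsub(/[[:space:]]/, "", sect); next }
        /^[[:space:]]*[#;]/ || NF < 2 { next }
        sect == "global" {
            key = tolower($1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            if (key == "server role") {
                val = tolower($2); gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
                print val; found = 1; exit
            }
        }
        END { if (!found) print "unknown" }
    ' "$1"
}

# Print one warning per offending [global] key when the file is a DC config.
# Returns 1 if anything was flagged, 0 otherwise. A non-DC role returns 0
# untouched: on a domain member these settings are exactly what you want.
dc_config_warnings() {
    conf="$1"
    [ "$(smbconf_role "$conf")" = "active directory domain controller" ] || return 0
    awk -F'=' '
        /^[[:space:]]*\[/ { s = $0; sub(/^[[:space:]]*\[/, "", s); i = index(s, "]")
                            sect = tolower(substr(s, 1, i - 1)); gsub(/[[:space:]]/, "", sect); next }
        /^[[:space:]]*[#;]/ || NF < 2 { next }
        sect == "global" {
            key = tolower($1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            if (key ~ /^idmap config / || key == "winbind nss info") {
                print "domain-member-only: " key; n++
            } else if (key == "winbind enum users" || key == "winbind enum groups") {
                print "testing-only: " key; n++
            }
        }
        END { exit (n > 0) }
    ' "$conf"
}

SAMPLE_DIR=$(mktemp -d)
DC_BAD_CONF="$SAMPLE_DIR/smb-dc-with-member-settings.conf"
DC_OK_CONF="$SAMPLE_DIR/smb-dc-default.conf"

# Constructed sample 1: the first smb.conf quoted in the thread (DC role
# plus the domain-member idmap/winbind lines Rowland said to remove).
cat > "$DC_BAD_CONF" <<'EOF'
# Global parameters
[global]
    workgroup = lin
    realm = lin.GROUP
    netbios name = DOZER5
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
    winbind nss info = rfc2307
    winbind enum users = yes
    winbind enum groups = yes
    server services = -dns
    idmap config * : backend = tdb
    idmap config * : range = 4000-7999
    idmap config lin:backend = ad
    idmap config lin:schema_mode = rfc2307
    idmap config lin:range = 10000-999999
[netlogon]
    path = /var/lib/samba/sysvol/lin.group/scripts
    read only = No
EOF

# Constructed sample 2: the provisioning-generated smb.conf from the thread.
cat > "$DC_OK_CONF" <<'EOF'
# Global parameters
[global]
    workgroup = lin
    realm = lin.GROUP
    netbios name = DOZER5
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
    posix:eadb = /var/lib/samba/private/eadb.tdb
[sysvol]
    path = /var/lib/samba/sysvol
    read only = No
EOF

# Usage: the first file prints eight flagged keys and exits 1, the second
# prints nothing and exits 0.
dc_config_warnings "$DC_BAD_CONF" || echo "==> $DC_BAD_CONF needs cleaning before use on a DC"
dc_config_warnings "$DC_OK_CONF" && echo "==> $DC_OK_CONF is clean"
```

Note that idmap_ldb:use rfc2307 is deliberately not flagged: it is the DC-side setting from the provisioning-generated file, and only the "idmap config ..." family is domain-member configuration.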
Hi Rowland,

Thank you for that. We did the testing in a VMware VM; the actual production box is hosted in SmartOS. We didn't encounter the issues during testing.

I am pretty sure it is not a group, it is a user. When I check the AD, I see it as a user. The user with the issue doesn't have that listed in the "members of" section.

With the idmap stuff, the server in question is both DC and file server, so I thought we needed the idmap config.

With the ACLs, I read the following wiki article: "If you must use the Samba DC as a fileserver, you should be aware that the auto-enabled acl_xattr virtual file system (VFS) object enables you to only configure shares with Windows access control lists (ACL). Using POSIX ACLs with shares on a Samba DC does not work." However, the document mentions not to add it to the config in the DC. Does it mean we need to change the share permissions to something like chown root:"Domain Admins" /srv/samba/Demo? Including the sysvol?

What about the smb.conf file? Do we leave it with just server role = active directory domain controller?

We had to roll back (reverted the tdb files and smb.conf) due to the issues; we only had a few test machines online during the testing. Then we found the same issues with users in the non-AD server. The users had no issue with the shares previously.

Sorry about the long email, has been a long day.

Regards,
Praveen Ghimire

-----Original Message-----
From: Rowland Penny [mailto:rpenny at samba.org]
Sent: Thursday, 11 April 2019 11:14 PM
To: samba at lists.samba.org
Cc: Praveen Ghimire
Subject: Re: [Samba] AD migration issues
Hi Rowland,

Just a quick summary: we had to roll back the AD migration due to some users having issues accessing the shares post the migration. They were getting "server couldn't be found", using both hostname and IP. It wouldn't even show the shares available in the server. Some users had no issues, which is the puzzling bit.

Re the OS and file system: I had a look at the following document regarding the file system support. It mentions something like adding posix:eadb = /usr/local/samba/private/eadb.tdb to the smb.conf file
https://wiki.samba.org/index.php/File_System_Support

As mentioned, we got the following during the migration:
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: Your filesystem or build does not support posix ACLs, which s3fs requires. Try the mounting the filesystem with the 'acl' option.

I then put the old tdb files back on /var/lib/samba and re-ran the migration with the ntvfs flag. Could that have caused issues with share access? But having said that, post the migration some users had no issues accessing the shares.

Re the packages: I followed the following to install the required files for Ubuntu and it does include the acl and attr packages
https://wiki.samba.org/index.php/Package_Dependencies_Required_to_Build_Samba

Let me just explain what I have added to the migration script:
- Because some of the unix groups are not in Samba, we're adding them just before the migration steps. This is because we found that if the groups are not present pre-migration, they are not migrated, which I would expect.
  net groupmap add ntgroup="abcd" unixgroup="abcd"
- Then we remove the well-known groups (domain admins and domain users)
- Then perform the migration based on the main Samba Migration wiki page using Bind9_DLZ
- Then we set up the krb5 and test Kerberos
- Then configure and populate DNS

The one question I have is we have users and groups defined in the /etc/passwd and /etc/group. The users and most of the groups are also in the tdb; do we manually remove them pre/post migration? In our test environment we left them in and didn't have access issues, possibly because nsswitch looks for files first then winbind.

The other issue we found is we seem to have hit a bug of the max 16 group membership; it came with sys_panic. When we run groups username we see fewer groups than when we do id username. It looks like a default group is added to the user, something like BUILTIN\users, is that normal?

Any thoughts?

Regards,
Praveen Ghimire

-----Original Message-----
From: Rowland Penny [mailto:rpenny at samba.org]
Sent: Thursday, 11 April 2019 11:14 PM
To: samba at lists.samba.org
Cc: Praveen Ghimire
Subject: Re: [Samba] AD migration issues
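As an added example (not code from the thread), here is a small POSIX shell check for the 16-group problem the last message raises: it counts the groups in a line of id output and compares the total with the kernel's NGROUPS_MAX, which is read with the standard getconf NGROUPS_MAX. The input is the id output quoted earlier in the thread, embedded as a constructed sample; the 16 used in the comparison is the limit the poster mentions, not a value measured on his host.

```shell
#!/bin/sh
# Added example: compare a user's group count from `id` with NGROUPS_MAX.

# Print the number of groups listed after "groups=" in one line of id output.
id_group_count() {
    printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' | grep -c .
}

# Print each gid(name) entry on its own line, so the list can be compared
# by eye with the output of `groups <user>`.
id_group_list() {
    printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n'
}

# Compare the count with a limit ($2; default: getconf NGROUPS_MAX, falling
# back to 16 if getconf is unavailable). Returns 1 when the user is a member
# of more groups than the limit allows.
groups_over_limit() {
    limit="${2:-$(getconf NGROUPS_MAX 2>/dev/null || echo 16)}"
    n=$(id_group_count "$1")
    if [ "$n" -gt "$limit" ]; then
        echo "over: $n groups, limit $limit"
        return 1
    fi
    echo "ok: $n groups, limit $limit"
}

# Constructed input: the id output for the affected user, as quoted in the thread.
ID_LINE='uid=1091(chel) gid=1091(cheryl) groups=1091(cheryl),1002(domainusers),1004(lin),1009(workshop),1017(deptfin),1057(skillsdb),1058(incidentdb),1059(hrdb),1079(deptlegal),1086(depteng),1109(deptivolve),1117(deptsop),1119(deptjelldb),1169(depttraining),1170(deptshms),100(users),3000002(lin\ocetest)'

# Usage: with the poster's 16-group limit this reports "over: 17 groups"
# and exits 1; on a live box drop the second argument to use the kernel value.
id_group_list "$ID_LINE"
groups_over_limit "$ID_LINE" 16 || echo "==> trim memberships or raise the limit before relying on this user"
```

Running the same check with `id "$user"` as the input on the DC and on the file server is a quick way to see whether the extra BUILTIN group pushes an account over the limit on one host but not the other.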