Hi,

I have an old Fileserver which is working correct:

This is the smb.conf:

[global]
    security = ads
    realm = EXAMPLE.COM
    workgroup = example
    winbind refresh tickets = Yes
    winbind use default domain = yes
    template shell = /bin/bash
    idmap config * : range = 1000000 - 1999999
    idmap config ZFD : backend = rid
    idmap config ZFD : range = 0 - 200000
    hide dotfiles = yes
    server string = Standalone server %h (Samba %v)
    store dos attributes = yes
    vfs objects = acl_xattr
    inherit permissions = Yes

Afterwards I set up the CTDB cluster and did an "rsync -alpAXvt" to copy
the data from the old Fileserver to the cluster

net conf list:

[global]
    winbind refresh tickets = Yes
    winbind use default domain = yes
    template shell = /bin/bash
    idmap config * : range = 1000000 - 1999999
    idmap config ZFD : backend = rid
    idmap config ZFD : range = 0 - 200000
    hide dot files = yes
    server string = forumZFD Daten server %h (Samba %v)
    map acl inherit = yes
    inherit permissions = yes
    workgroup = EXAMPLE
    netbios name = CLUSTER-HO
    clustering = yes
    security = ads
    realm = EXAMPLE.COM
    store dos attributes = Yes
    log level = 3

The users have often "permission denied" problems even though the
windows file explorer the group membership is shown and a gpresult /r
shows that membership. Sometimes everything works correct.

Best
Bene

On 29.08.19 at 10:49, Rowland penny via samba wrote:
> On 29/08/2019 09:36, Benedikt Kaleß via samba wrote:
> > Hi,
> >
> > sorry to bother you:
> >
> > I have three AD in the domain.
> >
> > They all deliver different IDs:
> >
> > root@addc2:~# id testuser
> > uid=3000155(EXAMPLE\testuser) gid=100(users)
> > Gruppen=100(users),3000155(EXAMPLE\testuser),3000036(EXAMPLE\TEAM1),3000014(EXAMPLE\geschäftsstelle),3000001(BUILTIN\users)
> >
> > root@addc3:~$ id testuser
> > uid=3000133(EXAMPLE\testuser) gid=100(users)
> > Gruppen=100(users),3000133(EXAMPLE\testuser),3000093(EXAMPLE\TEAM1),3000041(EXAMPLE\geschäftsstelle),3000007(BUILTIN\users)
> >
> > root@addc3:~# id testuser
> > uid=3000080(EXAMPLE\testuser) gid=100(users)
> > Gruppen=100(users),3000080(EXAMPLE\testuser),3000051(EXAMPLE\TEAM1),3000023(EXAMPLE\geschäftsstelle),3000001(BUILTIN\users)
> >
> That is quite correct for DCs, unless you sync idmap.ldb between them.
>
> In your first post there is a smb.conf, where is this from ?
>
> Rowland
>

-- 
forumZFD
Entschieden für Frieden|Committed to Peace

Benedikt Kaleß
Leiter Team IT|Head team IT

Forum Ziviler Friedensdienst e.V.|Forum Civil Peace Service
Am Kölner Brett 8 | 50825 Köln | Germany

Tel 0221 91273233 | Fax 0221 91273299 | http://www.forumZFD.de

Vorstand nach § 26 BGB, einzelvertretungsberechtigt|Executive Board:
Oliver Knabe (Vorsitz|Chair), Sonja Wiekenberg-Mlalandle, Alexander Mauz
VR 17651 Amtsgericht Köln

Spenden|Donations: IBAN DE37 3702 0500 0008 2401 01 BIC BFSWDE33XXX

On 29/08/2019 09:58, Benedikt Kaleß via samba wrote:
> Hi,
>
> I have an old Fileserver which is working correct:
>
> This is the smb.conf:
>
> [global]
>     security = ads
>     realm = EXAMPLE.COM
>     workgroup = example
>     winbind refresh tickets = Yes
>     winbind use default domain = yes
>     template shell = /bin/bash
>     idmap config * : range = 1000000 - 1999999
>     idmap config ZFD : backend = rid
>     idmap config ZFD : range = 0 - 200000
>     hide dotfiles = yes
>     server string = Standalone server %h (Samba %v)
>     store dos attributes = yes
>     vfs objects = acl_xattr
>     inherit permissions = Yes
>
> Afterwards I set up the CTDB cluster and did an "rsync -alpAXvt" to copy
> the data from the old Fileserver to the cluster
>
> net conf list:
>
> [global]
>     winbind refresh tickets = Yes
>     winbind use default domain = yes
>     template shell = /bin/bash
>     idmap config * : range = 1000000 - 1999999
>     idmap config ZFD : backend = rid
>     idmap config ZFD : range = 0 - 200000
>     hide dot files = yes
>     server string = forumZFD Daten server %h (Samba %v)
>     map acl inherit = yes
>     inherit permissions = yes
>     workgroup = EXAMPLE
>     netbios name = CLUSTER-HO
>     clustering = yes
>     security = ads
>     realm = EXAMPLE.COM
>     store dos attributes = Yes
>     log level = 3
>
> The users have often "permission denied" problems even though the
> windows file explorer the group membership is shown and a gpresult /r
> shows that membership. Sometimes everything works correct.
>

I think I understand this, the first smb.conf is from the original
fileserver, the second is from the cluster, if this is the case, we can
ignore the first smb.conf.

Are the DCs involved in the ctdb cluster, apart from providing
authentication ?

Do you have a user called 'root' in AD ? if so, remove it.

Change this:

    idmap config ZFD : range = 0 - 200000

to this:

    idmap config ZFD : range = 500 - 200000

Add:

    vfs objects = acl_xattr

Rowland

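A small linter for the points raised in the reply above (a domain idmap range that starts below 500, acl_xattr missing from vfs objects), with two related checks added here: overlapping idmap ranges and a workgroup that has no idmap config lines of its own. This is an added example, not part of the thread; `parse_global`, `lint`, the `min_low` default and the sample text are constructed for illustration, and the workgroup check assumes the name in `idmap config NAME` is the domain's short (workgroup) name.

```python
import re
# Constructed sample, modelled on the cluster's "net conf list" output in the thread.
SAMPLE = """\
[global]
    idmap config * : range = 1000000 - 1999999
    idmap config ZFD : backend = rid
    idmap config ZFD : range = 0 - 200000
    workgroup = EXAMPLE
"""
IDMAP = re.compile(r"idmap config\s+(\S+)\s*:\s*(\S+)$", re.I)

def parse_global(text):
    """Return ({param: value}, {idmap_domain: {option: value}}) for [global]."""
    params, idmap, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        m = IDMAP.match(key)
        if m:
            idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = value
        else:
            params[key.lower()] = value
    return params, idmap

def lint(text, min_low=500):
    """min_low=500 is the lower bound suggested in the reply (hypothetical default)."""
    params, idmap = parse_global(text)
    ranges = {d: tuple(int(x) for x in o["range"].split("-"))
              for d, o in idmap.items() if "range" in o}
    findings = [f"{d}: range starts at {lo}, below {min_low}"
                for d, (lo, _) in ranges.items() if d != "*" and lo < min_low]
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"{a} and {b}: idmap ranges overlap")
    wg = params.get("workgroup", "").upper()
    if wg and wg not in idmap:
        findings.append(f"workgroup {wg} has no matching 'idmap config {wg}' lines")
    if "acl_xattr" not in params.get("vfs objects", "").split():
        findings.append("[global] vfs objects does not include acl_xattr")
    return findings
```

Feeding it the text printed by `net conf list` (or the contents of smb.conf) returns a list of findings; an empty list means none of the four checks fired.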
Hi,

I don't have the user root.

No changes :(

Sometimes a user gets permissions, sometimes not.

This net conf is now running:

[global]
    winbind refresh tickets = Yes
    winbind use default domain = yes
    template shell = /bin/bash
    idmap config * : range = 1000000 - 1999999
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 500 - 200000
    hide dot files = yes
    server string = FileServer %h (Samba %v)
    map acl inherit = yes
    inherit permissions = yes
    workgroup = ZFD
    netbios name = CLUSTER-HO
    clustering = yes
    security = ads
    realm = EXAMPLE.com
    store dos attributes = Yes
    log level = 3
    vfs objects = acl_xattr

[home]
    comment = Home Directories
    read only = no
    browseable = yes
    vfs objects = acl_xattr glusterfs
    glusterfs:volume = gv-ho
    glusterfs:logfile = /var/log/samba/glusterfs-gv-ho.log
    glusterfs:loglevel = 3
    glusterfs:volfile_server = gluster1 gluster3
    kernel share modes = no
    path = /

[Fileshare]
    comment = Fileshare
    read only = no
    vfs objects = acl_xattr glusterfs
    glusterfs:volume = gv-ho
    glusterfs:logfile = /var/log/samba/glusterfs-gv-ho.log
    glusterfs:loglevel = 10
    glusterfs:volfile_server = gluster1 gluster3
    kernel share modes = no
    path = /data/Files

Does this error in log.smbd give a hint?

[2019/08/29 12:14:24.765433,  2] ../source3/smbd/open.c:4045(open_directory)
  open_directory: unable to create testuser/AppData/Roaming/Microsoft/Windows/Recent/AutomaticDestinations. Error was NT_STATUS_OBJECT_NAME_COLLISION
[2019/08/29 12:14:24.765472,  3] ../source3/smbd/smb2_server.c:3214(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_OBJECT_NAME_COLLISION] || at ../source3/smbd/smb2_create.c:296
[2019/08/29 12:14:24.767517,  2] ../source3/smbd/dosmode.c:136(unix_mode)
  unix_mode(testuser/AppData/Roaming/Microsoft/Windows/Recent/AutomaticDestinations/f18460fded109990.automaticDestinations-ms) inheriting from testuser/AppData/Roaming/Microsoft/Windows/Recent/AutomaticDestinations
[2019/08/29 12:14:24.767603,  2] ../source3/smbd/dosmode.c:161(unix_mode)
  unix_mode(testuser/AppData/Roaming/Microsoft/Windows/Recent/AutomaticDestinations/f18460fded109990.automaticDestinations-ms) inherit mode 40770
[2019/08/29 12:14:24.767690,  3] ../source3/smbd/smb2_server.c:3214(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_OBJECT_NAME_NOT_FOUND] || at ../source3/smbd/smb2_create.c:296
[2019/08/29 12:14:35.232651,  2] ../source3/smbd/close.c:802(close_normal_file)
  ZFD\testuser closed file testuser/AppData/Roaming/Microsoft/Windows/Recent/CustomDestinations/f18460fded109990.customDestinations-ms (numopen=26) NT_STATUS_OK

Best regards
Bene

On 29.08.19 at 11:17, Rowland penny via samba wrote:
> On 29/08/2019 09:58, Benedikt Kaleß via samba wrote:
> > Hi,
> >
> > I have an old Fileserver which is working correct:
> >
> > This is the smb.conf:
> >
> > [global]
> >     security = ads
> >     realm = EXAMPLE.COM
> >     workgroup = example
> >     winbind refresh tickets = Yes
> >     winbind use default domain = yes
> >     template shell = /bin/bash
> >     idmap config * : range = 1000000 - 1999999
> >     idmap config ZFD : backend = rid
> >     idmap config ZFD : range = 0 - 200000
> >     hide dotfiles = yes
> >     server string = Standalone server %h (Samba %v)
> >     store dos attributes = yes
> >     vfs objects = acl_xattr
> >     inherit permissions = Yes
> >
> > Afterwards I set up the CTDB cluster and did an "rsync -alpAXvt" to copy
> > the data from the old Fileserver to the cluster
> >
> > net conf list:
> >
> > [global]
> >     winbind refresh tickets = Yes
> >     winbind use default domain = yes
> >     template shell = /bin/bash
> >     idmap config * : range = 1000000 - 1999999
> >     idmap config ZFD : backend = rid
> >     idmap config ZFD : range = 0 - 200000
> >     hide dot files = yes
> >     server string = forumZFD Daten server %h (Samba %v)
> >     map acl inherit = yes
> >     inherit permissions = yes
> >     workgroup = EXAMPLE
> >     netbios name = CLUSTER-HO
> >     clustering = yes
> >     security = ads
> >     realm = EXAMPLE.COM
> >     store dos attributes = Yes
> >     log level = 3
> >
> > The users have often "permission denied" problems even though the
> > windows file explorer the group membership is shown and a gpresult /r
> > shows that membership. Sometimes everything works correct.
> >
> I think I understand this, the first smb.conf is from the original
> fileserver, the second is from the cluster, if this is the case, we can
> ignore the first smb.conf.
>
> Are the DCs involved in the ctdb cluster, apart from providing
> authentication ?
>
> Do you have a user called 'root' in AD ? if so, remove it.
>
> Change this:
>
>     idmap config ZFD : range = 0 - 200000
>
> to this:
>
>     idmap config ZFD : range = 500 - 200000
>
> Add:
>
>     vfs objects = acl_xattr
>
> Rowland
>