samba - Aug 2019 - Permission Issue

Hi,

yes, I did.

I get the same results with "getent passwd testuser" on each node.

/etc/ctdb/nodes and /etc/ctdb/public_addresses is exactly the same on
each node

On each node sernet-samba/stretch,now 99:4.9.12-15 amd64 is installed

Yes, I read the documentation. It is strange, that another cluster in
another office configured that way is working perfect ;( The load is not
as high as the load here. But even here only 20 people are working on it
currently

Best

Bene


Am 29.08.19 um 12:36 schrieb Rowland penny via samba:
> On 29/08/2019 11:17, Benedikt Kale? via samba wrote:
> > Hi,
> >
> > I don't have the user root.
> >
> > No changes :( Sometimes a user gets permissions, sometimes not.
> >
> > This net conf is now running:
> >
> > [global]
> >  ??? winbind refresh tickets = Yes
> >  ??? winbind use default domain = yes
> >  ??? template shell = /bin/bash
> >  ??? idmap config * : range = 1000000 - 1999999
> >  ??? idmap config EXAMPLE : backend = rid
> >  ??? idmap config EXAMPLE : range = 500 - 200000
> >  ??? hide dot files = yes
> >  ??? server string = FileServer %h (Samba %v)
> >  ??? map acl inherit = yes
> >  ??? inherit permissions = yes
> >  ??? workgroup = ZFD
> >  ??? netbios name = CLUSTER-HO
> >  ??? clustering = yes
> >  ??? security = ads
> >  ??? realm = EXAMPLE.com
> >  ??? store dos attributes = Yes
> >  ??? log level = 3
> >  ??? vfs objects = acl_xattr
> >
> > [home]
> >  ??? comment = Home Directories
> >  ??? read only = no
> >  ??? browseable = yes
> >  ??? vfs objects = acl_xattr glusterfs
> >  ??? glusterfs:volume = gv-ho
> >  ??? glusterfs:logfile = /var/log/samba/glusterfs-gv-ho.log
> >  ??? glusterfs:loglevel = 3
> >  ??? glusterfs:volfile_server = gluster1 gluster3
> >  ??? kernel share modes = no
> >  ??? path = /
> >
> > [Fileshare]
> >  ??? comment = Fileshare
> >  ??? read only = no
> >  ??? vfs objects = acl_xattr glusterfs
> >  ??? glusterfs:volume = gv-ho
> >  ??? glusterfs:logfile = /var/log/samba/glusterfs-gv-ho.log
> >  ??? glusterfs:loglevel = 10
> >  ??? glusterfs:volfile_server = gluster1 gluster3
> >  ??? kernel share modes = no
> >  ??? path = /data/Files
> >
> > Does this error in log.smbd give a hint?
> >
> > [2019/08/29 12:14:24.765433,? 2]
../source3/smbd/open.c:4045(open_directory)
> >  ? open_directory: unable to create
> >
testuser/AppData/Roaming/Microsoft/Windows/Recent/AutomaticDestinations.
> > Error was NT_STATUS_OBJECT_NAME_COLLISION
> > [2019/08/29 12:14:24.765472,? 3]
> > ../source3/smbd/smb2_server.c:3214(smbd_smb2_request_error_ex)
> >  ? smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> > status[NT_STATUS_OBJECT_NAME_COLLISION] || at
> > ../source3/smbd/smb2_create.c:296
> > [2019/08/29 12:14:24.767517,? 2]
../source3/smbd/dosmode.c:136(unix_mode)
> >   
> >
unix_mode(testuser/AppData/Roaming/Microsoft/Windows/Recent/AutomaticDestinations/f18460fded109990.automaticDestinations-ms)
> > inheriting from
> >
testuser/AppData/Roaming/Microsoft/Windows/Recent/AutomaticDestinations
> > [2019/08/29 12:14:24.767603,? 2]
../source3/smbd/dosmode.c:161(unix_mode)
> >   
> >
unix_mode(testuser/AppData/Roaming/Microsoft/Windows/Recent/AutomaticDestinations/f18460fded109990.automaticDestinations-ms)
> > inherit mode 40770
> > [2019/08/29 12:14:24.767690,? 3]
> > ../source3/smbd/smb2_server.c:3214(smbd_smb2_request_error_ex)
> >  ? smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> > status[NT_STATUS_OBJECT_NAME_NOT_FOUND] || at
> > ../source3/smbd/smb2_create.c:296
> > [2019/08/29 12:14:35.232651,? 2]
> > ../source3/smbd/close.c:802(close_normal_file)
> >  ? ZFD\testuser closed file
> >
testuser/AppData/Roaming/Microsoft/Windows/Recent/CustomDestinations/f18460fded109990.customDestinations-ms
> > (numopen=26) NT_STATUS_OK
> >
> > Best regards
> >
> > Bene
> >
> >
> >
> Are you using the same Samba version & smb.conf on all ctdb cluster
members.
>
> If you run 'getent passwd testuser' on each cluster member, do you
get
> identical results ?
>  
> Rowland
>
>
>
-- 
?forumZFD
Entschieden f?r Frieden|Committed to Peace

Benedikt Kale?
Leiter Team IT|Head team IT

Forum Ziviler Friedensdienst e.V.|Forum Civil Peace Service
Am K?lner Brett 8 | 50825 K?ln | Germany  

Tel 0221 91273233 | Fax 0221 91273299 | 
http://www.forumZFD.de 

Vorstand nach ? 26 BGB, einzelvertretungsberechtigt|Executive Board:
Oliver Knabe (Vorsitz|Chair), Sonja Wiekenberg-Mlalandle, Alexander Mauz  
VR 17651 Amtsgericht K?ln

Spenden|Donations: IBAN DE37 3702 0500 0008 2401 01 BIC BFSWDE33XXX

Hi,

just to keep you updated:

The following trick seems to work for me:

1.) I stopped winbind on the cluster

2.) I deleted the cache: "net cash flush"

Afterwards the result for "id testuser" was not quite the same like
the
result on the "old fileserver"

3.) I stopped the ctdb daemon

4.) I backuped /var/lib/samba/winbindd_cache.tdb on all nodes

5.) I restared all nodes

Afterwards the users get the appropriate permissions.

(On some clients the Credentials haveto be deleted too)

Best regards and thank you very much for your help again!

Bene

Am 29.08.19 um 13:03 schrieb Benedikt Kale? via samba:
> Hi,
>
> yes, I did.
>
> I get the same results with "getent passwd testuser" on each
node.
>
> /etc/ctdb/nodes and /etc/ctdb/public_addresses is exactly the same on
> each node
>
> On each node sernet-samba/stretch,now 99:4.9.12-15 amd64 is installed
>
> Yes, I read the documentation. It is strange, that another cluster in
> another office configured that way is working perfect ;( The load is not
> as high as the load here. But even here only 20 people are working on it
> currently
>
> Best
>
> Bene
>
>
> Am 29.08.19 um 12:36 schrieb Rowland penny via samba:
> > On 29/08/2019 11:17, Benedikt Kale? via samba wrote:
> > > Hi,
> > >
> > > I don't have the user root.
> > >
> > > No changes :( Sometimes a user gets permissions, sometimes not.
> > >
> > > This net conf is now running:
> > >
> > > [global]
> > >  ??? winbind refresh tickets = Yes
> > >  ??? winbind use default domain = yes
> > >  ??? template shell = /bin/bash
> > >  ??? idmap config * : range = 1000000 - 1999999
> > >  ??? idmap config EXAMPLE : backend = rid
> > >  ??? idmap config EXAMPLE : range = 500 - 200000
> > >  ??? hide dot files = yes
> > >  ??? server string = FileServer %h (Samba %v)
> > >  ??? map acl inherit = yes
> > >  ??? inherit permissions = yes
> > >  ??? workgroup = ZFD
> > >  ??? netbios name = CLUSTER-HO
> > >  ??? clustering = yes
> > >  ??? security = ads
> > >  ??? realm = EXAMPLE.com
> > >  ??? store dos attributes = Yes
> > >  ??? log level = 3
> > >  ??? vfs objects = acl_xattr
> > >
> > > [home]
> > >  ??? comment = Home Directories
> > >  ??? read only = no
> > >  ??? browseable = yes
> > >  ??? vfs objects = acl_xattr glusterfs
> > >  ??? glusterfs:volume = gv-ho
> > >  ??? glusterfs:logfile = /var/log/samba/glusterfs-gv-ho.log
> > >  ??? glusterfs:loglevel = 3
> > >  ??? glusterfs:volfile_server = gluster1 gluster3
> > >  ??? kernel share modes = no
> > >  ??? path = /
> > >
> > > [Fileshare]
> > >  ??? comment = Fileshare
> > >  ??? read only = no
> > >  ??? vfs objects = acl_xattr glusterfs
> > >  ??? glusterfs:volume = gv-ho
> > >  ??? glusterfs:logfile = /var/log/samba/glusterfs-gv-ho.log
> > >  ??? glusterfs:loglevel = 10
> > >  ??? glusterfs:volfile_server = gluster1 gluster3
> > >  ??? kernel share modes = no
> > >  ??? path = /data/Files
> > >
> > > Does this error in log.smbd give a hint?
> > >
> > > [2019/08/29 12:14:24.765433,? 2]
../source3/smbd/open.c:4045(open_directory)
> > >  ? open_directory: unable to create
> > >
testuser/AppData/Roaming/Microsoft/Windows/Recent/AutomaticDestinations.
> > > Error was NT_STATUS_OBJECT_NAME_COLLISION
> > > [2019/08/29 12:14:24.765472,? 3]
> > > ../source3/smbd/smb2_server.c:3214(smbd_smb2_request_error_ex)
> > >  ? smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> > > status[NT_STATUS_OBJECT_NAME_COLLISION] || at
> > > ../source3/smbd/smb2_create.c:296
> > > [2019/08/29 12:14:24.767517,? 2]
../source3/smbd/dosmode.c:136(unix_mode)
> > >   
> > >
unix_mode(testuser/AppData/Roaming/Microsoft/Windows/Recent/AutomaticDestinations/f18460fded109990.automaticDestinations-ms)
> > > inheriting from
> > >
testuser/AppData/Roaming/Microsoft/Windows/Recent/AutomaticDestinations
> > > [2019/08/29 12:14:24.767603,? 2]
../source3/smbd/dosmode.c:161(unix_mode)
> > >   
> > >
unix_mode(testuser/AppData/Roaming/Microsoft/Windows/Recent/AutomaticDestinations/f18460fded109990.automaticDestinations-ms)
> > > inherit mode 40770
> > > [2019/08/29 12:14:24.767690,? 3]
> > > ../source3/smbd/smb2_server.c:3214(smbd_smb2_request_error_ex)
> > >  ? smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> > > status[NT_STATUS_OBJECT_NAME_NOT_FOUND] || at
> > > ../source3/smbd/smb2_create.c:296
> > > [2019/08/29 12:14:35.232651,? 2]
> > > ../source3/smbd/close.c:802(close_normal_file)
> > >  ? ZFD\testuser closed file
> > >
testuser/AppData/Roaming/Microsoft/Windows/Recent/CustomDestinations/f18460fded109990.customDestinations-ms
> > > (numopen=26) NT_STATUS_OK
> > >
> > > Best regards
> > >
> > > Bene
> > >
> > >
> > >
> > Are you using the same Samba version & smb.conf on all ctdb
cluster members.
> >
> > If you run 'getent passwd testuser' on each cluster member, do
you get
> > identical results ?
> >  
> > Rowland
> >
> >
> >
-- 
?forumZFD
Entschieden f?r Frieden|Committed to Peace

Benedikt Kale?
Leiter Team IT|Head team IT

Forum Ziviler Friedensdienst e.V.|Forum Civil Peace Service
Am K?lner Brett 8 | 50825 K?ln | Germany  

Tel 0221 91273233 | Fax 0221 91273299 | 
http://www.forumZFD.de 

Vorstand nach ? 26 BGB, einzelvertretungsberechtigt|Executive Board:
Oliver Knabe (Vorsitz|Chair), Sonja Wiekenberg-Mlalandle, Alexander Mauz  
VR 17651 Amtsgericht K?ln

Spenden|Donations: IBAN DE37 3702 0500 0008 2401 01 BIC BFSWDE33XXX

Sorry, typing error ;) "net cache flush" of course.

2.) I deleted the cache: "net cash flush"

-- 
?forumZFD
Entschieden f?r Frieden|Committed to Peace

Benedikt Kale?
Leiter Team IT|Head team IT

Forum Ziviler Friedensdienst e.V.|Forum Civil Peace Service
Am K?lner Brett 8 | 50825 K?ln | Germany  

Tel 0221 91273233 | Fax 0221 91273299 | 
http://www.forumZFD.de 

Vorstand nach ? 26 BGB, einzelvertretungsberechtigt|Executive Board:
Oliver Knabe (Vorsitz|Chair), Sonja Wiekenberg-Mlalandle, Alexander Mauz  
VR 17651 Amtsgericht K?ln

Spenden|Donations: IBAN DE37 3702 0500 0008 2401 01 BIC BFSWDE33XXX