Eric
2020-Feb-24 14:03 UTC
[Samba] Client station file permission behavior changes after a week or so
Sorry, but I didn't really know how to word this.

I have Univention Corporate server running as AD DC, with a UCS running as a member fileserver.

One win10 client has file permission issues after lack of reboot or logout/login in roughly a week's time. Symptom = can't write to shares even though permissions are correct. Sometimes files are created without honoring default ACL. Could this be due to Kerberos tickets expiring? I don't want to change the below without knowing the impact.

winbind refresh tickets = No

I'm not sure if this is limited to one client as the other five clients shut down more regularly.

What diagnostic steps can I take when the symptom occurs?

DC1 smb.conf, samba = Version 4.10.1-Univention

[global]
    bind interfaces only = Yes
    deadtime = 15
    debug pid = Yes
    domain master = Yes
    interfaces = lo ens3
    ldap server require strong auth = allow_sasl_over_tls
    logging = file
    logon drive = I:
    logon home = \\DC01\%U
    logon path = \\DC01\%U\windows-profiles\%a
    machine password timeout = 0
    map to guest = Bad User
    max log size = 0
    max open files = 32808
    max xmit = 65535
    name resolve order = wins host bcast
    obey pam restrictions = Yes
    passdb backend = samba_dsdb
    passwd chat = *New*password* %n\n *Re-enter*new*password* %n\n *password*changed*
    preferred master = Yes
    realm = KIDDLAW.LAN
    server role = active directory domain controller
    server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    server string = Univention Corporate Server
    template homedir = /home/%D-%U
    template shell = /bin/bash
    tls cafile = /etc/univention/ssl/ucsCA/CAcert.pem
    tls certfile = /etc/univention/ssl/DC01.kiddlaw.lan/cert.pem
    tls keyfile = /etc/univention/ssl/DC01.kiddlaw.lan/private.key
    tls verify peer = ca_and_name
    usershare max shares = 0
    winbind separator = +
    wins support = Yes
    workgroup = KIDDLAW
    rpc_server:tcpip = no
    rpc_daemon:spoolssd = embedded
    rpc_server:spoolss = embedded
    rpc_server:winreg = embedded
    rpc_server:ntsvcs = embedded
    rpc_server:eventlog = embedded
    rpc_server:srvsvc = embedded
    rpc_server:svcctl = embedded
    rpc_server:default = external
    winbindd:use external pipes = true
    acl:search = no
    spoolss: architecture = Windows x64
    idmap config * : range = 300000-400000
    kccsrv:samba_kcc = False
    dsdb:schema update allowed = no
    nmbd_proxy_logon:cldap_server = 127.0.0.1
    server role check:inhibit = yes
    idmap config * : backend = tdb
    acl allow execute always = Yes
    admin users = administrator join-backup
    include = /etc/samba/base.conf
    kernel oplocks = Yes
    map archive = No
    vfs objects = dfs_samba4 acl_xattr

[netlogon]
    case sensitive = No
    comment = Domain logon service
    path = /var/lib/samba/sysvol/kiddlaw.lan/scripts
    read only = No

[sysvol]
    acl xattr update mtime = Yes
    case sensitive = No
    path = /var/lib/samba/sysvol
    read only = No

[homes]
    browseable = No
    comment = Heimatverzeichnisse
    create mask = 0700
    directory mask = 0700
    hide files = /windows-profiles/
    read only = No
    vfs objects = acl_xattr

[printers]
    browseable = No
    comment = Drucker
    create mask = 0700
    path = /tmp
    printable = Yes

[print$]
    comment = Printer Drivers
    include = /etc/samba/shares.conf
    path = /var/lib/samba/drivers
    read only = No
    write list = root Administrator @Printer-Admins

Fileserver smb.conf, samba = Version 4.10.1-Univention

[global]
    bind interfaces only = Yes
    deadtime = 15
    debug pid = Yes
    interfaces = lo ens3
    ldap server require strong auth = allow_sasl_over_tls
    logging = file
    logon drive = I:
    logon home = \\FS01\%U
    logon path = \\FS01\%U\windows-profiles\%a
    machine password timeout = 0
    map to guest = Bad User
    max log size = 0
    max open files = 32808
    max xmit = 65535
    name resolve order = wins host bcast
    obey pam restrictions = Yes
    passdb backend = samba_dsdb
    passwd chat = *New*password* %n\n *Re-enter*new*password* %n\n *password*changed*
    preferred master = Yes
    printcap name = cups
    realm = KIDDLAW.LAN
    server role = active directory domain controller
    server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    server string = Univention Corporate Server
    template homedir = /home/%D-%U
    template shell = /bin/bash
    tls cafile = /etc/univention/ssl/ucsCA/CAcert.pem
    tls certfile = /etc/univention/ssl/FS01.kiddlaw.lan/cert.pem
    tls keyfile = /etc/univention/ssl/FS01.kiddlaw.lan/private.key
    tls verify peer = ca_and_name
    usershare max shares = 0
    winbind separator = +
    workgroup = KIDDLAW
    rpc_server:tcpip = no
    rpc_daemon:spoolssd = embedded
    rpc_server:spoolss = embedded
    rpc_server:winreg = embedded
    rpc_server:ntsvcs = embedded
    rpc_server:eventlog = embedded
    rpc_server:srvsvc = embedded
    rpc_server:svcctl = embedded
    rpc_server:default = external
    winbindd:use external pipes = true
    acl:search = no
    spoolss: architecture = Windows x64
    idmap config * : range = 300000-400000
    kccsrv:samba_kcc = False
    dsdb:schema update allowed = no
    nmbd_proxy_logon:cldap_server = 127.0.0.1
    server role check:inhibit = yes
    idmap config * : backend = tdb
    acl allow execute always = Yes
    admin users = administrator join-backup
    include = /etc/samba/base.conf
    kernel oplocks = Yes
    map archive = No
    vfs objects = dfs_samba4 acl_xattr

[netlogon]
    case sensitive = No
    comment = Domain logon service
    path = /var/lib/samba/sysvol/kiddlaw.lan/scripts
    read only = No

[sysvol]
    acl xattr update mtime = Yes
    case sensitive = No
    path = /var/lib/samba/sysvol
    read only = No

[homes]
    browseable = No
    comment = Heimatverzeichnisse
    create mask = 0700
    directory mask = 0700
    hide files = /windows-profiles/
    read only = No
    vfs objects = acl_xattr

[printers]
    browseable = No
    comment = Drucker
    create mask = 0700
    path = /tmp
    printable = Yes

[print$]
    comment = Printer Drivers
    include = /etc/samba/shares.conf.d/sharedData
    path = /var/lib/samba/drivers
    read only = No
    write list = root Administrator @Printer-Admins

[sharedData]
    access based share enum = Yes
    hide unreadable = Yes
    path = /srv/shares/sharedData
    read only = No
    veto files = /.Trashes/._*/.DS_Store/
    vfs objects = acl_xattr full_audit

Thanks in advance!

Eric
Rowland penny
2020-Feb-24 14:27 UTC
[Samba] Client station file permission behavior changes after a week or so
On 24/02/2020 14:03, Eric via samba wrote:
> Sorry, but I didn't really know how to word this.
>
> I have Univention Corporate server running as AD DC, with a UCS running
> as a member fileserver.
>
> One win10 client has file permission issues after lack of reboot or
> logout/login in roughly a week's time. Symptom = can't write to shares
> even though permissions are correct. Sometimes files are created without
> honoring default ACL. Could this be due to Kerberos tickets expiring?
> I don't want to change the below without knowing the impact.
>
> winbind refresh tickets = No
>
> I'm not sure if this is limited to one client as the other five clients
> shut down more regularly.
>
> What diagnostic steps can I take when the symptom occurs?
>
> DC1 smb.conf, samba = Version 4.10.1-Univention
> [...]
> Fileserver smb.conf, samba = Version 4.10.1-Univention
> [...]
> Thanks in advance!
>
> Eric

Before I get deeply involved here, are the smb.conf files posted above the actual ones on disk, or are they the output of 'testparm'?

One fact I have gleaned is that you do not have a DC and a fileserver, you have two DCs.

Rowland
Eric
2020-Feb-25 00:46 UTC
[Samba] Client station file permission behavior changes after a week or so
Thanks Rowland.

Yes, I didn't even look to verify my fileserver is a DC. I must have debated a few times about the choice and forgot my last decision when installing.

I know it's not recommended to run a fileserver on an AD DC, but hopefully you can still offer some advice on troubleshooting. Maybe this isn't even an smb config issue. It could be Windows related???

Here is the actual smb.conf for my fileserver:

[global]
    debug level = 1
    logging = file
    max log size = 0
    netbios name = FS01
    server role = active directory domain controller
    name resolve order = wins host bcast
    server string = Univention Corporate Server
    server services = -dns -smb +s3fs -nbt
    server role check:inhibit = yes
    # use nmbd; to disable set samba4/service/nmb to s4
    nmbd_proxy_logon:cldap_server=127.0.0.1
    workgroup = KIDDLAW
    realm = KIDDLAW.LAN
    tls enabled = yes
    tls keyfile = /etc/univention/ssl/FS01.kiddlaw.lan/private.key
    tls certfile = /etc/univention/ssl/FS01.kiddlaw.lan/cert.pem
    tls cafile = /etc/univention/ssl/ucsCA/CAcert.pem
    tls verify peer = ca_and_name
    ldap server require strong auth = allow_sasl_over_tls
    dsdb:schema update allowed = no
    max open files = 32808
    interfaces = lo ens3
    bind interfaces only = yes
    ntlm auth = ntlmv2-only
    machine password timeout = 0
    acl allow execute always = True
    kccsrv:samba_kcc = False
    debug hirestimestamp = yes
    debug pid = yes
    winbind separator = +
    template shell = /bin/bash
    template homedir = /home/%D-%U
    idmap config * : backend = tdb
    idmap config * : range = 300000-400000
    passwd chat = *New*password* %n\n *Re-enter*new*password* %n\n *password*changed*
    obey pam restrictions = yes
    encrypt passwords = yes
    load printers = yes
    printing = cups
    printcap name = cups
    spoolss: architecture = Windows x64
    preferred master = yes
    local master = yes
    domain master = auto
    oplocks = yes
    large readwrite = yes
    read raw = yes
    write raw = yes
    max xmit = 65535
    acl:search = no
    host msdfs = yes
    kernel oplocks = yes
    deadtime = 15
    getwd cache = yes
    wide links = no
    store dos attributes = yes
    logon home = \\FS01\%U
    logon drive = I:
    logon path = \\FS01\%U\windows-profiles\%a
    preserve case = yes
    short preserve case = yes
    guest account = nobody
    map to guest = Bad User
    admin users = administrator join-backup
    usershare max shares = 0
    include = /etc/samba/base.conf
    include = /etc/samba/shares.conf

Here is /etc/samba/base.conf:

[netlogon]
    comment = Domain logon service
    path = /var/lib/samba/sysvol/kiddlaw.lan/scripts
    public = no
    preserve case = yes
    case sensitive = no
    vfs objects = dfs_samba4 acl_xattr
    read only = no

[sysvol]
    path = /var/lib/samba/sysvol
    public = no
    preserve case = yes
    case sensitive = no
    vfs objects = dfs_samba4 acl_xattr
    read only = no
    acl xattr update mtime = yes

[homes]
    comment = Heimatverzeichnisse
    hide files = /windows-profiles/
    browsable = no
    read only = no
    create mask = 0700
    directory mask = 0700
    vfs objects = acl_xattr

[printers]
    comment = Drucker
    browseable = no
    path = /tmp
    printable = yes
    public = no
    writable = no
    create mode = 0700

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/drivers
    browseable = yes
    guest ok = no
    read only = no
    write list = root, Administrator, @Printer-Admins

Here is /etc/samba/shares.conf:

include = /etc/samba/shares.conf.d/sharedData

Here is /etc/samba/shares.conf.d/sharedData:

[sharedData]
    path = /srv/shares/sharedData
    vfs objects = acl_xattr full_audit
    msdfs root = no
    writeable = yes
    browseable = yes
    public = no
    dos filemode = no
    hide unreadable = yes
    create mode = 0744
    directory mode = 0755
    force create mode = 00
    force directory mode = 00
    locking = 1
    blocking locks = 1
    strict locking = Auto
    oplocks = 1
    level2 oplocks = 1
    fake oplocks = 0
    csc policy = manual
    nt acl support = 1
    inherit acls = 0
    inherit owner = no
    inherit permissions = no
    access based share enum = yes
    hide dot files = yes
    veto files = /.Trashes/._*/.DS_Store/
Rowland penny
2020-Feb-25 08:59 UTC
[Samba] Client station file permission behavior changes after a week or so
On 25/02/2020 00:46, Eric via samba wrote:
> Yes, I didn't even look to verify my fileserver is a DC. I must have debated
> a few times about the choice and forgot my last decision when installing.
>
> I know it's not recommended to run a fileserver on an AD DC, but hopefully
> you can still offer some advice on troubleshooting.
>
OK, if they are as on disk, who added all the rubbish lines that, in my opinion, have no place in a Samba AD DC smb.conf?

Try this smb.conf:

[global]
    netbios name = FS01
    realm = KIDDLAW.LAN
    server role = active directory domain controller
    server services = -dns
    workgroup = KIDDLAW
    server string = Univention Corporate Server
    log level = 1
    logging = file
    tls keyfile = /etc/univention/ssl/FS01.kiddlaw.lan/private.key
    tls certfile = /etc/univention/ssl/FS01.kiddlaw.lan/cert.pem
    tls cafile = /etc/univention/ssl/ucsCA/CAcert.pem
    ldap server require strong auth = allow_sasl_over_tls
    max open files = 32808
    interfaces = lo ens3
    bind interfaces only = yes
    template shell = /bin/bash
    template homedir = /home/%D-%U
    load printers = yes
    printing = cups
    printcap name = cups
    spoolss: architecture = Windows x64
    max xmit = 65535

[netlogon]
    comment = Domain logon service
    path = /var/lib/samba/sysvol/kiddlaw.lan/scripts
    read only = no

[sysvol]
    path = /var/lib/samba/sysvol
    read only = no

[homes]
    comment = Heimatverzeichnisse
    hide files = /windows-profiles/
    browsable = no
    read only = no
    create mask = 0700
    directory mask = 0700

[printers]
    comment = Drucker
    browseable = no
    path = /tmp
    printable = yes
    create mode = 0700

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/drivers
    read only = no

[sharedData]
    path = /srv/shares/sharedData
    read only = no
    hide unreadable = yes
    veto files = /.Trashes/._*/.DS_Store/

Then read this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

It is the only way you can use a DC as a fileserver.

Rowland
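An added example, not part of this thread and not Samba's own code: a short Python script that parses two smb.conf texts the way Samba reads them (case-insensitive parameter names, the synonyms smb.conf(5) documents such as browsable/browseable, create mode/create mask, debug level/log level, and writeable as the inverse of read only), reports each server's effective 'server role' and lists the per-section differences, which is the comparison Rowland's two points call for: the on-disk file against 'testparm -s' output, and the on-disk file against the trimmed config above. The embedded sample configs are constructed fragments of the on-disk FS01 config and of the proposed one; 'include =' lines are recorded but not resolved, and only yes/true/no/false are normalised because 0/1 are also valid numeric values.

```python
# Subset of the parameter aliases documented in smb.conf(5): canonical name -> other spellings.
SYNONYMS = {"browseable": {"browsable"}, "create mask": {"create mode"},
            "directory mask": {"directory mode"}, "log level": {"debug level"}, "guest ok": {"public"}}
INVERSE_OF_READ_ONLY = {"writeable", "writable", "write ok"}
BOOL = {"yes": "yes", "true": "yes", "no": "no", "false": "no"}  # 0/1 untouched: numeric params share that syntax
def canon(key, value):
    key, value = " ".join(key.lower().split()), value.strip()
    value = BOOL.get(value.lower(), value)
    if key in INVERSE_OF_READ_ONLY:  # 'writeable = yes' is Samba's other spelling of 'read only = no'
        return "read only", {"yes": "no", "no": "yes", "1": "0", "0": "1"}.get(value, value)
    return next((c for c, aliases in SYNONYMS.items() if key in aliases), key), value
def parse_smbconf(text):
    """Parse smb.conf text into {section: {param: value}}; 'include =' lines are kept, not resolved."""
    sections, current = {"global": {}}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # Samba only treats whole lines as comments
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            k, v = canon(key, value)
            sections[current][k] = v
    return sections
def server_role(sections):
    return sections["global"].get("server role", "auto")  # Samba's default is 'auto'
def diff_smbconf(a, b):
    out = {}  # {section: {param: (value in a or None, value in b or None)}} for every parameter that differs
    for section in sorted(set(a) | set(b)):
        pa, pb = a.get(section, {}), b.get(section, {})
        delta = {k: (pa.get(k), pb.get(k)) for k in sorted(set(pa) | set(pb)) if pa.get(k) != pb.get(k)}
        if delta:
            out[section] = delta
    return out

# Constructed samples: fragments of the on-disk FS01 smb.conf and of the trimmed one proposed in the thread.
ON_DISK = """[global]
   debug level = 1
   server role = active directory domain controller
   server services = -dns -smb +s3fs -nbt
   # use nmbd; to disable set samba4/service/nmb to s4
[sharedData]
   writeable = yes
   create mode = 0744
"""
PROPOSED = """[global]
   log level = 1
   server role = active directory domain controller
   server services = -dns
[sharedData]
   read only = no
"""
```

Run it against the real files with `parse_smbconf(open("/etc/samba/smb.conf").read())` on one side and the captured `testparm -s` output on the other; anything the diff reports that you did not put there is what Rowland is asking about.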