On 9/24/20 1:06 PM, Rowland penny via samba wrote:
> OK, you are using users & groups in the 1000-29999 range, why ? could
> it be that you have the same users in /etc/passwd and AD ?

On my Linux installs, I allow for a 'local' account with user id 1000. That is the only local account and is used for installing the OS (or in case AD is down). All other user/group accounts are >= 1001 and come from the AD. Technically that line should probably be 1001-29999, but not sure if that would impact user 1001. The only user in my /etc/passwd is

  local:x:1000:1000:local,,,:/home/local:/bin/bash

> You are using 'cifsacls' and this calculates a 32 bit ID from the SID,
> so it is unlikely your users are getting the same ID from Samba and
> cifsacls, I get the feeling that you use one or the other, not both :-\

Can you please expand on this, I am confused as to what you are suggesting. If 'getent pass' works properly and shows no overlap/confusion, this seems to be related to cifsacl.

Ken Bass via samba <samba at lists.samba.org> writes:
> Can you please expand on this, I am confused as to what you are
> suggesting. If 'getent pass' works properly and shows no
> overlap/confusion, this seems to be related to cifsacl.

It's still hard to say at this point.

cifs.idmap logs messages in the syslog.
Can you try mounting with cifsacl, then look at logs in one window

  # journalctl --since=now

While you do a

  # ls -l /path/to/cifsaclmount/some_file

If a mapping fails you should see something like this:

  cifs.idmap[8370]: key description: cifs.idmap;0;0;39010000;os:S-1-5-18
  cifs.idmap[8370]: Unable to convert cifs.idmap;0;0;39010000;os:S-1-5-18 to UID: Some IDs could not be mapped.

"os" means it's the file owner (Owner Sid)
"gs" means the file group (Group Sid).

You can try to map the bad SID manually with wbinfo:

  # wbinfo --sid-to-uid S-1-5-18
  failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
  Could not convert sid S-1-5-18 to uid

And then it's a samba/winbind problem.

Cheers,
-- 
Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97 8C99 03C8 A49B 521B D5D3
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg, DE
GF: Felix Imendörffer, Mary Higgins, Sri Rasiah HRB 247165 (AG München)

Aurélien Aptel via samba <samba at lists.samba.org> writes:
> Ken Bass via samba <samba at lists.samba.org> writes:
> Can you try mounting with cifsacl, then look at logs in one window
>
>   # journalctl --since=now

should be

  # journalctl -f --since=now

Cheers,
-- 
Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97 8C99 03C8 A49B 521B D5D3
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg, DE
GF: Felix Imendörffer, Mary Higgins, Sri Rasiah HRB 247165 (AG München)

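Added example, not part of the original thread or of cifs-utils: a shell filter for the check described in the two messages above. It pulls failed cifs.idmap mappings out of journal text and prints, for each distinct SID, whether it was the owner (os) or group (gs) SID and the wbinfo command to retry it by hand. The sample log lines are constructed from the format quoted above; the gs: line, its SID and its "to GID" wording are assumptions.

```shell
#!/bin/sh
# Constructed sample journal lines, modelled on the format quoted in the thread.
# The "gs:" entry and the domain SID in it are made up for illustration.
sample_log() {
cat <<'EOF'
Sep 25 10:00:01 host cifs.idmap[8370]: key description: cifs.idmap;0;0;39010000;os:S-1-5-18
Sep 25 10:00:01 host cifs.idmap[8370]: Unable to convert cifs.idmap;0;0;39010000;os:S-1-5-18 to UID: Some IDs could not be mapped.
Sep 25 10:00:02 host cifs.idmap[8371]: key description: cifs.idmap;0;0;39010000;gs:S-1-5-21-1111-2222-3333-513
Sep 25 10:00:02 host cifs.idmap[8371]: Unable to convert cifs.idmap;0;0;39010000;gs:S-1-5-21-1111-2222-3333-513 to GID: Some IDs could not be mapped.
Sep 25 10:00:03 host cifs.idmap[8372]: Unable to convert cifs.idmap;0;0;39010000;os:S-1-5-18 to UID: Some IDs could not be mapped.
Sep 25 10:00:04 host kernel: Key type cifs.idmap registered
EOF
}

# Read journal text on stdin; print one line per distinct failed SID:
#   <owner|group> <SID> <wbinfo command to retry the mapping by hand>
# Only the "Unable to convert" lines count; the kernel "Key type ... registered"
# line and the plain "key description" lines are ignored.
failed_sid_checks() {
    sed -n 's/.*cifs\.idmap\[[0-9]*\]: Unable to convert cifs\.idmap;[^ ]*;\([og]s\):\(S-[0-9-]*\) .*/\1 \2/p' |
    sort -u |
    while read -r kind sid; do
        case "$kind" in
            os) echo "owner $sid wbinfo --sid-to-uid $sid" ;;
            gs) echo "group $sid wbinfo --sid-to-gid $sid" ;;
        esac
    done
}

# Demonstration on the constructed sample. Against a real system, replace
# sample_log with e.g.:  journalctl --since "10 min ago"
sample_log | failed_sid_checks
```

If the filter prints nothing after an `ls -l` on the cifsacl mount, no failed mapping was logged in that window.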
On 25/09/2020 10:14, Aurélien Aptel via samba wrote:
> Ken Bass via samba <samba at lists.samba.org> writes:
>> Can you please expand on this, I am confused as to what you are
>> suggesting. If 'getent pass' works properly and shows no
>> overlap/confusion, this seems to be related to cifsacl.
> It's still hard to say at this point.
>
> cifs.idmap logs messages in the syslog.
> Can you try mounting with cifsacl, then look at logs in one window
>
>   # journalctl --since=now
>
> While you do a
>
>   # ls -l /path/to/cifsaclmount/some_file
>
> If a mapping fails you should see something like this:
>
>   cifs.idmap[8370]: key description: cifs.idmap;0;0;39010000;os:S-1-5-18
>   cifs.idmap[8370]: Unable to convert cifs.idmap;0;0;39010000;os:S-1-5-18 to UID: Some IDs could not be mapped.
>
> "os" means it's the file owner (Owner Sid)
> "gs" means the file group (Group Sid).
>
> You can try to map the bad SID manually with wbinfo:
>
>   # wbinfo --sid-to-uid S-1-5-18
>   failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
>   Could not convert sid S-1-5-18 to uid
>
> And then it's a samba/winbind problem.

Not sure how this could be a Samba problem ? 'S-1-5-18' is SYSTEM and from the looks of it, neither cifs.idmap nor winbind maps it on a Unix domain member (it does map on a Samba DC).

It is hard to understand from the manpages, does cifsacls use the same IDs as Winbind, or does it calculate its own ?

Rowland

On 9/25/20 5:14 AM, Aurélien Aptel wrote:
> Ken Bass via samba <samba at lists.samba.org> writes:
>> Can you please expand on this, I am confused as to what you are
>> suggesting. If 'getent pass' works properly and shows no
>> overlap/confusion, this seems to be related to cifsacl.
> It's still hard to say at this point.
>
> cifs.idmap logs messages in the syslog.
> Can you try mounting with cifsacl, then look at logs in one window
>
>   # journalctl --since=now
>
> While you do a
>
>   # ls -l /path/to/cifsaclmount/some_file
>
> If a mapping fails you should see something like this:
>
>   cifs.idmap[8370]: key description: cifs.idmap;0;0;39010000;os:S-1-5-18
>   cifs.idmap[8370]: Unable to convert cifs.idmap;0;0;39010000;os:S-1-5-18 to UID: Some IDs could not be mapped.
>
> "os" means it's the file owner (Owner Sid)
> "gs" means the file group (Group Sid).
>
> You can try to map the bad SID manually with wbinfo:
>
>   # wbinfo --sid-to-uid S-1-5-18
>   failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
>   Could not convert sid S-1-5-18 to uid
>
> And then it's a samba/winbind problem.
>
> Cheers,

Is there a logging level required and for what application? I don't see a mention of cifs.idmap in the journal logs which deepens my suspicion that it is not being used. The only reference I see is:

  Sep 24 09:32:01 pc-u20 kernel: FS-Cache: Netfs 'cifs' registered for caching
  Sep 24 09:32:01 pc-u20 kernel: Key type cifs.spnego registered
  Sep 24 09:32:01 pc-u20 kernel: Key type cifs.idmap registered

If I run 'getcifsacl -r /path/to/cifsaclmount/some_file' and then I use the 'wbinfo --sid-to-uid' on the returned SID, it reports the proper mapping.

What / how does the cifs.idmap 'upcall' work? What triggers it? I think the issue must be in that area.