L.P.H. van Belle
2021-Jan-25 11:18 UTC
[Samba] Is it possible to 'getfacl' on a mounted samba share ?
I made some comments below, change these and reboot after

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Nicola Mingotti
> via samba
> Sent: Monday 25 January 2021 11:39
> To: Rowland penny; samba at lists.samba.org
> Subject: Re: [Samba] Is it possible to 'getfacl' on a mounted samba
> share ?
>
>
> Answering to Rowland and Louis,
>
> . I downgraded the Linux version to:
> p at linte> uname -a
> Linux linte 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64
> GNU/Linux
>
> => That did not affect the outcome of 'getfacl' nor 'ls -l'
>
>
> . I run the proposed script, I made only a small change, "Administrator"
> with my default
> admin name in the code.
>
> ======================================================================================
> ========================== samba-collect-debug-info.sh ================================
> ======================================================================================
>
> Collected config  --- 2021-01-25-11:27 -----------
>
> Hostname: linte
> DNS Domain: borghi.lan
> FQDN: linte.borghi.lan
> ipaddress: 172.16.3.37
>
> -----------
>
> Kerberos SRV _kerberos._tcp.borghi.lan record verified ok, sample output:
> Server:         172.16.3.51
> Address:        172.16.3.51#53
>
> Non-authoritative answer:
> *** Can't find _kerberos._tcp.borghi.lan: No answer << strange ..
>
> Authoritative answers can be found from:
> borghi.lan
>         origin = borghi.lan.borghi.lan
>         mail addr = root.borghi.lan.borghi.lan
>         serial = 2020121500
>         refresh = 3600
>         retry = 900
>         expire = 604800
>         minimum = 86400
> Samba is running as a Unix domain member
>
> -----------
>        Checking file: /etc/os-release
>
> PRETTY_NAME="Debian GNU/Linux 10 (buster)"
> NAME="Debian GNU/Linux"
> VERSION_ID="10"
> VERSION="10 (buster)"
> VERSION_CODENAME=buster
> ID=debian
> HOME_URL="https://www.debian.org/"
> SUPPORT_URL="https://www.debian.org/support"
> BUG_REPORT_URL="https://bugs.debian.org/"
>
> -----------
>
>
>
> This computer is running Debian 10.7 x86_64
>
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
> group default qlen 1000
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
> 2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> state UP group default qlen 1000
>     link/ether 52:54:00:da:ea:ce brd ff:ff:ff:ff:ff:ff
>     inet 172.16.3.37/24 brd 172.16.3.255 scope global enp1s0
>
> -----------
>        Checking file: /etc/hosts
>
> 127.0.0.1       localhost
> 127.0.1.1       linte.borghi.lan        linte << change IP to real IP 172.16.3.37
>
> # The following lines are desirable for IPv6 capable hosts
> # ::1     localhost ip6-localhost ip6-loopback
> # ff02::1 ip6-allnodes
> # ff02::2 ip6-allrouters
>
> -----------
>
>        Checking file: /etc/resolv.conf
>
> domain windom.borghi.lan
> search windom.borghi.lan < you can remove one of these 2 here (domain/search), the last is the one that is used. ( in this case search )
> nameserver 172.16.3.51 << make sure this is the IP of the AD-DC
> # nameserver 172.16.3.49
> # nameserver 172.16.3.54
>
> -----------
>
>        Checking file: /etc/krb5.conf
>
> [libdefaults]
>   default_realm = WINDOM.BORGHI.LAN
>   dns_lookup_realm = false
>   dns_lookup_kdc = true
>
> -----------
>
>
>        Checking file: /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed,
> try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd:         files winbind systemd
> group:          files winbind systemd
> shadow:         files winbind < remove winbind here.
> gshadow:        files
>
> hosts:          files mdns4_minimal [NOTFOUND=return] dns myhostname

To avoid problems, change the hosts line here to:
hosts: files dns myhostname mdns4_minimal [NOTFOUND=return]

> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis
>
> -----------
>
>        Checking file: /etc/samba/smb.conf
>
> [global]
>    workgroup = WINDOM
>    security = ADS
>    realm = WINDOM.BORGHI.LAN
>
>    winbind refresh tickets = Yes
>    vfs objects = acl_xattr
>    map acl inherit = Yes
>    store dos attributes = Yes
>
>    dedicated keytab file = /etc/krb5.keytab
>    kerberos method = secrets and keytab
>
>    # I have only one domain, so it is convenient for me not to always have to type
>    # user instead of "WINDOM\user"
>    # winbind use default domain = yes
>
>    # remove after testing
>    winbind enum users = yes
>    winbind enum groups = yes
>
>   # disable printing
>    load printers = no
>    printing = bsd
>    printcap name = /dev/null
>    disable spoolss = yes
>
>    # logs
>    log file = /var/log/samba/%m.log
>    log level = 1
>
>    # ---- ID mapping backend rid -------
>    # Default ID mapping configuration for local BUILTIN accounts
>    # and groups on a domain member. The default (*) domain:
>    # - must not overlap with any domain ID mapping configuration!
>    # - must use a read-write-enabled back end, such as tdb.
>    idmap config * : backend = tdb
>    idmap config * : range = 3000-7999
>    # - You must set a DOMAIN backend configuration
>    # idmap config for the SAMDOM domain
>    idmap config SAMDOM : backend = rid
>    idmap config SAMDOM : range = 10000-999999
>
>    # Template settings for login shell and home directory
>    template shell = /bin/bash
>    template homedir = /home/WINDOM-%U
>
>    # map "Administrator" to "root"
>    username map = /usr/local/samba/etc/user.map
>
> # directory that serves as the shared disk
> # ok- this is working !
> # [sambaDisk]
> #       path = /home/WINDOM-nicola/testSamba
> #       read only = no
> #       vfs objects = shadow_copy2
> #       shadow:snapdir = /home/WINDOM-nicola/snapshots
> #       shadow:basedir = /home/WINDOM-nicola/testSamba
> #       shadow:sort = desc
>
>
> # [sambaDisk]
> #       path = /home/WINDOM-nicola/testSamba
> #       read only = no
> #       vfs objects = shadow_copy2
> #       shadow:mountpoint = /home/WINDOM-nicola/testSamba
> #       # relative path required if 'snapdirseverywhere' is used
> #       shadow:snapdir = snapshots
> #       # shadow:snapdir = /home/WINDOM-nicola/testSamba/snapshots
>
> #       # shadow:basedir = toSnap
> #       shadow:sort = desc
> #       # shadow:localtime = yes
> #       # shadow:format = '%Y.%m.%d-%H.%M.%S'
> #       shadow:snapdirseverywhere = yes
>
>
> -----------
>
> Running as Unix domain member and user.map detected.
>
> Contents of /usr/local/samba/etc/user.map
>
> !root = WINDOM\adam1
>
> Server Role is set to :  auto
>
> -----------
>
> Installed packages:
> ii  acl                               2.2.53-4                amd64  access control list - utilities
> ii  attr                              1:2.4.48-4              amd64  utilities for manipulating filesystem extended attributes
> ii  fonts-quicksand                   0.2016-2                all    sans-serif font with round attributes
> ii  krb5-config                       2.6                     all    Configuration files for Kerberos Version 5
> ii  krb5-locales                      1.17-3+deb10u1          all    internationalization support for MIT Kerberos
> ii  krb5-user                         1.17-3+deb10u1          amd64  basic programs to authenticate using MIT Kerberos
> ii  libacl1:amd64                     2.2.53-4                amd64  access control list - shared library
> ii  libattr1:amd64                    1:2.4.48-4              amd64  extended attribute handling - shared library
> ii  libgssapi-krb5-2:amd64            1.17-3+deb10u1          amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii  libkrb5-26-heimdal:amd64          7.5.0+dfsg-3            amd64  Heimdal Kerberos - libraries
> ii  libkrb5-3:amd64                   1.17-3+deb10u1          amd64  MIT Kerberos runtime libraries
> ii  libkrb5support0:amd64             1.17-3+deb10u1          amd64  MIT Kerberos runtime libraries - Support library
> ii  libnss-winbind:amd64              2:4.9.5+dfsg-5+deb10u1  amd64  Samba nameservice integration plugins
> ii  libpam-winbind:amd64              2:4.9.5+dfsg-5+deb10u1  amd64  Windows domain authentication integration plugin
> ii  libsmbclient:amd64                2:4.9.5+dfsg-5+deb10u1  amd64  shared library for communication with SMB/CIFS servers
> ii  libwbclient0:amd64                2:4.9.5+dfsg-5+deb10u1  amd64  Samba winbind client library
> ii  python-samba                      2:4.9.5+dfsg-5+deb10u1  amd64  Python bindings for Samba
> ii  python3-xattr                     0.9.6-1                 amd64  module for manipulating filesystem extended attributes - Python 3
> ii  samba                             2:4.9.5+dfsg-5+deb10u1  amd64  SMB/CIFS file, print, and login server for Unix
> ii  samba-common                      2:4.9.5+dfsg-5+deb10u1  all    common files used by both the Samba server and client
> ii  samba-common-bin                  2:4.9.5+dfsg-5+deb10u1  amd64  Samba common files used by both the server and the client
> ii  samba-dsdb-modules:amd64          2:4.9.5+dfsg-5+deb10u1  amd64  Samba Directory Services Database
> ii  samba-libs:amd64                  2:4.9.5+dfsg-5+deb10u1  amd64  Samba core libraries
> ii  samba-vfs-modules:amd64           2:4.9.5+dfsg-5+deb10u1  amd64  Samba Virtual FileSystem plugins
> ii  spice-client-glib-usb-acl-helper  0.35-2                  amd64  Helper tool to validate usb ACLs
> ii  winbind                           2:4.9.5+dfsg-5+deb10u1  amd64  service to resolve user and group information from Windows NT servers
> ii  xattr                             0.9.6-1                 amd64  tool for manipulating filesystem extended attributes
>
> -----------
>
> ======================================================================================
> ======================================================================================
>
>
> bye
> Nicola
>
>
>
> On 1/25/21 11:00 AM, Rowland penny via samba wrote:
> > On 25/01/2021 09:49, Nicola Mingotti via samba wrote:
> >>
> >> Hi Louis,
> >>
> >> Going toward the path you suggest I get:
> >>
> >> p at linte> mount | grep ' / '
> >> /dev/vda1 on / type ext4 (rw,relatime,errors=remount-ro)
> >>
> >> p at linte> sudo tune2fs -l /dev/vda1  | grep -i defa
> >> Default mount options:    user_xattr acl
> >> Default directory hash:   half_md4
> >>
> >> But, then I checked another thing:
> >>
> >> p at linte> uname -a
> >> Linux linte 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28)
> >> x86_64 GNU/Linux
> >>
> >> p at nas> uname -a
> >> Linux nas 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18)
> >> x86_64 GNU/Linux
> >>
> >> => Given that both systems are Debian stable, it might be that kernel
> >> 4.19.0-13
> >> has something broken regarding CIFS.
> >>
> >> I am going to try to change the kernel version and see what happens.
> >>
> > That should be easy, just run:
> >
> > apt update && apt upgrade
> >
> > I think we need more info here, can you download this script:
> >
> > https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh
> >
> > Run it on the computer, sanitise the output if required and post the
> > output here, do not attach it to a post, this list strips attachments.
> >
> > Rowland
> >
> >
> >
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Rowland penny
2021-Jan-25 11:24 UTC
[Samba] Is it possible to 'getfacl' on a mounted samba share ?
On 25/01/2021 11:18, L.P.H. van Belle via samba wrote:
> I made some comments below, change these and reboot after
>
>
You missed a couple, remove 'winbind' from the 'shadow' line in /etc/nsswitch.conf and uncomment '# winbind use default domain = yes' in smb.conf

Rowland
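
The points raised in the two replies above can be checked mechanically on a domain member. The script below is an added example, not part of the thread or of samba-collect-debug-info.sh; the function names are hypothetical and the sample files are constructed copies of the lines quoted in the thread.

```shell
#!/bin/bash
# Added example: checks mirroring the replies' comments; file paths are arguments.

check_hosts() {     # $1 = hosts file, $2 = FQDN that must not sit on a 127.x address
    awk -v fqdn="$2" '$1 ~ /^127\./ { for (i = 2; i <= NF; i++) if ($i == fqdn) bad = 1 }
        END { if (bad) print "hosts: " fqdn " is bound to a loopback address" }' "$1"
}

check_resolv() {    # $1 = resolv.conf; only the last of domain/search takes effect
    awk '$1 == "domain" { d = 1 } $1 == "search" { s = 1 }
        END { if (d && s) print "resolv.conf: both domain and search are set" }' "$1"
}

check_nsswitch() {  # $1 = nsswitch.conf
    awk '$1 == "shadow:" { for (i = 2; i <= NF; i++) if ($i == "winbind")
                               print "nsswitch: winbind on the shadow line" }
         $1 == "hosts:"  { m = 0; d = 0
                           for (i = 2; i <= NF; i++) {
                               if ($i == "mdns4_minimal") m = i
                               if ($i == "dns") d = i }
                           if (m && d && m < d)
                               print "nsswitch: mdns4_minimal is consulted before dns" }' "$1"
}

check_smbconf() {   # $1 = smb.conf; a line starting with # does not match
    grep -Eiq '^[[:space:]]*winbind use default domain[[:space:]]*=[[:space:]]*yes' "$1" ||
        echo "smb.conf: winbind use default domain = yes is not active"
}

audit_sample() {    # constructed copies of the lines quoted in the thread
    local d; d=$(mktemp -d)
    printf '127.0.0.1 localhost\n127.0.1.1 linte.borghi.lan linte\n' > "$d/hosts"
    printf 'domain windom.borghi.lan\nsearch windom.borghi.lan\nnameserver 172.16.3.51\n' > "$d/resolv.conf"
    printf 'shadow: files winbind\nhosts: files mdns4_minimal [NOTFOUND=return] dns myhostname\n' > "$d/nsswitch.conf"
    printf '[global]\n   security = ADS\n   # winbind use default domain = yes\n' > "$d/smb.conf"
    check_hosts    "$d/hosts" linte.borghi.lan
    check_resolv   "$d/resolv.conf"
    check_nsswitch "$d/nsswitch.conf"
    check_smbconf  "$d/smb.conf"
    rm -rf "$d"
}

audit_sample
```

To run it against a live system, call each check with the real path, for example `check_nsswitch /etc/nsswitch.conf`.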