I'm trying to use chown/chgrp commands on files on NFS storage.

Take a file "l" that I touched:

-rw------- 1 jas tech 0 Feb 10 15:21 l

(note that user and group mapping is working perfectly)

% chgrp core l
chgrp: changing group of ‘l’: Invalid argument

The problem is not the group:

% getent group core
core:x:1001:

% wbinfo -n 'core'
S-1-5-21-1981678738-1545235886-4256466701-6765 SID_DOM_GROUP (2)

% wbinfo -Y 'S-1-5-21-1981678738-1545235886-4256466701-6765'
1001

The problem is not the user:

% getent passwd jas
jas:*:1004:1000::/cs/home/jas:/cs/local/bin/tcsh

When looking at an strace of the chgrp above, I see this odd call:

fchownat(AT_FDCWD, "l", -1, 1001, 0) = -1 EINVAL (Invalid argument)

Where the third argument should be my uid 1004 and is instead -1.

In smb.conf:

idmap config * : backend = tdb
idmap config * : range = 1000000-1999999

# idmap config for the EECSYORKUCA domain
# range should match UNIX ID in AD

idmap config EECSYORKUCA : backend = ad
idmap config EECSYORKUCA : schema_mode = rfc2307
idmap config EECSYORKUCA : range = 1000-999999
idmap config EECSYORKUCA : unix_primary_group = yes
idmap config EECSYORKUCA : unix_nss_info = yes

Yes, and in /etc/nsswitch.conf:

passwd:     files winbind
shadow:     files
group:      files winbind

As a side note, if I try to change the ownership of the file, I get a similar behaviour.

This is a showstopper if I can't get this figured out. :( panic setting in....

(I'm positive I used chown/chgrp with 4.11 successfully.)

Jason.
On 2/10/2021 3:49 PM, Jason Keltz via samba wrote:
> I'm trying to use chown/chgrp commands on files on NFS storage.
>
> Take a file "l" that I touched:
>
> -rw------- 1 jas tech 0 Feb 10 15:21 l
>
> (note that user and group mapping is working perfectly)
>
> % chgrp core l
> chgrp: changing group of ‘l’: Invalid argument
>
> The problem is not the group:
>
> % getent group core
> core:x:1001:
>
> % wbinfo -n 'core'
> S-1-5-21-1981678738-1545235886-4256466701-6765 SID_DOM_GROUP (2)
>
> % wbinfo -Y 'S-1-5-21-1981678738-1545235886-4256466701-6765'
> 1001
>
> The problem is not the user:
>
> % getent passwd jas
> jas:*:1004:1000::/cs/home/jas:/cs/local/bin/tcsh
>
> When looking at an strace of the chgrp above, I see this odd call:
>
> fchownat(AT_FDCWD, "l", -1, 1001, 0) = -1 EINVAL (Invalid argument)
>
> Where the third argument should be my uid 1004 and is instead -1.
>
> In smb.conf:
>
> idmap config * : backend = tdb
> idmap config * : range = 1000000-1999999
>
> # idmap config for the EECSYORKUCA domain
> # range should match UNIX ID in AD
>
> idmap config EECSYORKUCA : backend = ad
> idmap config EECSYORKUCA : schema_mode = rfc2307
> idmap config EECSYORKUCA : range = 1000-999999
> idmap config EECSYORKUCA : unix_primary_group = yes
> idmap config EECSYORKUCA : unix_nss_info = yes
>
> Yes, and in /etc/nsswitch.conf:
>
> passwd:     files winbind
> shadow:     files
> group:      files winbind
>
> As a side note, if I try to change the ownership of the file, I get a
> similar behaviour.
>
> This is a showstopper if I can't get this figured out. :( panic
> setting in....
>
> (I'm positive I used chown/chgrp with 4.11 successfully.)

Actually, if I work in /tmp on my machine, I can change the group ownership of a file so it has to do with a file from the NFS server.

If I try a Linux client that is not in the domain, then I can change the group successfully.

If I put the group into /etc/group on the file server, then it works on the AD client which seems weird.

So this probably has something to do with the file server... I've restarted winbind there, but that didn't solve it.... The file server has the identical winbind config as the client.

I wonder if I need to reshare the mount because when the mount was originally mounted, the group was in /etc/group, but then /etc/group was reduced, and the group transferred to AD.

Hopefully to be figured out.

Jason.
Jeremy Allison
2021-Feb-10 21:52 UTC
[Samba] urgent problem with samba 4.13 and chown/chgrp
On Wed, Feb 10, 2021 at 03:49:57PM -0500, Jason Keltz via samba wrote:
>I'm trying to use chown/chgrp commands on files on NFS storage.
>
>Take a file "l" that I touched:
>
>-rw------- 1 jas tech 0 Feb 10 15:21 l
>
>(note that user and group mapping is working perfectly)
>
>% chgrp core l
>chgrp: changing group of ‘l’: Invalid argument
>
>The problem is not the group:
>
>% getent group core
>core:x:1001:
>
>% wbinfo -n 'core'
>S-1-5-21-1981678738-1545235886-4256466701-6765 SID_DOM_GROUP (2)
>
>% wbinfo -Y 'S-1-5-21-1981678738-1545235886-4256466701-6765'
>1001
>
>The problem is not the user:
>
>% getent passwd jas
>jas:*:1004:1000::/cs/home/jas:/cs/local/bin/tcsh
>
>When looking at an strace of the chgrp above, I see this odd call:
>
>fchownat(AT_FDCWD, "l", -1, 1001, 0) = -1 EINVAL (Invalid argument)
>
>Where the third argument should be my uid 1004 and is instead -1.

-1 means "no change". From man fchownat:

"If the owner or group is specified as -1, then that ID is not changed."

>In smb.conf:
>
>idmap config * : backend = tdb
>idmap config * : range = 1000000-1999999
>
># idmap config for the EECSYORKUCA domain
># range should match UNIX ID in AD
>
>idmap config EECSYORKUCA : backend = ad
>idmap config EECSYORKUCA : schema_mode = rfc2307
>idmap config EECSYORKUCA : range = 1000-999999
>idmap config EECSYORKUCA : unix_primary_group = yes
>idmap config EECSYORKUCA : unix_nss_info = yes
>
>Yes, and in /etc/nsswitch.conf:
>
>passwd:     files winbind
>shadow:     files
>group:      files winbind
>
>As a side note, if I try to change the ownership of the file, I get a
>similar behaviour.
>
>This is a showstopper if I can't get this figured out. :( panic
>setting in....
>
>(I'm positive I used chown/chgrp with 4.11 successfully.)

You'll almost certainly need "root squash" on your NFS export.

https://www.systutorials.com/how-to-allow-root-access-to-nfs/

Remember, Samba does activities as root which are by default disallowed over NFS.
L.P.H. van Belle
2021-Feb-11 09:47 UTC
[Samba] urgent problem with samba 4.13 and chown/chgrp
Besides your problem.

>>> idmap config EECSYORKUCA : range = 1000-999999

Now, ONLY if you didn't create a first user on Linux, you're OK here.
Normally we do recommend to use/start higher.

You should now use overlapping ID's.

See also:
cat /etc/addusers.conf

Start there, at least verify you don't have any users in the assigned range for samba.

Greetz,

Louis
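Added example, not part of the thread or of Samba: one way to run the check suggested in the message above, listing local users and groups whose IDs fall inside an idmap range, and (going slightly beyond the message) any idmap ranges that overlap each other. The function names, the `localadm` account and the sample passwd/group contents are constructed for illustration; the idmap lines are those quoted in the thread.

```sh
# Added example (not from the thread). Assumes the canonical
# "idmap config DOMAIN : range = LOW-HIGH" spelling in smb.conf.

# idmap_ranges SMB_CONF -> one "DOMAIN LOW HIGH" line per idmap range
idmap_ranges() {
    awk -F'[:=]' '/^[ \t]*idmap config .*:[ \t]*range[ \t]*=/ {
        dom = $1; sub(/^[ \t]*idmap config[ \t]*/, "", dom); gsub(/[ \t]/, "", dom)
        rng = $3; gsub(/[ \t]/, "", rng); split(rng, r, "-")
        print dom, r[1], r[2]
    }' "$1"
}

# local_ids_in_ranges SMB_CONF PASSWD GROUP -> "user|group NAME ID DOMAIN"
# for every local entry whose numeric ID lies inside an idmap range
local_ids_in_ranges() {
    idmap_ranges "$1" | while read -r dom lo hi; do
        for pair in "user:$2" "group:$3"; do
            awk -F: -v lo="$lo" -v hi="$hi" -v dom="$dom" -v kind="${pair%%:*}" \
                '$3 ~ /^[0-9]+$/ && $3+0 >= lo+0 && $3+0 <= hi+0 { print kind, $1, $3, dom }' \
                "${pair#*:}"
        done
    done
}

# overlapping_ranges SMB_CONF -> "DOMAIN_A DOMAIN_B" for each intersecting pair
overlapping_ranges() {
    idmap_ranges "$1" | awk '{ d[NR] = $1; lo[NR] = $2 + 0; hi[NR] = $3 + 0 }
        END { for (i = 1; i <= NR; i++) for (j = i + 1; j <= NR; j++)
                  if (lo[i] <= hi[j] && lo[j] <= hi[i]) print d[i], d[j] }'
}

# Constructed sample files; the idmap lines are the ones quoted in the thread.
make_sample() {
    cat > "$1/smb.conf" <<'EOF'
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
# idmap config for the EECSYORKUCA domain
idmap config EECSYORKUCA : backend = ad
idmap config EECSYORKUCA : range = 1000-999999
EOF
    printf '%s\n' 'root:x:0:0::/root:/bin/sh' \
        'localadm:x:1000:1000::/home/localadm:/bin/sh' > "$1/passwd"
    printf '%s\n' 'root:x:0:' 'localadm:x:1000:' 'core:x:1001:' > "$1/group"
}

tmp=$(mktemp -d) && make_sample "$tmp"
local_ids_in_ranges "$tmp/smb.conf" "$tmp/passwd" "$tmp/group"
overlapping_ranges "$tmp/smb.conf"
rm -rf "$tmp"
```

On a real host, pass copies of smb.conf, /etc/passwd and /etc/group to `local_ids_in_ranges`; any line it prints is a local ID that a domain account could also be mapped to.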
L.P.H. van Belle
2021-Feb-11 10:03 UTC
[Samba] urgent problem with samba 4.13 and chown/chgrp
PS. For the NFS related parts.

Make sure your servers all have the:
- nfs/fqdn SPN.
- A + PTR for all servers, OR if you don't use PTR (not advised) set rdns=no in krb5.conf

If you deny root to access the user home, you might need:

[appdefaults]
    forwardable = true
    pam = {
        minimum_uid = 1000
        YOUR.REALM.HERE = {
            # automounts try to read the file $HOME/.k5login
            # if they can't read it, mount fails, we ignore it.
            ignore_k5login = true
        }
    }

(or add root/spn to the servername, also works)

My exportfs file on Debian buster.
I use all options as shown with NFSv4.x (and 3.x not shown here)
sec=sys:krb5:krb5i:krb5p
If you set all these for NFS, you can first try with/without Kerberos authentication.

#/etc/exportfs
/srv 192.168.0.0/24(rw,sync,fsid=0,no_subtree_check,crossmnt,sec=sys:krb5:krb5i:krb5p)
/srv/samba/users 192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)

Here my assigned home dir is on all my servers: /home/users, which I mount bind with systemd as follows.

/etc/systemd/system/home-users.mount

[Unit]
Description=Mount (bind) (/home/users)
Wants=network-online.target

[Mount]
What=/srv/samba/users
Where=/home/users
Type=none
Options=bind

[Install]
WantedBy=multi-user.target

I hope this helps you.

Greetz,

Louis