Rowland penny
2021-Feb-24 21:07 UTC
[Samba] Why some user names are not resolved by 'getfacl' ?
On 24/02/2021 20:55, Nicola Mingotti via samba wrote:
>
> ERRATA CORRIGE.
>
> ---- wrong ----
> WINDOM\riccardo at nas $> getfacl aaa-test-riccardo-2/
> -------------
>
> To change with
> ------------------
> WINDOM\riccardo at nas> getent passwd
> ------------------
>
> Sorry
>
> n.
>
>
> On 2/24/21 9:49 PM, Nicola Mingotti wrote:
>> Hi,
>>
>> I have a Samba NAS and a Samba DC. Both running in Linux Debian 10, stable.
>> Samba installed via .deb packages.
>>
>> Recently I found this strange behavior in 'getfacl' output. Some user names
>> are correctly reported, for others instead only a number is shown.
>>
>> Note that, if the same domain user runs
>> -------
>> WINDOM\riccardo at nas $> getfacl aaa-test-riccardo-2/
>> -------
>> all usernames are correctly shown.
>> So, for example:
>> -------
>> WINDOM\riccardo at nas> getent passwd | grep 10512
>> WINDOM\adam1:*:11127:10512::/home/WINDOM-adam1:/bin/bash
>> ---------
>>
>> Misbehavior example. Observe user '10512' is not resolved to
>> 'WINDOM\adam1', for example.
>> ------------------------------
>> WINDOM\riccardo at nas $> getfacl aaa-test-riccardo-2/
>> ---- long output ------
>> # file: aaa-test-riccardo-2/
>> # owner: root
>> # group: adm
>> user::rwx
>> user:10512:rwx
>> user:10513:r-x
>> user:11157:rwx
>> user:11159:r-x
>> user:11173:r-x
>> user:11180:rwx
>> group::r-x
>> group:WINDOM\\domain\040admins:rwx
>> group:WINDOM\\domain\040users:r-x
>> group:WINDOM\\riccardo:rwx
>> group:WINDOM\\g-ufficiotecnico:rwx
>> group:WINDOM\\g-leggitutto:r-x
>> group:WINDOM\\g-utentiufficio:r-x
>> group:WINDOM\\g-foto-video:rwx
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:10512:rwx
>> default:user:10513:r-x
>> default:user:WINDOM\\riccardo:rwx
>> default:user:11157:rwx
>> default:user:11159:r-x
>> default:user:11173:r-x
>> default:user:11180:rwx
>> default:group::r-x
>> default:group:WINDOM\\domain\040admins:rwx
>> default:group:WINDOM\\domain\040users:r-x
>> default:group:WINDOM\\g-ufficiotecnico:rwx
>> default:group:WINDOM\\g-leggitutto:r-x
>> default:group:WINDOM\\g-utentiufficio:r-x
>> default:group:WINDOM\\g-foto-video:rwx
>> default:mask::rwx
>> default:other::---
>> ------------------
>>
>> I rebooted the NAS, that was of no help.
>>
>> I can tell you that this directory was made by a Windows system.
>> If I make the same directory, with the same domain user, but from
>> a Linux system the result is much shorter.
>>
>> Thanks in advance for any hint you may give me!
>>
>> bye
>> Nicola
>>
>

There is something going wrong here, can you post the smb.conf files from the NAS and DC.

Rowland
Nicola Mingotti
2021-Feb-24 21:43 UTC
[Samba] Why some user names are not resolved by 'getfacl' ?
On 2/24/21 10:07 PM, Rowland penny via samba wrote:
> On 24/02/2021 20:55, Nicola Mingotti via samba wrote:
>> [...]
>
> There is something going wrong here, can you post the smb.conf files
> from the NAS and DC.
>
> Rowland

Hi Rowland,

I put here my files. Here it is late, if you have any other request I can send you other info tomorrow.

It is the first time I see such a mess with getfacl. Recently other unusual things happened. For example today I added a user to a new group and I was not able to see it from the NAS, even after a reboot. I had to wait a few hours and for all office employees to go home to see the change propagated to the NAS.

Other unusual things. About 10 days ago there was a severe power shortage, backup batteries ran out and all the servers shut down badly. On reboot I observed this unusual fact, a few users were not able to access certain target directories because they lost the right to walk through intermediate ones. For example, imagine user Foo had access to dir D until the day before, which is in /A/B/C/D. Well, after the power shortage a few users had lost the ability to walk through B or C.

This is my first serious Samba, so I am pretty sure I made some mistakes here and there. The only big thing I added in the last month is that a QNAP is part of the domain and it is accessing the NAS. It did not give me the impression of being solid. I hope it is not that box making the mess because it is a nightmare to configure.

thank you
bye
n.

============================================================ dc ====================================================================
# Global parameters
[global]
    dns forwarder = 172.16.3.49
    netbios name = DC1
    realm = WINDOM.BORGHI.LAN
    server role = active directory domain controller
    workgroup = WINDOM
    idmap_ldb:use rfc2307 = yes
    # . for logging
    log level = 1 auth_json_audit:3
        # log level = 1 auth_audit:3 auth_json_audit:3
    # log level = 1 auth_audit:3
    # . for group policy propagation
        apply group policies = yes

[netlogon]
    path = /var/lib/samba/sysvol/windom.borghi.lan/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

=========================================================== nas ==============================================================
[global]
   workgroup = WINDOM
   security = ADS
   realm = WINDOM.BORGHI.LAN
   # for Windows ACLs
   winbind refresh tickets = Yes
   # vfs objects = acl_xattr
   # vfs objects = acl_xattr shadow_copy2
   map acl inherit = Yes
   store dos attributes = Yes
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
   # remove after testing
   winbind enum users = yes
   winbind enum groups = yes
   # disable printing
   load printers = no
   printing = bsd
   printcap name = /dev/null
   disable spoolss = yes
   # logs
   # log file = /var/log/samba/%m.log
   # log level = 1
   log file = /var/log/samba/samba.log
   # log file = /var/log/samba/perPersonOrMachine/%U.log
   # log level = 1 smb:2 smb2:3
   # log level = 2 smb:2 smb2:2 vfs:9
   log level = 2 smb:2 smb2:2
   # . be sure to handle it with logrotate
   # max file size 100 MB, hopefully logrotate cuts it before that
   max log size = 100000
   # ---- ID mapping backend rid -------
   # Default ID mapping configuration for local BUILTIN accounts
   # and groups on a domain member. The default (*) domain:
   # - must not overlap with any domain ID mapping configuration!
   # - must use a read-write-enabled back end, such as tdb.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   # - You must set a DOMAIN backend configuration
   # idmap config for the SAMDOM domain
   idmap config WINDOM : backend = rid
   idmap config WINDOM : range = 10000-999999
   # Template settings for login shell and home directory
   template shell = /bin/bash
   template homedir = /home/WINDOM-%U
   # map "Administrator" to "root"
   username map = /usr/local/samba/etc/user.map

# directory that serves as the shared disk
[sambaDisk]
       path = /mnt/sambaShared/sambaDisk
       read only = no
       # --- default mask for users
       create mask = 777
       directory mask = 777
       # -- what happens if a user leaves?
       #    better make sure there are no problems by setting
       #    a default user and group for all files.
       #    (*) applies to Windows clients. Not to Linux. Mac?
       # => DISABLED, because in the logs I no longer see who opens the files, only "root", everywhere
       # force user = root
       # force group = adm
       # inherit permissions = true
       # ---- load the modules that are needed
       # vfs objects = full_audit shadow_copy2
       vfs objects = acl_xattr shadow_copy2
       # -------------------------------
       # --- for auditing ---------------
       # . disabled, due to issues with the logs not restarting
       #   I can read read/write accesses to files in the default logs.
       # opendir: too much output, it gets read automatically
       # I don't understand what these do: read write pread pwrite
       # full_audit:prefix = %u|%I
       # full_audit:success = open
       # full_audit:failure = all
       # full_audit:facility = LOCAL5
       # --------------------------------
       # ---- for shadow copies ------
       shadow:snapdir = /mnt/sambaShared/snapshots
       shadow:basedir = /mnt/sambaShared/sambaDisk
       shadow:sort = desc
# ===================================================================
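As an added example (not code from the thread or from Samba itself): a small Python diagnostic that parses getfacl output like the one quoted at the top of the thread, turns each qualifier that is still a bare number back into the RID it came from under the NAS's `idmap config WINDOM : backend = rid` / `range = 10000-999999` setting posted above, and checks whether that ID resolves as a user, a group, or neither. The sample ACL lines are taken from the thread except one constructed entry for uid 11127 (adam1's uid from the getent line); the id->name maps used for offline operation are constructed, and base_rid is assumed at the backend default of 0.

```python
import grp, pwd, re

# NAS smb.conf in the thread: idmap config WINDOM : backend = rid, range = 10000-999999
RANGE_LOW, BASE_RID = 10000, 0  # base_rid left at the rid backend's default (assumed)

# Sample: lines from the thread's getfacl output plus one constructed entry (uid 11127).
SAMPLE_ACL = r"""# file: aaa-test-riccardo-2/
user:10512:rwx
user:11127:rwx
group:WINDOM\\domain\040admins:rwx
default:user:10512:rwx
"""

def unescape(name):  # getfacl writes '\' as '\\' and a space as '\040' (octal)
    return re.sub(r'\\(\\|[0-7]{3})', lambda m: '\\' if m[1] == '\\' else chr(int(m[1], 8)), name)

def id_to_rid(unix_id):  # invert the rid backend mapping: ID = RID - BASE_RID + RANGE_LOW
    return unix_id + BASE_RID - RANGE_LOW

def parse_getfacl(text):
    """Return (tag, qualifier, perms) tuples; tag keeps any 'default:' prefix."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        prefix = 'default:' if line.startswith('default:') else ''
        tag, qualifier, perms = line[len(prefix):].split(':', 2)
        entries.append((prefix + tag, unescape(qualifier), perms))
    return entries

def check_numeric_entries(text, users=None, groups=None):
    """For each numeric ACL qualifier report the RID it maps back to and whether the ID
    resolves as a user, a group, or neither. users/groups are optional id->name maps
    (constructed in the test); without them the host's pwd/grp databases are queried."""
    def lookup(table, getter, attr, unix_id):
        if table is not None:
            return table.get(unix_id)
        try:
            return getattr(getter(unix_id), attr)
        except KeyError:
            return None
    report = []
    for tag, qualifier, _ in parse_getfacl(text):
        if qualifier.isdigit():
            unix_id = int(qualifier)
            report.append({'entry': f'{tag}:{qualifier}', 'rid': id_to_rid(unix_id),
                           'user': lookup(users, pwd.getpwuid, 'pw_name', unix_id),
                           'group': lookup(groups, grp.getgrgid, 'gr_name', unix_id)})
    return report
```

An entry that resolves only as a group, or as nothing at all, is the one to take to `wbinfo --sid-to-name` / `getent` on the NAS; run without the maps, the function uses the host's own winbind-backed lookups.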