And the dramatic conclusion is that no, it wasn't the conflicting group
name interfering with the mount:
root@samba-dc:~# samba-tool group listmembers ea-staff
dhales
whughes
mduffy
root@data2:/var/log/samba# ls -ld /data/share
drwxrwx--- 2 root ea-staff 4096 Nov 2 19:15 /data/share
root@data2:/var/log/samba# id mduffy
uid=11103(mduffy) gid=10513(domain users) groups=10513(domain users),11103(mduffy),11106(ea-admins),11112(ea-staff),3001(BUILTIN\users)
Same error message logged in /var/samba/log.smbd, I won't repeat it.
The getpwuid(11103) function is failing for some reason.
On 11/3/21 11:32, Patrick Goetz via samba wrote:
> Hi Rowland-
>
> On 11/3/21 11:20, Rowland Penny via samba wrote:
>> On Wed, 2021-11-03 at 10:58 -0500, Patrick Goetz via samba wrote:
>>> Sorry for spamming the list today.
>>>
>>> I'm slowly testing out my new Samba AD network. At the moment I'm trying
>>> to mount a share on a W10 client from a CMD prompt, and the mount is
>>> failing:
>>>
>>>     net use G: \\data2\share
>>>
>>> I tried a suggestion from Louis to use the FQDN:
>>>
>>>     net use G: \\data2.ea.linuxcs.com\share
>>>
>>> and it still failed, but with a different Windows error message. When I
>>> tail -f /var/log/samba/smbd on the fileserver I see
>>>
>>>
>>> ---------------------------
>>> [2021/11/03 10:20:25.088689,  0] ../../source3/auth/token_util.c:565(add_local_groups)
>>>   add_local_groups: SID S-1-5-21-2398640129-655337111-1434392923-1103 -> getpwuid(11103) failed, is nsswitch configured?
>>> [2021/11/03 10:20:35.371582,  0] ../../source3/auth/token_util.c:565(add_local_groups)
>>>   add_local_groups: SID S-1-5-21-2398640129-655337111-1434392923-1103 -> getpwuid(11103) failed, is nsswitch configured?
>>> [2021/11/03 10:20:35.383936,  0] ../../source3/auth/token_util.c:565(add_local_groups)
>>>   add_local_groups: SID S-1-5-21-2398640129-655337111-1434392923-1103 -> getpwuid(11103) failed, is nsswitch configured?
>>> ---------------------------
>>>
>>>
>>> 11103 is the uid of the user I'm trying to connect this share for. The
>>> suggestion is that nsswitch.conf isn't configured, but in fact it is:
>>>
>>> root@data2:/etc# cat nsswitch.conf
>>> # /etc/nsswitch.conf
>>> #
>>> # Example configuration of GNU Name Service Switch functionality.
>>> # If you have the `glibc-doc-reference' and `info' packages installed, try:
>>> # `info libc "Name Service Switch"' for information about this file.
>>>
>>> passwd:         files systemd winbind
>>> group:          files systemd winbind
>>> ...
>>>
>>>
>>>
>>> I know I'm using the correct password, because I used it to log in on
>>> the W10 client as this user. Any thoughts on what I should look at
>>> next?
>>>
>>>
>>> Other AD stuff works properly:
>>> root@data2:/etc# getent passwd patrickgoetz
>>> patrickgoetz:*:11104:10513::/home/EA/patrickgoetz:/bin/false
>>> root@data2:/etc# wbinfo -i mduffy
>>> mduffy:*:11103:10513::/home/EA/mduffy:/bin/false
>>>
>>>
>>>
>>> The share has appropriate ACLs set:
>>>
>>> root@data2:/data# ls -ld share
>>> drwxrwx--- 2 root staff 4096 Nov  2 19:15 share
>>
>> The only people that can connect to that share are, the Unix user
>> 'root' and members of the Unix group 'staff'
>> Remember what I said about 'setfacl'
>>
>
>
> Maybe this is the problem? I set up staff as an AD security group, not
> realizing it's a built in group in /etc/group. But this is likely
> confusing the system. The group does ID correctly. You can tell from
> the group UID that it's an AD group:
>
> root@data2:/data# id staff
> uid=11110(staff) gid=11110(staff) groups=11110(staff)
>
> root@data2:/data# grep staff /etc/group
> staff:x:50:
>
> OK, let me change the name of the Security Group to see if this resolves
> the issue.
>
>
>
>>>
>>>
>>> The user is a member of the staff group.
>>
>> Where did you make the user a member of 'staff' and how ?
>>
>>> I can't get `get-adgroup` or
>>> `get-adgroupmember` to work in PowerShell to demonstrate this;
>>> presumably this has to do with the Windows web interface thing.
>>
>> More likely Windows not having a clue what the Unix group 'staff' is.
>>
>>>
>>>
>>> And here is the resource section from smb.conf:
>>>
>>> [share]
>>>      comment = Share Directory
>>>      path = /data/share
>>>      guest ok = no
>>>      browseable = yes
>>>      writeable = yes
>>>      create mask = 0770
>>>      directory mask = 0770
>>>      follow symlinks = yes
>>
>> Please do not post parts of a smb.conf, without the 'global' part, it
>> hasn't any context (I know you may have posted it previously, but this
>> would mean searching for it and you may have changed it anyway) :-)
>>
>> Rowland
>>
>>
>>
>
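
The quoted reply raises the `staff` name collision between /etc/group and the AD security group. As an added example (not from the thread or the Samba project), this Python sketch lists group names defined in more than one NSS source and shows which one a name lookup returns under the `group:` order in nsswitch.conf. The `/etc/group` entries other than `staff`, the function names, and the assumption that default nsswitch actions apply are illustrative.

```python
# Added example. All inputs are constructed samples modelled on the thread
# (state before the group rename), not data read from a live system.
NSSWITCH = """\
passwd:         files systemd winbind
group:          files systemd winbind
"""
ETC_GROUP = """\
root:x:0:
staff:x:50:
users:x:100:
"""
# name -> gid as winbind reports them (ids quoted in the thread)
WINBIND_GROUPS = {"staff": 11110, "ea-admins": 11106, "domain users": 10513}

def nss_sources(conf, database):
    """Return the ordered source list for one database line of nsswitch.conf."""
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith(database + ":"):
            # Bracketed actions such as [NOTFOUND=return] are skipped:
            # this sketch assumes the default "first success wins" rule.
            return [t for t in line.split(":", 1)[1].split()
                    if not t.startswith("[")]
    return []

def parse_group_file(text):
    """Parse /etc/group content into {name: gid}."""
    groups = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            groups[fields[0]] = int(fields[2])
    return groups

def shadowed_groups(conf, group_file, winbind_groups):
    """Map each colliding name to the source that wins and those it hides."""
    tables = {"files": parse_group_file(group_file), "winbind": winbind_groups}
    order = [s for s in nss_sources(conf, "group") if s in tables]
    report = {}
    for name in sorted(set().union(*(tables[s] for s in order))):
        hits = [(s, tables[s][name]) for s in order if name in tables[s]]
        if len(hits) > 1:
            report[name] = {"wins": hits[0], "shadowed": hits[1:]}
    return report

if __name__ == "__main__":
    for name, r in shadowed_groups(NSSWITCH, ETC_GROUP, WINBIND_GROUPS).items():
        print(f"{name}: {r['wins'][0]} gid {r['wins'][1]} hides {r['shadowed']}")
```

With `files` listed before `winbind`, a lookup of the name `staff` returns the local gid 50, so a directory whose group shows as `staff` in `ls -ld` is not necessarily owned by the AD group.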