Leszek Szczepanowski
2022-Nov-28 19:36 UTC
[Samba] Domain Users cannot write to the share.
Hi,

I successfully made a GlusterFS+CTDB+Samba cluster, integrated to the AD.
I also made it to work with SELinux after some investigation.
Now I have some final issues: AD users cannot write to the share if it has 775 permission.
I tried to put ACLs, but always if 'other' is r-x, no one who is not in the 'classic' gluster UNIX group can write to the share. Here is getfacl:

[root@fs01 symptoms]# getfacl /mnt/glusterfs/symptoms/
getfacl: Removing leading '/' from absolute path names
# file: mnt/glusterfs/symptoms/
# owner: gluster
# group: gluster
user::rwx
group::rwx
other::rwx
default:user::rwx
default:group::rwx
default:group:XXX\\domain\040users:rwx
default:mask::rwx
default:other::r-x

Here is the content (when I did chmod 777 because nothing was working):

[root@fs01 symptoms]# ls -ln
total 659859
[...]
drwxrwxr-x+ 2 315360 300513 4096 Nov 28 20:04 blabla
drwxrwxr-x+ 2 315360 300513 4096 Nov 28 19:57 ble
-rwxrwxr-x. 1 1000 1000 0 Nov 15 15:09 test10
-rwxr--r--. 1 1001 1002 0 Nov 15 18:55 test99
drwxrwxr-x+ 2 315360 300513 4096 Nov 28 19:58 testy
drwxrwxr-x+ 2 315360 300513 4096 Nov 28 20:06 yuma
[...]

So, as you can see, the AD user mapped as UID 315360 and GID 300513 can only write when this folder has 777.

Here is the smb.conf (from registry):

[root@fs01 symptoms]# net conf list
[global]
	logging = syslog
	log level = 1
	netbios name = fs
	workgroup = XXX
	clustering = yes
	security = ads
	realm = XXX.XXX.XXX
	vfs objects = acl_xattr
	map acl inherit = yes
	idmap config XXX: backend = rid
	idmap config * : range = 100000-299999
	idmap config XXX: range = 300000-499999
	idmap config * : backend = tdb
	winbind rpc only = yes
	kerberos method = secrets and keytab

[symptoms]
	path = /mnt/glusterfs/symptoms/
	guest ok = no
	read only = no
	browseable = yes
	map acl inherit = yes
	inherit acls = yes

[root@fs01 symptoms]# net groupmap list
Administrators (S-1-5-32-544) -> BUILTIN\administrators
Guests (S-1-5-32-546) -> BUILTIN\guests
Users (S-1-5-32-545) -> BUILTIN\users
Domain Users (S-1-5-21-76667877-53546716-1882380502-974) -> gluster

[root@fs01 symptoms]# id gluster
uid=974(gluster) gid=974(gluster) groups=974(gluster)

For all local UNIX users belonging to the gluster group, either as GID or as supplementary, write permission is granted (in case of 775). But not for AD users. What am I doing wrong?

How do I allow AD users to write when the standard UNIX permissions are 775?

--
Leszek A. Szczepanowski
twinsen at mspanc.net
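The getfacl output quoted in the post, run through an added example (my own code, not Samba's or the poster's) that separates the directory's own access entries from its default entries, which are only copied onto newly created children, and evaluates what a given user and group set is granted under POSIX.1e rules. The AD principal name `XXX\someone` and the local user `bob` are assumed placeholders.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "tag qualifier perms")

# Constructed copy of the getfacl output quoted in the post ('\\' = backslash, '\040' = space).
GETFACL_OUTPUT = r"""# owner: gluster
# group: gluster
user::rwx
group::rwx
other::rwx
default:user::rwx
default:group::rwx
default:group:XXX\\domain\040users:rwx
default:mask::rwx
default:other::r-x
"""

def _unescape(name):  # undo getfacl's escaping: '\\' -> '\', '\040' -> ' '
    return re.sub(r"\\(\\|[0-7]{3})",
                  lambda m: "\\" if m.group(1) == "\\" else chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    """Split getfacl output into access entries (the directory itself) and default entries (only copied to new children)."""
    acl = {"owner": None, "group": None, "access": [], "default": []}
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("#"):  # header lines: file / owner / group
            m = re.match(r"#\s*(owner|group):\s*(\S+)", line)
            if m: acl[m.group(1)] = m.group(2)
            continue
        m = re.match(r"(default:)?(\w+):(.*):([rwx-]+)$", line)
        section = "default" if m.group(1) else "access"
        acl[section].append(Entry(m.group(2), _unescape(m.group(3)), set(m.group(4)) - {"-"}))
    return acl

def effective_perms(acl, user, groups, section="access"):
    """POSIX.1e order: owner, named user, union of all matching group entries (each limited by the mask), else other."""
    entries = acl[section]
    mask = next((e.perms for e in entries if e.tag == "mask"), {"r", "w", "x"})
    if user == acl["owner"]:
        return next(e.perms for e in entries if e.tag == "user" and not e.qualifier)
    named = [e.perms & mask for e in entries if e.tag == "user" and e.qualifier == user]
    if named:
        return named[0]
    matching = [e.perms & mask for e in entries
                if e.tag == "group" and (e.qualifier or acl["group"]) in groups]
    if matching:
        return set().union(*matching)
    return next(e.perms for e in entries if e.tag == "other")
```

Replacing the access line `other::rwx` with `other::r-x` reproduces the 775 case the post describes: a principal whose only group is "XXX\domain users" falls through to the `other` entry on the directory itself, while the default section still grants that group rwx.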
On 28/11/2022 19:36, Leszek Szczepanowski via samba wrote:
> Hi,
>
> I successfully made a GlusterFS+CTDB+Samba cluster, integrated to the AD.
> I also made it to work with SELinux after some investigation.
> Now I have some final issues: AD users cannot write to the share if it has
> 775 permission.
> I tried to put ACLs, but always if 'other' is r-x, no one who is not in the
> 'classic' gluster UNIX group can write to the share. Here is getfacl:
>
> [root@fs01 symptoms]# getfacl /mnt/glusterfs/symptoms/
> getfacl: Removing leading '/' from absolute path names
> # file: mnt/glusterfs/symptoms/
> # owner: gluster
> # group: gluster
> user::rwx
> group::rwx
> other::rwx
> default:user::rwx
> default:group::rwx
> default:group:XXX\\domain\040users:rwx
> default:mask::rwx
> default:other::r-x
>
> Here is the content (when I did chmod 777 because nothing was working):
>
> [root@fs01 symptoms]# ls -ln
> total 659859
> [...]
> drwxrwxr-x+ 2 315360 300513 4096 Nov 28 20:04 blabla
> drwxrwxr-x+ 2 315360 300513 4096 Nov 28 19:57 ble
> -rwxrwxr-x. 1 1000 1000 0 Nov 15 15:09 test10
> -rwxr--r--. 1 1001 1002 0 Nov 15 18:55 test99
> drwxrwxr-x+ 2 315360 300513 4096 Nov 28 19:58 testy
> drwxrwxr-x+ 2 315360 300513 4096 Nov 28 20:06 yuma
> [...]
>
> So, as you can see, the AD user mapped as UID 315360 and GID 300513 can only
> write when this folder has 777.
>
> Here is the smb.conf (from registry):
>
> [root@fs01 symptoms]# net conf list
> [global]
> 	logging = syslog
> 	log level = 1
> 	netbios name = fs
> 	workgroup = XXX
> 	clustering = yes
> 	security = ads
> 	realm = XXX.XXX.XXX
> 	vfs objects = acl_xattr
> 	map acl inherit = yes
> 	idmap config XXX: backend = rid
> 	idmap config * : range = 100000-299999
> 	idmap config XXX: range = 300000-499999
> 	idmap config * : backend = tdb
> 	winbind rpc only = yes
> 	kerberos method = secrets and keytab
>
> [symptoms]
> 	path = /mnt/glusterfs/symptoms/
> 	guest ok = no
> 	read only = no
> 	browseable = yes
> 	map acl inherit = yes
> 	inherit acls = yes
>
> [root@fs01 symptoms]# net groupmap list
> Administrators (S-1-5-32-544) -> BUILTIN\administrators
> Guests (S-1-5-32-546) -> BUILTIN\guests
> Users (S-1-5-32-545) -> BUILTIN\users
> Domain Users (S-1-5-21-76667877-53546716-1882380502-974) -> gluster
>
> [root@fs01 symptoms]# id gluster
> uid=974(gluster) gid=974(gluster) groups=974(gluster)
>
> For all local UNIX users belonging to the gluster group, either as GID or as
> supplementary, write permission is granted (in case of 775). But not for AD
> users. What am I doing wrong?
>
> How do I allow AD users to write when the standard UNIX permissions are
> 775?

Are you following these wiki pages?

https://wiki.samba.org/index.php/GlusterFS
https://wiki.samba.org/index.php/My-CTDB

Rowland